Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Notebook Data Encrypted With KMS Customer Master Keys

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SageMaker-002

Ensure that the storage volumes attached to your Amazon SageMaker notebook instances are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys in order to have a more granular control over the data-at-rest encryption/decryption process and meet compliance requirements. SageMaker is a fully-managed AWS service that enables data scientists and developers to build, train, and deploy machine learning models at any scale. Amazon SageMaker removes the barriers that typically slow down data developers who want to use machine learning in the cloud. A SageMaker notebook instance is a fully managed Machine Learning (ML) instance based on the Jupyter Notebook application.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

By default, the data stored on your Amazon SageMaker notebook instances is encrypted using an AWS managed-key. When you use your own KMS Customer Master Keys (CMKs) to protect your SageMaker notebook instance data, you have full control over who can use the encryption keys to access your SageMaker data. The KMS service allows you to easily create, rotate, disable, and audit Customer Master Keys for your SageMaker notebook instance volumes.


Audit

To determine the encryption status available for your Amazon SageMaker notebook instances, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, select Notebook, then choose Notebook instances.

04 Click on the name (link) of the notebook instance that you want to examine.

05 In the Permissions and encryption section, check the Encryption key attribute value to find the Customer Master Key used to encrypt the data for the selected notebook instance. If the Encryption key attribute does not have a value, the data on the selected Amazon SageMaker notebook instance is encrypted using the default master key (AWS-managed key) instead of using a Customer Master Key (CMK).

06 Repeat steps no. 4 and 5 for each SageMaker notebook instance launched within the current AWS region.

07 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

01 Runlist-notebook-instances command (OSX/Linux/UNIX) to list the name of each SageMaker notebook instance provisioned in the selected AWS region:

aws sagemaker list-notebook-instances
  --region us-east-1
  --query 'NotebookInstances[*].NotebookInstanceName'

02 The command output should return the requested notebook instance names:

[
	"cc-sagemaker-ml-instance",
	"cc-ml-app-data-instance"
]

03 Rundescribe-notebook-instance command (OSX/Linux/UNIX) using the name of the Amazon SageMaker notebook instance that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the KMS key used to encrypt data stored on the selected SageMaker instance:

aws sagemaker describe-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance
  --query 'KmsKeyId'

04 The command output should return the requested KMS key ARN:

null

If the describe-notebook-instance command output returns null, as shown in the example above, the data on the selected Amazon SageMaker notebook instance is encrypted using the default master key (AWS-managed key) instead of a Customer Master Key (CMK).

05 Repeat steps no. 3 and 4 for each SageMaker notebook instance provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To encrypt the data available on an existing Amazon SageMaker notebook instance using your own KMS Customer Master Key (CMK), you must re-create the instance with the necessary encryption configuration by performing the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Encryption with Amazon KMS Customer Managed Keys",
	"Resources": {
		"VpcNetwork": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "10.0.0.0/16",
				"EnableDnsHostnames": true,
				"EnableDnsSupport": true,
				"InstanceTenancy": "default"
			}
		},
		"SageMakerInstanceExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"sagemaker.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"Path": "/",
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/AmazonSageMakerReadOnly"
				]
			}
		},
		"SageMakerNotebookSubnet": {
			"Type": "AWS::EC2::Subnet",
			"Properties": {
				"VpcId": {
					"Ref": "VpcNetwork"
				}
			}
		},
		"KMSKEY": {
			"Type": "AWS::KMS::Key",
			"Properties": {
				"Enabled": true,
				"KeySpec": "SYMMETRIC_DEFAULT",
				"KeyUsage": "ENCRYPT_DECRYPT",
				"Description": "Symmetric Amazon KMS Customer Master Key",
				"EnableKeyRotation": true,
				"KeyPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "Enable IAM User Permissions",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:root"
							},
							"Action": "kms:*",
							"Resource": "*"
						},
						{
							"Sid": "Allow access for Key Administrators",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
							},
							"Action": [
								"kms:Create*",
								"kms:Describe*",
								"kms:Enable*",
								"kms:List*",
								"kms:Put*",
								"kms:Update*",
								"kms:Revoke*",
								"kms:Disable*",
								"kms:Get*",
								"kms:Delete*",
								"kms:TagResource",
								"kms:UntagResource",
								"kms:ScheduleKeyDeletion",
								"kms:CancelKeyDeletion"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow use of the key",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:Encrypt",
								"kms:Decrypt",
								"kms:ReEncrypt*",
								"kms:GenerateDataKey*",
								"kms:DescribeKey"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow attachment of persistent resources",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:CreateGrant",
								"kms:ListGrants",
								"kms:RevokeGrant"
							],
							"Resource": "*",
							"Condition": {
								"Bool": {
									"kms:GrantIsForAWSResource": "true"
								}
							}
						}
					]
				}
			}
		},
		"KMSKEYAlias": {
			"Type": "AWS::KMS::Alias",
			"Properties": {
				"AliasName": "alias/NotebookInstanceCMK",
				"TargetKeyId": {
					"Ref": "KMSKEY"
				}
			}
		},
		"SageMakerNotebookInstance": {
			"Type": "AWS::SageMaker::NotebookInstance",
			"Properties": {
				"InstanceType": "ml.t2.large",
				"RoleArn": {
					"Fn::GetAtt": [
						"SageMakerInstanceExecutionRole",
						"Arn"
					]
				},
				"SecurityGroupIds": [
					"sg-0abcd1234abcd1234",
					"sg-01234abcd1234abcd"
				],
				"SubnetId": {
					"Ref": "SageMakerNotebookSubnet"
				},
				"KmsKeyId": {
					"Ref": "KMSKEY"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Encryption with Amazon KMS Customer Managed Keys
	Resources:
	VpcNetwork:
		Type: AWS::EC2::VPC
		Properties:
		CidrBlock: 10.0.0.0/16
		EnableDnsHostnames: true
		EnableDnsSupport: true
		InstanceTenancy: default
	SageMakerInstanceExecutionRole:
		Type: AWS::IAM::Role
		Properties:
		AssumeRolePolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Effect: Allow
				Principal:
				Service:
					- sagemaker.amazonaws.com
				Action:
				- sts:AssumeRole
		Path: /
		ManagedPolicyArns:
			- arn:aws:iam::aws:policy/AmazonSageMakerReadOnly
	SageMakerNotebookSubnet:
		Type: AWS::EC2::Subnet
		Properties:
		VpcId: !Ref 'VpcNetwork'
	KMSKEY:
		Type: AWS::KMS::Key
		Properties:
		Enabled: true
		KeySpec: SYMMETRIC_DEFAULT
		KeyUsage: ENCRYPT_DECRYPT
		Description: Symmetric Amazon KMS Customer Master Key
		EnableKeyRotation: true
		KeyPolicy:
			Version: '2012-10-17'
			Statement:
			- Sid: Enable IAM User Permissions
				Effect: Allow
				Principal:
				AWS: arn:aws:iam::123456789012:root
				Action: kms:*
				Resource: '*'
			- Sid: Allow access for Key Administrators
				Effect: Allow
				Principal:
				AWS: arn:aws:iam::123456789012:user/kms-key-admin
				Action:
				- kms:Create*
				- kms:Describe*
				- kms:Enable*
				- kms:List*
				- kms:Put*
				- kms:Update*
				- kms:Revoke*
				- kms:Disable*
				- kms:Get*
				- kms:Delete*
				- kms:TagResource
				- kms:UntagResource
				- kms:ScheduleKeyDeletion
				- kms:CancelKeyDeletion
				Resource: '*'
			- Sid: Allow use of the key
				Effect: Allow
				Principal:
				AWS:
					- arn:aws:iam::123456789012:user/cloud-resource-manager
				Action:
				- kms:Encrypt
				- kms:Decrypt
				- kms:ReEncrypt*
				- kms:GenerateDataKey*
				- kms:DescribeKey
				Resource: '*'
			- Sid: Allow attachment of persistent resources
				Effect: Allow
				Principal:
				AWS:
					- arn:aws:iam::123456789012:user/cloud-resource-manager
				Action:
				- kms:CreateGrant
				- kms:ListGrants
				- kms:RevokeGrant
				Resource: '*'
				Condition:
				Bool:
					kms:GrantIsForAWSResource: 'true'
	KMSKEYAlias:
		Type: AWS::KMS::Alias
		Properties:
		AliasName: alias/NotebookInstanceCMK
		TargetKeyId: !Ref 'KMSKEY'
	SageMakerNotebookInstance:
		Type: AWS::SageMaker::NotebookInstance
		Properties:
		InstanceType: ml.t2.large
		RoleArn: !GetAtt 'SageMakerInstanceExecutionRole.Arn'
		SecurityGroupIds:
			- sg-0abcd1234abcd1234
			- sg-01234abcd1234abcd
		SubnetId: !Ref 'SageMakerNotebookSubnet'
		KmsKeyId: !Ref 'KMSKEY'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_vpc" "vpc-network" {
	cidr_block = "10.0.0.0/16"
	enable_dns_hostnames = true
	enable_dns_support = true
	instance_tenancy = "default"  
}

resource "aws_iam_role" "iam-role" {
	name = "sagemaker-instance-execution-role"
	path = "/"
	managed_policy_arns = [ "arn:aws:iam::aws:policy/AmazonSageMakerReadOnly" ]
	assume_role_policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
					"Service": "sagemaker.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF
}

resource "aws_subnet" "sagemaker-notebook-subnet" {
	vpc_id     = aws_vpc.vpc-network.id
	cidr_block = "10.0.1.0/24"
}

resource "aws_kms_key" "kms-key" {
	is_enabled               = true
	customer_master_key_spec = "SYMMETRIC_DEFAULT"
	key_usage                = "ENCRYPT_DECRYPT"
	description              = "KMS Customer Master Key (CMK)"
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Sid": "Enable IAM User Permissions",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:root"
				},
				"Action": "kms:*",
				"Resource": "*"
			},
			{
				"Sid": "Allow access for Key Administrators",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
				},
				"Action": [
					"kms:Create*",
					"kms:Describe*",
					"kms:Enable*",
					"kms:List*",
					"kms:Put*",
					"kms:Update*",
					"kms:Revoke*",
					"kms:Disable*",
					"kms:Get*",
					"kms:Delete*",
					"kms:TagResource",
					"kms:UntagResource",
					"kms:ScheduleKeyDeletion",
					"kms:CancelKeyDeletion"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow use of the key",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:Encrypt",
					"kms:Decrypt",
					"kms:ReEncrypt*",
					"kms:GenerateDataKey*",
					"kms:DescribeKey"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow attachment of persistent resources",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:CreateGrant",
					"kms:ListGrants",
					"kms:RevokeGrant"
				],
				"Resource": "*",
				"Condition": {
					"Bool": {
						"kms:GrantIsForAWSResource": "true"
					}
				}
			}
		]
	}
	EOF
}

resource "aws_kms_alias" "kms-key-alias" {
	target_key_id = aws_kms_key.kms-key.key_id
	name          = "alias/NotebookInstanceCMK"
}

resource "aws_sagemaker_notebook_instance" "sagemaker-notebook-instance" {
	name            = "cc-prod-notebook-instance"
	instance_type   = "ml.t2.medium"
	role_arn        = aws_iam_role.iam-role.arn
	subnet_id       = aws_subnet.sagemaker-notebook-subnet.id
	security_groups = [ "sg-0abcd1234abcd1234", "sg-01234abcd1234abcd" ]

	# Encryption with Amazon KMS Customer Managed Keys
	kms_key_id = aws_kms_key.kms-key.arn
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 To create your own customer-provided Customer Master Key (CMK), navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Customer managed keys.

04 Select the appropriate AWS region from the navigation bar (must match the region of your SageMaker notebook instance).

05 Click the Create Key button from the console top menu to initiate the setup process.

06 For Step 1 Configure key, choose Symmetric from the Key type section, and select KMS for the Key material origin, available under Advanced options. Click Next to continue.

07 For Step 2 Add labels, provide a unique name (alias) and a short description for your new CMK, then use the Add tag button to create any required tag sets (optional). Click Next to continue the setup process.

08 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS console. Click Next to continue.

09 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key (CMK) for cryptographic operations. (Optional) In the Other AWS accounts section, click Add another AWS account and enter an external account ID in order to specify another AWS account that can use this KMS CMK to encrypt and decrypt your SageMaker notebook instance data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Click Next to continue the process.

10 For Step 5 Review and edit key policy, review the key policy, then click Finish to create your new KMS Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

11 Once your new Customer Master Key (CMK) is available, navigate to Amazon SageMaker console at https://console.aws.amazon.com/sagemaker/.

12 In the main navigation panel, select Notebook, then choose Notebook instances.

13 Click on the name of the notebook instance that you want to re-create and copy the instance configuration details such as instance type, volume size, instance permissions, etc.

14 Go back to the Notebook instances listing page, and choose Create notebook instance to initiate the launch process.

15 On Create notebook instance setup page, perform the following operations:

  1. For Notebook instance name, provide a unique name for the new Amazon SageMaker notebook instance.
  2. From the Notebook instance type dropdown list, select the same instance type as the source notebook instance, copied at step no. 4.
  3. (Optional) Choose the type of the Amazon Elastic Inference (EI) that you want to use for your instance, from the Elastic Inference dropdown list.
  4. Select the same platform as the source notebook instance from Platform identifier dropdown list.
  5. Select Additional configuration, and perform the following:
    • From Lifecycle configuration – optional dropdown list, select the available lifecycle configuration (if applicable) to customize your notebook environment with default scripts and plugins.
    • For Volume size in GB – optional, enter the volume size of the notebook instance in GB, copied at step no. 4.
  6. Choose the same IAM role as the one created for the source notebook instance from the IAM role dropdown list.
  7. For Root access – optional, choose whether or not to give users root access to your new netbook instance.
  8. Select the name (alias) of the KMS Customer Master Key (CMK) created earlier in the Remediation process from the Encryption key – optional dropdown list.
  9. Select the ID of the Virtual Private Cloud (VPC) where you want to deploy your new notebook instance from the VPC – optional dropdown list.
  10. Choose the ID of the VPC subnet that you want to use for your instance from the Subnet dropdown list.
  11. For Security group(s), select one or more security groups based on your access policy requirements.
  12. For Direct internet access, select Enable — Access the internet directly through Amazon SageMaker so that Amazon SageMaker can provide direct Internet access to your new notebook instance.
  13. Configure any necessary Git repositories in the Git repositories – optional section.
  14. In the Tags – optional section, create any required tags, according to the source instance tagging scheme.
  15. ChooseCreate notebook instance to launch your new, encrypted Amazon SageMaker notebook instance.

16 Once your SageMaker notebook instance is created, copy the data from the source instance to the new (destination) instance.

17 (Optional) You can remove the source SageMaker notebook instance from your AWS cloud account to avoid further charges. To delete the unneeded SageMaker instance, perform the following actions:

  1. Select the SageMaker notebook instance that you want to remove.
  2. Choose Actions and select the Delete option.
  3. Inside the Delete <notebook-instance-name> confirmation box, choose Delete to remove the instance from your AWS account.

18 Repeat steps no. 13 – 17 for each SageMaker notebook instance encrypted with an AWS-managed key, available within the current AWS region.

19 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your SageMaker notebook instance data using the KMS API. Create a new policy document (JSON format), name the file sagemaker-instance-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
	"Id": "aws-sagemaker-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e.sagemaker-instance-cmk-policy.json) as value for the --policy parameter, to create your new customer-provided Customer Master Key (CMK):

aws kms create-key
  --region us-east-1
  --description 'KMS CMK for encrypting SageMaker notebook instance data'
  --policy file://sagemaker-instance-cmk-policy.json
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias
  --region us-east-1
  --alias-name alias/NotebookInstanceCMK
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd

05 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to re-create as the identifier parameter, to describe the configuration information available for the selected notebook instance, information required for the next steps when the new instance will be launched:

aws sagemaker describe-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance

06 The command output should return the requested configuration details:

{
	"NotebookInstanceStatus": "InService",
	"Url": "cc-sagemaker-ml-instance.notebook.us-east-1.sagemaker.aws",
	"RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionPolicy-20180921T204001",
	"NotebookInstanceName": "cc-sagemaker-ml-instance",
	"CreationTime": 1537512545.117,
	"NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-ml-instance",
	"LastModifiedTime": 1537514345.153,
	"InstanceType": "ml.t2.large"
}

07 Run create-notebook-instance command (OSX/Linux/UNIX) using the configuration information returned at the previous step to relaunch your Amazon SageMaker notebook instance using a different encryption configuration. To encrypt your SageMaker notebook instance data using a customer-provided CMK, provide the ARN of the Customer Master Key (CMK) created earlier in the Remediation process as value for the --kms-key-id parameter:

aws sagemaker create-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-new-sagemaker-ml-instance
  --instance-type ml.t2.large
  --role-arn arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180921T204001
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
  --subnet-id subnet-1234abcd
  --security-group-ids sg-aabbccdd012345678

08 The command output should return the ARN of the new Amazon SageMaker notebook instance:

{
	"NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-new-sagemaker-ml-instance"
}

09 Copy the data from the source notebook instance to the new (destination) instance.

10 (Optional) You can remove the source SageMaker notebook instance from your AWS account in order to avoid further charges. To delete the unneeded SageMaker instance, run delete-notebook-instance command (OSX/Linux/UNIX), using the name of the notebook instance that you want to delete as the identifier parameter (the command does not produce an output):

aws sagemaker delete-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance

11 Repeat steps no. 5 – 10 for each SageMaker notebook instance encrypted with an AWS-managed key, available in the selected AWS region.

12 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Oct 15, 2018

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Notebook Data Encrypted With KMS Customer Master Keys

Risk Level: High