Ensure that the ML storage volumes attached to your Amazon SageMaker notebook instances are encrypted with Amazon KMS Customer Master Keys (CMKs, now called customer managed keys) rather than an AWS managed key, so that you control the key policy, rotation and auditing of the data-at-rest encryption and can meet compliance requirements that call for customer-controlled keys. Amazon SageMaker is a fully managed AWS service that lets data scientists and developers build, train and deploy machine learning models at scale, removing much of the infrastructure work that slows teams down when they adopt machine learning in the cloud. A SageMaker notebook instance is a fully managed ML compute instance that runs the Jupyter Notebook web application; the notebooks and data you keep on the instance live on its attached ML storage volume, which is the volume this rule is about.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you use your own Amazon KMS Customer Master Keys (CMKs) to protect the storage volumes of your SageMaker notebook instances, the key policy and any grants on the key decide which IAM principals can use it, so you rather than AWS control who can decrypt that data, and every use of the key is recorded in AWS CloudTrail. Amazon KMS lets you create, rotate, disable, schedule for deletion and audit the CMKs you assign to your notebook instances. Two caveats: the key must be enabled and in the same region as the notebook instance, and disabling or deleting a key makes the volumes encrypted under it unreadable, so treat key lifecycle changes as changes to the instances that depend on them. This rule covers only the instance's storage volume; data the notebook writes to Amazon S3 or other services is encrypted by those services' own settings.
To determine the encryption status and configuration for your Amazon SageMaker notebook instances, perform the following actions:
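The check below is an added example written for this page; it is not Cloud Conformity's own scanner. It classifies each notebook instance from the fields a DescribeNotebookInstance call returns, using kms:DescribeKey metadata to tell an AWS managed key (KeyManager "AWS") from a customer managed one (KeyManager "CUSTOMER"). The notebook names and key ARNs are constructed placeholders; audit_live() runs the same logic against a real account with boto3.

```python
"""Classify how each SageMaker notebook instance's ML storage volume is encrypted.

Added example, not Cloud Conformity's tooling. The pure functions work on
DescribeNotebookInstance / DescribeKey response dicts so they run offline;
audit_live() wires them to boto3 for a real account.
"""
from typing import Any, Dict, Iterable, List

# Constructed sample data; the key ARNs are hypothetical placeholders.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_MANAGED_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987fedc-65ba-43dc-21fe-0987654321ba"
SAMPLE_NOTEBOOKS = [
    {"NotebookInstanceName": "ml-dev", "KmsKeyId": CMK_ARN},
    {"NotebookInstanceName": "ml-prod", "KmsKeyId": AWS_MANAGED_ARN},
    {"NotebookInstanceName": "ml-legacy"},  # no KmsKeyId in the response at all
]
SAMPLE_KEY_METADATA = {
    CMK_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    AWS_MANAGED_ARN: {"KeyManager": "AWS", "KeyState": "Enabled"},
}


def volume_encryption_status(notebook: Dict[str, Any],
                             key_metadata: Dict[str, Dict[str, Any]]) -> str:
    """Verdict for one DescribeNotebookInstance response.

    key_metadata maps a KmsKeyId to the KeyMetadata dict from kms:DescribeKey.
    """
    key_id = notebook.get("KmsKeyId")
    if not key_id:
        # No key recorded on the instance: not a customer managed key either way.
        return "NO_CMK"
    meta = key_metadata.get(key_id)
    if meta is None:
        return "UNKNOWN_KEY"          # key not describable: deleted, or another account/region
    if meta.get("KeyManager") != "CUSTOMER":
        return "AWS_MANAGED"
    if meta.get("KeyState") != "Enabled":
        return "CMK_NOT_ENABLED"      # disabled or pending deletion: volume unreadable
    return "CUSTOMER_MANAGED"


def audit(notebooks: Iterable[Dict[str, Any]],
          key_metadata: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    return {nb["NotebookInstanceName"]: volume_encryption_status(nb, key_metadata)
            for nb in notebooks}


def noncompliant(results: Dict[str, str]) -> List[str]:
    """Instances that fail the rule, i.e. anything not on an enabled customer managed key."""
    return sorted(name for name, status in results.items() if status != "CUSTOMER_MANAGED")


def audit_live(region: str) -> Dict[str, str]:
    """Run the same check against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions above have no dependency
    sm = boto3.client("sagemaker", region_name=region)
    kms = boto3.client("kms", region_name=region)
    notebooks, key_metadata = [], {}
    for page in sm.get_paginator("list_notebook_instances").paginate():
        for item in page["NotebookInstances"]:
            desc = sm.describe_notebook_instance(NotebookInstanceName=item["NotebookInstanceName"])
            notebooks.append(desc)
            key_id = desc.get("KmsKeyId")
            if key_id and key_id not in key_metadata:
                try:
                    key_metadata[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]
                except kms.exceptions.NotFoundException:
                    pass  # left out of the map, reported as UNKNOWN_KEY
    return audit(notebooks, key_metadata)


if __name__ == "__main__":
    for name, status in audit(SAMPLE_NOTEBOOKS, SAMPLE_KEY_METADATA).items():
        print(f"{name}: {status}")
```

Checking KmsKeyId alone is not enough: a key ARN in the response can still be the AWS managed key, which is why the example looks up KeyManager. Treat UNKNOWN_KEY and CMK_NOT_ENABLED as findings too, since a volume whose key you cannot describe or use is an availability problem as much as a compliance one.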
The KMS key of a SageMaker notebook instance is fixed at creation time (UpdateNotebookInstance does not accept a KMS key), so to put an existing notebook instance on your own KMS Customer Master Key (CMK) you must re-create it. Launch a new notebook instance with the same instance type, IAM role, network and lifecycle settings as the old one, specifying your CMK for data-at-rest encryption, then copy the contents of the old instance's storage volume to the new one and decommission the old instance. To implement the necessary remediation/resolution process, perform the following:
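The following added example (written for this page, not Cloud Conformity's remediation tooling) builds the CreateNotebookInstance request for the replacement from the DescribeNotebookInstance output of the old instance, so that the instance type, role, VPC settings, volume size and lifecycle configuration carry over and only the KMS key changes. It refuses to proceed if the key is not an enabled customer managed key. The existing-instance description and key ARN are constructed placeholders; recreate_with_cmk() performs the real calls with boto3.

```python
"""Re-create a SageMaker notebook instance with a customer managed KMS key.

Added example, not Cloud Conformity's remediation tooling. build_replacement_request()
is pure so it can be checked offline; recreate_with_cmk() makes the live calls.
"""
from typing import Any, Dict

# Fields that copy unchanged from DescribeNotebookInstance output into
# CreateNotebookInstance input.
_CARRY_OVER = (
    "InstanceType", "RoleArn", "SubnetId", "SecurityGroupIds", "VolumeSizeInGB",
    "DirectInternetAccess", "RootAccess", "PlatformIdentifier", "DefaultCodeRepository",
    "AdditionalCodeRepositories", "AcceleratorTypes", "InstanceMetadataServiceConfiguration",
)
# Describe and Create name the lifecycle configuration differently.
_RENAMED = {"NotebookInstanceLifecycleConfigName": "LifecycleConfigName"}

# Constructed sample: a notebook created without a CMK. All ARNs and IDs are
# hypothetical placeholders.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_EXISTING = {
    "NotebookInstanceName": "ml-legacy",
    "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:111122223333:notebook-instance/ml-legacy",
    "NotebookInstanceStatus": "InService",
    "InstanceType": "ml.t3.medium",
    "RoleArn": "arn:aws:iam::111122223333:role/SageMakerExecutionRole",
    "SubnetId": "subnet-0123456789abcdef0",
    "SecurityGroupIds": ["sg-0123456789abcdef0"],
    "VolumeSizeInGB": 20,
    "DirectInternetAccess": "Disabled",
    "RootAccess": "Disabled",
    "NotebookInstanceLifecycleConfigName": "install-deps",
}
SAMPLE_CMK_METADATA = {"KeyManager": "CUSTOMER", "KeyState": "Enabled"}


def cmk_is_usable(key_metadata: Dict[str, Any]) -> bool:
    """True only for an enabled customer managed key (KeyMetadata from kms:DescribeKey)."""
    return key_metadata.get("KeyManager") == "CUSTOMER" and key_metadata.get("KeyState") == "Enabled"


def build_replacement_request(existing: Dict[str, Any], new_name: str,
                              cmk_arn: str, cmk_metadata: Dict[str, Any]) -> Dict[str, Any]:
    """Parameters for CreateNotebookInstance that mirror `existing` but use `cmk_arn`."""
    if not cmk_is_usable(cmk_metadata):
        raise ValueError(f"{cmk_arn} is not an enabled customer managed key")
    if existing.get("KmsKeyId") == cmk_arn:
        raise ValueError(f"{existing['NotebookInstanceName']} already uses {cmk_arn}")
    if new_name == existing["NotebookInstanceName"]:
        raise ValueError("the replacement needs a different name while the old instance exists")
    request: Dict[str, Any] = {"NotebookInstanceName": new_name, "KmsKeyId": cmk_arn}
    for field in _CARRY_OVER:
        if field in existing:
            request[field] = existing[field]
    for old, new in _RENAMED.items():
        if old in existing:
            request[new] = existing[old]
    return request


def recreate_with_cmk(region: str, old_name: str, new_name: str, cmk_arn: str) -> str:
    """Create the encrypted replacement and return its ARN (needs boto3 and credentials).

    The old instance is left running so its volume can be copied; stop and
    delete it yourself once the data is on the new instance.
    """
    import boto3  # imported here so the offline function above has no dependency
    sm = boto3.client("sagemaker", region_name=region)
    kms = boto3.client("kms", region_name=region)
    existing = sm.describe_notebook_instance(NotebookInstanceName=old_name)
    cmk_metadata = kms.describe_key(KeyId=cmk_arn)["KeyMetadata"]
    request = build_replacement_request(existing, new_name, cmk_arn, cmk_metadata)
    tags = sm.list_tags(ResourceArn=existing["NotebookInstanceArn"]).get("Tags", [])
    if tags:
        request["Tags"] = tags  # keep tag-based access controls and cost allocation intact
    return sm.create_notebook_instance(**request)["NotebookInstanceArn"]
```

The data copy is the step the API cannot do for you: on the old instance, sync the persisted directory (/home/ec2-user/SageMaker on notebook instances) to an S3 bucket, pull it down on the new instance, verify, and only then stop and delete the old instance. If CreateNotebookInstance fails with a KMS error, check that the key policy lets the principal running the remediation use the key and that the key is in the same region as the instance.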