|
Notebook Data Encrypted
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that the data stored on Machine Learning (ML) storage volumes attached to your AWS SageMaker notebook instances is encrypted in order to meet regulatory requirements and protect your SageMaker data at rest. SageMaker is a fully-managed AWS service that enables developers and data engineers to quickly and easily build, train and deploy machine learning models at any scale. An AWS SageMaker notebook instance is a fully managed ML instance that is running the Jupyter Notebook open-source web application.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When working with sensitive or private data such as Personally Identifiable Information (PII), it is strongly recommended to implement encryption at rest in order to protect your data from unauthorized entities and fulfill any compliance requirements strictly defined within your organization.
To determine if your Amazon SageMaker instance storage volumes are using encryption, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.
03 In the navigation panel, under Notebook, choose Notebook instances.
04 Select the SageMaker notebook instance that you want to examine, then click on its name (link) to access the resource configuration details.
05 On the selected instance configuration page, within Permissions and Encryption section, check the Encryption key attribute value. If the Encryption key attribute does not have any value assigned, data-at-rest encryption is not enabled for the selected AWS SageMaker notebook instance.
06 Repeat step no. 4 and 5 for each Amazon SageMaker notebook instance provisioned in the current AWS region.
07 Change the AWS region from the navigation bar to repeat the audit process for other regions.
01 Run list-notebook-instances command (OSX/Linux/UNIX) to list the names of all SageMaker notebook instances available within the selected AWS region, in this case the US East (N. Virginia) region:
aws sagemaker list-notebook-instances --region us-east-1 --query 'NotebookInstances[*].NotebookInstanceName'
02 The command output should return the requested notebook instance names:
[
"cc-sagemaker-instance",
"cc-ml-application-instance"
]
03 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to examine as identifier and custom query filters to return the Amazon Resource Name (ARN) of the AWS KMS key used to encrypt data stored on the ML storage volume attached to the selected instance:
aws sagemaker describe-notebook-instance --region us-east-1 --notebook-instance-name cc-sagemaker-instance --query 'KmsKeyId'
04 The command output should return the requested information or null if there is no Amazon KMS key configured for data encryption:
null
05 Repeat step no. 3 and 4 for each AWS SageMaker notebook instance available in the selected AWS region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.
To enable data encryption for an existing AWS SageMaker notebook instance, you must re-create that notebook instance with the necessary encryption configuration. To launch your new SageMaker notebook instance, enable data-at-rest encryption and copy your existing data to it, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.
03 In the navigation panel, under Notebook, choose Notebook instances.
04 Click Create notebook instance button from the dashboard top-right menu to initiate the instance setup process.
05 On Create notebook instance page, within Notebook instance settings section, perform the following:
06 In the Tags – optional section, set up any required tags, based on the source notebook instance tagging scheme.
07 Click Create notebook instance to launch your new (encrypted) Amazon SageMaker notebook instance.
08 Once the new notebook instance is created, migrate the data from the source instance to the new (destination) instance.
09 Now it’s safe to remove the source SageMaker notebook instance from your AWS account to avoid further charges. To delete the necessary SageMaker instance, perform the following:
10 Repeat steps no. 4 - 9 to enable data-at-rest encryption for other Amazon SageMaker notebook instances provisioned in the current region.
11 Change the AWS region from the navigation bar and repeat the entire process for other regions.
01 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to re-create as identifier (see Audit section part II to identify the right resource) to return the selected instance configuration metadata, information required later when the new notebook instance is created:
aws sagemaker describe-notebook-instance --region us-east-1 --notebook-instance-name cc-sagemaker-instance
02 The command output should return the selected instance configuration metadata:
{
"NotebookInstanceStatus": "InService",
"Url": "cc-sagemaker-instance.notebook.us-east-1.sagemaker.aws",
"RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180916T094478",
"NotebookInstanceName": "cc-sagemaker-instance",
"CreationTime": 1537512114.647,
"NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-instance",
"LastModifiedTime": 1537514035.934,
"InstanceType": "ml.t2.xlarge"
}
03 Run create-notebook-instance command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the source (unencrypted) SageMaker notebook instance (see Audit section part II to identify the right resource) with the necessary encryption configuration (i.e. using an AWS KMS key identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"):
aws sagemaker create-notebook-instance --region us-east-1 --notebook-instance-name cc-sagemaker-encrypted-instance --instance-type ml.t2.xlarge --role-arn arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180916T094478 --kms-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc
04 If successful, the command output should return the ARN of the new Amazon SageMaker notebook instance:
{
"NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-encrypted-instance"
}
05 Now you can migrate the data from the source notebook instance to the destination instance.
06 After your data is migrated, it is safe to remove the source SageMaker notebook instance in order to stop adding charges for that resource. To delete the instance, run delete-notebook-instance command (OSX/Linux/UNIX) using the name of the source notebook instance as identifier (the command does not produce an output):
aws sagemaker delete-notebook-instance --region us-east-1 --notebook-instance-name cc-sagemaker-instance
07 Repeat steps no. 1 – 6 to enable data-at-rest encryption for other AWS SageMaker notebook instances available within the current region.
08 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat