Ensure SageMaker Endpoint is encrypted

ID

sagemaker_endpoint_encryption

Severity

high

Vendor

AWS

Resource

Amazon Sagemaker Endpoints

Tags

reachable

Description

Ensure Amazon SageMaker endpoint configurations specify a KMS key (kms_key_arn). SageMaker uses that key to encrypt data on the storage volume attached to the ML compute instances that host the endpoint, so model artifacts and any data the container writes to disk are protected with a customer-managed key. Across SageMaker, KMS keys secure the following resources: storage volumes, processing jobs, training jobs, hyperparameter tuning jobs, batch transform jobs and endpoints.

Examples

Buildtime

Terraform

resource "aws_sagemaker_endpoint_configuration" "test" {
    name = "my-endpoint-config"
    (1)
    production_variants {
        variant_name           = "variant-1"
        model_name             = aws_sagemaker_model.m.name
        initial_instance_count = 1
        instance_type          = "ml.t2.medium"
    }
}
1 No kms_key_arn is set, so the storage volume attached to the endpoint's ML compute instance is not encrypted with a customer-managed KMS key.

Mitigation / Fix

Buildtime

Terraform

resource "aws_sagemaker_endpoint_configuration" "test" {
    name        = "my-endpoint-config"
    kms_key_arn = aws_kms_key.value.arn (1)
    production_variants {
        variant_name           = "variant-1"
        model_name             = aws_sagemaker_model.m.name
        initial_instance_count = 1
        instance_type          = "ml.t2.medium"
    }
}
1 Ensure a KMS key is set for encryption. The key's policy must allow the SageMaker execution role to use it, or endpoint creation fails. Instance types that ship with local NVMe storage reject a KMS key in the endpoint configuration; their local volumes are encrypted by the instance hardware instead.
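The rule above can be evaluated against a Terraform plan before apply. The following is an added example for this page, not Checkov's or Prisma Cloud's own implementation: it reads the JSON that terraform show -json plan.out emits, flags every aws_sagemaker_endpoint_configuration being created or updated without a kms_key_arn, and handles the case a naive check gets wrong: when the key is created in the same plan (as in the fix above), its ARN is "known after apply" and appears under after_unknown rather than after, which must count as set. The plan JSON field names are Terraform's; the sample plan is constructed, not real output.

```python
"""Plan-time check for sagemaker_endpoint_encryption over terraform show -json output.

Added example for this policy page; not the policy engine's own code. Field names
(resource_changes, change.actions, change.after, change.after_unknown) are the
ones Terraform writes into plan JSON.
"""
import json
import sys

RESOURCE_TYPE = "aws_sagemaker_endpoint_configuration"
ATTRIBUTE = "kms_key_arn"


def endpoint_config_has_kms_key(change: dict) -> bool:
    """True when the planned endpoint configuration sets kms_key_arn.

    The ARN is either a literal in `after`, or, when it references a KMS key
    created in the same apply, reported as unknown in `after_unknown`.
    Treating the unknown case as unset would flag every plan that creates
    its own key, i.e. exactly the compliant pattern shown in the fix above.
    """
    after = change.get("after") or {}
    after_unknown = change.get("after_unknown") or {}
    if after.get(ATTRIBUTE):  # literal, non-empty ARN
        return True
    return after_unknown.get(ATTRIBUTE) is True  # "known after apply"


def find_unencrypted_endpoint_configs(plan: dict) -> list:
    """Return addresses of endpoint configs planned for create/update without a key."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change") or {}
        # Resources being destroyed or left untouched carry no new config to judge.
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        if not endpoint_config_has_kms_key(change):
            findings.append(rc["address"])
    return findings


def check_plan_file(path: str) -> list:
    """Load a plan JSON file and return the findings (empty list means compliant)."""
    with open(path, encoding="utf-8") as fh:
        return find_unencrypted_endpoint_configs(json.load(fh))


# Constructed sample plan, trimmed to the fields the check reads; not real output.
SAMPLE_PLAN = {
    "resource_changes": [
        {   # the page's failing example: no kms_key_arn at all
            "address": "aws_sagemaker_endpoint_configuration.plaintext",
            "type": RESOURCE_TYPE,
            "change": {"actions": ["create"],
                       "after": {"name": "my-endpoint-config", "kms_key_arn": None},
                       "after_unknown": {"arn": True, "id": True}},
        },
        {   # literal ARN of a pre-existing key (constructed, not a real key)
            "address": "aws_sagemaker_endpoint_configuration.literal_key",
            "type": RESOURCE_TYPE,
            "change": {"actions": ["create"],
                       "after": {"name": "cfg-b",
                                 "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/"
                                                "11111111-2222-3333-4444-555555555555"},
                       "after_unknown": {"arn": True, "id": True}},
        },
        {   # key created in the same plan: ARN unknown until apply, still compliant
            "address": "aws_sagemaker_endpoint_configuration.key_from_plan",
            "type": RESOURCE_TYPE,
            "change": {"actions": ["create"],
                       "after": {"name": "cfg-c"},
                       "after_unknown": {"arn": True, "id": True, "kms_key_arn": True}},
        },
        {   # being destroyed: not evaluated even though it has no key
            "address": "aws_sagemaker_endpoint_configuration.retired",
            "type": RESOURCE_TYPE,
            "change": {"actions": ["delete"], "after": None, "after_unknown": {}},
        },
        {   # unrelated resource type is ignored
            "address": "aws_sagemaker_model.m",
            "type": "aws_sagemaker_model",
            "change": {"actions": ["create"], "after": {"name": "m"}, "after_unknown": {}},
        },
    ]
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        plan_findings = check_plan_file(sys.argv[1])
    else:
        plan_findings = find_unencrypted_endpoint_configs(SAMPLE_PLAN)
    for address in plan_findings:
        print(f"FAILED sagemaker_endpoint_encryption: {address} sets no kms_key_arn")
    sys.exit(1 if plan_findings else 0)
```

Run it as python check.py plan.json in CI after terraform plan -out plan.out and terraform show -json plan.out > plan.json; a non-zero exit blocks the apply. Checking the plan rather than the .tf source means values passed through variables and modules are resolved before the rule is applied.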