Description:

Amazon SageMaker is a fully managed machine learning service. With SageMaker, data scientists and developers can quickly and easily build and train machine learning models, and then directly deploy them into a production-ready hosted environment.


Rationale:

To satisfy the requirement that PHI be encrypted at rest, enable encryption of the data stored on the instances that run models with Amazon SageMaker by specifying an AWS Key Management Service (KMS) key when setting up the endpoint (DescribeEndpointConfig:KmsKeyID).


Impact:

Amazon SageMaker uses KMS keys to encrypt the core dump data at rest using Amazon S3 server-side encryption.  Encryption of data in transit is provided by SSL/TLS and is used when communicating both with the front-end interface of Amazon SageMaker (to the Notebook) and whenever Amazon SageMaker interacts with any other AWS service (for example, pulling data from Amazon S3).


Default Value:

If a KMS Key ID isn’t provided, the default Amazon S3 KMS Key for the role’s account will be utilized.


Audit:

  1. Sign in to the AWS Management Console and navigate to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.

  2. In the navigation panel, under Inference, choose Endpoint.

  3. Select the SageMaker endpoint that you want to examine, then click on it to access the resource configuration details.

  4. On the selected Endpoint configuration page, within Endpoint Configuration Settings section, check the Encryption key attribute value.

  5. If the Encryption key attribute does not have any value assigned, data-at-rest encryption is not enabled for the selected AWS SageMaker endpoint.


Via CLI:

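The KmsKeyId attribute is returned by DescribeEndpointConfig, not DescribeEndpoint, so look up the endpoint's configuration name first and then query that configuration:

aws sagemaker describe-endpoint
    --endpoint-name <value>
    --query 'EndpointConfigName'

aws sagemaker describe-endpoint-config
    --endpoint-config-name <value>
    --query 'KmsKeyId'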
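
The audit above, scripted with boto3 as an added example (not part of the original benchmark text). It goes beyond the single-endpoint check by covering every endpoint and, per the Note, every region; StubClient and its sample data are constructed so the check runs offline.

```python
def unencrypted_endpoints(client):
    """Return (endpoint, endpoint_config) pairs whose config has no KmsKeyId."""
    findings = []
    for page in client.get_paginator("list_endpoints").paginate():
        for ep in page["Endpoints"]:
            name = ep["EndpointName"]
            # KmsKeyId is recorded on the endpoint configuration, not the endpoint.
            cfg_name = client.describe_endpoint(EndpointName=name)["EndpointConfigName"]
            cfg = client.describe_endpoint_config(EndpointConfigName=cfg_name)
            if not cfg.get("KmsKeyId"):  # absent or empty means no key was set
                findings.append((name, cfg_name))
    return findings


def audit_all_regions():
    """Run the check in each SageMaker region; needs boto3 and AWS credentials."""
    import boto3  # lazy import so the offline demo below works without it
    from botocore.exceptions import ClientError
    session, report = boto3.session.Session(), {}
    for region in session.get_available_regions("sagemaker"):
        try:
            client = session.client("sagemaker", region_name=region)
            report[region] = unencrypted_endpoints(client)
        except ClientError as err:  # e.g. region not enabled for this account
            report[region] = "error: " + err.response["Error"]["Code"]
    return report


class StubClient:
    """Constructed offline stand-in for boto3.client('sagemaker')."""
    def __init__(self, endpoints, configs):
        self._eps, self._cfgs = endpoints, configs
    def get_paginator(self, _operation):
        return self
    def paginate(self):
        yield {"Endpoints": [{"EndpointName": n} for n in self._eps]}
    def describe_endpoint(self, EndpointName):
        return {"EndpointConfigName": self._eps[EndpointName]}
    def describe_endpoint_config(self, EndpointConfigName):
        return self._cfgs[EndpointConfigName]

# Constructed sample data: one endpoint with a key, one without.
SAMPLE = StubClient(
    {"phi-scoring": "phi-scoring-cfg-v2", "churn-model": "churn-cfg-v1"},
    {"phi-scoring-cfg-v2": {"KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
     "churn-cfg-v1": {}},
)

if __name__ == "__main__":
    print(unencrypted_endpoints(SAMPLE))
```

A region reported as an error has not been audited and should be followed up rather than treated as compliant.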


Remediation:

Pre-Requisites:

  • Have the configuration of the existing endpoint copied somewhere else in case you wish to recreate it later.


Implementation steps:

  1. Sign in to the AWS Management Console.

  2. Go to the SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.

  3. In the navigation panel, under Inference, choose Endpoints.

  4. Select the SageMaker endpoint that you want to examine, then click on it to access the resource configuration details.

  5. Scroll down to Endpoint Configuration Settings and click Change.

  6. Scroll down to Change the Endpoint Configuration and choose to create a NEW Endpoint Configuration.

  7. Give a name to the Endpoint configuration and choose the Encryption key. For AWS Managed Keys, enter a KMS key ARN. For customer-managed keys, choose one from the drop-down.

  8. Add a model under Production variants.

  9. Choose the same model used before from the available models and save.

  10. Click Create endpoint configuration and then Update Endpoint.

  11. Finally, click Update Endpoint for changes to propagate.


Via CLI:

Step 1: Create a new endpoint configuration, passing --kms-key-id with the encryption key.

aws sagemaker create-endpoint-config
    --endpoint-config-name <value>
    --production-variants <value>
    [--data-capture-config <value>]
    [--tags <value>]
    [--kms-key-id <value>]
    [--async-inference-config <value>]
    [--cli-input-json <value>]
    [--generate-cli-skeleton <value>]

Step 2: Update the endpoint with the newly created endpoint configuration.

aws sagemaker update-endpoint
    --endpoint-name <value>
    --endpoint-config-name <value>
    [--retain-all-variant-properties | --no-retain-all-variant-properties]
    [--exclude-retained-variant-properties <value>]
    [--deployment-config <value>]
    [--cli-input-json <value>]
    [--generate-cli-skeleton <value>]


Backout Plan:

Follow the same steps as in the Implementation steps section, except that in step 6, choose to use an existing endpoint configuration on which encryption is disabled.


Note:

  • SageMaker is a regional service. Therefore, perform these steps in every region to make the environment compliant with the standards.

  • You must not delete an EndpointConfig that is in use by an endpoint that is live or while the UpdateEndpoint or CreateEndpoint operations are being performed on the endpoint. To update an endpoint, you must create a new EndpointConfig.


References:

https://docs.aws.amazon.com/cli/latest/reference/sagemaker/