Description:
Amazon SageMaker is a fully managed machine learning service. With SageMaker, data scientists and developers can quickly and easily build and train machine learning models, and then directly deploy them into a production-ready hosted environment.
Rationale:
To satisfy the requirement that PHI be encrypted at rest, encryption of data stored with the instance running models with Amazon SageMaker is enabled using AWS Key Management Service (KMS) when setting up the endpoint (DescribeEndpointConfig:KmsKeyId).
Impact:
Amazon SageMaker uses KMS keys to encrypt the core dump data at rest using Amazon S3 server-side encryption. Encryption of data in transit is provided by SSL/TLS and is used when communicating both with the front-end interface of Amazon SageMaker (to the Notebook) and whenever Amazon SageMaker interacts with any other AWS service (for example, pulling data from Amazon S3).
Default Value:
If a KMS Key ID isn’t provided, the default Amazon S3 KMS Key for the role’s account will be utilized.
Audit:
1. Sign in to the AWS Management Console and navigate to the SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.
2. In the navigation panel, under Inference, choose Endpoints.
3. Select the SageMaker endpoint that you want to examine, then click on it to access the resource configuration details.
4. On the selected Endpoint configuration page, within the Endpoint Configuration Settings section, check the Encryption key attribute value.
5. If the Encryption key attribute does not have any value assigned, data-at-rest encryption is not enabled for the selected AWS SageMaker endpoint.
Via CLI:
aws sagemaker describe-endpoint --endpoint-name <value> --query 'EndpointConfigName'
aws sagemaker describe-endpoint-config --endpoint-config-name <value> --query 'KmsKeyId'
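The audit above, run over every endpoint in every region (SageMaker is regional), as an added example that is not part of the original control text. It assumes boto3 and credentials that allow sagemaker:ListEndpoints, sagemaker:DescribeEndpoint and sagemaker:DescribeEndpointConfig; the function names are hypothetical.

```python
"""Flag SageMaker endpoints whose endpoint configuration has no KmsKeyId."""
import sys


def unencrypted_endpoints(sm):
    """Return [(endpoint, endpoint_config)] for configs without a KmsKeyId.

    `sm` is a boto3 SageMaker client (or any object with the same methods).
    """
    findings = []
    for page in sm.get_paginator("list_endpoints").paginate():
        for ep in page["Endpoints"]:
            name = ep["EndpointName"]
            # KmsKeyId is reported by DescribeEndpointConfig, so first resolve
            # the configuration the endpoint currently points at.
            cfg_name = sm.describe_endpoint(EndpointName=name)["EndpointConfigName"]
            cfg = sm.describe_endpoint_config(EndpointConfigName=cfg_name)
            if not cfg.get("KmsKeyId"):  # key absent or empty
                findings.append((name, cfg_name))
    return findings


def audit_all_regions(session):
    """Run the check in each region; return {region: findings} for failures."""
    report = {}
    for region in session.get_available_regions("sagemaker"):
        try:
            client = session.client("sagemaker", region_name=region)
            found = unencrypted_endpoints(client)
        except Exception as exc:  # region not enabled, access denied, ...
            print(f"{region}: skipped ({exc})", file=sys.stderr)
            continue
        if found:
            report[region] = found
    return report


if __name__ == "__main__":
    import boto3  # imported here so the functions above work with a stub client

    result = audit_all_regions(boto3.Session())
    for region, items in sorted(result.items()):
        for endpoint, config in items:
            print(f"{region}\t{endpoint}\t{config}\tno KmsKeyId")
    sys.exit(1 if result else 0)
```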
Remediation:
Pre-Requisites:
Have the configuration of the existing endpoint copied somewhere else in case you wish to recreate it later.
Implementation steps:
1. Sign in to the AWS Management Console.
2. Go to the SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.
3. In the navigation panel, under Inference, choose Endpoints.
4. Select the SageMaker endpoint that you want to examine, then click on it to access the resource configuration details.
5. Scroll down to Endpoint Configuration Settings and click Change.
6. Scroll down to Change the Endpoint Configuration and choose to create a NEW Endpoint Configuration.
7. Give a name to the Endpoint configuration and choose the Encryption key. For AWS Managed Keys, enter a KMS key ARN. For customer-managed keys, choose one from the drop-down.
8. Add a model under Production variants.
9. Choose the same model used before from the available models and save.
10. Click Create endpoint configuration and then Update Endpoint.
11. Finally, click Update Endpoint for changes to propagate.
Via CLI:
Step 1: Create a new endpoint configuration with a KMS key.
aws sagemaker create-endpoint-config \
  --endpoint-config-name <value> \
  --production-variants <value> \
  --kms-key-id <value>
Step 2: Update the endpoint with the newly created endpoint configuration.
aws sagemaker update-endpoint \
  --endpoint-name <value> \
  --endpoint-config-name <value>
Backout Plan:
Follow the same steps as in the Implementation steps section, except that in step 6, choose to use an existing endpoint configuration on which encryption is disabled.
Note:
SageMaker is a regional service. Therefore, perform these steps in every region to make the environment compliant with the standards.
You must not delete an EndpointConfig that is in use by an endpoint that is live or while the UpdateEndpoint or CreateEndpoint operations are being performed on the endpoint. To update an endpoint, you must create a new EndpointConfig.