Description:
This policy ensures that all Amazon SageMaker training jobs have KMS encryption enabled for both the storage volume and the output. This helps to protect the data that is stored on the training instance and the output of the training job.
Rationale:
By default, Amazon SageMaker training jobs do not have KMS encryption enabled for the storage volume and the output. This means that the data stored on the training instance and the output of the training job are not encrypted. This could allow unauthorized users to access the data. Enabling KMS encryption helps to protect the data from this risk.
Impact:
If this policy is not followed, the data that is stored on the training instance and the output of the training job could be accessed by unauthorized users. This could lead to the disclosure of sensitive information, such as training data or model parameters.
Default Value:
AWS recommends that all Amazon SageMaker Training jobs have volume and output with KMS encryption enabled.
Pre-Requisite:
To follow this policy, you will need to have access to the Amazon SageMaker console and a KMS key.
Remediation Steps:
- In the Amazon SageMaker console, go to the Training jobs page.
- Click on the name of the training job that you want to configure.
- In the Advanced section, select the Enable encryption for training data checkbox.
- In the Output encryption section, select the KMS encryption option.
- In the KMS key ID field, enter the ID of the KMS key that you want to use for encryption.
- Click on the Save button.
Test Plan:
- To verify that the training job has volume and output with KMS encryption enabled, go to the Advanced section of the training job's configuration page.
- The Enable encryption for training data checkbox should be selected.
- The Output encryption section should show that KMS encryption is enabled.
- The KMS key ID field should show the ID of the KMS key that you used for encryption.
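The same verification can be scripted across every training job in an account. This is an added example, not part of the original policy: it assumes the `ResourceConfig.VolumeKmsKeyId` and `OutputDataConfig.KmsKeyId` fields of the SageMaker DescribeTrainingJob response, and the function names and sample responses are constructed for illustration.

```python
"""Audit SageMaker training jobs for KMS encryption on volume and output."""


def check_training_job(desc):
    """Return a list of findings for one DescribeTrainingJob response."""
    findings = []
    if not desc.get("ResourceConfig", {}).get("VolumeKmsKeyId"):
        findings.append("volume: no VolumeKmsKeyId in ResourceConfig")
    if not desc.get("OutputDataConfig", {}).get("KmsKeyId"):
        findings.append("output: no KmsKeyId in OutputDataConfig")
    return findings


def audit_training_jobs(client):
    """Map each non-compliant training job name to its findings.

    `client` is a boto3 SageMaker client, e.g. boto3.client("sagemaker").
    """
    report = {}
    paginator = client.get_paginator("list_training_jobs")
    for page in paginator.paginate():
        for summary in page["TrainingJobSummaries"]:
            name = summary["TrainingJobName"]
            desc = client.describe_training_job(TrainingJobName=name)
            findings = check_training_job(desc)
            if findings:
                report[name] = findings
    return report


# Constructed sample responses, trimmed to the fields the check reads.
KEY = "arn:aws:kms:us-east-1:123456789012:key/12345678-9012-3456-7890-123456789012"
SAMPLE_JOBS = {
    "encrypted-job": {
        "ResourceConfig": {"InstanceType": "ml.m5.xlarge", "VolumeKmsKeyId": KEY},
        "OutputDataConfig": {"S3OutputPath": "s3://example-bucket/out", "KmsKeyId": KEY},
    },
    "output-only-job": {
        "ResourceConfig": {"InstanceType": "ml.m5.xlarge"},
        "OutputDataConfig": {"S3OutputPath": "s3://example-bucket/out", "KmsKeyId": KEY},
    },
    "plain-job": {
        "ResourceConfig": {"InstanceType": "ml.m5.xlarge"},
        "OutputDataConfig": {"S3OutputPath": "s3://example-bucket/out"},
    },
}

if __name__ == "__main__":
    for job_name, job_desc in SAMPLE_JOBS.items():
        print(job_name, check_training_job(job_desc) or "compliant")
```

Instance types with local NVMe storage do not accept a `VolumeKmsKeyId`, so a volume finding on such a job needs a documented exception rather than a key.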
Using AWS GUI:
- Go to the Amazon SageMaker console.
- Click on the Training jobs page.
- Click on the name of the training job that you want to configure.
- In the Advanced section, select the Enable encryption for training data checkbox.
- In the Output encryption section, select the KMS encryption option.
- In the KMS key ID field, enter the ID of the KMS key that you want to use for encryption.
- Click on the Save button.
Using AWS CLI:
- Import the AWS SDK for Python (boto3).
- Get the SageMaker client.
- Get the name of the training job.
- Enable volume and output with KMS encryption for the training job.
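```python
# Import the AWS SDK for Python
import boto3

# Get the SageMaker client
sagemaker = boto3.client('sagemaker')

# Get the name of the training job
training_job_name = 'my-training-job'
kms_key_id = 'arn:aws:kms:us-east-1:123456789012:key/12345678-9012-3456-7890-123456789012'

# Enable volume and output with KMS encryption for the training job.
# update_training_job does not accept encryption parameters: the KMS keys are
# set when a job is created, so re-create the job from its existing
# configuration with the key applied to the volume and the output.
job = sagemaker.describe_training_job(TrainingJobName=training_job_name)
response = sagemaker.create_training_job(
    TrainingJobName=training_job_name + '-kms',
    AlgorithmSpecification=job['AlgorithmSpecification'],
    RoleArn=job['RoleArn'],
    HyperParameters=job.get('HyperParameters', {}),
    InputDataConfig=job['InputDataConfig'],
    OutputDataConfig={**job['OutputDataConfig'], 'KmsKeyId': kms_key_id},
    ResourceConfig={**job['ResourceConfig'], 'VolumeKmsKeyId': kms_key_id},
    StoppingCondition=job['StoppingCondition'],
)

# Print the response
print(response)
```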
Implementation Plan:
The implementation plan for this policy is to follow the remediation steps outlined above. This can be done manually or by using the AWS CLI.
Backout Plan:
The backout plan for this policy is to revoke the changes that were made to the training job's configuration. This can be done by following the steps outlined in the Test Plan section.