Description:
This policy ensures that all Amazon SageMaker Notebook instances have data encryption enabled. This helps to protect notebook instance data from unauthorized access.
Rationale:
Notebook instances are often used to store sensitive data, such as training data, model artifacts, and configuration files. By enabling data encryption, we can help to protect this data from unauthorized access.
Impact:
If data encryption is not enabled, notebook instance data could be accessed by unauthorized users. This could lead to data breaches, financial losses, and reputational damage.
Default Value:
By default, notebook instances are created without data encryption enabled. This is not a secure configuration.
Pre-Requisite:
To follow this policy, you will need to have access to the AWS Management Console and to the IAM console. You will also need to know the KMS key ID that you want to use for data encryption.
Remediation Steps:
- Go to the AWS Management Console and open the Amazon SageMaker console.
- Click on the "Notebook instances" tab.
- Select the notebook instance that you want to configure.
- Click on the "Encryption" tab.
- In the "Data encryption" section, select the "Enable data encryption" checkbox.
- Enter the KMS key ID that you want to use for data encryption.
- Click on the "Save" button.
Test Plan:
- To test that data encryption has been enabled, you can try to access the notebook instance data from outside the VPC. If you are unable to access the notebook instance data, then data encryption has been enabled correctly.
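As an added check that is not part of this policy text, the following script (constructed here; it assumes boto3 and an AWS credential with sagemaker:ListNotebookInstances and sagemaker:DescribeNotebookInstance permission) reads each notebook instance's KmsKeyId from DescribeNotebookInstance, which reports the encryption setting directly instead of inferring it from network access.

```python
"""Audit SageMaker notebook instances for encryption at rest (KmsKeyId).

Added example, not part of the policy text. A notebook instance whose ML
storage volume is encrypted with a customer managed KMS key returns that
key's ARN in ``KmsKeyId``; an absent or empty value means no customer managed
key was supplied when the instance was created.
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_notebook(description: dict) -> dict:
    """Turn one DescribeNotebookInstance response into a finding."""
    name = description.get("NotebookInstanceName", "<unknown>")
    kms_key_id = description.get("KmsKeyId")
    if kms_key_id:
        return {"name": name, "status": COMPLIANT, "kms_key_id": kms_key_id}
    return {"name": name, "status": NON_COMPLIANT, "kms_key_id": None}


def audit_notebook_instances(sagemaker_client) -> list:
    """Enumerate every notebook instance in the client's region and evaluate it.

    ``sagemaker_client`` is a boto3 SageMaker client, or any object exposing
    the same get_paginator("list_notebook_instances") and
    describe_notebook_instance calls (which lets a test inject a stub).
    """
    findings = []
    paginator = sagemaker_client.get_paginator("list_notebook_instances")
    for page in paginator.paginate():
        for summary in page.get("NotebookInstances", []):
            desc = sagemaker_client.describe_notebook_instance(
                NotebookInstanceName=summary["NotebookInstanceName"]
            )
            findings.append(evaluate_notebook(desc))
    return findings


def non_compliant_names(findings: list) -> list:
    """Names of instances that should be flagged for remediation."""
    return [f["name"] for f in findings if f["status"] == NON_COMPLIANT]


if __name__ == "__main__":
    import boto3  # only required when running against a real account

    for finding in audit_notebook_instances(boto3.client("sagemaker")):
        print(f"{finding['status']:14} {finding['name']}  key={finding['kms_key_id']}")
```

Run it in each region where notebook instances exist; any NON_COMPLIANT line names an instance the Remediation Steps apply to.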
Using AWS GUI:
- Go to the AWS Management Console and open the Amazon SageMaker console.
- Click on the "Notebook instances" tab.
- Select the notebook instance that you want to configure.
- Click on the "Encryption" tab.
- In the "Data encryption" section, select the "Enable data encryption" checkbox.
- Enter the KMS key ID that you want to use for data encryption.
- Click on the "Save" button.
Backout Plan:
- To back out of this policy, you can disable data encryption for the notebook instance.
- To do this, go to the AWS Management Console and open the Amazon SageMaker console.
- Click on the "Notebook instances" tab.
- Select the notebook instance that you want to configure.
- Click on the "Encryption" tab.
- In the "Data encryption" section, unselect the "Enable data encryption" checkbox.
- Click on the "Save" button.
Note:
- This policy does not apply to notebook instances that are running in a SageMaker Studio environment.
- For more information on enabling data encryption for Amazon SageMaker Notebook instances, please refer to the Amazon SageMaker documentation: https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html
Reference:
https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html