Profile Applicability:
 Level 2

Description:
 Amazon SageMaker provides fully managed machine learning services for building, training, and deploying models. Intercontainer encryption ensures that data transmitted between containers during the training job is encrypted, protecting sensitive data in transit. By enabling intercontainer encryption, you can ensure that any communications between containers are secured, reducing the risk of data exposure or interception.

Rationale:
 Enabling intercontainer encryption for SageMaker training jobs ensures that data transferred between containers during training is encrypted in transit, improving the overall security of machine learning workloads. This is especially crucial when dealing with sensitive data or when training jobs involve multiple containers communicating with each other.

Impact:
 Pros:

  • Protects sensitive data during training by encrypting communication between containers.

  • Helps comply with data protection and privacy regulations.

  • Provides an additional security layer in multi-container training jobs.

 Cons:

  • Slightly increases overhead in terms of performance due to encryption and decryption processes.

  • May require additional configuration in terms of IAM roles and encryption keys.

Default Value:
 By default, Amazon SageMaker does not have intercontainer encryption enabled. It must be manually configured when creating the training job.

Pre-requisites:

  • AWS IAM permissions:

    sagemaker:CreateTrainingJob
    sagemaker:DescribeTrainingJob

  • Amazon SageMaker environment with an active training job.

  • Encryption key in AWS KMS (Key Management Service), if needed.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to SageMaker and review the list of training jobs.

  3. Select the training job that you want to check for intercontainer encryption.

  4. Under the Job details tab, locate the Encryption section.

  5. Verify if Intercontainer encryption is enabled.

  6. If intercontainer encryption is not enabled, modify the job by selecting a KMS key for encryption.

Using AWS CLI:

List the training jobs:

aws sagemaker list-training-jobs --query "TrainingJobSummaries[*].TrainingJobName"


For each training job, check if intercontainer encryption is enabled:

aws sagemaker describe-training-job --training-job-name <TRAINING_JOB_NAME> --query "EnableInterContainerTrafficEncryption"


If encryption is not enabled, configure the training job to use intercontainer encryption by running:

aws sagemaker create-training-job --training-job-name <TRAINING_JOB_NAME> --role-arn <IAM_ROLE> --algorithm-specification TrainingImage=<IMAGE_URL>,TrainingInputMode=File --input-data-config <INPUT_DATA_CONFIG> --output-data-config <OUTPUT_DATA_CONFIG> --resource-config <RESOURCE_CONFIG> --stopping-condition <STOPPING_CONDITION> --enable-inter-container-traffic-encryption
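The CLI check above, automated across all training jobs with boto3. This is an added example, not part of the original benchmark text: it reads the EnableInterContainerTrafficEncryption field of each DescribeTrainingJob response and lists the jobs that fail the control. The SAMPLE records are constructed, listing live jobs additionally needs sagemaker:ListTrainingJobs, and ordering multi-instance jobs first is an assumption of this example.

```python
"""Audit DescribeTrainingJob records for inter-container traffic encryption."""

def instance_count(desc):
    """Total training instances, covering plain and InstanceGroups clusters."""
    rc = desc.get("ResourceConfig", {})
    groups = rc.get("InstanceGroups", [])
    return rc.get("InstanceCount") or sum(g.get("InstanceCount", 0) for g in groups)

def audit_job(desc):
    """Return a finding dict for one DescribeTrainingJob response."""
    # A missing field is treated as disabled.
    encrypted = bool(desc.get("EnableInterContainerTrafficEncryption", False))
    nodes = instance_count(desc)
    return {
        "job": desc["TrainingJobName"],
        "status": "PASS" if encrypted else "FAIL",
        "instances": nodes,
        # Assumption of this example: multi-instance jobs are the ones that
        # actually exchange data between containers, so they are triaged first.
        "distributed": nodes > 1,
    }

def audit(descriptions):
    """Failing jobs only, distributed ones first, then by name."""
    failed = [f for f in map(audit_job, descriptions) if f["status"] == "FAIL"]
    return sorted(failed, key=lambda f: (not f["distributed"], f["job"]))

def fetch_descriptions(region=None):
    """Live input: yields one DescribeTrainingJob response per training job."""
    import boto3  # imported here so the audit logic above runs offline
    sm = boto3.client("sagemaker", region_name=region)
    for page in sm.get_paginator("list_training_jobs").paginate():
        for summary in page["TrainingJobSummaries"]:
            yield sm.describe_training_job(TrainingJobName=summary["TrainingJobName"])

# Constructed sample records (trimmed to the fields the audit reads).
SAMPLE = [
    {"TrainingJobName": "single-enc", "EnableInterContainerTrafficEncryption": True,
     "ResourceConfig": {"InstanceCount": 1}},
    {"TrainingJobName": "single-plain", "EnableInterContainerTrafficEncryption": False,
     "ResourceConfig": {"InstanceCount": 1}},
    {"TrainingJobName": "dist-plain", "EnableInterContainerTrafficEncryption": False,
     "ResourceConfig": {"InstanceCount": 4}},
    {"TrainingJobName": "groups-plain",
     "ResourceConfig": {"InstanceGroups": [{"InstanceCount": 2}, {"InstanceCount": 1}]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Against a live account, call audit(fetch_descriptions()) with credentials that hold the list and describe permissions.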


Implementation Plan:

Using AWS Console:

  1. Navigate to Amazon SageMaker and select Create Training Job.

  2. Under Encryption Configurations, ensure Intercontainer Encryption is enabled.

  3. Select the encryption key from AWS KMS or create a new one.

  4. Continue with the setup and create the training job.

  5. Monitor the training job to ensure that intercontainer encryption is active and data is securely transmitted.

Using AWS CLI:

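Ensure that the create-training-job command is run with the --enable-inter-container-traffic-encryption flag:

aws sagemaker create-training-job --training-job-name <TRAINING_JOB_NAME> --role-arn <IAM_ROLE> --algorithm-specification TrainingImage=<IMAGE_URL>,TrainingInputMode=File --input-data-config <INPUT_DATA_CONFIG> --output-data-config <OUTPUT_DATA_CONFIG> --resource-config <RESOURCE_CONFIG> --stopping-condition <STOPPING_CONDITION> --enable-inter-container-traffic-encryption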


Verify that encryption is enabled by running:

aws sagemaker describe-training-job --training-job-name <TRAINING_JOB_NAME>


Backout Plan: 
If enabling intercontainer encryption causes issues:

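  1. Identify the affected training job and review the encryption configuration.

  2. Disable intercontainer encryption by running the command below. The setting is fixed when a training job is created and update-training-job cannot change it, so the job is re-created under a new name with the flag negated:

aws sagemaker create-training-job --training-job-name <NEW_TRAINING_JOB_NAME> --role-arn <IAM_ROLE> --algorithm-specification TrainingImage=<IMAGE_URL>,TrainingInputMode=File --input-data-config <INPUT_DATA_CONFIG> --output-data-config <OUTPUT_DATA_CONFIG> --resource-config <RESOURCE_CONFIG> --stopping-condition <STOPPING_CONDITION> --no-enable-inter-container-traffic-encryption

  3. Verify that data is no longer encrypted during intercontainer communication and troubleshoot any issues related to encryption configuration or IAM permissions.

  4. Document the changes and backout process for auditing purposes.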

Reference:

CIS Controls:

| Version | Control ID | Control Description |
|---------|------------|---------------------|
| 7.1 | 3.1 | Ensure encryption is enabled for sensitive data in transit and at rest, including for containerized environments like Amazon SageMaker. |
| 7.1 | 8.1 | Enable encryption for all cloud service communications, especially for sensitive data like machine learning training data. |