Profile Applicability:
Level 1

Description:
 Amazon SageMaker Notebook instances provide a fully managed environment for data scientists to develop, train, and deploy machine learning models. Data encryption ensures that data stored on the notebook instance is protected both at rest and in transit. This is especially important when working with sensitive or regulated data. Enabling encryption for notebook instances protects the integrity and confidentiality of your data, helping to meet security and compliance requirements.

Rationale:
 Enabling data encryption for SageMaker notebook instances is critical for ensuring the protection of sensitive data both at rest and in transit. By encrypting data, organizations can prevent unauthorized access and ensure that any data stored within the notebook instance is securely protected. This is particularly important for compliance with privacy regulations like GDPR, HIPAA, and SOC 2.

Impact:
 Pros:

  • Protects sensitive data stored on the notebook instance.

  • Ensures compliance with security and regulatory requirements for data protection.

  • Helps prevent unauthorized access to data at rest and in transit.

Cons:

  • May introduce slight performance overhead due to encryption and decryption processes.

  • Requires the proper management of encryption keys (e.g., AWS KMS keys).

  • Increases complexity in setting up and managing the notebook instance with encryption.

Default Value:
 By default, data encryption is not enabled on SageMaker Notebook instances. It must be explicitly configured when creating or modifying the notebook instance to use either Amazon SageMaker-managed keys or customer-managed keys via AWS KMS (Key Management Service).

Pre-requisites:

  • AWS IAM permissions:
         sagemaker:CreateNotebookInstance
         sagemaker:DescribeNotebookInstance
         kms:DescribeKey
         kms:Encrypt

  • A properly configured AWS KMS key for managing encryption (if using customer-managed keys).

  • Access to Amazon SageMaker and permissions to modify notebook instance configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon SageMaker and go to Notebook Instances.

  3. Select a notebook instance from the list.

  4. In the Notebook Instance details, check the Encryption section.

  5. Verify if Encryption is enabled for the instance, either using Amazon SageMaker-managed keys or a custom AWS KMS key.

  6. If encryption is not enabled, modify the notebook instance by selecting an encryption option during creation or by updating the instance settings.

Using AWS CLI:

  1. List all SageMaker notebook instances:

    aws sagemaker list-notebook-instances --query "NotebookInstances[*].NotebookInstanceName"

  2. For each notebook instance, describe the instance to check if encryption is enabled:

    aws sagemaker describe-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME>

  3. Check the response for VolumeEncryptionKeyId or EncryptionConfig to verify if data encryption is enabled.

  4. If encryption is not enabled, configure the notebook instance to use encryption:

    aws sagemaker create-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME> --instance-type <INSTANCE_TYPE> --role-arn <IAM_ROLE> --volume-encryption-key-id <KMS_KEY_ID> --encryption-config "NotebookInstanceEncryptionOption=EncryptionEnabled,VolumeEncryptionEnabled=True"


Implementation Plan:

Using AWS Console:

  1. Navigate to the Amazon SageMaker Console and select Notebook Instances.

  2. Click Create notebook instance or select an existing notebook instance to modify.

  3. Under Encryption settings, enable data encryption by selecting either the default Amazon SageMaker-managed keys or specifying a custom KMS key.

  4. For volume encryption, ensure that the Volume encryption option is enabled, and a KMS key is selected.

  5. Complete the notebook instance creation or modification and ensure that encryption is applied.

  6. Verify that the notebook instance is using encryption by reviewing the Encryption section in the Notebook Instance details.

Using AWS CLI:

  1. When creating or modifying the notebook instance, include the --volume-encryption-key-id and --encryption-config parameters to enable encryption:

    aws sagemaker create-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME> --instance-type <INSTANCE_TYPE> --role-arn <IAM_ROLE> --volume-encryption-key-id <KMS_KEY_ID> --encryption-config "NotebookInstanceEncryptionOption=EncryptionEnabled,VolumeEncryptionEnabled=True"

  2. Verify the encryption settings:

    aws sagemaker describe-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME>

Backout Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon SageMaker and select Notebook instances.

  3. Select the Notebook instance that has encryption enabled.

  4. Click Edit and disable encryption or switch to another KMS key (e.g., default AWS-managed key).

  5. Save the changes and monitor the notebook instance to ensure it functions correctly.

Using AWS CLI:

  1. To disable encryption or revert to the default encryption settings, run:

    aws sagemaker update-notebook-instance \
--notebook-instance-name <NOTEBOOK_INSTANCE_NAME> \--encryption-kms-key-id null

  1. Verify that encryption has been disabled:

    aws sagemaker describe-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME>

  2. Monitor the notebook instance to ensure it continues to function correctly without encryption or with the updated encryption settings.

Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

3.1

Ensure that sensitive data is encrypted at rest and in transit, including on notebook instances in Amazon SageMaker.

7.1

8.1

Enable encryption on cloud services to ensure the confidentiality and integrity of sensitive data.