Profile Applicability:
• Level 1

Description:
Amazon SageMaker Training jobs allow users to run machine learning model training using one or more Docker containers. Intercontainer encryption protects data transmitted between containers during distributed training by encrypting the communication channel. Enabling intercontainer encryption reduces the risk of data interception or tampering during training.

Rationale:
Without intercontainer encryption, data exchanged between containers on different hosts or network segments might be vulnerable to interception by unauthorized parties. Enabling this encryption ensures confidentiality and integrity of training data in transit, which is critical for compliance with security best practices and regulations involving sensitive data.

Impact:
Pros:

  • Protects training data confidentiality during distributed training.

  • Helps meet regulatory and security compliance requirements.

  • Prevents potential data leakage and man-in-the-middle attacks between containers.

Cons:

  • May introduce slight performance overhead due to encryption processing.

  • Requires explicit enabling; default behavior might be unencrypted.

Default Value:
Intercontainer encryption is disabled by default for SageMaker Training jobs.

Pre-requisites:

  • Appropriate IAM permissions to view and modify SageMaker training job configurations.

  • Awareness of distributed training setup and intercontainer communication.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to SageMaker > Training jobs.

  3. Select an existing training job or create a new one.

  4. Check the training job configuration for intercontainer encryption settings (e.g., EnableInterContainerTrafficEncryption).

  5. Verify if intercontainer encryption is enabled (true).

Using AWS CLI:

  1. List training jobs:
    aws sagemaker list-training-jobs

  2. Describe a specific training job to check encryption status:
    aws sagemaker describe-training-job --training-job-name <job-name>

  3. Look for the EnableInterContainerTrafficEncryption parameter in the output. If it is set to true, intercontainer encryption is enabled.


Implementation Plan:

Using AWS Console:

  1. While creating or editing a SageMaker training job, go to the “Advanced configuration” section.

  2. Enable the option Encrypt inter-container traffic or check the box for intercontainer encryption.

  3. Save and launch the training job.

Using AWS CLI:

  1. Prepare a JSON configuration file for the training job.

  2. Add or ensure the following parameter is set:
    "EnableInterContainerTrafficEncryption": true

  3. Create or update the training job with this configuration, e.g.:
    aws sagemaker create-training-job --cli-input-json file://training-job-config.json

Backout Plan:

Using AWS Console:

  1. Edit the training job configuration.

  2. Disable the intercontainer encryption option.

  3. Save changes or terminate the job and recreate without encryption.

Using AWS CLI:

  1. Update or recreate the training job configuration file with:
    "EnableInterContainerTrafficEncryption": false

  2. Use the CLI to create or update the job accordingly.


References:

  • AWS SageMaker API Documentation: TrainingJob — EnableInterContainerTrafficEncryption parameter

  • AWS SageMaker User Guide: Securing inter-container traffic

  • CIS AWS Foundations Benchmark (general encryption best practices)