Amazon SageMaker is a managed machine learning service in a hosted production-ready environment. To train machine learning models, SageMaker instances can process potentially sensitive data, such as personal information that should not be stored unencrypted. In the event that adversaries physically access the storage media, they cannot decrypt encrypted data.
There is a risk if you answered yes to any of those questions.
It’s recommended to encrypt SageMaker notebook instances that contain sensitive information. Encryption and decryption are handled transparently by SageMaker, so no further modifications to the application are necessary.
For aws_cdk.aws_sagemaker.CfnNotebookInstance:
from aws_cdk import (
aws_sagemaker as sagemaker
)
class CfnSagemakerStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
sagemaker.CfnNotebookInstance(
self, "Sensitive",
instance_type="instanceType",
role_arn="roleArn"
) # Sensitive, no KMS key is set by default; thus, encryption is disabled
For aws_cdk.aws_sagemaker.CfnNotebookInstance:
from aws_cdk import (
aws_sagemaker as sagemaker,
aws_kms as kms
)
class CfnSagemakerStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
my_key = kms.Key(self, "Key")
sagemaker.CfnNotebookInstance(
self, "Compliant",
instance_type="instanceType",
role_arn="roleArn",
kms_key_id=my_key.key_id
)