Sagemaker Notebook Instance Without KMS

  • Query id: f3674e0c-f6be-43fa-b71c-bf346d1aed99
  • Query name: Sagemaker Notebook Instance Without KMS
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_sagemaker_notebook_instance" "ni" {
  name          = "my-notebook-instance"
  role_arn      = aws_iam_role.role.arn
  instance_type = "ml.t2.medium"

  tags = {
    Name = "foo"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_sagemaker_notebook_instance" "ni" {
  name          = "my-notebook-instance"
  role_arn      = aws_iam_role.role.arn
  instance_type = "ml.t2.medium"
  kms_key_id    = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

  tags = {
    Name = "foo"
  }
}
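The check above, reimplemented as a small stand-alone scanner (an added example, not the KICS query itself): it walks the `aws_sagemaker_notebook_instance` blocks of a .tf file and reports those with no usable `kms_key_id`. It uses a hand-rolled brace-matching scanner rather than a real HCL parser, and the sample input is constructed from the two blocks on this page plus a third with an empty key, an edge case the missing-attribute check alone would not catch.

```python
import re

# Constructed sample .tf text: this page's vulnerable and fixed blocks, plus one with kms_key_id = "".
SAMPLE_TF = '''
resource "aws_sagemaker_notebook_instance" "vulnerable" {
  role_arn      = aws_iam_role.role.arn
  instance_type = "ml.t2.medium"
  tags = {
    Name = "foo"
  }
}
resource "aws_sagemaker_notebook_instance" "fixed" {
  instance_type = "ml.t2.medium"
  kms_key_id    = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
resource "aws_sagemaker_notebook_instance" "empty_key" {
  instance_type = "ml.t2.medium"
  kms_key_id    = ""
}
'''

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')

def extract_blocks(hcl):
    """Yield (type, name, body) per resource block, brace-matched so that
    nested blocks such as tags = { ... } stay inside the body."""
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]

def top_level_attrs(body):
    """Map attribute name -> raw value for attributes at depth 0 of the body."""
    attrs, depth = {}, 0
    for line in body.splitlines():
        stripped = line.strip()
        if depth == 0 and (m := ATTR_RE.match(stripped)):
            attrs[m.group(1)] = m.group(2).strip()
        depth += stripped.count("{") - stripped.count("}")
    return attrs

def find_unencrypted_notebooks(hcl):
    """Names of notebook instances whose kms_key_id is absent or an empty string."""
    return [name for rtype, name, body in extract_blocks(hcl)
            if rtype == "aws_sagemaker_notebook_instance"
            and top_level_attrs(body).get("kms_key_id", "").strip('"') == ""]
```

Running `find_unencrypted_notebooks(SAMPLE_TF)` flags `vulnerable` and `empty_key` and passes `fixed`.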