SageMaker EndPoint Config Should Specify KmsKeyId Attribute
- Query id: 44034eda-1c3f-486a-831d-e09a7dd94354
- Query name: SageMaker EndPoint Config Should Specify KmsKeyId Attribute
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- URL: Github
Description¶
KmsKeyId attribute should be defined
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Description: "Basic Hosting entities test. We need models to create endpoint configs."
Mappings:
RegionMap:
"us-west-2":
"NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
"us-east-2":
"NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
"us-east-1":
"NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
"eu-west-1":
"NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
"ap-northeast-1":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
"ap-northeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
"ap-southeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
"eu-central-1":
"NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
Resources:
Endpoint:
Type: "AWS::SageMaker::Endpoint"
Properties:
EndpointConfigName:
!GetAtt EndpointConfig.EndpointConfigName
EndpointConfig:
Type: "AWS::SageMaker::EndpointConfig"
Properties:
ProductionVariants:
- InitialInstanceCount: 1
InitialVariantWeight: 1.0
InstanceType: ml.t2.large
ModelName: !GetAtt Model.ModelName
VariantName: !GetAtt Model.ModelName
Model:
Type: "AWS::SageMaker::Model"
Properties:
PrimaryContainer:
Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"]
ExecutionRoleArn: !GetAtt ExecutionRole.Arn
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
EndpointId:
Value: !Ref Endpoint
EndpointName:
Value: !GetAtt Endpoint.EndpointName
Positive test num. 2 - json file
{
"Description": "Basic Hosting entities test. We need models to create endpoint configs.",
"Mappings": {
"RegionMap": {
"ap-northeast-1": {
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
},
"ap-northeast-2": {
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
},
"ap-southeast-2": {
"NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
},
"eu-central-1": {
"NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
},
"us-west-2": {
"NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
},
"us-east-2": {
"NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
},
"us-east-1": {
"NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
},
"eu-west-1": {
"NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
}
}
},
"Resources": {
"Endpoint": {
"Properties": {
"EndpointConfigName": "EndpointConfig.EndpointConfigName"
},
"Type": "AWS::SageMaker::Endpoint"
},
"EndpointConfig": {
"Type": "AWS::SageMaker::EndpointConfig",
"Properties": {
"ProductionVariants": [
{
"InitialInstanceCount": 1,
"InitialVariantWeight": 1,
"InstanceType": "ml.t2.large",
"ModelName": "Model.ModelName",
"VariantName": "Model.ModelName"
}
]
}
},
"Model": {
"Type": "AWS::SageMaker::Model",
"Properties": {
"PrimaryContainer": {
"Image": [
"RegionMap",
"AWS::Region",
"NullTransformer"
]
},
"ExecutionRoleArn": "ExecutionRole.Arn"
}
},
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
],
"Version": "2012-10-17"
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
}
},
"Outputs": {
"EndpointId": {
"Value": "Endpoint"
},
"EndpointName": {
"Value": "Endpoint.EndpointName"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Description: "Basic Hosting entities test. We need models to create endpoint configs."
Mappings:
RegionMap:
"us-west-2":
"NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
"us-east-2":
"NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
"us-east-1":
"NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
"eu-west-1":
"NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
"ap-northeast-1":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
"ap-northeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
"ap-southeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
"eu-central-1":
"NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
Resources:
Endpoint:
Type: "AWS::SageMaker::Endpoint"
Properties:
EndpointConfigName:
!GetAtt EndpointConfig.EndpointConfigName
EndpointConfig:
Type: "AWS::SageMaker::EndpointConfig"
Properties:
DataCaptureConfig: DataCaptureConfig
EndpointConfigName: String
KmsKeyId: String
ProductionVariants:
- InitialInstanceCount: 1
InitialVariantWeight: 1.0
InstanceType: ml.t2.large
ModelName: !GetAtt Model.ModelName
VariantName: !GetAtt Model.ModelName
Model:
Type: "AWS::SageMaker::Model"
Properties:
PrimaryContainer:
Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"]
ExecutionRoleArn: !GetAtt ExecutionRole.Arn
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
EndpointId:
Value: !Ref Endpoint
EndpointName:
Value: !GetAtt Endpoint.EndpointName
Negative test num. 2 - json file
{
"Description": "Basic Hosting entities test. We need models to create endpoint configs.",
"Mappings": {
"RegionMap": {
"eu-central-1": {
"NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
},
"us-west-2": {
"NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
},
"us-east-2": {
"NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
},
"us-east-1": {
"NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
},
"eu-west-1": {
"NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
},
"ap-northeast-1": {
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
},
"ap-northeast-2": {
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
},
"ap-southeast-2": {
"NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
}
}
},
"Resources": {
"Endpoint": {
"Type": "AWS::SageMaker::Endpoint",
"Properties": {
"EndpointConfigName": "EndpointConfig.EndpointConfigName"
}
},
"EndpointConfig": {
"Type": "AWS::SageMaker::EndpointConfig",
"Properties": {
"EndpointConfigName": "String",
"KmsKeyId": "String",
"ProductionVariants": [
{
"InitialInstanceCount": 1,
"InitialVariantWeight": 1,
"InstanceType": "ml.t2.large",
"ModelName": "Model.ModelName",
"VariantName": "Model.ModelName"
}
],
"DataCaptureConfig": "DataCaptureConfig"
}
},
"Model": {
"Type": "AWS::SageMaker::Model",
"Properties": {
"PrimaryContainer": {
"Image": [
"RegionMap",
"AWS::Region",
"NullTransformer"
]
},
"ExecutionRoleArn": "ExecutionRole.Arn"
}
},
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
],
"Version": "2012-10-17"
}
}
]
}
}
},
"Outputs": {
"EndpointName": {
"Value": "Endpoint.EndpointName"
},
"EndpointId": {
"Value": "Endpoint"
}
}
}