SageMaker Data Encryption Disabled

  • Query id: 709e6da6-fa1f-44cc-8f17-7f25f96dadbe
  • Query name: SageMaker Data Encryption Disabled
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Description: "Basic NotebookInstance test update to a different instance type"
Resources:
  BasicNotebookInstance:
    Type: "AWS::SageMaker::NotebookInstance"
    Properties:
      InstanceType: "ml.t2.large"
      RoleArn: !GetAtt ExecutionRole.Arn
  BasicNotebookInstance2:
    Type: "AWS::SageMaker::NotebookInstance"
    Properties:
      InstanceType: "ml.t2.large"
      RoleArn: !GetAtt ExecutionRole.Arn
      KmsKeyId: 'some-kms-key'
  BasicNotebookInstance3:
    Type: "AWS::SageMaker::NotebookInstance"
    Properties:
      InstanceType: "ml.t2.large"
      RoleArn: !GetAtt ExecutionRole.Arn
      KmsKeyId : ""
  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "sagemaker.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        -
          PolicyName: "root"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action: "*"
                Resource: "*"
Outputs:
  BasicNotebookInstanceId:
    Value: !Ref BasicNotebookInstance
Positive test num. 2 - json file
{
  "Description": "Basic NotebookInstance test update to a different instance type",
  "Resources": {
    "BasicNotebookInstance2": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "RoleArn": "ExecutionRole.Arn",
        "KmsKeyId": "some-kms-key",
        "InstanceType": "ml.t2.large"
      }
    },
    "BasicNotebookInstance3": {
      "Properties": {
        "InstanceType": "ml.t2.large",
        "RoleArn": "ExecutionRole.Arn",
        "KmsKeyId": ""
      },
      "Type": "AWS::SageMaker::NotebookInstance"
    },
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "sagemaker.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
                }
              ]
            },
            "PolicyName": "root"
          }
        ]
      }
    },
    "BasicNotebookInstance": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "InstanceType": "ml.t2.large",
        "RoleArn": "ExecutionRole.Arn"
      }
    }
  },
  "Outputs": {
    "BasicNotebookInstanceId": {
      "Value": "BasicNotebookInstance"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Description: "Basic NotebookInstance test update to a different instance type"
Resources:
  BasicNotebookInstance:
    Type: "AWS::SageMaker::NotebookInstance"
    Properties:
      InstanceType: "ml.t2.large"
      RoleArn: !GetAtt ExecutionRole.Arn
      KmsKeyId: "Key"
  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "sagemaker.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        -
          PolicyName: "root"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action: "*"
                Resource: "*"
Outputs:
  BasicNotebookInstanceId:
    Value: !Ref BasicNotebookInstance
Negative test num. 2 - json file
{
  "Description": "Basic NotebookInstance test update to a different instance type",
  "Resources": {
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "sagemaker.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "BasicNotebookInstance": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "RoleArn": "ExecutionRole.Arn",
        "KmsKeyId": "Key",
        "InstanceType": "ml.t2.large"
      }
    }
  },
  "Outputs": {
    "BasicNotebookInstanceId": {
      "Value": "BasicNotebookInstance"
    }
  }
}