SageMaker Data Encryption Disabled
- Query id: 709e6da6-fa1f-44cc-8f17-7f25f96dadbe
- Query name: SageMaker Data Encryption Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: 312
- URL: Github
Description¶
Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Description: "Basic NotebookInstance test update to a different instance type"
Resources:
BasicNotebookInstance:
Type: "AWS::SageMaker::NotebookInstance"
Properties:
InstanceType: "ml.t2.large"
RoleArn: !GetAtt ExecutionRole.Arn
BasicNotebookInstance2:
Type: "AWS::SageMaker::NotebookInstance"
Properties:
InstanceType: "ml.t2.large"
RoleArn: !GetAtt ExecutionRole.Arn
KmsKeyId: 'some-kms-key'
BasicNotebookInstance3:
Type: "AWS::SageMaker::NotebookInstance"
Properties:
InstanceType: "ml.t2.large"
RoleArn: !GetAtt ExecutionRole.Arn
KmsKeyId : ""
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
BasicNotebookInstanceId:
Value: !Ref BasicNotebookInstance
Positive test num. 2 - json file
{
"Description": "Basic NotebookInstance test update to a different instance type",
"Resources": {
"BasicNotebookInstance2": {
"Type": "AWS::SageMaker::NotebookInstance",
"Properties": {
"RoleArn": "ExecutionRole.Arn",
"KmsKeyId": "some-kms-key",
"InstanceType": "ml.t2.large"
}
},
"BasicNotebookInstance3": {
"Properties": {
"InstanceType": "ml.t2.large",
"RoleArn": "ExecutionRole.Arn",
"KmsKeyId": ""
},
"Type": "AWS::SageMaker::NotebookInstance"
},
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
},
"PolicyName": "root"
}
]
}
},
"BasicNotebookInstance": {
"Type": "AWS::SageMaker::NotebookInstance",
"Properties": {
"InstanceType": "ml.t2.large",
"RoleArn": "ExecutionRole.Arn"
}
}
},
"Outputs": {
"BasicNotebookInstanceId": {
"Value": "BasicNotebookInstance"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Description: "Basic NotebookInstance test update to a different instance type"
Resources:
BasicNotebookInstance:
Type: "AWS::SageMaker::NotebookInstance"
Properties:
InstanceType: "ml.t2.large"
RoleArn: !GetAtt ExecutionRole.Arn
KmsKeyId: "Key"
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
BasicNotebookInstanceId:
Value: !Ref BasicNotebookInstance
Negative test num. 2 - json file
{
"Description": "Basic NotebookInstance test update to a different instance type",
"Resources": {
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"BasicNotebookInstance": {
"Type": "AWS::SageMaker::NotebookInstance",
"Properties": {
"RoleArn": "ExecutionRole.Arn",
"KmsKeyId": "Key",
"InstanceType": "ml.t2.large"
}
}
},
"Outputs": {
"BasicNotebookInstanceId": {
"Value": "BasicNotebookInstance"
}
}
}