Sagemaker Notebook Instance Without KMS

• Query id: f3674e0c-f6be-43fa-b71c-bf346d1aed99
• Query name: Sagemaker Notebook Instance Without KMS
• Platform: Terraform
• Severity: High
• Category: Encryption
• CWE: 326
• URL: Github

Description

AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_sagemaker_notebook_instance" "ni" {
  name          = "my-notebook-instance"
  role_arn      = aws_iam_role.role.arn
  instance_type = "ml.t2.medium"

  tags = {
    Name = "foo"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_sagemaker_notebook_instance" "ni" {
  name          = "my-notebook-instance"
  role_arn      = aws_iam_role.role.arn
  instance_type = "ml.t2.medium"
  kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

  tags = {
    Name = "foo"
  }
}