Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)
Error: AWS Sagemaker domain not encrypted using Customer Managed Key
Bridgecrew Policy ID: BC_AWS_GENERAL_107
Checkov Check ID: CKV_AWS_187
Severity: LOW
AWS Sagemaker domain not encrypted using Customer Managed Key
Description
Amazon SageMaker Feature Store enables you to create two types of stores: an online store or offline store. The online store is used for low latency real-time inference use cases whereas the offline store is used for training and batch inference use cases. When you create a feature group for online or offline use you can provide a AWS Key Management Service customer managed key to encrypt all your data at rest. In case you do not provide a AWS KMS key then we ensure that your data is encrypted on the server side using an AWS owned AWS KMS key or AWS managed AWS KMS key.
Fix - Buildtime
Terraform
- Resource: aws_sagemaker_domain
- Argument: kms_key_id - (Optional) The AWS KMS customer managed CMK used to encrypt the EFS volume attached to the domain.
resource "aws_sagemaker_domain" "example" {
domain_name = "example"
auth_mode = "IAM"
vpc_id = aws_vpc.test.id
subnet_ids = [aws_subnet.test.id]
+ kms_key_id = "ckv_kms"
default_user_settings {
execution_role = aws_iam_role.test.arn
}
}
Updated 6 months ago