Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)

Error: AWS Sagemaker domain not encrypted using Customer Managed Key
Bridgecrew Policy ID: BC_AWS_GENERAL_107
Checkov Check ID: CKV_AWS_187
Severity: LOW

Amazon SageMaker Feature Store enables you to create two types of stores: an online store or an offline store. The online store is used for low-latency, real-time inference use cases, whereas the offline store is used for training and batch inference use cases. When you create a feature group for online or offline use, you can provide an AWS Key Management Service (AWS KMS) customer managed key to encrypt all your data at rest. If you do not provide an AWS KMS key, your data is still encrypted on the server side, but with an AWS owned or AWS managed AWS KMS key. This check applies the same requirement to the SageMaker domain: the EFS volume attached to the domain should be encrypted with a customer managed key rather than an AWS owned or AWS managed key.

Fix - Buildtime

  • Resource: aws_sagemaker_domain
  • Argument: kms_key_id - (Optional) The AWS KMS customer managed CMK used to encrypt the EFS volume attached to the domain.

resource "aws_sagemaker_domain" "example" {
  domain_name = "example"
  auth_mode   = "IAM"
  vpc_id      = aws_vpc.test.id
  subnet_ids  = [aws_subnet.test.id]
  + kms_key_id = "ckv_kms"
  default_user_settings {
    execution_role = aws_iam_role.test.arn
  }
}
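To show what this check looks for in practice, here is an added example (not Checkov's own implementation and not part of the original page) that scans a Terraform configuration for `aws_sagemaker_domain` resources and reports whether `kms_key_id` is set. It goes one step further than the presence test described above: a value that references a reserved `alias/aws/` alias is also flagged, because such aliases belong to AWS managed keys rather than customer managed keys. The sample HCL, the resource names and the `alias/aws/example` value are constructed for the example; the brace-matching scan is a hypothetical helper, not a full HCL parser.

```python
"""Minimal CKV_AWS_187-style scan: does each aws_sagemaker_domain set kms_key_id
to a customer managed key? (Added example; not Checkov's code.)"""
import re
from typing import Dict

# Matches the opening of a SageMaker domain resource block and captures its name.
RESOURCE_RE = re.compile(r'resource\s+"aws_sagemaker_domain"\s+"([^"]+)"\s*\{')
# Matches a top-level kms_key_id attribute and captures its raw value.
KMS_RE = re.compile(r'^\s*kms_key_id\s*=\s*(.+?)\s*$', re.MULTILINE)
# "alias/aws/..." aliases are reserved for AWS managed keys, not CMKs.
AWS_MANAGED_RE = re.compile(r'alias/aws/')


def _block_body(text: str, start: int) -> str:
    """Return the text between the '{' at `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def _top_level_text(body: str) -> str:
    """Drop nested blocks (e.g. default_user_settings { ... }) so that only the
    resource's own attributes are inspected."""
    out, depth = [], 0
    for ch in body:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            continue
        if depth == 0:
            out.append(ch)
    return ''.join(out)


def check_sagemaker_domains(hcl: str) -> Dict[str, str]:
    """Map each aws_sagemaker_domain resource name to PASSED or a FAILED reason."""
    results: Dict[str, str] = {}
    for m in RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        top = _top_level_text(_block_body(hcl, m.end() - 1))
        km = KMS_RE.search(top)
        if km is None:
            results[name] = "FAILED: kms_key_id not set; EFS volume falls back to an AWS owned key"
        elif AWS_MANAGED_RE.search(km.group(1)):
            results[name] = "FAILED: kms_key_id refers to an AWS managed key alias, not a CMK"
        else:
            results[name] = "PASSED"
    return results


# Constructed sample: one domain without a key, one pointing at an AWS managed
# alias (placeholder value), and one referencing a customer managed key.
SAMPLE_HCL = """
resource "aws_kms_key" "sagemaker" {
  description         = "CMK for the SageMaker domain EFS volume"
  enable_key_rotation = true
}

resource "aws_sagemaker_domain" "unencrypted" {
  domain_name = "example"
  auth_mode   = "IAM"
  vpc_id      = aws_vpc.test.id
  subnet_ids  = [aws_subnet.test.id]
  default_user_settings {
    execution_role = aws_iam_role.test.arn
  }
}

resource "aws_sagemaker_domain" "aws_managed" {
  domain_name = "example2"
  auth_mode   = "IAM"
  vpc_id      = aws_vpc.test.id
  subnet_ids  = [aws_subnet.test.id]
  kms_key_id  = "alias/aws/example"
  default_user_settings {
    execution_role = aws_iam_role.test.arn
  }
}

resource "aws_sagemaker_domain" "cmk" {
  domain_name = "example3"
  auth_mode   = "IAM"
  vpc_id      = aws_vpc.test.id
  subnet_ids  = [aws_subnet.test.id]
  kms_key_id  = aws_kms_key.sagemaker.arn
  default_user_settings {
    execution_role = aws_iam_role.test.arn
  }
}
"""

if __name__ == "__main__":
    for resource, verdict in check_sagemaker_domains(SAMPLE_HCL).items():
        print(f"aws_sagemaker_domain.{resource}: {verdict}")
```

Run it as a script to see one line per domain; the `cmk` resource passes because it references a key defined in the same configuration, which is the pattern the Terraform fix above intends with `kms_key_id`. Note that a literal key ID or ARN cannot be classified as customer managed from the HCL alone; this helper only rejects the reserved AWS managed alias prefix, so a key-type check against the account's KMS inventory still belongs in a runtime control.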