Ensure all data stored in SageMaker is securely encrypted at rest

Error: Data stored in SageMaker is not securely encrypted at rest

Bridgecrew Policy ID: BC_AWS_GENERAL_14
Checkov Check ID: CKV_AWS_22
Severity: HIGH

Data stored in SageMaker is not securely encrypted at rest


Amazon SageMaker enables you to pass a KMS key to SageMaker notebooks, securing the following resources:

  • Storage volume
  • Processing jobs
  • Training jobs
  • Hyperparameter tuning jobs
  • Batch transform jobs
  • Endpoints

By applying encryption at-rest you ensure that the data stored on your AWS SageMaker notebook instances meet regulatory requirements and protect your SageMaker data at rest.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon SageMaker console.
  3. Select Notebook instances, then click Create Notebook Instance.
  4. On the Create Notebook Instance page, provide the required information.
  5. The Encryption key lets you encrypt data on the ML storage volume attached to the notebook instance using an AWS Key Management Service (AWS KMS) key. If you plan to store sensitive information on the ML storage volume, consider encrypting the information.

CLI Command

To create a SageMaker notebook instance:

--notebook-instance-name <value>
--instance-type <value>
--kms-key-id <value>

Fix - Buildtime


  • Resource: aws_sagemaker_notebook_instance
  • Attribute: kms_key_id - (Optional) The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.
resource "aws_sagemaker_notebook_instance" "example" {
  name          = "my-notebook-instance"
+ kms_key_id    = <value>