SageMaker endpoint configuration encryption disabled
This product is not supported for your selected
Datadog site. (
).
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Id: 58b35504-0287-4154-bf69-02c0573deab8
Cloud Provider: AWS
Platform: Terraform
Severity: High
Category: Encryption
Learn More
Description
Amazon SageMaker endpoint configurations should have encryption enabled using a KMS key to protect sensitive data at rest. Without proper encryption, data stored within SageMaker endpoints may be vulnerable to unauthorized access if the underlying storage is compromised. This represents a significant security risk as machine learning endpoints often process and store sensitive information.
To address this vulnerability, specify the kms_key_arn attribute in your SageMaker endpoint configuration. For example, the secure implementation uses the following configuration, where kms_key_arn is specified to enable encryption:
resource "aws_sagemaker_endpoint_configuration" "example" {
// other configuration
kms_key_arn = "aws_kms_key.example.arn"
}
In contrast, the insecure version omits this critical encryption setting.
Compliant Code Examples
resource "aws_sagemaker_endpoint_configuration" "negative" {
name = "my-endpoint-config"
production_variants {
variant_name = "variant-1"
model_name = aws_sagemaker_model.m.name
initial_instance_count = 1
instance_type = "ml.t2.medium"
}
tags = {
Name = "foo"
}
kms_key_arn = "aws_kms_key.example.arn"
}
Non-Compliant Code Examples
resource "aws_sagemaker_endpoint_configuration" "positive" {
name = "my-endpoint-config"
production_variants {
variant_name = "variant-1"
model_name = aws_sagemaker_model.m.name
initial_instance_count = 1
instance_type = "ml.t2.medium"
}
tags = {
Name = "foo"
}
}
