SageMaker notebook instances must specify a KMS key to encrypt data at rest. This helps protect notebook storage and snapshots from unauthorized access.
Check AWS::SageMaker::NotebookInstance resources for the Properties.KmsKeyId property. It must be defined as a non-empty string that identifies a valid KMS key (key ID, key ARN, or alias). Resources missing KmsKeyId, or with KmsKeyId set to "", will be flagged.
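The following is an added example of the check described above, written here for illustration; it is not Datadog's rule implementation. It walks an already-parsed CloudFormation template (a dict, so JSON templates load with `json.loads` and YAML templates with any loader that yields a dict) and reports every `AWS::SageMaker::NotebookInstance` whose `Properties.KmsKeyId` is missing or an empty string. One assumption beyond the page: a `KmsKeyId` given as an intrinsic function (`{"Ref": ...}`, `{"Fn::GetAtt": ...}`) is treated as defined, since it resolves to a key at deploy time. The sample template is constructed for this example.

```python
"""Added example, not Datadog's own rule: flag SageMaker notebook instances
whose Properties.KmsKeyId is missing or empty in a CloudFormation template."""
import json

NOTEBOOK_TYPE = "AWS::SageMaker::NotebookInstance"


def kms_key_id_is_set(value) -> bool:
    """True when KmsKeyId names a key: a non-empty string (key ID, key ARN or
    alias) or a non-empty intrinsic-function object such as {"Ref": ...}.
    Assumption: intrinsic functions count as defined; the rule text itself
    only talks about non-empty strings."""
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, dict):
        return len(value) > 0
    return False


def find_unencrypted_notebooks(template: dict) -> list:
    """Return the sorted logical IDs of notebook instances that would be flagged."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != NOTEBOOK_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not kms_key_id_is_set(props.get("KmsKeyId")):
            findings.append(logical_id)
    return sorted(findings)


# Constructed sample template: two compliant notebooks, two non-compliant ones,
# plus the key and role they reference (trimmed to what the check looks at).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "NotebookKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {"Description": "constructed key for the example"}
    },
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []}}
    },
    "EncryptedNotebook": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "InstanceType": "ml.t2.large",
        "RoleArn": {"Fn::GetAtt": ["ExecutionRole", "Arn"]},
        "KmsKeyId": "alias/constructed-notebook-key"
      }
    },
    "RefKeyNotebook": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "InstanceType": "ml.t2.large",
        "RoleArn": {"Fn::GetAtt": ["ExecutionRole", "Arn"]},
        "KmsKeyId": {"Ref": "NotebookKey"}
      }
    },
    "NoKeyNotebook": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "InstanceType": "ml.t2.large",
        "RoleArn": {"Fn::GetAtt": ["ExecutionRole", "Arn"]}
      }
    },
    "EmptyKeyNotebook": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "InstanceType": "ml.t2.large",
        "RoleArn": {"Fn::GetAtt": ["ExecutionRole", "Arn"]},
        "KmsKeyId": ""
      }
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id in find_unencrypted_notebooks(SAMPLE_TEMPLATE):
        print(f"{logical_id}: KmsKeyId missing or empty; data at rest is not "
              f"encrypted with a customer-managed KMS key")
```

Whitespace-only values are treated the same as an empty string, since a template author who writes `KmsKeyId: " "` has not named a key either.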
Compliant Code Examples

```yaml
# This code is correct; the query should not find any result.
Description: "Basic NotebookInstance test update to a different instance type"
Resources:
  BasicNotebookInstance:
    Type: "AWS::SageMaker::NotebookInstance"
    Properties:
      InstanceType: "ml.t2.large"
      RoleArn: !GetAtt ExecutionRole.Arn
      KmsKeyId: "Key"
  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "sagemaker.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        - PolicyName: "root"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "*"
                Resource: "*"
Outputs:
  BasicNotebookInstanceId:
    Value: !Ref BasicNotebookInstance
```

```json
{
  "Description": "Basic NotebookInstance test update to a different instance type",
  "Resources": {
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": ["sagemaker.amazonaws.com"]
              },
              "Action": ["sts:AssumeRole"]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "BasicNotebookInstance": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "RoleArn": "ExecutionRole.Arn",
        "KmsKeyId": "Key",
        "InstanceType": "ml.t2.large"
      }
    }
  },
  "Outputs": {
    "BasicNotebookInstanceId": {
      "Value": "BasicNotebookInstance"
    }
  }
}
```
Non-Compliant Code Examples
```yaml
# This code is problematic; the query should report one or more results.
Description: "Basic NotebookInstance test update to a different instance type"
Resources:
  BasicNotebookInstance:
    Type: "AWS::SageMaker::NotebookInstance"
    Properties:
      InstanceType: "ml.t2.large"
      RoleArn: !GetAtt ExecutionRole.Arn
  BasicNotebookInstance2:
    Type: "AWS::SageMaker::NotebookInstance"
    Properties:
      InstanceType: "ml.t2.large"
      RoleArn: !GetAtt ExecutionRole.Arn
      KmsKeyId: 'some-kms-key'
  BasicNotebookInstance3:
    Type: "AWS::SageMaker::NotebookInstance"
    Properties:
      InstanceType: "ml.t2.large"
      RoleArn: !GetAtt ExecutionRole.Arn
      KmsKeyId: ""
  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "sagemaker.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        - PolicyName: "root"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "*"
                Resource: "*"
Outputs:
  BasicNotebookInstanceId:
    Value: !Ref BasicNotebookInstance
```

```json
{
  "Description": "Basic NotebookInstance test update to a different instance type",
  "Resources": {
    "BasicNotebookInstance2": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "RoleArn": "ExecutionRole.Arn",
        "KmsKeyId": "some-kms-key",
        "InstanceType": "ml.t2.large"
      }
    },
    "BasicNotebookInstance3": {
      "Properties": {
        "InstanceType": "ml.t2.large",
        "RoleArn": "ExecutionRole.Arn",
        "KmsKeyId": ""
      },
      "Type": "AWS::SageMaker::NotebookInstance"
    },
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": ["sagemaker.amazonaws.com"]
              },
              "Action": ["sts:AssumeRole"]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
                }
              ]
            },
            "PolicyName": "root"
          }
        ]
      }
    },
    "BasicNotebookInstance": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "InstanceType": "ml.t2.large",
        "RoleArn": "ExecutionRole.Arn"
      }
    }
  },
  "Outputs": {
    "BasicNotebookInstanceId": {
      "Value": "BasicNotebookInstance"
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```