SageMaker endpoint configurations should specify a customer-managed AWS KMS key to ensure model artifacts, cached data, and inference outputs are encrypted at rest. This also helps retain control over key rotation, access policies, and audit logging.
Without a KmsKeyId, the endpoint either falls back to AWS-managed keys or has no explicit encryption control at all, which limits your ability to enforce access restrictions and perform key-specific auditing. For AWS::SageMaker::EndpointConfig resources, Properties.KmsKeyId must be defined and set to a KMS key ARN, alias, or key ID (for example, a Ref to an AWS::KMS::Key). EndpointConfig resources missing KmsKeyId are flagged.
Compliant example (KmsKeyId is set on the EndpointConfig; intrinsic functions such as Fn::GetAtt, Fn::FindInMap and Ref are written in full JSON form):

```json
{
  "Description": "Basic Hosting entities test. We need models to create endpoint configs.",
  "Mappings": {
    "RegionMap": {
      "eu-central-1": { "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" },
      "us-west-2": { "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" },
      "us-east-2": { "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" },
      "us-east-1": { "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" },
      "eu-west-1": { "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" },
      "ap-northeast-1": { "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" },
      "ap-northeast-2": { "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" },
      "ap-southeast-2": { "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" }
    }
  },
  "Resources": {
    "Endpoint": {
      "Type": "AWS::SageMaker::Endpoint",
      "Properties": {
        "EndpointConfigName": { "Fn::GetAtt": ["EndpointConfig", "EndpointConfigName"] }
      }
    },
    "EndpointConfig": {
      "Type": "AWS::SageMaker::EndpointConfig",
      "Properties": {
        "EndpointConfigName": "String",
        "KmsKeyId": "String",
        "ProductionVariants": [
          {
            "InitialInstanceCount": 1,
            "InitialVariantWeight": 1,
            "InstanceType": "ml.t2.large",
            "ModelName": { "Fn::GetAtt": ["Model", "ModelName"] },
            "VariantName": { "Fn::GetAtt": ["Model", "ModelName"] }
          }
        ],
        "DataCaptureConfig": "DataCaptureConfig"
      }
    },
    "Model": {
      "Type": "AWS::SageMaker::Model",
      "Properties": {
        "PrimaryContainer": {
          "Image": { "Fn::FindInMap": ["RegionMap", { "Ref": "AWS::Region" }, "NullTransformer"] }
        },
        "ExecutionRoleArn": { "Fn::GetAtt": ["ExecutionRole", "Arn"] }
      }
    },
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": ["sagemaker.amazonaws.com"] },
              "Action": ["sts:AssumeRole"]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "EndpointName": { "Value": { "Fn::GetAtt": ["Endpoint", "EndpointName"] } },
    "EndpointId": { "Value": { "Ref": "Endpoint" } }
  }
}
```
Non-compliant example (the EndpointConfig has no KmsKeyId property, so the rule flags it):

```json
{
  "Description": "Basic Hosting entities test. We need models to create endpoint configs.",
  "Mappings": {
    "RegionMap": {
      "ap-northeast-1": { "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" },
      "ap-northeast-2": { "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" },
      "ap-southeast-2": { "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" },
      "eu-central-1": { "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" },
      "us-west-2": { "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" },
      "us-east-2": { "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" },
      "us-east-1": { "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" },
      "eu-west-1": { "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" }
    }
  },
  "Resources": {
    "Endpoint": {
      "Type": "AWS::SageMaker::Endpoint",
      "Properties": {
        "EndpointConfigName": { "Fn::GetAtt": ["EndpointConfig", "EndpointConfigName"] }
      }
    },
    "EndpointConfig": {
      "Type": "AWS::SageMaker::EndpointConfig",
      "Properties": {
        "ProductionVariants": [
          {
            "InitialInstanceCount": 1,
            "InitialVariantWeight": 1,
            "InstanceType": "ml.t2.large",
            "ModelName": { "Fn::GetAtt": ["Model", "ModelName"] },
            "VariantName": { "Fn::GetAtt": ["Model", "ModelName"] }
          }
        ]
      }
    },
    "Model": {
      "Type": "AWS::SageMaker::Model",
      "Properties": {
        "PrimaryContainer": {
          "Image": { "Fn::FindInMap": ["RegionMap", { "Ref": "AWS::Region" }, "NullTransformer"] }
        },
        "ExecutionRoleArn": { "Fn::GetAtt": ["ExecutionRole", "Arn"] }
      }
    },
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": ["sagemaker.amazonaws.com"] },
              "Action": ["sts:AssumeRole"]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "EndpointId": { "Value": { "Ref": "Endpoint" } },
    "EndpointName": { "Value": { "Fn::GetAtt": ["Endpoint", "EndpointName"] } }
  }
}
```
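The rule's logic, and the remediation the description asks for, can be reproduced with a few lines of Python. The following is an added example, not Datadog's rule implementation: it walks a parsed CloudFormation template, reports every AWS::SageMaker::EndpointConfig whose Properties.KmsKeyId is missing, empty, or not a single intrinsic function, and offers a fix that adds a customer-managed AWS::KMS::Key (logical ID EndpointKey, an assumed name) and points flagged resources at it with a Ref. The two trimmed templates at the bottom are constructed for this example and mirror the compliant and non-compliant cases above.

```python
"""Minimal KmsKeyId checker and fixer for SageMaker EndpointConfig resources.

Added example, not Datadog's own rule code. Works on a template already
parsed into a dict (json.load on a JSON template); intrinsic functions are
expected in their long JSON form, e.g. {"Ref": "EndpointKey"}.
"""
import json

ENDPOINT_CONFIG_TYPE = "AWS::SageMaker::EndpointConfig"

# Intrinsic functions that resolve to a key ARN, alias, or key ID at deploy time.
ACCEPTED_INTRINSICS = {"Ref", "Fn::GetAtt", "Fn::ImportValue", "Fn::Sub", "Fn::FindInMap"}


def kms_key_id_is_set(value) -> bool:
    """True when KmsKeyId carries a usable value: a non-blank string
    (ARN, alias, or key ID) or a single accepted intrinsic-function object."""
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, dict):
        return len(value) == 1 and next(iter(value)) in ACCEPTED_INTRINSICS
    return False


def find_unencrypted_endpoint_configs(template: dict) -> list:
    """Return logical IDs of EndpointConfig resources that fail the rule."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ENDPOINT_CONFIG_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not kms_key_id_is_set(props.get("KmsKeyId")):
            findings.append(logical_id)
    return findings


def add_kms_key(template: dict, key_logical_id: str = "EndpointKey") -> dict:
    """Remediation: add a customer-managed key with rotation enabled and set
    KmsKeyId to a Ref on every flagged EndpointConfig. Returns a new dict."""
    fixed = json.loads(json.dumps(template))  # deep copy, input left untouched
    flagged = find_unencrypted_endpoint_configs(fixed)
    if not flagged:
        return fixed
    fixed["Resources"].setdefault(key_logical_id, {
        "Type": "AWS::KMS::Key",
        "Properties": {
            "Description": "CMK for SageMaker endpoint storage (constructed example)",
            "EnableKeyRotation": True,
            "KeyPolicy": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "AccountRoot",
                    "Effect": "Allow",
                    "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                    "Action": "kms:*",
                    "Resource": "*",
                }],
            },
        },
    })
    for logical_id in flagged:
        props = fixed["Resources"][logical_id].setdefault("Properties", {})
        props["KmsKeyId"] = {"Ref": key_logical_id}
    return fixed


# Constructed, trimmed-down templates mirroring the page's two examples.
NONCOMPLIANT = {
    "Resources": {
        "EndpointConfig": {
            "Type": ENDPOINT_CONFIG_TYPE,
            "Properties": {
                "ProductionVariants": [{
                    "InitialInstanceCount": 1, "InitialVariantWeight": 1,
                    "InstanceType": "ml.t2.large", "ModelName": "my-model",
                    "VariantName": "AllTraffic",
                }]
            },
        }
    }
}
COMPLIANT = json.loads(json.dumps(NONCOMPLIANT))
COMPLIANT["Resources"]["EndpointConfig"]["Properties"]["KmsKeyId"] = {"Ref": "EndpointKey"}
COMPLIANT["Resources"]["EndpointKey"] = {"Type": "AWS::KMS::Key",
                                         "Properties": {"EnableKeyRotation": True}}

if __name__ == "__main__":
    print("non-compliant findings:", find_unencrypted_endpoint_configs(NONCOMPLIANT))
    print("compliant findings:", find_unencrypted_endpoint_configs(COMPLIANT))
    print("after fix:", find_unencrypted_endpoint_configs(add_kms_key(NONCOMPLIANT)))
```

The checker deliberately accepts any non-blank string, matching the rule's wording (an ARN, alias, or key ID all pass); the fixer uses a Ref rather than a hard-coded ARN so the key is created and rotated in the same stack, which is the pattern the rule description recommends.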
Ruleset configuration that enables this rule:

```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```