--- title: SageMaker endpoint config should specify KmsKeyId attribute description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SageMaker endpoint config should specify KmsKeyId attribute --- # SageMaker endpoint config should specify KmsKeyId attribute {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-sagemaker-endpoint-config-should-specify-kms-key-id-attribute` **Provider:** AWS **Platform:** CloudFormation **Severity:** Medium **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-endpointconfig.html) ### Description{% #description %} SageMaker endpoint configurations should specify a customer-managed AWS KMS key to ensure model artifacts, cached data, and inference outputs are encrypted at rest. This also helps retain control over key rotation, access policies, and audit logging. Without a defined `KmsKeyId`, the endpoint may fall back to AWS-managed keys or lack explicit encryption control. This reduces your ability to enforce access restrictions and perform key-specific auditing. For `AWS::SageMaker::EndpointConfig` resources, `Properties.KmsKeyId` must be defined and set to a KMS key ARN, alias, or key ID (for example, a `Ref` to an `AWS::KMS::Key`). Resources missing `KmsKeyId` will be flagged. Secure configuration example: ```yaml MyEndpointConfig: Type: AWS::SageMaker::EndpointConfig Properties: EndpointConfigName: my-endpoint-config KmsKeyId: !Ref MyKmsKey ProductionVariants: - VariantName: AllTraffic ModelName: my-model InitialInstanceCount: 1 InstanceType: ml.m5.large ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Description: "Basic Hosting entities test. We need models to create endpoint configs." Mappings: RegionMap: "us-west-2": "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" "us-east-2": "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" "us-east-1": "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" "eu-west-1": "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" "ap-northeast-1": "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" "ap-northeast-2": "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" "ap-southeast-2": "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" "eu-central-1": "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" Resources: Endpoint: Type: "AWS::SageMaker::Endpoint" Properties: EndpointConfigName: !GetAtt EndpointConfig.EndpointConfigName EndpointConfig: Type: "AWS::SageMaker::EndpointConfig" Properties: DataCaptureConfig: DataCaptureConfig EndpointConfigName: String KmsKeyId: String ProductionVariants: - InitialInstanceCount: 1 InitialVariantWeight: 1.0 InstanceType: ml.t2.large ModelName: !GetAtt Model.ModelName VariantName: !GetAtt Model.ModelName Model: Type: "AWS::SageMaker::Model" Properties: PrimaryContainer: Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"] ExecutionRoleArn: !GetAtt ExecutionRole.Arn ExecutionRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "sagemaker.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" Policies: - PolicyName: "root" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "*" Resource: "*" Outputs: EndpointId: Value: !Ref Endpoint EndpointName: Value: !GetAtt Endpoint.EndpointName ``` ```json { "Description": "Basic Hosting entities test. We need models to create endpoint configs.", "Mappings": { "RegionMap": { "eu-central-1": { "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" }, "us-west-2": { "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" }, "us-east-2": { "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" }, "us-east-1": { "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" }, "eu-west-1": { "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" }, "ap-northeast-1": { "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" }, "ap-northeast-2": { "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" }, "ap-southeast-2": { "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" } } }, "Resources": { "Endpoint": { "Type": "AWS::SageMaker::Endpoint", "Properties": { "EndpointConfigName": "EndpointConfig.EndpointConfigName" } }, "EndpointConfig": { "Type": "AWS::SageMaker::EndpointConfig", "Properties": { "EndpointConfigName": "String", "KmsKeyId": "String", "ProductionVariants": [ { "InitialInstanceCount": 1, "InitialVariantWeight": 1, "InstanceType": "ml.t2.large", "ModelName": "Model.ModelName", "VariantName": "Model.ModelName" } ], "DataCaptureConfig": "DataCaptureConfig" } }, "Model": { "Type": "AWS::SageMaker::Model", "Properties": { "PrimaryContainer": { "Image": [ "RegionMap", "AWS::Region", "NullTransformer" ] }, "ExecutionRoleArn": "ExecutionRole.Arn" } }, "ExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "sagemaker.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Path": "/", "Policies": [ { "PolicyName": "root", "PolicyDocument": { "Statement": [ { "Action": "*", "Resource": "*", "Effect": "Allow" } ], "Version": "2012-10-17" } } ] } } }, "Outputs": { "EndpointName": { "Value": "Endpoint.EndpointName" }, "EndpointId": { "Value": "Endpoint" } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml Description: "Basic Hosting entities test. We need models to create endpoint configs." Mappings: RegionMap: "us-west-2": "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" "us-east-2": "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" "us-east-1": "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" "eu-west-1": "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" "ap-northeast-1": "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" "ap-northeast-2": "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" "ap-southeast-2": "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" "eu-central-1": "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" Resources: Endpoint: Type: "AWS::SageMaker::Endpoint" Properties: EndpointConfigName: !GetAtt EndpointConfig.EndpointConfigName EndpointConfig: Type: "AWS::SageMaker::EndpointConfig" Properties: ProductionVariants: - InitialInstanceCount: 1 InitialVariantWeight: 1.0 InstanceType: ml.t2.large ModelName: !GetAtt Model.ModelName VariantName: !GetAtt Model.ModelName Model: Type: "AWS::SageMaker::Model" Properties: PrimaryContainer: Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"] ExecutionRoleArn: !GetAtt ExecutionRole.Arn ExecutionRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "sagemaker.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" Policies: - PolicyName: "root" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "*" Resource: "*" Outputs: EndpointId: Value: !Ref Endpoint EndpointName: Value: !GetAtt Endpoint.EndpointName ``` ```json { "Description": "Basic Hosting entities test. We need models to create endpoint configs.", "Mappings": { "RegionMap": { "ap-northeast-1": { "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" }, "ap-northeast-2": { "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" }, "ap-southeast-2": { "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" }, "eu-central-1": { "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" }, "us-west-2": { "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" }, "us-east-2": { "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" }, "us-east-1": { "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" }, "eu-west-1": { "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" } } }, "Resources": { "Endpoint": { "Properties": { "EndpointConfigName": "EndpointConfig.EndpointConfigName" }, "Type": "AWS::SageMaker::Endpoint" }, "EndpointConfig": { "Type": "AWS::SageMaker::EndpointConfig", "Properties": { "ProductionVariants": [ { "InitialInstanceCount": 1, "InitialVariantWeight": 1, "InstanceType": "ml.t2.large", "ModelName": "Model.ModelName", "VariantName": "Model.ModelName" } ] } }, "Model": { "Type": "AWS::SageMaker::Model", "Properties": { "PrimaryContainer": { "Image": [ "RegionMap", "AWS::Region", "NullTransformer" ] }, "ExecutionRoleArn": "ExecutionRole.Arn" } }, "ExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "sagemaker.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ], "Version": "2012-10-17" }, "Path": "/", "Policies": [ { "PolicyName": "root", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } } ] } } }, "Outputs": { "EndpointId": { "Value": "Endpoint" }, "EndpointName": { "Value": "Endpoint.EndpointName" } } } ```