
Metadata

Id: 44034eda-1c3f-486a-831d-e09a7dd94354

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Encryption


Description

SageMaker endpoint configurations should specify a customer-managed AWS KMS key to ensure model artifacts, cached data, and inference outputs are encrypted at rest. Using a customer-managed key also keeps key rotation, access policies, and audit logging under your control.

Without a defined KmsKeyId, the endpoint may fall back to AWS-managed keys or lack explicit encryption control. This reduces your ability to enforce access restrictions and perform key-specific auditing. For AWS::SageMaker::EndpointConfig resources, Properties.KmsKeyId must be defined and set to a KMS key ARN, alias, or key ID (for example, a Ref to an AWS::KMS::Key). Resources missing KmsKeyId will be flagged.

Secure configuration example:

# Secure configuration: the endpoint config references a customer-managed KMS key.
MyEndpointConfig:
  Type: AWS::SageMaker::EndpointConfig
  Properties:
    EndpointConfigName: my-endpoint-config
    # KmsKeyId is the property this rule checks. A !Ref to an AWS::KMS::Key
    # resource satisfies it; MyKmsKey is assumed to be declared elsewhere in
    # the same template.
    KmsKeyId: !Ref MyKmsKey
    ProductionVariants:
      - VariantName: AllTraffic
        ModelName: my-model
        InitialInstanceCount: 1
        InstanceType: ml.m5.large

Compliant Code Examples

# Compliant fixture: the AWS::SageMaker::EndpointConfig resource below declares
# Properties.KmsKeyId, which is the property this rule checks.
Description: "Basic Hosting entities test.  We need models to create endpoint configs."
Mappings:
  RegionMap:
    "us-west-2":
      "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
    "us-east-2":
      "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
    "us-east-1":
      "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
    "eu-west-1":
      "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
    "ap-northeast-1":
      "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
    "ap-northeast-2":
      "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
    "ap-southeast-2":
      "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
    "eu-central-1":
      "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
Resources:
  Endpoint:
    Type: "AWS::SageMaker::Endpoint"
    Properties:
      EndpointConfigName:
        !GetAtt EndpointConfig.EndpointConfigName
  EndpointConfig:
    Type: "AWS::SageMaker::EndpointConfig"
    Properties:
      # Placeholder echoing the property name; a deployable template supplies
      # a DataCaptureConfig object here.
      DataCaptureConfig: DataCaptureConfig
      EndpointConfigName: String
      # Present, so the rule does not flag this resource. The value is a
      # placeholder; a real template sets a KMS key ARN, alias, or key ID
      # (for example, !Ref to an AWS::KMS::Key resource).
      KmsKeyId: String
      ProductionVariants:
        - InitialInstanceCount: 1
          InitialVariantWeight: 1.0
          InstanceType: ml.t2.large
          ModelName: !GetAtt Model.ModelName
          VariantName: !GetAtt Model.ModelName
  Model:
    Type: "AWS::SageMaker::Model"
    Properties:
      PrimaryContainer:
        Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"]
      ExecutionRoleArn: !GetAtt ExecutionRole.Arn

  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "sagemaker.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        -
          PolicyName: "root"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                # NOTE(review): Action "*" on Resource "*" gives the SageMaker
                # execution role unrestricted access to the account. This is
                # outside the scope of the KMS rule (the fixture is still
                # "compliant" for it), but a real template should scope this
                # policy to least privilege.
                Effect: "Allow"
                Action: "*"
                Resource: "*"
Outputs:
  EndpointId:
    Value: !Ref Endpoint
  EndpointName:
    Value: !GetAtt Endpoint.EndpointName
{
  "Description": "Basic Hosting entities test.  We need models to create endpoint configs.",
  "Mappings": {
    "RegionMap": {
      "eu-central-1": {
        "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
      },
      "us-west-2": {
        "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
      },
      "us-east-2": {
        "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
      },
      "us-east-1": {
        "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
      },
      "eu-west-1": {
        "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
      },
      "ap-northeast-1": {
        "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
      },
      "ap-northeast-2": {
        "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
      },
      "ap-southeast-2": {
        "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
      }
    }
  },
  "Resources": {
    "Endpoint": {
      "Type": "AWS::SageMaker::Endpoint",
      "Properties": {
        "EndpointConfigName": "EndpointConfig.EndpointConfigName"
      }
    },
    "EndpointConfig": {
      "Type": "AWS::SageMaker::EndpointConfig",
      "Properties": {
        "EndpointConfigName": "String",
        "KmsKeyId": "String",
        "ProductionVariants": [
          {
            "InitialInstanceCount": 1,
            "InitialVariantWeight": 1,
            "InstanceType": "ml.t2.large",
            "ModelName": "Model.ModelName",
            "VariantName": "Model.ModelName"
          }
        ],
        "DataCaptureConfig": "DataCaptureConfig"
      }
    },
    "Model": {
      "Type": "AWS::SageMaker::Model",
      "Properties": {
        "PrimaryContainer": {
          "Image": [
            "RegionMap",
            "AWS::Region",
            "NullTransformer"
          ]
        },
        "ExecutionRoleArn": "ExecutionRole.Arn"
      }
    },
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "sagemaker.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": "*",
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ],
              "Version": "2012-10-17"
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "EndpointName": {
      "Value": "Endpoint.EndpointName"
    },
    "EndpointId": {
      "Value": "Endpoint"
    }
  }
}

Non-Compliant Code Examples

{
  "Description": "Basic Hosting entities test.  We need models to create endpoint configs.",
  "Mappings": {
    "RegionMap": {
      "ap-northeast-1": {
        "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
      },
      "ap-northeast-2": {
        "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
      },
      "ap-southeast-2": {
        "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
      },
      "eu-central-1": {
        "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
      },
      "us-west-2": {
        "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
      },
      "us-east-2": {
        "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
      },
      "us-east-1": {
        "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
      },
      "eu-west-1": {
        "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
      }
    }
  },
  "Resources": {
    "Endpoint": {
      "Properties": {
        "EndpointConfigName": "EndpointConfig.EndpointConfigName"
      },
      "Type": "AWS::SageMaker::Endpoint"
    },
    "EndpointConfig": {
      "Type": "AWS::SageMaker::EndpointConfig",
      "Properties": {
        "ProductionVariants": [
          {
            "InitialInstanceCount": 1,
            "InitialVariantWeight": 1,
            "InstanceType": "ml.t2.large",
            "ModelName": "Model.ModelName",
            "VariantName": "Model.ModelName"
          }
        ]
      }
    },
    "Model": {
      "Type": "AWS::SageMaker::Model",
      "Properties": {
        "PrimaryContainer": {
          "Image": [
            "RegionMap",
            "AWS::Region",
            "NullTransformer"
          ]
        },
        "ExecutionRoleArn": "ExecutionRole.Arn"
      }
    },
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "sagemaker.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "EndpointId": {
      "Value": "Endpoint"
    },
    "EndpointName": {
      "Value": "Endpoint.EndpointName"
    }
  }
}
# Non-compliant fixture: the AWS::SageMaker::EndpointConfig resource below has
# no Properties.KmsKeyId, so this rule flags it.
Description: "Basic Hosting entities test.  We need models to create endpoint configs."
Mappings:
  RegionMap:
    "us-west-2":
      "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
    "us-east-2":
      "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
    "us-east-1":
      "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
    "eu-west-1":
      "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
    "ap-northeast-1":
      "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
    "ap-northeast-2":
      "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
    "ap-southeast-2":
      "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
    "eu-central-1":
      "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
Resources:
  Endpoint:
    Type: "AWS::SageMaker::Endpoint"
    Properties:
      EndpointConfigName:
        !GetAtt EndpointConfig.EndpointConfigName
  EndpointConfig:
    Type: "AWS::SageMaker::EndpointConfig"
    Properties:
      # Missing: KmsKeyId. Remediation is to add it with a customer-managed
      # key reference, e.g. `KmsKeyId: !Ref <your AWS::KMS::Key resource>`,
      # so the endpoint's data at rest is not left on AWS-managed keys or
      # without explicit encryption control.
      ProductionVariants:
        - InitialInstanceCount: 1
          InitialVariantWeight: 1.0
          InstanceType: ml.t2.large
          ModelName: !GetAtt Model.ModelName
          VariantName: !GetAtt Model.ModelName
  Model:
    Type: "AWS::SageMaker::Model"
    Properties:
      PrimaryContainer:
        Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"]
      ExecutionRoleArn: !GetAtt ExecutionRole.Arn

  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "sagemaker.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        -
          PolicyName: "root"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                # NOTE(review): Action "*" on Resource "*" is unrestricted
                # access for the execution role. Not what this rule detects,
                # but a real template should scope it to least privilege.
                Effect: "Allow"
                Action: "*"
                Resource: "*"
Outputs:
  EndpointId:
    Value: !Ref Endpoint
  EndpointName:
    Value: !GetAtt Endpoint.EndpointName