- Knowledge Base
- Amazon Web Services
- Amazon SageMaker
- Endpoints Encrypted With KMS Customer Managed Keys
Ensure that the Amazon ECR images associated with your SageMaker endpoints are encrypted with KMS Customer Managed Keys (CMKs) instead of AWS managed-keys in order to have a more granular control over the data-at-rest encryption/decryption process and meet compliance requirements. In Amazon SageMaker, endpoints are used to provision resources and deploy models.
By default, the data stored on the associated Amazon ECR images is encrypted using an AWS managed-key. When you use your own KMS Customer Managed Keys (CMKs) to protect your data, you have full control over who can use the encryption keys to access this data. The Amazon KMS service allows you to easily create, rotate, disable, and audit Customer Managed Keys for your AWS cloud resources.
Audit
To determine the encryption status available for your Amazon SageMaker endpoints, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.
03 In the main navigation panel, under Inference, select Endpoints.
04 Click on the name (link) of the SageMaker endpoint that you want to examine, available in the Name column.
05 Select the Settings tab to access the configuration settings available for the selected endpoint.
06 In the Endpoint configuration settings section, under Endpoint configuration, check the Encryption key attribute value to find the Customer Managed Key (CMK) used to encrypt the associated Amazon ECR image. If the Encryption key attribute does not have a value, the Amazon ECR image associated with the selected SageMaker endpoint is encrypted using an AWS-managed key (default key provided by AWS) instead of using a Customer Managed Key (CMK).
07 Repeat steps no. 4 - 6 for each Amazon SageMaker endpoint available within the current AWS region.
08 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.
Using AWS CLI
01 Run list-endpoints command (OSX/Linux/UNIX) to list the name of each Amazon SageMaker endpoint available in the selected AWS region:
aws sagemaker list-endpoints --region us-east-1 --query 'Endpoints[*].EndpointName'
02 The command output should return the requested SageMaker endpoint names:
[ "cc-ml-sagemaker-endpoint", "cc-ml-production-endpoint" ]
03 Run describe-endpoint command (OSX/Linux/UNIX) with the name of the Amazon SageMaker endpoint that you want to examine as the identifier parameter and custom output filters to describe the name of the associated endpoint configuration:
aws sagemaker describe-endpoint --region us-east-1 --endpoint-name cc-ml-sagemaker-endpoint --query 'EndpointConfigName'
04 The command output should return the requested endpoint configuration name:
"cc-ml-endpoint-config"
05 Run describe-endpoint-config command (OSX/Linux/UNIX) to describe the Amazon Resource Name (ARN) of the KMS key utilized by the endpoint configuration to encrypt the associated Amazon ECR image:
aws sagemaker describe-endpoint-config --region us-east-1 --endpoint-config-name cc-ml-sagemaker-endpoint-config --query 'KmsKeyId'
06 The command output should return the requested KMS key ARN:
null
If the describe-endpoint-config command output returns null, as shown in the example above, the Amazon ECR image associated with the selected SageMaker endpoint is encrypted using an AWS-managed key (default key provided by AWS) instead of using a Customer Managed Key (CMK).
07 Repeat steps no. 3 - 6 for each Amazon SageMaker endpoint available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other regions.
Remediation / Resolution
To ensure that your Amazon SageMaker endpoint data is encrypted with Amazon KMS Customer Managed Keys (CMKs), perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 To create your own KMS Customer Managed Key (CMK), navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms/.
03 In the main navigation panel, choose Customer managed keys.
04 Choose Create Key to initiate the key setup process.
05 For Step 1 Configure key, perform the following actions:
- Choose Symmetric for Key type.
- Select KMS for Key usage.
- Choose Advanced options, select KMS - recommended for Key material origin, and choose whether to allow your KMS key to be replicated into other AWS cloud regions. If Single-Region key is selected, the AWS region must match the region of your SageMaker endpoint.
- Select Next to continue the key setup process.
06 For Step 2 Add labels, provide the following details:
- Provide a unique name (alias) for your KMS key in the Alias box.
- (Optional) Enter a short description in the Description box.
- (Optional) Choose Add tag from the Tags - optional section to create any necessary tag sets. Tags can be used to categorize and identify your KMS keys and help you track your AWS costs.
- Select Next to continue the setup.
07 For Step 3 Define key administrative permissions, perform the following operations:
- For Key administrators, select which IAM users and/or roles can administer your new key through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS Management Console.
- For Key deletion, choose whether to allow key administrators to delete your KMS key.
- Select Next to continue the setup process.
08 For Step 4 Define key usage permissions, perform the following actions:
- For Key users, select which IAM users and/or roles can use your KMS key in cryptographic operations.
- (Optional) For Other AWS accounts section, specify the AWS accounts that can use your key. To configure cross-account access, choose Add another AWS account and enter the ID of the AWS cloud account that can use your KMS key for cryptographic operations. The administrators of the AWS accounts you specify at this step are responsible for managing the permissions that allow their IAM users and/or roles to use your key.
- Select Next to continue the setup.
09 For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer Managed Key (CMK).
10 Once your new KMS Customer Managed Key (CMK) is available, navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.
11 In the main navigation panel, under Inference, select Endpoints.
12 Select the SageMaker endpoint that you want to configure and choose Update endpoint.
13 Choose Create a new endpoint configuration from the Change the Endpoint configuration section to re-create the endpoint configuration with the appropriate encryption settings.
14 In the New endpoint configuration section, perform the following operations:
- For Endpoint configuration name, provide a unique name for your new endpoint configuration.
- For Type of endpoint, select the correct endpoint type (must match the endpoint type of the source, non-compliant endpoint configuration).
- For Encryption key - optional, select the name (alias) of the Amazon KMS Customer Managed Key (CMK) created earlier in the Remediation process.
- (Optional) For Async Invocation Config - optional, configure the necessary Async Invocation settings (must match the source endpoint configuration settings).
- (Optional) For Data capture - optional, select Enable data capture to enable the Data Capture monitoring feature.
- For Variants, specify the model that you want to host and the resources chosen to deploy for hosting it (must match the source endpoint configuration settings).
- Choose Create endpoint configuration to create your new, compliant endpoint configuration.
15 Choose Update endpoint to apply the new endpoint configuration.
16 Repeat steps no. 12 – 15 for each SageMaker endpoint that you want to configure, available within the current AWS region.
17 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Define the IAM policy that enables the selected users and/or roles to manage your new KMS Customer Managed Key (CMK), and to encrypt/decrypt the associated Amazon ECR image data using the KMS API. Create a new policy document (JSON format), name the file sagemaker-endpoint-cmk-policy.json, and paste the following content (replace \<aws-account-id\> and \<role-name\> with your own AWS details):
{ "Id": "aws-sagemaker-cmk-policy", "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<aws-account-id>:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>" }, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:RotateKeyOnDemand" ], "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>" }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } } } ] }
02 Run create-key command (OSX/Linux/UNIX) with the policy document created at the previous step (i.e.sagemaker-endpoint-cmk-policy.json) as value for the --policy parameter, to create your new Amazon KMS Customer Managed Key (CMK):
aws kms create-key --region us-east-1 --description 'Amazon SageMaker Endpoint CMK' --policy file://sagemaker-endpoint-cmk-policy.json --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer Managed Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
04 Run create-alias command (OSX/Linux/UNIX) to attach an alias to your new Customer Managed Key (CMK). The alias must start with the prefix "alias/" (the command does not produce an output):
aws kms create-alias --region us-east-1 --alias-name alias/SageMakerEndpointCMK --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
05 Run create-endpoint-config command (OSX/Linux/UNIX) to create a new endpoint configuration with the appropriate encryption settings. To encrypt the Amazon ECR image associated with your SageMaker endpoint using a customer-provided KMS key, provide the ARN of the Customer Managed Key (CMK) created earlier in the Remediation process as value for the --kms-key-id parameter:
aws sagemaker create-endpoint-config --region us-east-1 --endpoint-config-name cc-ml-encrypted-endpoint-config --production-variants VariantName="cc-prod-variant",ModelName="cc-ml-model",InitialInstanceCount=1,InstanceType="ml.m4.xlarge",InitialVariantWeight=1.0 --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
06 The command output should return the Amazon Resource Name (ARN) of the new endpoint configuration:
{ "EndpointConfigArn": "arn:aws:sagemaker:us-east-1:123456789012:endpoint-config/cc-ml-encrypted-endpoint-config" }
07 Run update-endpoint command (OSX/Linux/UNIX) to apply the SageMaker endpoint configuration created at the previous steps:
aws sagemaker update-endpoint --region us-east-1 --endpoint-name cc-ml-sagemaker-endpoint --endpoint-config-name cc-ml-encrypted-endpoint-config --retain-all-variant-properties
08 The command output should return the ARN of the updated SageMaker endpoint:
{ "EndpointArn": "arn:aws:sagemaker:us-east-1:123456789012:endpoint/cc-ml-sagemaker-endpoint" }
09 Repeat steps no. 5 – 8 for each SageMaker endpoint that you want to configure, available in the selected AWS region.
10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- Amazon SageMaker FAQs
- Control root access to a SageMaker notebook instance
- Serverless Inference
- Update a serverless endpoint
- AWS Command Line Interface (CLI) Documentation
- list-endpoints
- describe-endpoint
- describe-endpoint-config
- create-endpoint-config
- update-endpoint
- create-key
- create-alias