01 Define the required key policy that enables the selected IAM users and/or roles to administer the new CMK and to encrypt/decrypt AWS SageMaker data using the KMS API. Create a new policy document called sagemaker-cmk-iam-policy.json and paste the following content (replace the example account ID and the ARNs for the IAM users and/or roles with your own details):
{
    "Version": "2012-10-17",
    "Id": "aws-sagemaker-cmk-policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Grant access to CMK manager",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/cc-sagemaker-manager"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow the use of the CMK",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/cc-sagemaker-admin"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/cc-sagemaker-admin"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
02 Run the create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. sagemaker-cmk-iam-policy.json) as command parameter to create the new Amazon KMS CMK:
aws kms create-key \
    --region us-east-1 \
    --description 'AWS KMS CMK for SageMaker notebook instances' \
    --policy file://sagemaker-cmk-iam-policy.json
03 The command output should return the new KMS CMK metadata. Copy the CMK unique ID (the KeyId parameter value), as this ID will be required later when you need to specify the key used for SageMaker data encryption:
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "12345678-abcd-1234-abcd-12345678abcd",
        "Description": "AWS KMS CMK for SageMaker notebook instances",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517235762.150,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd",
        "AWSAccountId": "123456789012"
    }
}
04 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not return an output):
aws kms create-alias \
    --region us-east-1 \
    --alias-name alias/sagemaker-ml-data-cmk \
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd
05 Run the describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to re-create as identifier (see Audit section part II to identify the right SageMaker resource) to return the selected instance metadata, information required later when the new SageMaker instance is created:
aws sagemaker describe-notebook-instance \
    --region us-east-1 \
    --notebook-instance-name cc-sagemaker-ml-instance
06 The command output should return the selected instance configuration metadata:
{
    "NotebookInstanceStatus": "InService",
    "Url": "cc-sagemaker-ml-instance.notebook.us-east-1.sagemaker.aws",
    "RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180920T140344",
    "NotebookInstanceName": "cc-sagemaker-ml-instance",
    "CreationTime": 1537512973.647,
    "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-ml-instance",
    "LastModifiedTime": 1537514655.934,
    "InstanceType": "ml.t2.large"
}
07 Run the create-notebook-instance command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the source SageMaker notebook instance (see Audit section part II to identify the right resource) with the required encryption configuration (i.e. using the AWS KMS Customer Master Key identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd"):
aws sagemaker create-notebook-instance \
    --region us-east-1 \
    --notebook-instance-name cc-sagemaker-ml-encrypted-instance \
    --instance-type ml.t2.large \
    --role-arn arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180920T140344 \
    --kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd
08 If successful, the command output should return the ARN of the new AWS SageMaker notebook instance:
{
    "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-ml-encrypted-instance"
}
09 Copy the data from the source SageMaker notebook instance to the destination instance.
10 After your data is copied, it is safe to remove the source SageMaker notebook instance in order to avoid unnecessary AWS costs. To delete the instance, run the delete-notebook-instance command (OSX/Linux/UNIX) using the name of the source notebook instance as identifier (the command does not produce an output):
aws sagemaker delete-notebook-instance \
    --region us-east-1 \
    --notebook-instance-name cc-sagemaker-ml-instance
11 Repeat steps no. 5 – 10 to enable data encryption using AWS KMS Customer Master Keys (CMKs) for other Amazon SageMaker instances available within the current region.
12 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
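Two offline checks that accompany the procedure above, written as an added example (not part of the original remediation guide or any AWS tooling): one validates a KMS key policy document such as the one from step 01 (kms:* granted only to the account root; grant actions bound by the kms:GrantIsForAWSResource condition), the other reads describe-notebook-instance results like the one in step 06 and lists instances that carry no KmsKeyId and therefore still need re-creation. The sample policy and notebook metadata are constructed to mirror the page's CLI output; no AWS API calls are made.

```python
import json

# Constructed inputs mirroring the page's CLI output (not captured from a real account).
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/cc-sagemaker-admin"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
})
SAMPLE_NOTEBOOKS = [
    {"NotebookInstanceName": "cc-sagemaker-ml-instance", "InstanceType": "ml.t2.large"},
    {"NotebookInstanceName": "cc-sagemaker-ml-encrypted-instance",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd"},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def key_policy_findings(policy_json):
    """Findings for a KMS key policy: kms:* granted to anything other than the
    account root, and grant-management actions not restricted to grants for AWS
    resources. Exact action names only; wildcards such as kms:Create* are not expanded."""
    findings = []
    grant_actions = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = set(_as_list(st.get("Action", [])))
        if "kms:*" in actions:
            for p in _as_list(st.get("Principal", {}).get("AWS", [])):
                if not p.endswith(":root"):
                    findings.append(f"{sid}: kms:* granted to {p}")
        if actions & grant_actions:
            flag = st.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(flag).lower() != "true":
                findings.append(f"{sid}: grant actions lack kms:GrantIsForAWSResource condition")
    return findings

def unencrypted_notebooks(describe_outputs):
    """Names of notebook instances whose describe output carries no KmsKeyId."""
    return [n["NotebookInstanceName"] for n in describe_outputs if not n.get("KmsKeyId")]
```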