Logo of Trend Micro

Notebook Data Encrypted With KMS Customer Master Keys

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: SageMaker-002

Ensure that your SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) instead of AWS managed-keys in order to have a more granular control over the data-at-rest encryption/decryption process and meet compliance requirements. SageMaker is a fully-managed AWS service that enables data scientists and developers to build, train and deploy machine learning models at any scale. AWS SageMaker removes the barriers that typically slow down data developers who want to use machine learning in the cloud. A SageMaker notebook instance is a fully managed Machine Learning (ML) instance based on the Jupyter Notebook web application.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When you use your own Amazon KMS Customer Master Keys (CMKs) to protect data within your SageMaker notebook instances, you have full control over who can use the encryption keys to access your SageMaker data. Amazon KMS service allows you to easily create, rotate, disable and audit Customer Master Keys created for your SageMaker notebook instances.

Audit

To determine the encryption status and configuration for your Amazon SageMaker notebook instances, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.

03 In the navigation panel, under Notebook, choose Notebook instances.

04 Select the SageMaker notebook instance that you want to examine, then click on its name (link) to access the resource configuration details.

05 On the selected instance configuration page, in the Notebook instance settings section, check the Encryption key attribute value. If the attribute does not have a value assigned, data-at-rest encryption is not currently enabled, therefore you can follow this conformity rule to enable encryption for your notebook instance. If the Encryption key attribute value contains a KMS key ARN, data-at-rest encryption is enabled for the selected SageMaker notebook instance.

06 Click on the ARN (link) of the AWS KMS key set as value for the Encryption key attribute to access the key configuration details.

07 On the AWS KMS key details page, check the Alias attribute value. If the Alias attribute value starts with aws, the storage volumes attached to selected Amazon SageMaker notebook instance are encrypted with the default key (i.e. AWS-managed key).

08 Repeat steps no. 4 – 7 for each SageMaker notebook instance launched within the current AWS region.

09 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-notebook-instances command (OSX/Linux/UNIX) to list the names of all SageMaker notebook instances available within the selected AWS region (US East - N. Virginia): 

aws sagemaker list-notebook-instances
	--region us-east-1
	--query 'NotebookInstances[*].NotebookInstanceName'

02 The command output should return the requested SageMaker instance names: 

[
    "cc-sagemaker-ml-instance",
    "cc-ml-app-data-instance"
]

03 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to examine as identifier and custom query filters to return the ARN of the AWS KMS key used to encrypt data stored on the storage volume(s) attached to the selected SageMaker instance: 

aws sagemaker describe-notebook-instance
	--region us-east-1
	--notebook-instance-name cc-sagemaker-ml-instance
	--query 'KmsKeyId'

04 The command output should return the requested ARN: 

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

If the command output returns null instead of an ARN, there is no AWS KMS key configured for data encryption. To enable encryption for the selected notebook instance, follow the instructions outlined in this conformity rule. If the describe-notebook-instance command output returns an Amazon Resource Name (ARN), as shown in the example above, data-at-rest encryption is enabled for the selected instance, therefore you can continue the audit process with the next step.

05 Run describe-key command (OSX/Linux/UNIX) using the AWS KMS key ARN returned at the previous step as identifier and custom query filters to return the manager name (either "AWS" or "CUSTOMER") of the encryption key used: 

aws aws kms describe-key
	--region us-east-1
	--key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
	--query 'KeyMetadata.KeyManager'

06 The command output should return the selected key manager name: 

"AWS"

If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the selected SageMaker notebook instance data is encrypted using the KMS default key (i.e. AWS-managed key) instead of using an AWS KMS Customer Master Key (CMK).

07 Repeat steps no. 3 – 6 for each SageMaker notebook instance available in the current AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.

Remediation / Resolution

To encrypt an existing AWS SageMaker notebook instance with your own KMS Customer Master Key (CMK), you need to re-create the instance with the necessary encryption configuration. To launch your new SageMaker notebook instance, enable data-at-rest encryption using a KMS CMK and copy your existing data to it. To implement the necessary remediation/resolution process, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your SageMaker instance is provisioned).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click xNext Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the domain data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the SageMaker instance data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: <cmk-alias>”.

12 Once the KMS key has been created, navigate to Amazon SageMaker dashboard at https://console.aws.amazon.com/sagemaker/.

13 In the navigation panel, under Notebook, choose Notebook instances.

14 Click Create notebook instance button from the dashboard top-right menu to start the instance setup process.

15 On Create notebook instance page, within Notebook instance settings section, perform the following actions:

  1. In the Notebook instance name box, provide a name for your new AWS SageMaker notebook instance.
  2. From Notebook instance type dropdown list, select the same instance type as the source notebook instance, which is encrypted with an AWS-managed key.
  3. From Notebook instance type dropdown list, choose the same IAM role as the one created for the source notebook instance.
  4. From VPC – optional dropdown list, choose whether or not to access resources available in your Virtual Private Cloud (VPC) from the notebook instance. Make sure that you configure this setting based on your source notebook instance VPC configuration.
  5. From Lifecycle configuration – optional dropdown list, select the required lifecycle configuration (if applicable) to customize your notebook environment with default scripts and plugins.
  6. From Encryption key – optional dropdown list, select the alias/name of the AWS KMS Customer Master Key (CMK) created earlier in the remediation/resolution section.

16 In the Tags – optional section, set up any necessary tags, based on the tagging scheme implemented for the source notebook instance.

17 Click Create notebook instance to launch your new Amazon SageMaker notebook instance.

18 Once the new notebook instance is created, copy the data from the source instance to the new (destination) instance.

19 Once the data is copied, it is safe to remove the source SageMaker notebook instance from your AWS account to avoid further charges. To delete the required SageMaker instance, perform the following:

  1. Select the notebook instance that you want to remove (see Audit section part I to identify the right SageMaker instance).
  2. Click on the Actions dropdown menu and select the Delete option.
  3. Within Delete <notebook-instance-name> dialog box, click the Delete button to confirm the action.

20 Repeat steps no. 4 - 9 to enable data-at-rest encryption for other Amazon SageMaker notebook instances provisioned in the current region.

21 Within Amazon S3 destination section, from KMS master key dropdown list, select the ID of the AWS KMS Customer Master Key (CMK) created earlier in the remediation section.

22 Click Save to apply the configuration changes. If successful, the AWS console should display the following confirmation message: "Successfully updated delivery stream".

23 Repeat steps no. 14 – 22 to enable data-at-rest encryption using AWS KMS CMKs for other Amazon SageMaker notebook instances available in the current region.

24 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Define the required IAM policy that enables the selected IAM users and/or roles to administer the new CMK and to encrypt/decrypt AWS SageMaker data using the KMS API. Create a new policy document called sagemaker-cmk-iam-policy.json and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details): 

{
  "Version": "2012-10-17",
  "Id": "aws-sagemaker-cmk-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/cc-sagemaker-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-sagemaker-admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-sagemaker-admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. sagemaker-cmk-iam-policy.json) as command parameter to create the new Amazon KMS CMK: 

aws kms create-key
	--region us-east-1
	--description 'AWS KMS CMK for SageMaker notebook instances'
	--policy file://sagemaker-cmk-iam-policy.json

03 The command output should return the new KMS CMK metadata. Copy the CMK unique ID (KeyID parameter value – highlighted) as this ID will be required later when you need to specify the key required for SageMaker data encryption: 

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "12345678-abcd-1234-abcd-12345678abcd",
        "Description": "AWS KMS CMK for SageMaker notebook instances",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517235762.150,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not return an output): 

aws kms create-alias
	--region us-east-1
	--alias-name alias/sagemaker-ml-data-cmk
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd

05 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to re-create as identifier (see Audit section part II to identify the right SageMaker resource) to return the selected instance metadata, information required later when the new SageMaker instance is created: 

aws sagemaker describe-notebook-instance
	--region us-east-1
	--notebook-instance-name cc-sagemaker-ml-instance

06 The command output should return the selected instance configuration metadata: 

{
    "NotebookInstanceStatus": "InService",
    "Url": "cc-sagemaker-ml-instance.notebook.us-east-1.sagemaker.aws",
    "RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180920T140344",
    "NotebookInstanceName": "cc-sagemaker-ml-instance",
    "CreationTime": 1537512973.647,
    "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-ml-instance",
    "LastModifiedTime": 1537514655.934,
    "InstanceType": "ml.t2.large"
}

07 Run create-notebook-instance command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the source SageMaker notebook instance (see Audit section part II to identify the right resource) with the required encryption configuration (i.e. using an AWS KMS Customer Master Key identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd"): 

aws sagemaker create-notebook-instance
	--region us-east-1
	--notebook-instance-name cc-sagemaker-ml-encrypted-instance
	--instance-type ml.t2.large
	--role-arn arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180920T140344
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd

08 If successful, the command output should return the ARN of the new AWS SageMaker notebook instance: 

{
    "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-ml-encrypted-instance"
}

09 Copy the data from the source SageMaker notebook instance to the destination instance.

10 After your data is copied, it is safe to remove the source SageMaker notebook instance in order to avoid unnecessary AWS costs. To delete the instance, run delete-notebook-instance command (OSX/Linux/UNIX) using the name of the source notebook instance as identifier (the command does not produce an output): 

aws sagemaker delete-notebook-instance
	--region us-east-1
	--notebook-instance-name cc-sagemaker-ml-instance

11 Repeat steps no. 5 – 10 to enable data encryption using AWS KMS Customer Master Keys (CMKs) for other Amazon SageMaker instances available within the current region.

12 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Oct 15, 2018

Related SageMaker rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Notebook Data Encrypted With KMS Customer Master Keys

Risk level: High