More Info:

Ensure that the storage volumes attached to your Amazon SageMaker notebook instances are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed keys, so that you have more granular control over the data-at-rest encryption/decryption process and can meet compliance requirements. SageMaker is a fully managed AWS service that enables data scientists and developers to build, train, and deploy machine learning models at any scale. Amazon SageMaker removes the barriers that typically slow down data developers who want to use machine learning in the cloud. A SageMaker notebook instance is a fully managed Machine Learning (ML) instance based on the Jupyter Notebook application.
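One way to evaluate this rule offline, shown as an added example that is not part of the original page or of any vendor tooling: the function below classifies notebook instances from data shaped like the `describe-notebook-instance` and `kms describe-key` API responses. The helper names, instance names, account ID and key ARNs are constructed for illustration, and the `WARN` and `UNKNOWN` statuses are assumptions that go slightly beyond the rule as stated.

```python
# Added example: all ARNs, names and key metadata below are constructed.
# Input shapes follow the `describe-notebook-instance` and `kms describe-key`
# API responses (fields NotebookInstanceName, KmsKeyId, KeyManager, KeyState).

def classify_notebook(instance, key_metadata):
    """Return (name, status, reason) for one describe-notebook-instance result."""
    name = instance["NotebookInstanceName"]
    key_id = instance.get("KmsKeyId")  # treated as unset when missing or empty
    if not key_id:
        return (name, "FAIL", "no KmsKeyId set on the notebook instance")
    meta = key_metadata.get(key_id)
    if meta is None:
        # e.g. cross-account key or missing kms:DescribeKey permission
        return (name, "UNKNOWN", "key metadata not available")
    if meta.get("KeyManager") != "CUSTOMER":
        return (name, "FAIL", "key is AWS managed, not customer managed")
    if meta.get("KeyState") != "Enabled":
        return (name, "WARN", "customer managed key state is %s" % meta.get("KeyState"))
    return (name, "PASS", "customer managed key in use")

def audit(instances, key_metadata):
    """Classify every instance; non-passing results are listed first."""
    results = [classify_notebook(i, key_metadata) for i in instances]
    return sorted(results, key=lambda r: (r[1] == "PASS", r[0]))

_ARN = "arn:aws:kms:us-east-1:111122223333:key/"  # constructed account and region
SAMPLE_KEYS = {
    _ARN + "example-customer": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    _ARN + "example-aws": {"KeyManager": "AWS", "KeyState": "Enabled"},
    _ARN + "example-pending": {"KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"},
}
SAMPLE_INSTANCES = [
    {"NotebookInstanceName": "nb-research", "KmsKeyId": _ARN + "example-customer"},
    {"NotebookInstanceName": "nb-default"},
    {"NotebookInstanceName": "nb-awskey", "KmsKeyId": _ARN + "example-aws"},
    {"NotebookInstanceName": "nb-pending", "KmsKeyId": _ARN + "example-pending"},
    {"NotebookInstanceName": "nb-shared", "KmsKeyId": _ARN + "example-other-account"},
]

if __name__ == "__main__":
    for name, status, reason in audit(SAMPLE_INSTANCES, SAMPLE_KEYS):
        print("%-8s %-12s %s" % (status, name, reason))
```

In a live account the two inputs would come from the SageMaker `ListNotebookInstances`/`DescribeNotebookInstance` calls and from KMS `DescribeKey` for each distinct `KmsKeyId`.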

Risk Level

High

Address

Cost optimization, Operational Maturity, Security

Compliance Standards

ISO27001, HIPAA

Triage and Remediation

Remediation

To remediate the misconfiguration of Notebook Data Encrypted with KMS Customer Master Keys for AWS DynamoDB using the AWS console, you can follow these step-by-step instructions:

  1. Log in to the AWS Console: Go to the AWS Management Console (https://aws.amazon.com/) and log in using your credentials.

  2. Navigate to DynamoDB: In the AWS Management Console, search for “DynamoDB” in the services search bar and select DynamoDB from the search results.

  3. Select the Table: From the DynamoDB dashboard, select the table where the notebook data is stored that needs to be encrypted with AWS managed keys.

  4. Enable Encryption: Click on the “Manage” tab in the table details page and then click on the “Encryption” tab.

  5. Edit Encryption Settings: Click on the “Edit” button to edit the encryption settings for the DynamoDB table.

  6. Select AWS Managed Key: In the Encryption settings, select “AWS managed key” as the key provider instead of “KMS Customer Master Key”.

  7. Choose AWS Managed CMK: Choose an AWS managed Customer Master Key (CMK) from the list provided. You can select the default AWS managed CMK or create a new one.

  8. Update Encryption Settings: After selecting the AWS managed CMK, click on the “Save” button to update the encryption settings for the DynamoDB table.

  9. Monitor Encryption Status: Once the encryption settings are updated, monitor the status to ensure that the notebook data is now encrypted with the AWS managed key.

By following these steps, you can remediate the misconfiguration of Notebook Data Encrypted with KMS Customer Master Keys for AWS DynamoDB using the AWS console.

Additional Reading: