More Info:

Sagemaker Notebook Instance Should Have KMS Key Configured

Risk Level

High

Address

Security

Compliance Standards

ISO27001, HIPAA, NISTCSF, PCIDSS, AWSSSB, RBI_UCB

Triage and Remediation

A SageMaker notebook instance cannot be encrypted after it is created. To configure the KMS key, delete the existing notebook instance and create a new one by following the steps below.

Using Console

  1. Log in to the AWS Management Console:
    • Open the AWS Management Console and navigate to the SageMaker service.
  2. Create a New Notebook Instance:
    • Click on “Create notebook instance.”
  3. Configure Notebook Instance:
    • Fill in the “Notebook instance name,” “Notebook instance type,” and other required fields.
  4. Configure Encryption:
    • Scroll down to the “Encryption settings” section.
    • Under “KMS key,” select an existing KMS key from the dropdown or enter the KMS key ID manually.
  5. Create the Notebook Instance:
    • After configuring all necessary settings, click on “Create notebook instance.”
To create a SageMaker notebook instance with a specified KMS key, you can use the following CLI command:
aws sagemaker create-notebook-instance \
    --notebook-instance-name <YourNotebookInstanceName> \
    --instance-type <InstanceType> \
    --role-arn <IAMRoleARN> \
    --kms-key-id <KMSKeyID> \
    --volume-size-in-gb <VolumeSize> \
    --default-code-repository <CodeRepositoryURL> \
    --additional-code-repositories <AdditionalCodeRepositories>
Replace the placeholders (<YourNotebookInstanceName>, <InstanceType>, <IAMRoleARN>, <KMSKeyID>, <VolumeSize>, <CodeRepositoryURL>, and <AdditionalCodeRepositories>) with appropriate values.
To create a SageMaker notebook instance with a specified KMS key using a Python script, you’ll need the boto3 library:
  1. Install boto3 (if not already installed):
pip install boto3
  2. Script to Create a Notebook Instance:
import boto3

# Uses the credentials and region from the environment or AWS config
sagemaker = boto3.client('sagemaker')

def create_notebook_instance():
    response = sagemaker.create_notebook_instance(
        NotebookInstanceName='<YourNotebookInstanceName>',
        InstanceType='<InstanceType>',
        RoleArn='<IAMRoleARN>',
        # KMS key used to encrypt the storage volume attached to the instance
        KmsKeyId='<KMSKeyID>',
        # <VolumeSize>: an integer number of GB, not a string (5 is the default)
        VolumeSizeInGB=5,
        DefaultCodeRepository='<CodeRepositoryURL>',
        AdditionalCodeRepositories=['<AdditionalCodeRepositories>']
    )
    print(response)

# Replace placeholders with appropriate values
create_notebook_instance()
Replace the placeholders (<YourNotebookInstanceName>, <InstanceType>, <IAMRoleARN>, <KMSKeyID>, <VolumeSize>, <CodeRepositoryURL>, and <AdditionalCodeRepositories>) with appropriate values.
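
For triage before the delete-and-recreate step, the following added example (not part of the original page) lists notebook instances that have no KMS key and builds the create_notebook_instance arguments for an encrypted replacement that mirrors the existing settings. The CARRY_OVER selection and the "-encrypted" name suffix are assumptions; tags and data on the old volume are not carried over.

```python
# Added example: audit notebook instances for a missing KMS key and build
# the create_notebook_instance arguments for an encrypted replacement.

# describe_notebook_instance field -> create_notebook_instance parameter
# (assumed selection; extend it if your instances use other settings)
CARRY_OVER = {
    "InstanceType": "InstanceType",
    "RoleArn": "RoleArn",
    "SubnetId": "SubnetId",
    "SecurityGroups": "SecurityGroupIds",
    "NotebookInstanceLifecycleConfigName": "LifecycleConfigName",
    "DirectInternetAccess": "DirectInternetAccess",
    "VolumeSizeInGB": "VolumeSizeInGB",
    "DefaultCodeRepository": "DefaultCodeRepository",
    "AdditionalCodeRepositories": "AdditionalCodeRepositories",
    "RootAccess": "RootAccess",
}


def find_unencrypted(client):
    """Return describe_notebook_instance results that have no KmsKeyId."""
    findings = []
    paginator = client.get_paginator("list_notebook_instances")
    for page in paginator.paginate():
        for summary in page["NotebookInstances"]:
            detail = client.describe_notebook_instance(
                NotebookInstanceName=summary["NotebookInstanceName"])
            if not detail.get("KmsKeyId"):
                findings.append(detail)
    return findings


def replacement_params(detail, kms_key_id, new_name):
    """Build create_notebook_instance kwargs mirroring `detail`, plus the key."""
    params = {"NotebookInstanceName": new_name, "KmsKeyId": kms_key_id}
    for src, dst in CARRY_OVER.items():
        if detail.get(src):  # skip unset or empty fields
            params[dst] = detail[src]
    return params


if __name__ == "__main__":
    import boto3  # needs AWS credentials and a default region

    KMS_KEY_ID = "<KMSKeyID>"  # placeholder, as in the steps above
    for d in find_unencrypted(boto3.client("sagemaker")):
        name = d["NotebookInstanceName"]
        # Dry run: print the arguments instead of creating anything.
        print(name, replacement_params(d, KMS_KEY_ID, name + "-encrypted"))
```

The script only prints the proposed arguments; back up notebook data before deleting the unencrypted instance, since its storage volume is deleted with it.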