Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Notebook Data Encrypted With KMS Customer Managed Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SageMaker-002

Ensure that the storage volumes attached to your Amazon SageMaker notebook instances are encrypted with KMS Customer Managed Keys (CMKs) instead of AWS managed-keys in order to have a more granular control over the data-at-rest encryption/decryption process and meet compliance requirements. SageMaker is a fully-managed AWS service that enables data scientists and developers to build, train, and deploy machine learning models at any scale. Amazon SageMaker removes the barriers that typically slow down data developers who want to use machine learning in the cloud. A SageMaker notebook instance is a fully managed Machine Learning (ML) instance based on the Jupyter Notebook application.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

By default, the data stored on your Amazon SageMaker notebook instances is encrypted using an AWS managed-key. When you use your own KMS Customer Managed Keys (CMKs) to protect your SageMaker notebook instance data, you have full control over who can use the encryption keys to access your SageMaker data. The Amazon KMS service allows you to easily create, rotate, disable, and audit Customer Managed Keys for your SageMaker notebook instance volumes.


Audit

To determine the encryption status available for your Amazon SageMaker notebook instances, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Notebook, select Notebook instances.

04 Click on the name (link) of the notebook instance that you want to examine, available in the Name column.

05 In the Permissions and encryption section, check the Encryption key attribute value to find the Customer Managed Key (CMK) used to encrypt the data for the selected notebook instance. If the Encryption key attribute does not have a value, the data on the selected Amazon SageMaker notebook instance is encrypted using an AWS-managed key (default key provided by AWS) instead of using a Customer Managed Key (CMK).

06 Repeat steps no. 4 and 5 for each Amazon SageMaker notebook instance launched within the current AWS region.

07 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

01 Run list-notebook-instances command (OSX/Linux/UNIX) to list the name of each SageMaker notebook instance provisioned in the selected AWS region:

aws sagemaker list-notebook-instances
  --region us-east-1
  --query 'NotebookInstances[*].NotebookInstanceName'

02 The command output should return the requested SageMaker notebook instance names:

[
	"cc-sagemaker-ml-instance",
	"cc-ml-app-data-instance"
]

03 Run describe-notebook-instance command (OSX/Linux/UNIX) with the name of the Amazon SageMaker notebook instance that you want to examine as the identifier parameter and custom output filters to describe the Amazon Resource Name (ARN) of the KMS key used to encrypt data stored on the selected SageMaker instance:

aws sagemaker describe-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance
  --query 'KmsKeyId'

04 The command output should return the requested KMS key ARN:

null

If the describe-notebook-instance command output returns null, as shown in the example above, the data on the selected Amazon SageMaker notebook instance is encrypted using an AWS-managed key (default key provided) instead of using a Customer Managed Key (CMK).

05 Repeat steps no. 3 and 4 for each Amazon SageMaker notebook instance provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To encrypt the data available on an existing Amazon SageMaker notebook instance using your own KMS Customer Master Key (CMK), you must re-create the notebook instance with the necessary encryption configuration, by performing the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Encryption with Amazon KMS Customer Managed Keys",
	"Resources": {
		"VpcNetwork": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "10.0.0.0/16",
				"EnableDnsHostnames": true,
				"EnableDnsSupport": true,
				"InstanceTenancy": "default"
			}
		},
		"SageMakerInstanceExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"sagemaker.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"Path": "/",
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/AmazonSageMakerReadOnly"
				]
			}
		},
		"SageMakerNotebookSubnet": {
			"Type": "AWS::EC2::Subnet",
			"Properties": {
				"VpcId": {
					"Ref": "VpcNetwork"
				}
			}
		},
		"KMSKEY": {
			"Type": "AWS::KMS::Key",
			"Properties": {
				"Enabled": true,
				"KeySpec": "SYMMETRIC_DEFAULT",
				"KeyUsage": "ENCRYPT_DECRYPT",
				"Description": "Symmetric Amazon KMS Customer Master Key",
				"EnableKeyRotation": true,
				"KeyPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "Enable IAM User Permissions",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:root"
							},
							"Action": "kms:*",
							"Resource": "*"
						},
						{
							"Sid": "Allow access for Key Administrators",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
							},
							"Action": [
								"kms:Create*",
								"kms:Describe*",
								"kms:Enable*",
								"kms:List*",
								"kms:Put*",
								"kms:Update*",
								"kms:Revoke*",
								"kms:Disable*",
								"kms:Get*",
								"kms:Delete*",
								"kms:TagResource",
								"kms:UntagResource",
								"kms:ScheduleKeyDeletion",
								"kms:CancelKeyDeletion"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow use of the key",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:Encrypt",
								"kms:Decrypt",
								"kms:ReEncrypt*",
								"kms:GenerateDataKey*",
								"kms:DescribeKey"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow attachment of persistent resources",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:CreateGrant",
								"kms:ListGrants",
								"kms:RevokeGrant"
							],
							"Resource": "*",
							"Condition": {
								"Bool": {
									"kms:GrantIsForAWSResource": "true"
								}
							}
						}
					]
				}
			}
		},
		"KMSKEYAlias": {
			"Type": "AWS::KMS::Alias",
			"Properties": {
				"AliasName": "alias/NotebookInstanceCMK",
				"TargetKeyId": {
					"Ref": "KMSKEY"
				}
			}
		},
		"SageMakerNotebookInstance": {
			"Type": "AWS::SageMaker::NotebookInstance",
			"Properties": {
				"InstanceType": "ml.t2.large",
				"RoleArn": {
					"Fn::GetAtt": [
						"SageMakerInstanceExecutionRole",
						"Arn"
					]
				},
				"SecurityGroupIds": [
					"sg-0abcd1234abcd1234",
					"sg-01234abcd1234abcd"
				],
				"SubnetId": {
					"Ref": "SageMakerNotebookSubnet"
				},
				"KmsKeyId": {
					"Ref": "KMSKEY"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Encryption with Amazon KMS Customer Managed Keys
	Resources:
	VpcNetwork:
		Type: AWS::EC2::VPC
		Properties:
		CidrBlock: 10.0.0.0/16
		EnableDnsHostnames: true
		EnableDnsSupport: true
		InstanceTenancy: default
	SageMakerInstanceExecutionRole:
		Type: AWS::IAM::Role
		Properties:
		AssumeRolePolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Effect: Allow
				Principal:
				Service:
					- sagemaker.amazonaws.com
				Action:
				- sts:AssumeRole
		Path: /
		ManagedPolicyArns:
			- arn:aws:iam::aws:policy/AmazonSageMakerReadOnly
	SageMakerNotebookSubnet:
		Type: AWS::EC2::Subnet
		Properties:
		VpcId: !Ref 'VpcNetwork'
	KMSKEY:
		Type: AWS::KMS::Key
		Properties:
		Enabled: true
		KeySpec: SYMMETRIC_DEFAULT
		KeyUsage: ENCRYPT_DECRYPT
		Description: Symmetric Amazon KMS Customer Master Key
		EnableKeyRotation: true
		KeyPolicy:
			Version: '2012-10-17'
			Statement:
			- Sid: Enable IAM User Permissions
				Effect: Allow
				Principal:
				AWS: arn:aws:iam::123456789012:root
				Action: kms:*
				Resource: '*'
			- Sid: Allow access for Key Administrators
				Effect: Allow
				Principal:
				AWS: arn:aws:iam::123456789012:user/kms-key-admin
				Action:
				- kms:Create*
				- kms:Describe*
				- kms:Enable*
				- kms:List*
				- kms:Put*
				- kms:Update*
				- kms:Revoke*
				- kms:Disable*
				- kms:Get*
				- kms:Delete*
				- kms:TagResource
				- kms:UntagResource
				- kms:ScheduleKeyDeletion
				- kms:CancelKeyDeletion
				Resource: '*'
			- Sid: Allow use of the key
				Effect: Allow
				Principal:
				AWS:
					- arn:aws:iam::123456789012:user/cloud-resource-manager
				Action:
				- kms:Encrypt
				- kms:Decrypt
				- kms:ReEncrypt*
				- kms:GenerateDataKey*
				- kms:DescribeKey
				Resource: '*'
			- Sid: Allow attachment of persistent resources
				Effect: Allow
				Principal:
				AWS:
					- arn:aws:iam::123456789012:user/cloud-resource-manager
				Action:
				- kms:CreateGrant
				- kms:ListGrants
				- kms:RevokeGrant
				Resource: '*'
				Condition:
				Bool:
					kms:GrantIsForAWSResource: 'true'
	KMSKEYAlias:
		Type: AWS::KMS::Alias
		Properties:
		AliasName: alias/NotebookInstanceCMK
		TargetKeyId: !Ref 'KMSKEY'
	SageMakerNotebookInstance:
		Type: AWS::SageMaker::NotebookInstance
		Properties:
		InstanceType: ml.t2.large
		RoleArn: !GetAtt 'SageMakerInstanceExecutionRole.Arn'
		SecurityGroupIds:
			- sg-0abcd1234abcd1234
			- sg-01234abcd1234abcd
		SubnetId: !Ref 'SageMakerNotebookSubnet'
		KmsKeyId: !Ref 'KMSKEY'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_vpc" "vpc-network" {
	cidr_block = "10.0.0.0/16"
	enable_dns_hostnames = true
	enable_dns_support = true
	instance_tenancy = "default"
}

resource "aws_iam_role" "iam-role" {
	name = "sagemaker-instance-execution-role"
	path = "/"
	managed_policy_arns = [ "arn:aws:iam::aws:policy/AmazonSageMakerReadOnly" ]
	assume_role_policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
					"Service": "sagemaker.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF
}

resource "aws_subnet" "sagemaker-notebook-subnet" {
	vpc_id     = aws_vpc.vpc-network.id
	cidr_block = "10.0.1.0/24"
}

resource "aws_kms_key" "kms-key" {
	is_enabled               = true
	customer_master_key_spec = "SYMMETRIC_DEFAULT"
	key_usage                = "ENCRYPT_DECRYPT"
	description              = "KMS Customer Master Key (CMK)"
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Sid": "Enable IAM User Permissions",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:root"
				},
				"Action": "kms:*",
				"Resource": "*"
			},
			{
				"Sid": "Allow access for Key Administrators",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
				},
				"Action": [
					"kms:Create*",
					"kms:Describe*",
					"kms:Enable*",
					"kms:List*",
					"kms:Put*",
					"kms:Update*",
					"kms:Revoke*",
					"kms:Disable*",
					"kms:Get*",
					"kms:Delete*",
					"kms:TagResource",
					"kms:UntagResource",
					"kms:ScheduleKeyDeletion",
					"kms:CancelKeyDeletion"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow use of the key",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:Encrypt",
					"kms:Decrypt",
					"kms:ReEncrypt*",
					"kms:GenerateDataKey*",
					"kms:DescribeKey"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow attachment of persistent resources",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:CreateGrant",
					"kms:ListGrants",
					"kms:RevokeGrant"
				],
				"Resource": "*",
				"Condition": {
					"Bool": {
						"kms:GrantIsForAWSResource": "true"
					}
				}
			}
		]
	}
	EOF
}

resource "aws_kms_alias" "kms-key-alias" {
	target_key_id = aws_kms_key.kms-key.key_id
	name          = "alias/NotebookInstanceCMK"
}

resource "aws_sagemaker_notebook_instance" "sagemaker-notebook-instance" {
	name            = "cc-prod-notebook-instance"
	instance_type   = "ml.t2.medium"
	role_arn        = aws_iam_role.iam-role.arn
	subnet_id       = aws_subnet.sagemaker-notebook-subnet.id
	security_groups = [ "sg-0abcd1234abcd1234", "sg-01234abcd1234abcd" ]

	# Encryption with Amazon KMS Customer Managed Keys
	kms_key_id = aws_kms_key.kms-key.arn
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 To create your own KMS Customer Managed Key (CMK), navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, choose Customer managed keys.

04 Choose Create Key to initiate the key setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric for Key type.
  2. Select KMS for Key usage.
  3. Choose Advanced options, select KMS - recommended for Key material origin, and choose whether to allow your KMS key to be replicated into other AWS cloud regions. If Single-Region key is selected, the AWS region must match the region of your SageMaker notebook instance.
  4. Select Next to continue the key setup process.

06 For Step 2 Add labels, provide the following details:

  1. Provide a unique name (alias) for your KMS key in the Alias box.
  2. (Optional) Enter a short description in the Description box.
  3. (Optional) Choose Add tag from the Tags - optional section to create any necessary tag sets. Tags can be used to categorize and identify your KMS keys and help you track your AWS costs.
  4. Select Next to continue the setup.

07 For Step 3 Define key administrative permissions, perform the following operations:

  1. For Key administrators, select which IAM users and/or roles can administer your new key through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS Management Console.
  2. For Key deletion, choose whether to allow key administrators to delete your KMS key.
  3. Select Next to continue the setup process.

08 For Step 4 Define key usage permissions, perform the following actions:

  1. For Key users, select which IAM users and/or roles can use your KMS key in cryptographic operations.
  2. (Optional) For Other AWS accounts section, specify the AWS accounts that can use your key. To configure cross-account access, choose Add another AWS account and enter the ID of the AWS cloud account that can use your KMS key for cryptographic operations. The administrators of the AWS accounts you specify at this step are responsible for managing the permissions that allow their IAM users and/or roles to use your key.
  3. Select Next to continue the setup.

09 For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer Managed Key (CMK).

10 Once your new KMS Customer Managed Key (CMK) is available, navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

11 In the main navigation panel, under Notebook, select Notebook instances.

12 Click on the name of the notebook instance that you want to re-create (i.e. source instance) and note the instance configuration information such as instance type, platform identifier, IAM permissions, and network configuration.

13 Choose Create notebook instance and perform the following operations to create your new SageMaker notebook instance:

  1. For Notebook instance name, provide a unique name for your new notebook instance.
  2. For Notebook instance type, select the instance type for your notebook instance (must match the instance type of the source, non-compliant notebook instance).
  3. For Platform identifier, select the appropriate software platform (must match the platform used by the source notebook instance).
  4. Choose Additional configuration, select the notebook lifecycle configuration (optional), choose the minimum IMDS version, and specify the volume size of the notebook instance in GB (must match the volume size of the source notebook instance).
  5. For IAM role, choose the IAM role used by the source, non-compliant notebook instance. If you want to create a new role, choose Create role using the role creation wizard and follow the setup process to create your new IAM role.
  6. (Optional) For Root access - optional, choose Disable - Don't give users root access to the notebook to deny root access to your new SageMaker netbook instance.
  7. For Encryption key - optional, select the name (alias) of the Amazon KMS Customer Managed Key (CMK) created earlier in the Remediation process.
  8. (Optional) Choose Network - optional and perform the following actions:
    1. Select the ID of the Virtual Private Cloud (VPC) where you want to deploy your new notebook instance.
    2. Once the VPC network is selected, choose the ID of the appropriate VPC subnet from the Subnet dropdown list.
    3. Select one or more security groups from the Security group(s) list, based on your access policy requirements.
    4. For Direct internet access, select Disable — Access the internet through a VPC to disable direct internet access to your notebook instance. Because internet access is required to download packages and train or host models, make sure that the selected VPC network has a NAT gateway and your security groups allow outbound connections.
  9. (Optional) Choose Git repositories - optional and select any required Git repositories. Repositories are added to your home directory.
  10. (Optional) Choose Tags - optional and create any required tag sets, according to the source instance tagging scheme.
  11. Choose Create notebook instance to launch your new, CMK-encrypted Amazon SageMaker notebook instance.

14 If required, once the new notebook instance is available, you can transfer your data from the source instance to the new (destination) instance.

15 (Optional) You can delete the source notebook instance to avoid further charges. To remove the unneeded SageMaker notebook instance, perform the following actions:

  1. Select the SageMaker notebook instance that you want to remove.
  2. Choose Actions and select Stop to stop the instance.
  3. Once the instance is stopped, choose again Actions and select Delete.
  4. In the confirmation box, choose Delete to remove the notebook instance from your AWS cloud account.

16 Repeat steps no. 12 – 16 for each SageMaker notebook instance encrypted with an AWS-managed key, available within the current AWS region.

17 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Define the IAM policy that enables the selected users and/or roles to manage your new KMS Customer Managed Key (CMK), and to encrypt/decrypt your SageMaker notebook instance data using the KMS API. Create a new policy document (JSON format), name the file sagemaker-instance-cmk-policy.json, and paste the following content (replace \<aws-account-id\> and \<role-name\> with your own AWS details):

{
	"Id": "aws-sagemaker-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion",
				"kms:RotateKeyOnDemand"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run create-key command (OSX/Linux/UNIX) with the policy document created at the previous step (i.e.sagemaker-instance-cmk-policy.json) as value for the --policy parameter, to create your new Amazon KMS Customer Managed Key (CMK):

aws kms create-key
  --region us-east-1
  --description 'CMK for encrypting SageMaker notebook instance data'
  --policy file://sagemaker-instance-cmk-policy.json
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Managed Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"

04 Run create-alias command (OSX/Linux/UNIX) to attach an alias to your new Customer Managed Key (CMK). The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias
  --region us-east-1
  --alias-name alias/NotebookInstanceCMK
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd

05 Run describe-notebook-instance command (OSX/Linux/UNIX) with the name of the SageMaker notebook instance that you want to re-create as the identifier parameter, to describe the configuration information available for the selected notebook instance:

aws sagemaker describe-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance

06 The command output should return the requested configuration details. This information is required for launching the new notebook instance:

{
	"NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-ml-instance",
	"NotebookInstanceName": "cc-sagemaker-ml-instance",
	"NotebookInstanceStatus": "InService",
	"Url": "cc-sagemaker-ml-instance-paeo.notebook.us-east-1.sagemaker.aws",
	"InstanceType": "ml.t3.large",
	"RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionPolicy-20240320T204001",
	"VolumeSizeInGB": 50,
	"RootAccess": "Disabled",
	"PlatformIdentifier": "notebook-al2-v2",
	"InstanceMetadataServiceConfiguration": {
		"MinimumInstanceMetadataServiceVersion": "2"
	}
}

07 Run create-notebook-instance command (OSX/Linux/UNIX) with the configuration information returned at the previous step to relaunch your Amazon SageMaker notebook instance using a different encryption configuration. To encrypt your SageMaker notebook instance data using a customer-provided KMS key, provide the ARN of the Customer Managed Key (CMK) created earlier in the Remediation process as value for the --kms-key-id parameter:

aws sagemaker create-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-new-sagemaker-ml-instance
  --instance-type ml.t3.large
  --role-arn arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20240320T204001
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
  --subnet-id subnet-abcd1234abcd1234a
  --security-group-ids sg-aabbccdd012345678

08 The command output should return the ARN of the new Amazon SageMaker notebook instance:

{
	"NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-new-sagemaker-ml-instance"
}

09 If required, once the new notebook instance is available, you can transfer your data from the source instance to the new (destination) instance.

10 (Optional) You can delete the source notebook instance to avoid further charges. To remove the unnecessary SageMaker notebook instance, run delete-notebook-instance command (OSX/Linux/UNIX), with the name of the notebook instance that you want to delete as the identifier parameter (the command does not produce an output):

aws sagemaker delete-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance

11 Repeat steps no. 5 – 10 for each SageMaker notebook instance encrypted with an AWS-managed key, available in the selected AWS region.

12 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Oct 15, 2018