Unsecured encryption of SageMaker data at rest
Severity: High

Encryption at rest is not configured securely for data stored in SageMaker. Make sure that all data in SageMaker is encrypted at rest.

Detector ID
terraform/unsecured-sagemaker-data-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

resource "aws_sagemaker_notebook_instance" "ni" {
  name          = "my-notebook-instance"
  role_arn      = aws_iam_role.test_role.arn
  instance_type = "ml.t2.medium"
  root_access   = "Disabled"
  subnet_id     = aws_subnet.pike.id
  # Noncompliant: SageMaker Notebook is not encrypted at rest using KMS CMK.
  tags = {
    Name = "foo"
  }
}

Compliant example

resource "aws_sagemaker_notebook_instance" "ni" {
  name          = "my-notebook-instance"
  role_arn      = aws_iam_role.test_role.arn
  instance_type = "ml.t2.medium"
  root_access   = "Disabled"
  subnet_id     = aws_subnet.pike.id
  # Compliant: SageMaker Notebook is encrypted at rest using KMS CMK.
  kms_key_id    = "1234abcd-12ab-34cd-56ef-1234567890ab"

  tags = {
    Name = "foo"
  }
}
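The same check can be run in CI against a rendered plan. The script below is an added example, not the detector's own code: it reads the JSON produced by `terraform show -json <planfile>` and reports every `aws_sagemaker_notebook_instance` that will exist after apply without a `kms_key_id`. The function name `unencrypted_notebooks` and the sample plan are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json` output, reduced to
# the fields this check reads. Addresses and names are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_sagemaker_notebook_instance.plain",
   "type": "aws_sagemaker_notebook_instance",
   "change": {"actions": ["create"],
              "after": {"name": "nb-plain", "kms_key_id": null},
              "after_unknown": {"id": true}}},
  {"address": "aws_sagemaker_notebook_instance.literal",
   "type": "aws_sagemaker_notebook_instance",
   "change": {"actions": ["create"],
              "after": {"name": "nb-literal",
                        "kms_key_id": "1234abcd-12ab-34cd-56ef-1234567890ab"},
              "after_unknown": {"id": true}}},
  {"address": "module.ml.aws_sagemaker_notebook_instance.from_key",
   "type": "aws_sagemaker_notebook_instance",
   "change": {"actions": ["create"],
              "after": {"name": "nb-ref"},
              "after_unknown": {"id": true, "kms_key_id": true}}},
  {"address": "aws_sagemaker_notebook_instance.old",
   "type": "aws_sagemaker_notebook_instance",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}},
  {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
   "change": {"actions": ["create"], "after": {"bucket": "d"},
              "after_unknown": {}}}
]}
""")

def unencrypted_notebooks(plan):
    """Return addresses of notebook instances planned without kms_key_id."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_sagemaker_notebook_instance":
            continue
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:          # resource is being destroyed, nothing to check
            continue
        unknown = change.get("after_unknown") or {}
        if unknown.get("kms_key_id") is True:
            continue               # set from a value only known at apply time
        if not after.get("kms_key_id"):   # null, absent or empty string
            findings.append(rc["address"])
    return findings

if __name__ == "__main__":
    for address in unencrypted_notebooks(SAMPLE_PLAN):
        print(f"Noncompliant: {address} has no kms_key_id")
```

A `kms_key_id` that references a key created in the same plan appears under `after_unknown` rather than `after`, so the check treats it as set instead of flagging it.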