Protect Data at Rest Using Encryption - Amazon SageMaker

Protect Data at Rest Using Encryption

To protect your Amazon SageMaker Studio notebooks and SageMaker notebook instances, along with your model-building data and model artifacts, SageMaker encrypts the notebooks, as well as output from Training and Batch Transform jobs. SageMaker encrypts these by default using the AWS Managed Key for Amazon S3. This AWS Managed Key for Amazon S3 cannot be shared for cross-account access. For cross-account access, specify your customer managed key while creating SageMaker resources so that it can be shared for cross-account access. For data output to Amazon S3 Express One Zone, the data is encrypted with server-side encryption with Amazon S3 managed keys (SSE-S3). The data output to Amazon S3 directory buckets can't be encrypted with server-side encryption with AWS Key Management Service keys (SSE-KMS). For more information on AWS KMS, see What is AWS Key Management Service?.