Amazon SageMaker
Developer Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Protecting Data at Rest Using Encryption

You can use encrypted Amazon Simple Storage Service buckets for model artifacts and data, as well as pass a AWS Key Management Service key to Amazon SageMaker notebooks, training jobs, hyperparameter tuning jobs, batch transform jobs, and endpoints, to encrypt the attached machine learning (ML) storage volume. If you do not specify a AWS KMS key, Amazon SageMaker encrypts storage volumes with a transient key. A transient key is discarded immediately after it is used to encrypt the storage volume.

All instance OS volumes are encrypted with an AWS-managed AWS KMS key.

All ML data volumes for all Amazon SageMaker instances may be encrypted with customer specified AWS KMS keys. ML data volumes are mounted as follows:

  • Notebooks - /home/ec2-user/SageMaker

  • Training - /opt/ml/ and /tmp/

  • Batch - /opt/ml/ and /tmp/

  • Endpoints - /opt/ml/ and /tmp/

Batch and training job containers and their storage are ephemeral in nature. When the job completes, output is uploaded to Amazon S3 (with optional AWS KMS encryption) and the instance is torn down.

Data of a sensitive nature that needs to be encrypted with a customer owned AWS KMS key for compliance reasons should be stored in the ML Amazon EBS volume or Amazon S3, both of which can be KMS encrypted with customer managed keys. Notebook instances mount all default folders used by Jupyter or the algorithm containers onto the ML volume.

The Amazon SageMaker folder in the ML Amazon EBS volume is the default storage location when you open a notebook instance. Amazon SageMaker saves any files within the SageMaker folder. The /sample-notebooks subfolder is located on the OS volume but that location is read only. When you stop a Notebook instance any customizations to the OS (like custom libraries installed or OS level settings) are lost. Consider utilizing lifecycle options to automate any customizations to the default image. If a Notebook instance is stopped, a snapshot of the ML volume is retained by Amazon in the service platform to support resumption. This snapshot is deleted on termination as well as the ML volume, so any data to be persisted beyond the notebook lifecycle should be transferred to customer Amazon S3 buckets.


Certain Nitro-based instances include local storage, dependent on the instance type. Local storage volumes are encrypted using a hardware module on the instance. You can't request a VolumeKmsKeyId when using an instance type with local storage.

For a list of instance types that support local instance storage, see Instance Store Volumes.

For more information about local instance storage encryption, see SSD Instance Store Volumes.

For more information about storage volumes on nitro-based instances, see Amazon EBS and NVMe on Linux Instances.