Protect Data at Rest Using Encryption - Amazon SageMaker AI

Protect Data at Rest Using Encryption

Amazon SageMaker AI automatically encrypts your data using an AWS managed key for Amazon S3 (SSE-S3) by default for the following features: Studio notebooks, notebook instances, model-building data, model artifacts, and output from Training, Batch Transform, and Processing jobs.

For cross-account access, you must specify your own customer managed key when creating SageMaker AI resources, as the default AWS managed key for Amazon S3 can't be shared across accounts. For data output to Amazon S3 Express One Zone, the data is encrypted using server-side encryption with Amazon S3 managed keys (SSE-S3). Additionally, data output to Amazon S3 directory buckets can't be encrypted with server-side encryption using AWS Key Management Service keys (SSE-KMS). For more information on AWS KMS, see What is AWS Key Management Service?
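A pre-flight check for the two constraints above, written as an added example (it is not code from the AWS documentation). It inspects the `OutputDataConfig` block of a `CreateTrainingJob` request; the function names, account IDs, bucket names and key ARN are constructed placeholders, and the bucket owner's account ID is assumed to be supplied by the caller.

```python
import re

# S3 directory buckets (S3 Express One Zone) are named "<base>--<zone-id>--x-s3".
DIRECTORY_BUCKET = re.compile(r"--[a-z0-9-]+--x-s3$")


def bucket_of(s3_uri):
    """Return the bucket name from an s3://bucket/prefix URI."""
    if not s3_uri.startswith("s3://"):
        raise ValueError(f"not an S3 URI: {s3_uri!r}")
    return s3_uri[5:].split("/", 1)[0]


def check_output_encryption(request, job_account, bucket_owner_account):
    """Return findings for the OutputDataConfig of a CreateTrainingJob request dict."""
    findings = []
    out = request.get("OutputDataConfig", {})
    bucket = bucket_of(out.get("S3OutputPath", ""))
    kms_key = out.get("KmsKeyId")
    if DIRECTORY_BUCKET.search(bucket):
        # Directory bucket output is encrypted with SSE-S3; SSE-KMS is not available.
        if kms_key:
            findings.append("directory bucket output cannot use SSE-KMS: remove KmsKeyId")
    elif job_account != bucket_owner_account and not kms_key:
        # The default AWS managed key cannot be shared across accounts.
        findings.append("cross-account output needs a customer managed key in KmsKeyId")
    return findings


if __name__ == "__main__":
    # Constructed sample requests (placeholder accounts, buckets and key ARN).
    key = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"
    samples = [
        {"OutputDataConfig": {"S3OutputPath": "s3://ml-out/models/"}},
        {"OutputDataConfig": {"S3OutputPath": "s3://ml-out/models/", "KmsKeyId": key}},
        {"OutputDataConfig": {"S3OutputPath": "s3://ml-out--usw2-az1--x-s3/m/", "KmsKeyId": key}},
    ]
    for req in samples:
        print(check_output_encryption(req, "111122223333", "444455556666"))
```
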