Encrypt Output Data and Storage Volume with AWS KMS - Amazon SageMaker

Encrypt Output Data and Storage Volume with AWS KMS

You can use AWS Key Management Service (AWS KMS) to encrypt the output data of a labeling job by specifying a customer managed customer master key (CMK) when you create the job. (In current AWS KMS terminology a customer managed CMK is called a customer managed key.) If you use the CreateLabelingJob API operation to create a labeling job that uses automated data labeling, you can also specify a customer managed CMK to encrypt the storage volume attached to the ML compute instances that run the training and inference jobs.

This section describes the key policy statement you must add to your customer managed CMK to enable output data encryption, and the key policy statement and IAM permissions your CMK and execution role need to use storage volume encryption. To learn more about these options, see Output Data and Storage Volume Encryption.

Encrypt Output Data using KMS

If you specify an AWS KMS customer managed CMK to encrypt output data, you must add a statement similar to the following to the key policy of that key. The statement gives the IAM execution role that you use to create your labeling job permission to perform all of the actions listed in "Action" with this key. A key policy applies only to the key it is attached to, so "Resource": "*" here refers to that key alone, not to every key in the account. To learn more about these actions, see AWS KMS permissions in the AWS Key Management Service Developer Guide.

To use this statement, replace the IAM service-role ARN in "Principal" with the ARN of the execution role you use to create the labeling job. When you create a labeling job in the console, this is the role you specify for IAM Role under the Job overview section. When you create a labeling job using CreateLabelingJob, this is the ARN you specify for RoleArn.

{
  "Sid": "AllowUseOfKmsKey",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/service-role/example-role"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Encrypt Automated Data Labeling ML Compute Instance Storage Volume

If you specify a VolumeKmsKeyId to encrypt the storage volume attached to the ML compute instance used for automated data labeling training and inference, you must do the following:

  • Add the key policy statement described in Encrypt Output Data using KMS to the customer managed CMK that you specify in VolumeKmsKeyId.

  • Attach a policy similar to the following to the IAM execution role you use to create your labeling job. This is the IAM role you specify for RoleArn in CreateLabelingJob. The grant this permission allows is what lets the service use the key on the role's behalf to encrypt the ML compute instance's storage volume. In your own policy, narrow "Resource" from "*" to the ARN of the CMK you pass as VolumeKmsKeyId, so that the role cannot create grants on other keys in the account. To learn more about the "kms:CreateGrant" action that this policy permits, see CreateGrant in the AWS Key Management Service API Reference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant"
      ],
      "Resource": "*"
    }
  ]
}
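The following Python script is an added example and is not part of the SageMaker documentation or the SageMaker SDK. It ties the two procedures above together: it adds the key policy statement for the execution role to an existing key policy (without duplicating it on a second run), checks whether a key policy actually grants the role every action the page lists, builds the execution-role policy for kms:CreateGrant scoped to the volume key, and assembles the encryption-related fields of a CreateLabelingJob request (OutputConfig.KmsKeyId and LabelingJobResourceConfig.VolumeKmsKeyId). The role ARN, key ARNs, S3 path, sample key policy and algorithm specification ARN are constructed placeholders; the only real API names used are the CreateLabelingJob request fields and the KMS actions named on this page.

```python
"""Added example (not SageMaker's own code): build and check the KMS key policy
statement and execution-role policy described on this page, and assemble the
encryption fields of a CreateLabelingJob request. All ARNs are placeholders."""
import json

# Constructed placeholders; replace with values from your own account.
EXECUTION_ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/example-role"
OUTPUT_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
VOLUME_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/66666666-7777-8888-9999-000000000000"
ALGORITHM_SPEC_ARN = "arn:aws:sagemaker:REGION:ACCOUNT:labeling-job-algorithm-specification/TASK-TYPE"  # placeholder

# A constructed "before" key policy: only the account root can use the key.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableRootPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}, indent=2)

# The actions the page requires the execution role to have on the output key.
REQUIRED_KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"]


def key_policy_statement(role_arn):
    """Key policy statement from the page. In a key policy, "Resource": "*" means
    the key the policy is attached to, so no key ARN is needed here."""
    return {"Sid": "AllowUseOfKmsKey", "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(REQUIRED_KEY_ACTIONS), "Resource": "*"}


def add_statement_to_key_policy(policy_json, role_arn):
    """Return the key policy (as JSON text) with the statement added. A statement
    with the same Sid is replaced, so re-running this does not duplicate it.
    Feed the result to kms.put_key_policy(KeyId=..., PolicyName="default", Policy=...)."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement", []))
    stmt = key_policy_statement(role_arn)
    policy["Statement"] = [s for s in statements if s.get("Sid") != stmt["Sid"]] + [stmt]
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_covers(granted, required):
    """True if a granted action (possibly ending in a wildcard) covers the required one."""
    if granted in ("*", "kms:*"):
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def missing_key_permissions(policy_json, role_arn):
    """Check: which required actions does this key policy NOT allow the role directly?
    Only Allow statements naming the role in Principal.AWS are counted (conservative)."""
    allowed = set()
    for s in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = s.get("Principal")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if s.get("Effect") != "Allow" or role_arn not in principals:
            continue
        granted = _as_list(s.get("Action", []))
        allowed.update(r for r in REQUIRED_KEY_ACTIONS if any(_action_covers(g, r) for g in granted))
    return [r for r in REQUIRED_KEY_ACTIONS if r not in allowed]


def execution_role_grant_policy(volume_key_arn):
    """IAM policy for the execution role: kms:CreateGrant scoped to the volume key,
    rather than "Resource": "*" as in the page's minimal example."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["kms:CreateGrant"],
                           "Resource": volume_key_arn}]}


def labeling_job_encryption_params(output_key_arn, volume_key_arn=None):
    """Encryption-related fields of a CreateLabelingJob request, to be merged into
    the full request (InputConfig, HumanTaskConfig, etc. are not built here)."""
    params = {"RoleArn": EXECUTION_ROLE_ARN,
              "OutputConfig": {"S3OutputPath": "s3://example-bucket/output/",  # constructed
                               "KmsKeyId": output_key_arn}}
    if volume_key_arn:  # VolumeKmsKeyId only applies to automated data labeling
        params["LabelingJobAlgorithmsConfig"] = {
            "LabelingJobAlgorithmSpecificationArn": ALGORITHM_SPEC_ARN,
            "LabelingJobResourceConfig": {"VolumeKmsKeyId": volume_key_arn}}
    return params


if __name__ == "__main__":
    print("missing before:", missing_key_permissions(SAMPLE_KEY_POLICY, EXECUTION_ROLE_ARN))
    updated = add_statement_to_key_policy(SAMPLE_KEY_POLICY, EXECUTION_ROLE_ARN)
    print("missing after:", missing_key_permissions(updated, EXECUTION_ROLE_ARN))
    print(json.dumps(execution_role_grant_policy(VOLUME_KEY_ARN), indent=2))
    print(json.dumps(labeling_job_encryption_params(OUTPUT_KEY_ARN, VOLUME_KEY_ARN), indent=2))
```

The check in missing_key_permissions is deliberately conservative: it ignores wildcard principals and grants obtained through IAM identity policies, so a result of no missing actions means the key policy itself names the role, which is the situation the page describes. Run the script once against a copy of your key policy (kms get_key_policy) before calling put_key_policy, and keep the kms:CreateGrant statement on the execution role limited to the key you pass as VolumeKmsKeyId.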

To learn more about Ground Truth storage volume encryption, see Use Your KMS Key to Encrypt Automated Data Labeling Storage Volume (API Only).