Notebook Data Encrypted With KMS Customer Master Keys
More Info:
Ensure that the storage volumes attached to your Amazon SageMaker notebook instances are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys in order to have a more granular control over the data-at-rest encryption/decryption process and meet compliance requirements. SageMaker is a fully-managed AWS service that enables data scientists and developers to build, train, and deploy machine learning models at any scale. Amazon SageMaker removes the barriers that typically slow down data developers who want to use machine learning in the cloud. A SageMaker notebook instance is a fully managed Machine Learning (ML) instance based on the Jupyter Notebook application.Risk Level
HighAddress
Cost optimization, Operational Maturity, SecurityCompliance Standards
ISO27001, HIPAATriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of Notebook Data Encrypted with KMS Customer Master Keys for AWS DynamoDB using the AWS console, you can follow these step-by-step instructions:
- Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/) and log in using your credentials.
- Navigate to DynamoDB: In the AWS Management Console, search for “DynamoDB” in the services search bar and select DynamoDB from the search results.
- Select the Table: From the DynamoDB dashboard, select the table where the notebook data is stored that needs to be encrypted with AWS managed keys.
- Enable Encryption: Click on the “Manage” tab in the table details page and then click on the “Encryption” tab.
- Edit Encryption Settings: Click on the “Edit” button to edit the encryption settings for the DynamoDB table.
- Select AWS Managed Key: In the Encryption settings, select “AWS managed key” as the key provider instead of “KMS Customer Master Key”.
- Choose AWS Managed CMK: Choose an AWS managed Customer Master Key (CMK) from the list provided. You can select the default AWS managed CMK or create a new one.
- Update Encryption Settings: After selecting the AWS managed CMK, click on the “Save” button to update the encryption settings for the DynamoDB table.
- Monitor Encryption Status: Once the encryption settings are updated, monitor the status to ensure that the notebook data is now encrypted with the AWS managed key.
Using CLI
Using CLI
To remediate the misconfiguration of Notebook Data Encrypted with KMS Customer Master Keys for AWS DynamoDB using AWS CLI, follow these steps:Step 1: Identify the DynamoDB table that has the misconfiguration:Step 2: Update the DynamoDB table to enable encryption with AWS managed keys:Step 3: Verify that the encryption has been updated successfully:By following these steps, you can remediate the misconfiguration of Notebook Data Encrypted with KMS Customer Master Keys for AWS DynamoDB using AWS CLI.
Using Python
Using Python
To remediate the misconfiguration of notebook data being encrypted with KMS Customer Master Keys in AWS DynamoDB using Python, follow these steps:
- Update the DynamoDB Table Encryption: Configure the DynamoDB table to use AWS managed encryption instead of KMS Customer Master Keys. You can do this by updating the table settings to use the default AWS managed encryption.
- Install the AWS SDK for Python (Boto3): If you haven’t already, install the Boto3 library, which is the AWS SDK for Python. You can install it using pip:
- Update the DynamoDB Table Encryption Settings: Use the following Python script to update the encryption settings of the DynamoDB table to use the default AWS managed encryption:
- Run the Python Script: Save the above Python script in a file (e.g.,
update_dynamodb_encryption.py) and run it using the Python interpreter. Make sure to replace'your-region'and'your-table-name'with the actual values for your DynamoDB table.
- Verify the Encryption Settings: After running the script, verify that the encryption settings for the DynamoDB table have been successfully updated to use the default AWS managed encryption. You can check this in the AWS Management Console or by using the Boto3 library to describe the table.