
SageMaker endpoint configuration encryption should be enabled

SageMaker endpoint instances store model artifacts, inference inputs, and intermediate computation data on attached storage volumes. Without a customer-managed KMS key, this data relies on default platform encryption that you cannot audit, rotate, or revoke independently. If an attacker gains access to the underlying storage, a customer-managed key lets you disable decryption immediately by revoking the key policy or disabling the key.

A dedicated KMS key also produces CloudTrail events for every Decrypt and GenerateDataKey call, giving you a clear signal when endpoint volumes are being read. That visibility matters when endpoints process PII, PHI, or cardholder data.

Retrofit consideration

Changing kms_key_arn on an existing aws_sagemaker_endpoint_configuration forces resource replacement, which requires updating the associated aws_sagemaker_endpoint to point to the new configuration. Plan for brief downtime or a blue-green deployment.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_sagemaker_endpoint_configuration.

resource "aws_sagemaker_endpoint_configuration" "this" {
  name = "pofix-abc123"

  production_variants {
    initial_instance_count = 2
    instance_type          = "ml.t2.medium"
    model_name             = "example-sagemaker-model"
    variant_name           = "AllTraffic"
  }

  kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}

What this control checks

The aws_sagemaker_endpoint_configuration resource must have kms_key_arn set to a non-empty ARN. It fails when the argument is omitted or empty. Any non-empty ARN pointing to an active, symmetric KMS key passes. The KMS key must also grant kms:Decrypt and kms:GenerateDataKey to the SageMaker execution role; without those grants the endpoint fails at launch even though the control passes at configuration time.

Common pitfalls

Endpoint configuration replacement forces endpoint update

Get the sequencing wrong here and your endpoint ends up pointing at a configuration that no longer exists. kms_key_arn is ForceNew on aws_sagemaker_endpoint_configuration, so Terraform destroys and recreates it on change. Update endpoint_config_name on aws_sagemaker_endpoint in the same apply, or the endpoint will reference a deleted resource.

KMS key policy missing SageMaker principal

Endpoint creation fails with AccessDeniedException at deploy time if the KMS key policy doesn't grant kms:Decrypt, kms:GenerateDataKey, and kms:CreateGrant to the SageMaker execution role or the sagemaker.amazonaws.com service principal. Setting kms_key_arn satisfies the control, but the missing grants surface as a runtime failure, not a Terraform error.

Cross-region KMS keys are not supported

SageMaker requires the KMS key to reside in the same AWS region as the endpoint configuration. Specifying a multi-region replica key ARN from a different region causes CreateEndpointConfig to fail. Make sure aws_kms_key and aws_sagemaker_endpoint_configuration share the same provider region.

Default AWS-managed key does not satisfy this control

Some teams assume the default aws/sagemaker managed key is sufficient. This control checks specifically for a customer-provided kms_key_arn. If the argument is omitted, SageMaker may use the AWS-managed key transparently, but the control still reports a failure because no explicit key ARN was configured.
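The control check and the replacement and region pitfalls above, as an added example (not the implementation used by compliance.tf, Checkov or AWS Config): a Python check over `terraform show -json` plan output. The `region` parameter, the choice to treat a value unknown at plan time as set, and the sample plan entries are assumptions made for the example.

```python
# Added example: checks `terraform show -json` plan output for this control.
CONFIG = "aws_sagemaker_endpoint_configuration"
ENDPOINT = "aws_sagemaker_endpoint"

def check_plan(plan, region):
    """Return (address, finding) pairs; `region` is the endpoint's region (assumed input)."""
    changes = plan.get("resource_changes", [])
    # Simplification: any endpoint update in the plan counts as the re-point.
    endpoint_updated = any(
        rc["type"] == ENDPOINT and "update" in rc["change"]["actions"] for rc in changes
    )
    findings = []
    for rc in changes:
        change = rc["change"]
        after = change.get("after")
        if rc["type"] != CONFIG or after is None:  # skip other types and pure deletes
            continue
        # A key ARN taken from a resource created in the same plan is absent from
        # `after` and flagged in `after_unknown`; treat that as set (assumption).
        unknown = (change.get("after_unknown") or {}).get("kms_key_arn") is True
        arn = after.get("kms_key_arn") or ""
        if not arn and not unknown:
            findings.append((rc["address"], "kms_key_arn missing or empty"))
        elif arn:
            parts = arn.split(":")
            if len(parts) < 6 or parts[2] != "kms" or parts[3] != region:
                findings.append((rc["address"], "not a KMS key ARN in " + region))
        # ForceNew replacement appears as delete and create on the same resource.
        if {"create", "delete"} <= set(change["actions"]) and not endpoint_updated:
            findings.append((rc["address"], "replaced without an endpoint update"))
    return findings

def sample_change(rtype, name, actions, after, unknown=None):
    """Build one constructed resource_changes entry with only the fields read above."""
    return {"address": f"{rtype}.{name}", "type": rtype,
            "change": {"actions": actions, "after": after, "after_unknown": unknown or {}}}

KEY = "arn:aws:kms:{}:123456789012:key/constructed-sample"  # constructed ARN
SAMPLE_PLAN = {"resource_changes": [
    sample_change(CONFIG, "no_key", ["create"], {"kms_key_arn": None}),
    sample_change(CONFIG, "computed", ["create"], {}, {"kms_key_arn": True}),
    sample_change(CONFIG, "other_region", ["create"], {"kms_key_arn": KEY.format("eu-west-1")}),
    sample_change(CONFIG, "rekeyed", ["delete", "create"], {"kms_key_arn": KEY.format("us-east-1")}),
]}

if __name__ == "__main__":
    for address, finding in check_plan(SAMPLE_PLAN, "us-east-1"):
        print(f"FAIL {address}: {finding}")
```

For a real plan, pass the parsed JSON produced by `terraform show -json` on a saved plan file in place of `SAMPLE_PLAN`.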

Audit evidence

Auditors expect Config rule results showing each AWS::SageMaker::EndpointConfig resource as COMPLIANT, confirming KmsKeyId is populated. The SageMaker console shows the KMS key ARN on each endpoint configuration's detail page and works as a screenshot artifact. CloudTrail should have sagemaker:CreateEndpointConfig events with the KmsKeyId parameter set. Cross-referencing the KMS key policy confirms it restricts usage to the intended SageMaker execution roles and that key rotation is enabled.

Framework-specific interpretation

SOC 2: CC6.1 and CC6.6 cover logical access security and encryption of data at rest. During a SOC 2 Type II examination, auditors ask to see documented encryption controls for data stores holding confidential information. A customer-managed KMS key on SageMaker endpoint volumes is the evidence that supports those criteria.

PCI DSS v4.0: For SageMaker endpoints that process or cache cardholder data during inference, Requirements 3.4 and 3.5 both apply: 3.4 says stored account data must be rendered unreadable, and 3.5 says cryptographic keys must be protected and managed securely. A customer-managed KMS key with a restricted key policy addresses both objectives.

HIPAA Omnibus Rule 2013: 164.312(a)(2)(iv) addresses encryption of ePHI at rest as an addressable implementation specification under the HIPAA Security Rule. For SageMaker endpoints handling health data, a customer-managed KMS key satisfies this specification and provides a clear artifact to document during an audit.

GDPR: Article 32 calls for appropriate technical measures to secure data in processing. Encrypting ML inference data at rest with a customer-controlled key limits exposure when underlying storage is accessed without authorization, supporting the data protection by design principle Article 25 establishes.

NIST SP 800-53 Rev 5: Customer-managed KMS encryption on endpoint volumes maps to both SC-28 and SC-12. SC-28 addresses unauthorized disclosure of data at rest; SC-12 covers cryptographic key establishment and management. A dedicated key with a scoped key policy satisfies both controls.

FedRAMP Moderate Baseline Rev 4: SC-28 covers protection of information at rest. FedRAMP Moderate expects encryption of sensitive federal data using FIPS 140-2 validated modules. AWS KMS operates FIPS-validated HSMs, so a customer-managed KMS key on SageMaker endpoint volumes satisfies this requirement.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: sagemaker_endpoint_configuration_encryption_at_rest_enabled
  • AWS Config Managed Rule: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
  • Checkov Check: CKV_AWS_98
  • Powerpipe Control: aws_compliance.control.sagemaker_endpoint_configuration_encryption_at_rest_enabled
  • KICS Query: 58b35504-0287-4154-bf69-02c0573deab8

Last reviewed: 2026-03-09
