SageMaker notebook instances should be encrypted using CMK
SageMaker notebook instances store ML models, training data, and exploratory code on attached EBS volumes. The default AWS managed key encrypts this data, but you cannot control its rotation schedule, define key policies, or audit its usage independently through CloudTrail. A CMK gives you direct control over who can decrypt the volume, lets you revoke access instantly by disabling the key, and produces a clear audit trail of every cryptographic operation.
Data science workloads frequently process sensitive datasets including PII, financial records, or healthcare information. Without CMK encryption, you lose the ability to enforce separation of duties between the team that provisions notebooks and the team that controls encryption keys.
Retrofit consideration
Changing the KMS key on an existing SageMaker notebook instance requires stopping the instance, and in some cases recreating it entirely. Terraform will force replacement if kms_key_id is added to an instance that was created without one.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_sagemaker_notebook_instance.
resource "aws_sagemaker_notebook_instance" "this" {
  instance_type   = "ml.t2.medium"
  name            = "pofix-abc123"
  role_arn        = "arn:aws:iam::123456789012:role/example-role"
  security_groups = ["sg-12345678"]
  subnet_id       = "subnet-12345678"
  kms_key_id      = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
What this control checks
The aws_sagemaker_notebook_instance resource must include kms_key_id set to the ARN of a customer managed KMS key. A configuration passes when kms_key_id is present and references a valid CMK ARN rather than an AWS managed key alias like alias/aws/sagemaker. It fails when kms_key_id is omitted or empty, which causes SageMaker to fall back to the default AWS managed key. The referenced key should exist as an aws_kms_key resource or data source with a key policy granting SageMaker kms:CreateGrant, kms:Decrypt, and kms:GenerateDataKey*.
Common pitfalls
Force replacement on existing instances
Terraform will destroy and recreate the notebook instance when you add kms_key_id to an existing resource. The local EBS volume data doesn't survive the replacement. Back up notebooks to S3 using lifecycle configurations before applying the change.
Key policy missing SageMaker grants
The CMK's key policy must allow SageMaker to use the key. If the policy lacks kms:CreateGrant for the sagemaker.amazonaws.com service principal (or the notebook execution role), instance creation fails with an access denied error even when kms_key_id is correctly set.
Using AWS managed key alias passes Terraform but fails control
Setting kms_key_id to alias/aws/sagemaker or the ARN of the AWS managed SageMaker key passes Terraform validation but fails this compliance control. The check specifically requires a customer managed key where KeyManager equals CUSTOMER.
Cross-region key references
KMS keys are region-specific. Reference a CMK ARN from a different region than the notebook instance and creation will fail. Make sure the aws_kms_key or aws_kms_alias data source targets the same region as the aws_sagemaker_notebook_instance.
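The following is an added example, not code from the original page: a customer managed key whose key policy grants the notebook execution role the kms:CreateGrant, kms:Decrypt and kms:GenerateDataKey* actions the control requires, plus a notebook instance that references the key by ARN rather than by the AWS managed alias. The role ARN, subnet, security group and instance name are the page's placeholders; the key alias and policy statement IDs are assumed.

```hcl
# Added example. Assumes the execution role already exists; the key alias
# and statement IDs below are placeholders chosen for this example.
data "aws_caller_identity" "current" {}

locals {
  notebook_role_arn = "arn:aws:iam::123456789012:role/example-role"
}

resource "aws_kms_key" "sagemaker" {
  description             = "CMK for SageMaker notebook instance EBS volumes"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Keeps the account's administrators able to manage the key itself.
        Sid       = "EnableKeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # The grants SageMaker needs to attach an encrypted EBS volume.
        Sid       = "AllowNotebookExecutionRoleToUseKey"
        Effect    = "Allow"
        Principal = { AWS = local.notebook_role_arn }
        Action    = ["kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey*"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "sagemaker" {
  name          = "alias/sagemaker-notebooks" # assumed alias, not alias/aws/sagemaker
  target_key_id = aws_kms_key.sagemaker.key_id
}

resource "aws_sagemaker_notebook_instance" "this" {
  name            = "pofix-abc123"
  instance_type   = "ml.t2.medium"
  role_arn        = local.notebook_role_arn
  security_groups = ["sg-12345678"]
  subnet_id       = "subnet-12345678"
  kms_key_id      = aws_kms_key.sagemaker.arn # CMK ARN in the same region as the instance
}
```

Because both the key and the notebook instance are declared in the same provider configuration, the cross-region pitfall above cannot occur, and the kms_key_id reference makes Terraform create the key before the instance.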
Audit evidence
Auditors expect AWS Config rule evaluation results showing all SageMaker notebook instances have a non-null KmsKeyId referencing a customer managed CMK. The aws sagemaker describe-notebook-instance CLI output for each instance should include the KmsKeyId field with a CMK ARN. Cross-referencing that ARN against aws kms describe-key should confirm KeyManager is CUSTOMER, not AWS.
CloudTrail logs for CreateNotebookInstance and UpdateNotebookInstance calls should show KmsKeyId in the request parameters. Compliance scan output from Prowler or Security Hub with the relevant check enabled works as continuous evidence between point-in-time reviews.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: sagemaker_notebook_instance_encrypted_with_kms_cmk
AWS Config Managed Rule: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
Checkov Checks: CKV_AWS_187, CKV_AWS_22
Powerpipe Control: aws_compliance.control.sagemaker_notebook_instance_encrypted_with_kms_cmk
Prowler Check: sagemaker_notebook_instance_encryption_enabled
KICS Query: f3674e0c-f6be-43fa-b71c-bf346d1aed99
Last reviewed: 2026-03-09