Mandate user to enable encryption during SageMaker notebook creation?

0

We would like to mandate users to enable KMS encryption while creating SageMaker notebooks. I would like to know of any methods, via policy or any other way.

Asked 2 years ago · 296 views
2 answers
0

If the user is creating the notebook from the console, the encryption is an optional field and we will not be able to enforce it. One alternative way to do this is to use the Boto3 API to create the notebook instance programmatically. This way we can check for the encryption or automatically add encryption fields.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sagemaker.html#SageMaker.Client.create_notebook_instance

AWS
Answered 2 years ago
0

Sorry I haven't been able to test this yet, but thought it was worth adding:

According to the IAM reference page for Amazon SageMaker, the sagemaker:CreateNotebookInstance action supports specifying the sagemaker:VolumeKmsKey condition key.

Therefore I believe you should be able to prevent users creating notebook instances by modifying their IAM permissions to only allow CreateNotebookInstance where VolumeKmsKey is provided. If you're new to the concept of condition keys in IAM, you can find more info here.

I would mention that even if this works as expected, the error message a user sees when they're prevented from creating the instance will be a pretty generic "Access denied" - so you'll need to educate them on the requirement for a good user experience.

AWS
Expert
Alex_T
Answered 2 years ago
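
The two approaches from the answers above, as an added example that is not part of either answer: an identity policy statement that denies `sagemaker:CreateNotebookInstance` when `sagemaker:VolumeKmsKey` is absent, and a guard around Boto3's `create_notebook_instance` that rejects or fills in a missing `KmsKeyId`. The names `create_encrypted_notebook` and `RecordingClient`, the `Sid`, and the ARNs are hypothetical placeholders, and the policy assumes the condition key behaves as the IAM reference describes.

```python
import json

# Sketch of the second answer: deny CreateNotebookInstance whenever the request
# carries no volume KMS key. The IAM "Null" operator evaluates to true when the
# condition key is absent from the request.
REQUIRE_VOLUME_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNotebookWithoutKmsKey",  # hypothetical Sid
        "Effect": "Deny",
        "Action": "sagemaker:CreateNotebookInstance",
        "Resource": "*",
        "Condition": {"Null": {"sagemaker:VolumeKmsKey": "true"}},
    }],
}


def create_encrypted_notebook(client, default_kms_key_id=None, **params):
    """Sketch of the first answer: check for KmsKeyId or add it automatically.

    client is a Boto3 SageMaker client (boto3.client("sagemaker")); it is
    passed in so the guard can be exercised without AWS credentials.
    """
    if not params.get("KmsKeyId"):
        if not default_kms_key_id:
            raise ValueError("KmsKeyId is required for notebook instances")
        params["KmsKeyId"] = default_kms_key_id  # add the encryption field
    return client.create_notebook_instance(**params)


class RecordingClient:
    """Constructed stand-in for the Boto3 client; it only records requests."""

    def __init__(self):
        self.calls = []

    def create_notebook_instance(self, **kwargs):
        self.calls.append(kwargs)
        return {"NotebookInstanceArn": "arn:aws:sagemaker:placeholder"}


if __name__ == "__main__":
    print(json.dumps(REQUIRE_VOLUME_KMS_POLICY, indent=2))
    demo = RecordingClient()
    create_encrypted_notebook(
        demo,
        default_kms_key_id="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
        NotebookInstanceName="demo", InstanceType="ml.t3.medium",
        RoleArn="arn:aws:iam::111122223333:role/ExampleRole")
    print(demo.calls[0]["KmsKeyId"])
```

The guard only covers callers that go through it; the deny statement is the part that applies to console and direct API requests made with the affected identities.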
