If the user is creating the notebook from the console the encryption is an optional field and we will not be able to enforce it. One alternate way to do this is to use the Boto3 API to create the notebook instance programmatically. This way we can check for the encryption or automatically add encryption fields.
Sorry I haven't been able to test this yet, but thought it was worth adding:
According to the IAM reference page for Amazon SageMaker, the sagemaker:CreateNotebookInstance action supports specifying the sagemaker:VolumeKmsKey condition key.
Therefore I believe you should be able to prevent users from creating notebook instances by modifying their IAM permissions to only allow CreateNotebookInstance where VolumeKmsKey is provided. If you're new to the concept of condition keys in IAM, you can find more info here.
I would mention that even if this works as expected, the error message a user sees when they're prevented from creating the instance will be a pretty generic "Access denied" - so you'll need to educate them on the requirement for a good user experience.
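An IAM policy that applies the condition key described in the answer above, added here as an example and not taken from the original answer. It relies on the `Null` condition operator: the `Allow` only matches when `sagemaker:VolumeKmsKey` is present in the request, and the explicit `Deny` blocks a request without it even if some other policy would otherwise allow the action.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowNotebookCreateOnlyWithVolumeKmsKey",
      "Effect": "Allow",
      "Action": "sagemaker:CreateNotebookInstance",
      "Resource": "*",
      "Condition": {
        "Null": {
          "sagemaker:VolumeKmsKey": "false"
        }
      }
    },
    {
      "Sid": "DenyNotebookCreateWithoutVolumeKmsKey",
      "Effect": "Deny",
      "Action": "sagemaker:CreateNotebookInstance",
      "Resource": "*",
      "Condition": {
        "Null": {
          "sagemaker:VolumeKmsKey": "true"
        }
      }
    }
  ]
}
```

To also restrict which key may be used, the same condition key can be compared against an approved key ARN with an `ArnEquals` condition instead of only checking for presence.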