By using AWS re:Post, you agree to the Terms of Use

Mandate user to enable encryption while Sagemaker notebook creation?


1.We would like to mandate user to enable KMS encryption while creating Sagemaker notebooks, I would like to know any methods via policy or any other way?

2 Answers

If the user is creating the notebook from the console the encryption is an optional field and we will not be able to enforce it. One alternate way to do this is to use the Boto3 API to create the notebook instance programatically. This way we can check for the encryption or automatically add encryption fields.

answered 18 days ago

Sorry I haven't been able to test this yet, but thought it was worth adding:

According to the IAM reference page for Amazon SageMaker, the sagemaker:CreateNotebookInstance action supports specifying the sagemaker:VolumeKmsKey condition key.

Therefore I believe you should be able to prevent users creating notebook instances by modifying their IAM permissions to only allow CreateNotebookInstance where VolumeKmsKey is provided. If you're new to the concept of condition keys in IAM, you can find more info here.

I would mention that even if this works as expected, the error message a user sees when they're prevented from creating the instance will be a pretty generic "Access denied" - so you'll need to educate them on the requirement for a good user experience.

answered 18 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions