- Newest
- Most votes
- Most comments
If the user is creating the notebook from the console the encryption is an optional field and we will not be able to enforce it. One alternate way to do this is to use the Boto3 API to create the notebook instance programatically. This way we can check for the encryption or automatically add encryption fields.
Sorry I haven't been able to test this yet, but thought it was worth adding:
According to the IAM reference page for Amazon SageMaker, the sagemaker:CreateNotebookInstance
action supports specifying the sagemaker:VolumeKmsKey
condition key.
Therefore I believe you should be able to prevent users creating notebook instances by modifying their IAM permissions to only allow CreateNotebookInstance
where VolumeKmsKey
is provided. If you're new to the concept of condition keys in IAM, you can find more info here.
I would mention that even if this works as expected, the error message a user sees when they're prevented from creating the instance will be a pretty generic "Access denied" - so you'll need to educate them on the requirement for a good user experience.
Relevant content
- asked a month ago
- asked 8 months ago
- Accepted Answer
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago