Amazon SageMaker notebook instances are assessed for at-rest encryption of their ML storage volumes using an AWS KMS key. The finding reflects whether a KmsKeyId is configured on the notebook instance; an instance with no KmsKeyId set fails the check.
Risk
Without at-rest encryption using a customer-managed KMS key, data on notebook EBS volumes and snapshots can be exposed via storage access, copied backups, or host compromise, reducing confidentiality and limiting key rotation and revocation controls.
prowler aws --checks sagemaker_notebook_instance_encryption_enabled
Recommendation
Use a customer-managed KMS key for notebook ML volumes by setting KmsKeyId at creation time, and apply KMS encryption to the S3 locations that hold the notebook's inputs and outputs. Enforce least privilege in the key policy and IAM policies that grant key usage, enable automatic key rotation, and treat key access as one layer of a defense-in-depth design for data at rest.
Remediation
- Open the AWS Console > Amazon SageMaker > Notebook instances
- Select the failing notebook instance and click Stop
- Click Create notebook instance
- Enter name, choose instance type and IAM role
- In Encryption key, select your KMS key
- Create the instance and verify it starts
- Migrate notebooks/data as needed (e.g., via S3)
- Delete the old unencrypted notebook instance
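The following Python is an added example of the check logic described above, not Prowler's own source. It evaluates the same condition (is a KmsKeyId present on the notebook instance?) over the response shapes of the boto3 sagemaker list_notebook_instances and describe_notebook_instance calls, and follows NextToken pagination so no instance is skipped. The client class, account id, ARNs and key id are constructed stand-ins so the example runs offline; swap in boto3.client("sagemaker") to run it against a real account. The FAIL findings it produces are the instances the remediation steps above apply to.

```python
"""Added example: evaluate SageMaker notebook instances for KMS at-rest encryption.

Not Prowler's source code. Uses the boto3 sagemaker response shapes for
list_notebook_instances / describe_notebook_instance; the client below is a
constructed offline stand-in.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    resource_id: str        # NotebookInstanceArn
    status: str             # "PASS" or "FAIL"
    status_extended: str    # human-readable explanation


def evaluate_notebook_instance(description: dict) -> Finding:
    """Return PASS when the describe_notebook_instance response carries a KmsKeyId."""
    arn = description["NotebookInstanceArn"]
    name = description["NotebookInstanceName"]
    # boto3 omits KmsKeyId entirely when no key is configured; an empty string is
    # treated the same way so neither shape slips through as a PASS.
    kms_key_id = description.get("KmsKeyId") or None
    if kms_key_id:
        return Finding(arn, "PASS",
                       f"SageMaker notebook instance {name} has ML volume encryption "
                       f"enabled with KMS key {kms_key_id}.")
    return Finding(arn, "FAIL",
                   f"SageMaker notebook instance {name} has no KmsKeyId configured "
                   f"for ML volume encryption.")


def audit_notebook_instances(client) -> list:
    """Walk list_notebook_instances (following NextToken) and evaluate each instance."""
    findings = []
    kwargs = {}
    while True:
        page = client.list_notebook_instances(**kwargs)
        for summary in page.get("NotebookInstances", []):
            desc = client.describe_notebook_instance(
                NotebookInstanceName=summary["NotebookInstanceName"])
            findings.append(evaluate_notebook_instance(desc))
        token = page.get("NextToken")
        if not token:
            return findings
        kwargs = {"NextToken": token}


class ConstructedSageMakerClient:
    """Offline stand-in for boto3.client('sagemaker'). All data here is constructed."""

    ACCOUNT = "123456789012"  # constructed account id
    REGION = "us-east-1"

    def __init__(self):
        base = f"arn:aws:sagemaker:{self.REGION}:{self.ACCOUNT}:notebook-instance/"
        self._instances = {
            "nb-encrypted": {
                "NotebookInstanceName": "nb-encrypted",
                "NotebookInstanceArn": base + "nb-encrypted",
                # constructed key id, not a real key
                "KmsKeyId": f"arn:aws:kms:{self.REGION}:{self.ACCOUNT}:key/"
                            "00000000-0000-0000-0000-000000000000",
            },
            "nb-plain": {           # no KmsKeyId at all, as boto3 would return it
                "NotebookInstanceName": "nb-plain",
                "NotebookInstanceArn": base + "nb-plain",
            },
            "nb-empty": {           # defensive case: key present but empty
                "NotebookInstanceName": "nb-empty",
                "NotebookInstanceArn": base + "nb-empty",
                "KmsKeyId": "",
            },
        }
        # Two pages so the NextToken handling is exercised.
        self._pages = [["nb-encrypted", "nb-plain"], ["nb-empty"]]

    def list_notebook_instances(self, NextToken=None, **_ignored):
        index = int(NextToken) if NextToken else 0
        page = {"NotebookInstances": [{"NotebookInstanceName": n} for n in self._pages[index]]}
        if index + 1 < len(self._pages):
            page["NextToken"] = str(index + 1)
        return page

    def describe_notebook_instance(self, NotebookInstanceName):
        return dict(self._instances[NotebookInstanceName])


def run_offline_demo() -> list:
    """Audit the constructed client; returns one Finding per notebook instance."""
    return audit_notebook_instances(ConstructedSageMakerClient())


if __name__ == "__main__":
    for finding in run_offline_demo():
        print(finding.status, finding.resource_id)
        print("   ", finding.status_extended)
```

Note that, like the Prowler check itself, this only tests for the presence of a KmsKeyId; it does not distinguish a customer-managed key from an AWS-managed one. If you need that distinction for the recommendation above, look up each key with the KMS DescribeKey API and inspect its KeyManager field.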
Resource Type
AwsSageMakerNotebookInstance