locals {
  # Tag set shared by every SageMaker control in this file: the
  # compliance-wide common tags plus the owning service name.
  conformance_pack_sagemaker_common_tags = merge(
    local.aws_compliance_common_tags,
    { service = "AWS/SageMaker" }
  )
}
control "sagemaker_notebook_instance_encrypted_with_kms_cmk" {
  # Stricter than sagemaker_notebook_instance_encryption_at_rest_enabled: the
  # backing query also requires the KMS key to be customer-managed.
  query       = query.sagemaker_notebook_instance_encrypted_with_kms_cmk
  title       = "SageMaker notebook instances should be encrypted using CMK"
  description = "This control checks if SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) instead of AWS managed-keys."

  # Not mapped to a named framework; surfaced only via the catch-all tag.
  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}
control "sagemaker_notebook_instance_direct_internet_access_disabled" {
  query       = query.sagemaker_notebook_instance_direct_internet_access_disabled
  title       = "SageMaker notebook instances should not have direct internet access"
  description = "Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access."

  # Framework mappings; map key order is irrelevant to merge().
  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    soc_2                                  = "true"
    rbi_cyber_security                     = "true"
    pci_dss_v321                           = "true"
    nist_csf                               = "true"
    nist_800_53_rev_5                      = "true"
    nist_800_53_rev_4                      = "true"
    nist_800_171_rev_2                     = "true"
    hipaa_security_rule_2003               = "true"
    hipaa_final_omnibus_security_rule_2013 = "true"
    gxp_21_cfr_part_11                     = "true"
    ffiec                                  = "true"
    fedramp_moderate_rev_4                 = "true"
    fedramp_low_rev_4                      = "true"
    cisa_cyber_essentials                  = "true"
    cis_controls_v8_ig1                    = "true"
  })
}
control "sagemaker_notebook_instance_encryption_at_rest_enabled" {
  query       = query.sagemaker_notebook_instance_encryption_at_rest_enabled
  title       = "SageMaker notebook instance encryption should be enabled"
  description = "To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook."

  # Framework mappings; map key order is irrelevant to merge().
  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    soc_2                                  = "true"
    rbi_cyber_security                     = "true"
    pci_dss_v321                           = "true"
    nist_csf                               = "true"
    nist_800_53_rev_5                      = "true"
    nist_800_53_rev_4                      = "true"
    nist_800_171_rev_2                     = "true"
    hipaa_security_rule_2003               = "true"
    hipaa_final_omnibus_security_rule_2013 = "true"
    gxp_eu_annex_11                        = "true"
    gxp_21_cfr_part_11                     = "true"
    gdpr                                   = "true"
    fedramp_moderate_rev_4                 = "true"
    fedramp_low_rev_4                      = "true"
    cisa_cyber_essentials                  = "true"
  })
}
control "sagemaker_endpoint_configuration_encryption_at_rest_enabled" {
  query       = query.sagemaker_endpoint_configuration_encryption_at_rest_enabled
  title       = "SageMaker endpoint configuration encryption should be enabled"
  description = "To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint."

  # Same framework set as the notebook at-rest control; key order is irrelevant.
  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    soc_2                                  = "true"
    rbi_cyber_security                     = "true"
    pci_dss_v321                           = "true"
    nist_csf                               = "true"
    nist_800_53_rev_5                      = "true"
    nist_800_53_rev_4                      = "true"
    nist_800_171_rev_2                     = "true"
    hipaa_security_rule_2003               = "true"
    hipaa_final_omnibus_security_rule_2013 = "true"
    gxp_eu_annex_11                        = "true"
    gxp_21_cfr_part_11                     = "true"
    gdpr                                   = "true"
    fedramp_moderate_rev_4                 = "true"
    fedramp_low_rev_4                      = "true"
    cisa_cyber_essentials                  = "true"
  })
}
control "sagemaker_model_in_vpc" {
  # Backed by a null check on vpc_config; no subnet or security-group
  # validation beyond presence.
  query       = query.sagemaker_model_in_vpc
  title       = "SageMaker models should be in a VPC"
  description = "Manage access to the AWS Cloud by ensuring SageMaker models are within an Amazon Virtual Private Cloud (Amazon VPC)."

  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}
control "sagemaker_model_network_isolation_enabled" {
  query       = query.sagemaker_model_network_isolation_enabled
  title       = "SageMaker models should have network isolation enabled"
  description = "SageMaker models are internet-enabled by default. Network isolation should be enabled to avoid external network access to your inference containers."

  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}
control "sagemaker_notebook_instance_in_vpc" {
  # VPC membership is inferred from subnet_id being set (see the query).
  query       = query.sagemaker_notebook_instance_in_vpc
  title       = "SageMaker notebook instances should be in a VPC"
  description = "Manage access to the AWS Cloud by ensuring SageMaker notebook instances are within an Amazon Virtual Private Cloud (Amazon VPC)."

  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}
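control "sagemaker_notebook_instance_root_access_disabled" {
  query       = query.sagemaker_notebook_instance_root_access_disabled
  title       = "SageMaker notebook instances root access should be disabled"
  # Fixed typo in the user-facing description ("recommeneded").
  description = "Users with root access have administrator privileges and users can access and edit all files on a notebook instance. It is recommended to disable root access to restrict users from accessing and editing all the files."

  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}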
control "sagemaker_training_job_in_vpc" {
  # Mirrors sagemaker_model_in_vpc against the training-job table.
  query       = query.sagemaker_training_job_in_vpc
  title       = "SageMaker training jobs should be in VPC"
  description = "Manage access to the AWS Cloud by ensuring SageMaker training jobs are within an Amazon Virtual Private Cloud (Amazon VPC)."

  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}
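control "sagemaker_training_job_inter_container_traffic_encryption_enabled" {
  query       = query.sagemaker_training_job_inter_container_traffic_encryption_enabled
  title       = "SageMaker training jobs should be enabled with inter-container traffic encryption"
  # Fixed typos in the user-facing description ("shoule", "in compliant").
  description = "Inter-container traffic encryption should be used to protect data that is transmitted between instances while performing distributed training. This control is compliant when inter-container traffic encryption is enabled."

  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}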
control "sagemaker_training_job_network_isolation_enabled" {
  # Mirrors sagemaker_model_network_isolation_enabled for training jobs.
  query       = query.sagemaker_training_job_network_isolation_enabled
  title       = "SageMaker training jobs should have network isolation enabled"
  description = "SageMaker training jobs are internet-enabled by default. Network isolation should be enabled to avoid external network access to your training."

  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}
control "sagemaker_training_job_volume_and_data_encryption_enabled" {
  # NOTE(review): the backing query inspects only the output-data KMS key;
  # the title also claims volumes are covered — confirm the query's scope.
  query       = query.sagemaker_training_job_volume_and_data_encryption_enabled
  title       = "SageMaker training jobs volumes and outputs should have KMS encryption enabled"
  description = "Ensure that SageMaker training jobs have volumes and outputs with KMS encryption enabled in order to have a more granular control over the data-at-rest encryption/decryption process and to meet compliance requirements."

  tags = merge(local.conformance_pack_sagemaker_common_tags, {
    other_checks = "true"
  })
}
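query "sagemaker_notebook_instance_encrypted_with_kms_cmk" {
  # Joins each notebook's kms_key_id to aws_kms_key so key_manager can
  # distinguish a customer-managed key ('CUSTOMER') from an AWS-managed one.
  # An instance with no key at all is an alarm; a key that fails to join
  # (k.key_manager null) falls through to the CMK-disabled alarm.
  # NOTE(review): the join matches on k.arn, so it assumes kms_key_id holds a
  # key ARN; if the column holds a bare key ID the join misses and a
  # CMK-encrypted instance is reported as alarm — confirm the column format.
  # kms_key_id is qualified with "i." so the query stays unambiguous if the
  # joined table ever gains a column of the same name.
  sql = <<-EOQ
    select
      i.arn as resource,
      case
        when i.kms_key_id is null then 'alarm'
        when k.key_manager = 'CUSTOMER' then 'ok'
        else 'alarm'
      end as status,
      case
        when i.kms_key_id is null then i.title || ' encryption disabled.'
        when k.key_manager = 'CUSTOMER' then i.title || ' encryption at rest with CMK enabled.'
        else i.title || ' encryption at rest with CMK disabled.'
      end as reason
      ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
    from
      aws_sagemaker_notebook_instance as i
      left join aws_kms_key as k on k.arn = i.kms_key_id;
  EOQ
}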
query "sagemaker_notebook_instance_direct_internet_access_disabled" {
  # Alarm only when direct_internet_access is exactly 'Enabled'; every other
  # value, including null, lands in the else branch and reports ok.
  # NOTE(review): that makes a null column fail-open — confirm the column is
  # always populated.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when direct_internet_access = 'Enabled' then 'alarm'
        else 'ok'
      end as status,
      case
        when direct_internet_access = 'Enabled' then title || ' direct internet access enabled.'
        else title || ' direct internet access disabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_notebook_instance;
  EOQ
}
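query "sagemaker_notebook_instance_encryption_at_rest_enabled" {
  # Alarm when the notebook has no KMS key. The reason text previously had
  # the two branches swapped (a missing key produced "... enabled"); it now
  # matches the status column and the wording/punctuation of the sibling
  # endpoint-configuration query.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when kms_key_id is null then 'alarm'
        else 'ok'
      end as status,
      case
        when kms_key_id is null then title || ' encryption at rest disabled.'
        else title || ' encryption at rest enabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_notebook_instance;
  EOQ
}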
query "sagemaker_endpoint_configuration_encryption_at_rest_enabled" {
  # An endpoint configuration without a kms_key_id is an alarm; any key
  # (managed or customer) counts as ok — key ownership is not checked here.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when kms_key_id is not null then 'ok'
        else 'alarm'
      end as status,
      case
        when kms_key_id is not null then title || ' encryption at rest enabled.'
        else title || ' encryption at rest disabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_endpoint_configuration;
  EOQ
}
query "sagemaker_model_in_vpc" {
  # Presence of vpc_config is the only signal used; its contents are not
  # inspected.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when vpc_config is null then 'alarm'
        else 'ok'
      end as status,
      case
        when vpc_config is null then title || ' not in VPC.'
        else title || ' in VPC.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_model;
  EOQ
}
query "sagemaker_model_network_isolation_enabled" {
  # "is true" keeps a null enable_network_isolation in the alarm branch,
  # exactly as a bare boolean predicate would.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when enable_network_isolation is true then 'ok'
        else 'alarm'
      end as status,
      case
        when enable_network_isolation is true then title || ' network isolation enabled.'
        else title || ' network isolation disabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_model;
  EOQ
}
query "sagemaker_notebook_instance_in_vpc" {
  # A notebook instance is treated as VPC-attached when subnet_id is set.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when subnet_id is null then 'alarm'
        else 'ok'
      end as status,
      case
        when subnet_id is null then title || ' not in VPC.'
        else title || ' in VPC.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_notebook_instance;
  EOQ
}
query "sagemaker_notebook_instance_root_access_disabled" {
  # Only the literal 'Disabled' is ok; any other value (or null) is an
  # alarm, so the check fails closed.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when root_access = 'Disabled' then 'ok'
        else 'alarm'
      end as status,
      case
        when root_access = 'Disabled' then title || ' root access disabled.'
        else title || ' root access enabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_notebook_instance;
  EOQ
}
query "sagemaker_training_job_in_vpc" {
  # Same presence test as sagemaker_model_in_vpc, on the training-job table.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when vpc_config is null then 'alarm'
        else 'ok'
      end as status,
      case
        when vpc_config is null then title || ' not in VPC.'
        else title || ' in VPC.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_training_job;
  EOQ
}
query "sagemaker_training_job_inter_container_traffic_encryption_enabled" {
  # "is true" keeps a null flag in the alarm branch, as the bare predicate does.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when enable_inter_container_traffic_encryption is true then 'ok'
        else 'alarm'
      end as status,
      case
        when enable_inter_container_traffic_encryption is true then title || ' inter-container traffic encryption enabled.'
        else title || ' inter-container traffic encryption disabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_training_job;
  EOQ
}
query "sagemaker_training_job_network_isolation_enabled" {
  # "is true" keeps a null flag in the alarm branch, as the bare predicate does.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when enable_network_isolation is true then 'ok'
        else 'alarm'
      end as status,
      case
        when enable_network_isolation is true then title || ' network isolation enabled.'
        else title || ' network isolation disabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_training_job;
  EOQ
}
query "sagemaker_training_job_volume_and_data_encryption_enabled" {
  # A missing or empty output_data_config.KmsKeyId is an alarm; coalesce
  # folds the "is null or = ''" test into one comparison.
  # NOTE(review): only the output-data key is inspected here; the volume
  # key (VolumeKmsKeyId in the SageMaker ResourceConfig API) is not, although
  # the control title and reason text mention volumes — confirm intended scope.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when coalesce(output_data_config ->> 'KmsKeyId', '') = '' then 'alarm'
        else 'ok'
      end as status,
      case
        when coalesce(output_data_config ->> 'KmsKeyId', '') = '' then title || ' volume and output data encryption disabled.'
        else title || ' volume and output data encryption enabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_sagemaker_training_job;
  EOQ
}