feat(sagemaker): add sagemaker_endpoint_config_kms_encryption_enabled check (#11797)#11838
feat(sagemaker): add sagemaker_endpoint_config_kms_encryption_enabled check (#11797)#11838goutham-hari wants to merge 2 commits into
Conversation
… check This adds a check to ensure SageMaker Endpoint Configurations are encrypted with a KMS key.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAdds a new AWS SageMaker check for endpoint configuration KMS encryption, extends the service model to capture ChangesSageMaker KMS Encryption Check
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant SageMakerService
participant Check as sagemaker_endpoint_config_kms_encryption_enabled
participant Report as Check_Report_AWS
SageMakerService->>SageMakerService: _describe_endpoint_config sets kms_key_id
Check->>SageMakerService: read sagemaker_client.endpoint_configs
Check->>Report: create report per endpoint_config
Check->>Check: evaluate kms_key_id
Check->>Report: set status PASS or FAIL
Check->>Check: return list of reports
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
✅ No Conflicts No conflict markers, and the branch merges cleanly into its base. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled.metadata.json`:
- Around line 22-28: The Remediation.Code.CLI field is empty in the SageMaker
endpoint config metadata, so add a non-empty AWS CLI remediation command that
matches the existing NativeIaC/Terraform guidance, using the relevant SageMaker
create-endpoint-config flow with KMS key support. Also ensure
Remediation.Recommendation.Text is present and non-empty, and keep the CLI text
aligned with the remediation intent already expressed in the Other, NativeIaC,
and Terraform blocks.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: f0d34913-1fd0-493b-a5b9-6448215a3b46
📒 Files selected for processing (5)
prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/__init__.pyprowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled.metadata.jsonprowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled.pyprowler/providers/aws/services/sagemaker/sagemaker_service.pytests/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled_test.py
Description
This PR introduces a new check,
sagemaker_endpoint_config_kms_encryption_enabled, to ensure that SageMaker Endpoint Configurations have KMS encryption enabled, resolving issue #11797.Motivation and Context
SageMaker Endpoint Configurations may store sensitive data. Encrypting the ML storage volumes with a customer-managed KMS key provides better security and control over the data at rest compared to default AWS-managed encryption.
Changes Made
sagemaker_service.py:kms_key_idproperty to theEndpointConfigmodel._describe_endpoint_configmethod to fetch and storeKmsKeyIdwhen retrieving the Endpoint Config details.sagemaker_endpoint_config_kms_encryption_enabledCheck:kms_key_idis present on each Endpoint Config.PASSorFAILfindings accordingly.Severity: mediumwith associated remediations.sagemaker_endpoint_config_kms_encryption_enabled_test.pyutilizing mocking for empty configs, configs with KMS keys, and configs without KMS keys.sagemaker_service_test.py.Related Issue
Fixes #11797
Summary by CodeRabbit