Skip to content

feat(sagemaker): add sagemaker_endpoint_config_kms_encryption_enabled check (#11797)#11838

Open
goutham-hari wants to merge 2 commits into
prowler-cloud:masterfrom
goutham-hari:sagemaker-endpoint-config-kms
Open

feat(sagemaker): add sagemaker_endpoint_config_kms_encryption_enabled check (#11797)#11838
goutham-hari wants to merge 2 commits into
prowler-cloud:masterfrom
goutham-hari:sagemaker-endpoint-config-kms

Conversation

@goutham-hari

@goutham-hari goutham-hari commented Jul 4, 2026

Copy link
Copy Markdown

Description

This PR introduces a new check, sagemaker_endpoint_config_kms_encryption_enabled, to ensure that SageMaker Endpoint Configurations have KMS encryption enabled, resolving issue #11797.

Motivation and Context

SageMaker Endpoint Configurations may store sensitive data. Encrypting the ML storage volumes with a customer-managed KMS key provides better security and control over the data at rest compared to default AWS-managed encryption.

Changes Made

  • Extended sagemaker_service.py:
    • Added kms_key_id property to the EndpointConfig model.
    • Updated the _describe_endpoint_config method to fetch and store KmsKeyId when retrieving the Endpoint Config details.
  • Implemented sagemaker_endpoint_config_kms_encryption_enabled Check:
    • Validates if the kms_key_id is present on each Endpoint Config.
    • Generates PASS or FAIL findings accordingly.
    • Included a metadata definition specifying Severity: medium with associated remediations.
  • Automated Tests:
    • Developed test coverage in sagemaker_endpoint_config_kms_encryption_enabled_test.py utilizing mocking for empty configs, configs with KMS keys, and configs without KMS keys.
    • Verified no regression in sagemaker_service_test.py.

Related Issue

Fixes #11797

Summary by CodeRabbit

  • New Features
    • Added a SageMaker endpoint configuration security check to ensure KMS encryption at rest is enabled via a configured KMS key.
    • SageMaker endpoint details now retain the associated KMS key so the check can report encryption status per endpoint configuration.
  • Tests
    • Added tests for no endpoint configs, KMS-enabled configs (PASS), and missing KMS configs (FAIL), including expected status details and resource identifiers.
  • Documentation
    • Added check metadata with guidance and remediation examples.

… check

This adds a check to ensure SageMaker Endpoint Configurations are encrypted with a KMS key.
@goutham-hari goutham-hari requested a review from a team as a code owner July 4, 2026 01:54
@github-actions github-actions Bot added provider/aws Issues/PRs related with the AWS provider metadata-review labels Jul 4, 2026
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d775ef76-852a-4e5e-96ab-84045eb9b277

📥 Commits

Reviewing files that changed from the base of the PR and between 4cf0c7a and 4a2fe78.

📒 Files selected for processing (1)
  • prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled.metadata.json

📝 Walkthrough

Walkthrough

Adds a new AWS SageMaker check for endpoint configuration KMS encryption, extends the service model to capture KmsKeyId, and adds metadata and tests for PASS/FAIL behavior.

Changes

SageMaker KMS Encryption Check

Layer / File(s) Summary
Service model KMS key capture
prowler/providers/aws/services/sagemaker/sagemaker_service.py
EndpointConfig gains an optional kms_key_id field, populated from KmsKeyId during _describe_endpoint_config.
Check implementation and metadata
prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/...
New check class iterates endpoint configs, reports PASS when kms_key_id is set and FAIL otherwise, with accompanying metadata JSON and package init file.
Test coverage for new check
tests/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled_test.py
Tests validate no results for empty configs, PASS results when kms_key_id is set, and FAIL results when it is missing.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant SageMakerService
  participant Check as sagemaker_endpoint_config_kms_encryption_enabled
  participant Report as Check_Report_AWS

  SageMakerService->>SageMakerService: _describe_endpoint_config sets kms_key_id
  Check->>SageMakerService: read sagemaker_client.endpoint_configs
  Check->>Report: create report per endpoint_config
  Check->>Check: evaluate kms_key_id
  Check->>Report: set status PASS or FAIL
  Check->>Check: return list of reports
Loading

Suggested reviewers: danibarranqueroo

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly names the new SageMaker KMS-encryption check and matches the PR's main change.
Description check ✅ Passed The description covers context, implementation, and the related issue, though it omits the template's review steps and checklist.
Linked Issues check ✅ Passed The PR implements the requested SageMaker endpoint config KmsKeyId check, severity, and PASS/FAIL behavior for #11797.
Out of Scope Changes check ✅ Passed The changes stay focused on the new SageMaker check, its supporting service field, metadata, and tests with no clear extras.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the community Opened by the Community label Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

No Conflicts

No conflict markers, and the branch merges cleanly into its base.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled.metadata.json`:
- Around line 22-28: The Remediation.Code.CLI field is empty in the SageMaker
endpoint config metadata, so add a non-empty AWS CLI remediation command that
matches the existing NativeIaC/Terraform guidance, using the relevant SageMaker
create-endpoint-config flow with KMS key support. Also ensure
Remediation.Recommendation.Text is present and non-empty, and keep the CLI text
aligned with the remediation intent already expressed in the Other, NativeIaC,
and Terraform blocks.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f0d34913-1fd0-493b-a5b9-6448215a3b46

📥 Commits

Reviewing files that changed from the base of the PR and between efb86bb and 4cf0c7a.

📒 Files selected for processing (5)
  • prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/__init__.py
  • prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled.metadata.json
  • prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled.py
  • prowler/providers/aws/services/sagemaker/sagemaker_service.py
  • tests/providers/aws/services/sagemaker/sagemaker_endpoint_config_kms_encryption_enabled/sagemaker_endpoint_config_kms_encryption_enabled_test.py

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

community Opened by the Community metadata-review new-check provider/aws Issues/PRs related with the AWS provider

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[New Check]: Ensure SageMaker endpoint configurations use KMS encryption

2 participants