AWS Security ChangesHomeSearch

AWS sagemaker medium security documentation change

Service: sagemaker · 2025-08-25 · Security-related medium

File: sagemaker/latest/dg/hyperpod-custom-ami-how-to.md

Summary

Added clarification that HyperPod cluster's EBS root volume must be encrypted with the same customer managed KMS key as the custom AMI

Security assessment

The change enforces consistent encryption practices by requiring the same KMS key for both the AMI and EBS root volume. This prevents potential misconfigurations where unencrypted volumes could expose sensitive data. The explicit instruction mitigates risks of accidental data leakage due to inconsistent encryption settings.

Diff

diff --git a/sagemaker/latest/dg/hyperpod-custom-ami-how-to.md b/sagemaker/latest/dg/hyperpod-custom-ami-how-to.md
index ab4d3e75e..9ddd8b7a9 100644
--- a//sagemaker/latest/dg/hyperpod-custom-ami-how-to.md
+++ b//sagemaker/latest/dg/hyperpod-custom-ami-how-to.md
@@ -68 +68 @@ After you have selected a SageMaker HyperPod public AMI, use that as the base AM
-The following sections describe how to build a custom AMI with a customer managed AWS KMS key to encrypt your HyperPod cluster volumes. For more information about customer managed keys in HyperPod and granting the required IAM and KMS key policy permissions, see [Customer managed AWS KMS key encryption for SageMaker HyperPod](./smcluster-cmk.html).
+The following sections describe how to build a custom AMI with a customer managed AWS KMS key to encrypt your HyperPod cluster volumes. For more information about customer managed keys in HyperPod and granting the required IAM and KMS key policy permissions, see [Customer managed AWS KMS key encryption for SageMaker HyperPod](./smcluster-cmk.html). If you plan to use a custom AMI that is encrypted with a customer managed key, ensure that you also encrypt your HyperPod cluster's Amazon EBS root volume with the same key.