AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2025-08-28 · Documentation low

File: sagemaker/latest/dg/encryption-at-rest.md

Summary

Rewrote encryption documentation to clarify default AWS-managed key usage and cross-account requirements. Added explicit list of features using SSE-S3 by default.

Security assessment

The changes clarify encryption implementation details but do not address a specific security vulnerability. The update improves documentation about existing security controls (encryption at rest) without indicating any newly discovered issue.

Diff

diff --git a/sagemaker/latest/dg/encryption-at-rest.md b/sagemaker/latest/dg/encryption-at-rest.md
index f831804be..2891e9d35 100644
--- a//sagemaker/latest/dg/encryption-at-rest.md
+++ b//sagemaker/latest/dg/encryption-at-rest.md
@@ -7 +7,3 @@
-To protect your Amazon SageMaker Studio notebooks and SageMaker notebook instances, along with your model-building data and model artifacts, SageMaker AI encrypts the notebooks, as well as output from Training and Batch Transform jobs. SageMaker AI encrypts these by default using the AWS Managed Key for Amazon S3. This AWS Managed Key for Amazon S3 cannot be shared for cross-account access. For cross-account access, specify your customer managed key while creating SageMaker AI resources so that it can be shared for cross-account access. For data output to Amazon S3 Express One Zone, the data is encrypted with server-side encryption with Amazon S3 managed keys (SSE-S3). The data output to Amazon S3 directory buckets can't be encrypted with server-side encryption with AWS Key Management Service keys (SSE-KMS). For more information on AWS KMS, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html).
+Amazon SageMaker AI automatically encrypts your data using an AWS managed key for Amazon S3 (SSE-S3) by default for the following features: Studio notebooks, notebook instances, model-building data, model artifacts, and output from Training, Batch Transform, and Processing jobs.
+
+For cross-account access, you must specify your own customer managed key when creating SageMaker AI resources, as the default AWS managed key for Amazon S3 can't be shared across accounts. For data output to Amazon S3 Express One Zone, the data is encrypted using server-side encryption with Amazon S3 managed keys (SSE-S3). Additionally, data output to Amazon S3 directory buckets can't be encrypted with server-side encryption using AWS Key Management Service keys (SSE-KMS). For more information on AWS KMS, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html)