AWS sagemaker documentation change
Summary
Clarified KMS key usage for EBS volume encryption, added configuration comments, and specified requirements when using different keys for root/instance storage volumes
Security assessment
The changes provide clearer documentation about encryption key management options (customer-managed vs AWS-owned keys) and emphasize proper KMS key policy configuration when using multiple keys. While this relates to security best practices, there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/sagemaker/latest/dg/hyperpod-custom-ami-cluster-management.md b/sagemaker/latest/dg/hyperpod-custom-ami-cluster-management.md index d18c67f1a..3c43c1de5 100644 --- a//sagemaker/latest/dg/hyperpod-custom-ami-cluster-management.md +++ b//sagemaker/latest/dg/hyperpod-custom-ami-cluster-management.md @@ -121 +121 @@ Customer managed key example -The following example shows how to create a cluster with a custom AMI while specifying your own AWS KMS customer managed key for encrypting the cluster's Amazon EBS volumes. If your custom AMI is encrypted with a customer managed key, ensure that you specify the same key for the root volume encryption. +The following example shows how to create a cluster with a custom AMI while specifying your own AWS KMS customer managed key for encrypting the cluster's Amazon EBS volumes. It is possible to specify different customer managed keys for the root volume and the instance storage volume. If you don't use customer managed keys in the `InstanceStorageConfigs` field, then an AWS owned KMS key is used to encrypt the volumes. If you use different keys for the root volume and secondary instance storage volumes, then set the required KMS key policies on both of your keys. @@ -139,0 +140 @@ The following example shows how to create a cluster with a custom AMI while spec + # Root volume configuration @@ -145,0 +147 @@ The following example shows how to create a cluster with a custom AMI while spec + # Instance storage volume configuration @@ -197 +199 @@ Customer managed key example -The following example shows how to update and scale up your cluster with a custom AMI while specifying your own AWS KMS customer managed key for encrypting the cluster's Amazon EBS volumes. If your custom AMI is encrypted with a customer managed key, ensure that you specify the same key for the root volume encryption. +The following example shows how to update and scale up your cluster with a custom AMI while specifying your own AWS KMS customer managed key for encrypting the cluster's Amazon EBS volumes. It is possible to specify different customer managed keys for the root volume and the instance storage volume. If you don't use customer managed keys in the `InstanceStorageConfigs` field, then an AWS owned KMS key is used to encrypt the volumes. If you use different keys for the root volume and secondary instance storage volumes, then set the required KMS key policies on both of your keys. @@ -212,0 +215 @@ The following example shows how to update and scale up your cluster with a custo + # Root volume configuration @@ -218,0 +222 @@ The following example shows how to update and scale up your cluster with a custo + # Instance storage volume configuration