AWS sagemaker documentation change
Summary
Added note about KMS key consistency requirements and necessary IAM permissions when encrypting models.
Security assessment
Documents security requirements for KMS key usage across operations but doesn't reference patched vulnerabilities. Adds security best practice documentation.
Diff
diff --git a/sagemaker/latest/dg/nova-model.md b/sagemaker/latest/dg/nova-model.md index fa7feb5ae..7859b3351 100644 --- a//sagemaker/latest/dg/nova-model.md +++ b//sagemaker/latest/dg/nova-model.md @@ -14,0 +15,8 @@ SageMaker AI offers two environments for customizing Amazon Nova models. +###### Note + +If you provide a KMS key to your Nova model customization training job for encryption in the Amazon-owned output S3 bucket: + + * You must provide the same KMS key when calling subsequent [iterative training jobs](https://docs.aws.amazon.com//sagemaker/latest/dg/nova-iterative-training.html), or when calling the [CreateCustomModel](https://docs.aws.amazon.com//bedrock/latest/APIReference/API_CreateCustomModel.html#bedrock-CreateCustomModel-request-modelKmsKeyArn) API leveraging the encrypted model. + + * The identity calling the `CreateTrainingJob` API (rather than the execution role) must have permissions to `CreateGrant`, `RetireGrant`, `Encrypt`, and `GenerateDataKey` as defined in KMS key policy. +