AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2026-06-07 · Documentation low

File: sagemaker/latest/dg/model-customize-mtrl-encryption-at-rest.md

Summary

Removed note about unsupported encryption context and added DescribeKey action to CloudTrail monitoring list

Security assessment

The removal of the encryption context limitation note might indicate feature changes but doesn't explicitly address security vulnerabilities. The addition of DescribeKey logging enhances security documentation by clarifying audit capabilities for KMS key access monitoring, which helps with security compliance and forensics.

Diff

diff --git a/sagemaker/latest/dg/model-customize-mtrl-encryption-at-rest.md b/sagemaker/latest/dg/model-customize-mtrl-encryption-at-rest.md
index 5489725a5..81dc075bb 100644
--- a//sagemaker/latest/dg/model-customize-mtrl-encryption-at-rest.md
+++ b//sagemaker/latest/dg/model-customize-mtrl-encryption-at-rest.md
@@ -202,4 +201,0 @@ Use the `aws:SourceArn` or `aws:SourceAccount` condition keys in your KMS key po
-###### Note
-
-Customer-supplied encryption context is not supported. You can use the platform-defined encryption context keys in your KMS key policy to scope down access to specific jobs.
-
@@ -215,0 +212,2 @@ You can use AWS CloudTrail to monitor AWS KMS API calls made on behalf of your m
+  * `DescribeKey` – Logged when the job describes the KMS key for validation.
+