Nilesh Kumar

A source of confusion many times- skimmed information from various resources: Key Type Rotation Expiration AWS managed CMK (format  aws /service-name) Required, automatically rotated every three years (1095 days). No manual process. No AWS owned CMKs (Customer Managed Keys) Optional, if enabled, rotated every one year (365 days). The Key Rotation option only appears if  Origin  under Cryptographic configuration is  AWS_KMS No AWS owned CMKs (aka imported keys)/ BYOK Manual. No automatic rotation for asymmetric CMKs, CMKs with imported material or CMKs with custom key stores Yes References: https://aws.amazon.com/kms/ faqs/ https://docs.aws.amazon.com/ kms/latest/developerguide/ concepts.html https://docs.aws.amazon.com/ kms/latest/developerguide/ rotate-keys.html

We are going to look into some best security architecture of AWS Sagemaker. By default AWS Sagemker is a managed service and everything is managed by the AWS, and not the customer. We'll talk about Artifact management and availability patterns, in this part. Image courtesy- AWS Artifact management patterns:   1. The DS should not be able to download packages from Internet, but only from private repos. 2. All model artifacts should be versioned and archived by enabling S3 versioning 3. Use version control systems and repository management for all artifacts   Auditability patterns: 1. All Sagemaker API calls are logged in ASW Cloudtrail. 2.  Cloudtrail S3 data events should be enabled for S3 data and model artifacts auditing. 3. Anytime user launch Notebook, tag that infrastructure for tracking purposes. Sample deployment: