
AWS::SageMaker::FeatureGroup OnlineStoreSecurityConfig

The security configuration for OnlineStore.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


JSON

{
  "KmsKeyId" : String
}

YAML

KmsKeyId: String

Properties

KmsKeyId

The Amazon Key Management Service (KMS) key ARN that SageMaker Feature Store uses to encrypt the Amazon S3 objects at rest using Amazon S3 server-side encryption.

The caller (either user or IAM role) of CreateFeatureGroup must have the following permissions to the OnlineStore KmsKeyId:

  • "kms:Encrypt"

  • "kms:Decrypt"

  • "kms:DescribeKey"

  • "kms:CreateGrant"

  • "kms:RetireGrant"

  • "kms:ReEncryptFrom"

  • "kms:ReEncryptTo"

  • "kms:GenerateDataKey"

  • "kms:ListAliases"

  • "kms:ListGrants"

  • "kms:RevokeGrant"

The caller (either user or IAM role) of all DataPlane operations (PutRecord, GetRecord, DeleteRecord) must have the following permissions to the KmsKeyId:

  • "kms:Decrypt"

Required: No

Type: String

Maximum: 2048

Update requires: Replacement
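
The following template is an added example, not part of the AWS documentation: it sets KmsKeyId on a feature group and splits the permissions listed above into one policy for the CreateFeatureGroup caller and one for data-plane callers. The parameter name, logical IDs, feature group name and feature names are hypothetical; kms:ListAliases is placed in its own statement with Resource "*" because IAM does not scope that action to a single key.

```yaml
# Added example. Parameter name, logical IDs and feature names are hypothetical.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OnlineStoreKeyArn:
    Type: String
    MaxLength: 2048   # matches the documented maximum for KmsKeyId
Resources:
  # Attach to the principal that calls CreateFeatureGroup (for example, the deploy role).
  CreatorKmsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Resource: !Ref OnlineStoreKeyArn
            Action: ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant",
                     "kms:RetireGrant", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                     "kms:GenerateDataKey", "kms:ListGrants", "kms:RevokeGrant"]
          # kms:ListAliases is not tied to one key, so it cannot use the key ARN as Resource.
          - Effect: Allow
            Resource: "*"
            Action: "kms:ListAliases"
  # Attach to principals that only call PutRecord, GetRecord or DeleteRecord.
  DataPlaneKmsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Resource: !Ref OnlineStoreKeyArn
            Action: "kms:Decrypt"
  ExampleFeatureGroup:
    Type: AWS::SageMaker::FeatureGroup
    Properties:
      FeatureGroupName: example-feature-group
      RecordIdentifierFeatureName: record_id
      EventTimeFeatureName: event_time
      FeatureDefinitions:
        - { FeatureName: record_id, FeatureType: String }
        - { FeatureName: event_time, FeatureType: String }
      OnlineStoreConfig:
        EnableOnlineStore: true
        SecurityConfig:
          KmsKeyId: !Ref OnlineStoreKeyArn
```

Because KmsKeyId is marked Update requires: Replacement, changing the parameter value on an existing stack replaces the feature group.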