Protect Data at Rest Using Encryption - Amazon SageMaker AI

Protect Data at Rest Using Encryption

Amazon SageMaker AI automatically encrypts your data using an Amazon managed key for Amazon S3 (SSE-S3) by default for the following features: Studio notebooks, notebook instances, model-building data, model artifacts, and output from Training, Batch Transform, and Processing jobs.

For cross-account access, you must specify your own customer managed key when creating SageMaker AI resources, as the default Amazon managed key for Amazon S3 can't be shared across accounts. For data output to Amazon S3 Express One Zone, the data is encrypted using server-side encryption with Amazon S3 managed keys (SSE-S3). Additionally, data output to Amazon S3 directory buckets can't be encrypted with server-side encryption using Amazon Key Management Service keys (SSE-KMS). For more information on Amazon KMS, see What is Amazon Key Management Service?
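The two constraints above can be checked before a job is submitted. The following is an added example, not code from the SageMaker AI documentation: it lints the `OutputDataConfig` of a `CreateTrainingJob`-style request dictionary. The function name, finding codes, the `cross_account` flag (assumed to be known to the caller), and all sample bucket names and key ARNs are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# S3 directory bucket names (S3 Express One Zone) end in "--<zone-id>--x-s3".
DIRECTORY_BUCKET = re.compile(r"--[a-z0-9-]+--x-s3$")
# Alias of the provider-managed KMS key for S3; it is not a customer managed key.
MANAGED_S3_ALIAS = "alias/aws/s3"


def check_output_encryption(request, cross_account):
    """Return finding codes for the OutputDataConfig of a request dict.

    cross_account: True when the output must be readable from another
    account (assumption: the caller knows this; it is not derived here).
    """
    findings = []
    out = request.get("OutputDataConfig", {})
    bucket = urlparse(out.get("S3OutputPath", "")).netloc
    kms_key = out.get("KmsKeyId") or ""

    # Directory buckets cannot use SSE-KMS, so a KMS key here is a misconfiguration.
    if DIRECTORY_BUCKET.search(bucket) and kms_key:
        findings.append("KMS_KEY_ON_DIRECTORY_BUCKET")
    # Cross-account access needs a customer managed key; the default cannot be shared.
    if cross_account and not kms_key:
        findings.append("CROSS_ACCOUNT_WITHOUT_CMK")
    if cross_account and kms_key.endswith(MANAGED_S3_ALIAS):
        findings.append("CROSS_ACCOUNT_WITH_MANAGED_KEY")
    return findings


# Constructed sample data: placeholder key ARN and bucket names.
CMK = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"
GENERAL = "s3://example-training-output/run-1/"
DIRECTORY = "s3://example-output--usw2-az1--x-s3/run-1/"
SAMPLES = {
    "same-account default": ({"OutputDataConfig": {"S3OutputPath": GENERAL}}, False),
    "cross-account, no key": ({"OutputDataConfig": {"S3OutputPath": GENERAL}}, True),
    "cross-account, CMK": (
        {"OutputDataConfig": {"S3OutputPath": GENERAL, "KmsKeyId": CMK}}, True),
    "directory bucket, CMK": (
        {"OutputDataConfig": {"S3OutputPath": DIRECTORY, "KmsKeyId": CMK}}, False),
}

if __name__ == "__main__":
    for name, (req, cross) in SAMPLES.items():
        print(f"{name}: {check_output_encryption(req, cross) or 'ok'}")
```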