Encrypt Output Data and Storage Volume with Amazon KMS - Amazon SageMaker

Encrypt Output Data and Storage Volume with Amazon KMS

You can use Amazon Key Management Service (Amazon KMS) to encrypt output data from a labeling job by specifying a customer managed key when you create the labeling job. If you use the API operation CreateLabelingJob to create a labeling job that uses automated data labeling, you can also use a customer managed key to encrypt the storage volume attached to the ML compute instances to run the training and inference jobs.

This section describes the IAM policies you must attach to your customer managed key to enable output data encryption and the policies you must attach to your customer managed key and execution role to use storage volume encryption. To learn more about these options, see Output Data and Storage Volume Encryption.

Encrypt Output Data using KMS

If you specify an Amazon KMS customer managed key to encrypt output data, you must add an IAM policy similar to the following to that key. This policy gives the IAM execution role that you use to create your labeling job permission to use this key to perform all of the actions listed in "Action". To learn more about these actions, see Amazon KMS permissions in the Amazon Key Management Service Developer Guide.

To use this policy, replace the IAM service-role ARN in "Principal" with the ARN of the execution role you use to create the labeling job. When you create a labeling job in the console, this is the role you specify for IAM Role under the Job overview section. When you create a labeling job using CreateLabelingJob, this is the ARN you specify for RoleArn.

{
    "Sid": "AllowUseOfKmsKey",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/service-role/example-role"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

Encrypt Automated Data Labeling ML Compute Instance Storage Volume

If you specify a VolumeKmsKeyId to encrypt the storage volume attached to the ML compute instance used for automated data labeling training and inference, you must do the following:

  • Attach permissions described in Encrypt Output Data using KMS to the customer managed key.

  • Attach a policy similar to the following to the IAM execution role you use to create your labeling job. This is the IAM role you specify for RoleArn in CreateLabelingJob. To learn more about the "kms:CreateGrant" action that this policy permits, see CreateGrant in the Amazon Key Management Service API Reference.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": "*"
        }
    ]
}
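The following script is an added example, not code from the SageMaker documentation or from AWS. It builds the key policy statement from the Encrypt Output Data using KMS section and the execution-role policy from the step above, then checks both before a labeling job is created: that the key policy grants the execution role every KMS action the job needs (expanding the kms:ReEncrypt* and kms:GenerateDataKey* wildcards), and that the role policy allows kms:CreateGrant when VolumeKmsKeyId will be set. The evaluator is a deliberately simplified one (it ignores Deny statements, conditions and resource ARNs), and the account id and role name are the placeholders from the page, not real values.

```python
"""Build and check the KMS key policy and execution-role policy that a Ground
Truth labeling job needs for output-data and storage-volume encryption.

Added example, not part of the SageMaker documentation. The role ARN is the
placeholder used on the page; the evaluator is simplified (no Deny, no
conditions, no resource matching) and is not a substitute for the IAM policy
simulator."""
import fnmatch
import json
from typing import Optional

# Actions the documentation lists for the key policy statement.
KEY_POLICY_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]

# Concrete actions a labeling job can call; a policy may cover them with wildcards.
REQUIRED_KEY_ACTIONS = {
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
}


def key_policy_statement(role_arn: str) -> dict:
    """Statement to add to the customer managed key's policy (as on the page)."""
    return {
        "Sid": "AllowUseOfKmsKey",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(KEY_POLICY_ACTIONS),
        "Resource": "*",
    }


def execution_role_policy() -> dict:
    """Policy for the execution role when VolumeKmsKeyId is set (as on the page)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["kms:CreateGrant"], "Resource": "*"}
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict, principal_arn: Optional[str] = None) -> set:
    """Concrete KMS actions that Allow statements grant, optionally filtered to
    statements whose Principal names principal_arn (or "*")."""
    candidates = REQUIRED_KEY_ACTIONS | {"kms:CreateGrant"}
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn is not None:
            principal = stmt.get("Principal", {})
            if isinstance(principal, str):
                principals = [principal]
            else:
                principals = _as_list(principal.get("AWS", []))
            if "*" not in principals and principal_arn not in principals:
                continue
        for pattern in _as_list(stmt.get("Action", [])):
            # fnmatchcase expands IAM-style wildcards such as kms:ReEncrypt*
            granted.update(a for a in candidates if fnmatch.fnmatchcase(a, pattern))
    return granted


def missing_key_actions(key_policy: dict, role_arn: str) -> set:
    """Required actions the key policy does NOT grant to role_arn (empty means OK)."""
    return REQUIRED_KEY_ACTIONS - allowed_actions(key_policy, role_arn)


def role_can_create_grant(role_policy: dict) -> bool:
    """True if the execution role policy allows kms:CreateGrant."""
    return "kms:CreateGrant" in allowed_actions(role_policy)


if __name__ == "__main__":
    # Placeholder ARN from the page; replace with the labeling job's RoleArn.
    role = "arn:aws:iam::111122223333:role/service-role/example-role"
    key_policy = {"Version": "2012-10-17", "Statement": [key_policy_statement(role)]}
    print(json.dumps(key_policy, indent=2))
    print("missing key actions:", missing_key_actions(key_policy, role))
    print("role can create grant:", role_can_create_grant(execution_role_policy()))
```

Run it against the key policy returned by kms:GetKeyPolicy and the role's inline or managed policy documents before calling CreateLabelingJob; a non-empty set from missing_key_actions, or False from role_can_create_grant when VolumeKmsKeyId is used, points to the statement that still has to be attached.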

To learn more about Ground Truth storage volume encryption, see Use Your KMS Key to Encrypt Automated Data Labeling Storage Volume (API Only).