notebookDataEncrypted.js
var async = require('async');
var helpers = require('../../../helpers/aws');
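/**
 * Scanner plugin: reports, for every SageMaker notebook instance found in the
 * collected cache, whether a KMS key id is recorded on the instance.
 *
 * Scope of the check (what a passing result does and does not mean):
 *  - An instance passes as soon as `KmsKeyId` is truthy. The key's state
 *    (enabled/disabled/pending deletion), its key policy and its owner are
 *    not examined here.
 *  - NOTE(review): the only API listed in `apis` is listNotebookInstances.
 *    The AWS ListNotebookInstances summary does not document a `KmsKeyId`
 *    field (DescribeNotebookInstance returns it). Confirm the collector
 *    enriches these entries; otherwise every instance would be reported as
 *    failing regardless of its real configuration.
 */
module.exports = {
    title: 'Notebook Data Encrypted',
    category: 'AI & ML',
    owasp: ['LLM07', 'LLM02', 'LLM10'],
    domain: 'Compute',
    severity: 'High',
    description: 'Ensure Notebook data is encrypted',
    more_info: 'An optional encryption key can be supplied during Notebook Instance creation.',
    recommended_action: 'An existing KMS key should be supplied during Notebook Instance creation.',
    link: 'https://docs.aws.amazon.com/sagemaker/latest/dg/API_CreateNotebookInstance.html#API_CreateNotebookInstance_RequestSyntax',
    apis: ['SageMaker:listNotebookInstances'],
    compliance: {
        hipaa: 'All data in HIPAA environments must be encrypted, including ' +
               'data at rest. SageMaker encryption ensures Notebook data is ' +
               'encrypted at rest.'
    },
    realtime_triggers: ['sagemaker:CreateNotebookInstance', 'sagemaker:DeleteNotebookInstance'],

    /**
     * Evaluate every region's cached notebook instance list.
     *
     * @param {Object} cache - Collected API responses, read via helpers.addSource.
     * @param {Object} settings - Scan settings, passed to helpers.regions.
     * @param {Function} callback - Called once as callback(null, results, source).
     *
     * Result status values as used in this function: 0 for "key found" and
     * "no instances", 2 for "key not found", 3 when the listing itself failed.
     */
    run: function(cache, settings, callback) {
        var results = [];
        var source = {};
        var regions = helpers.regions(settings);

        async.each(regions.sagemaker, function(region, rcb) {
            var listNotebookInstances = helpers.addSource(cache, source,
                ['sagemaker', 'listNotebookInstances', region]);

            // Nothing was collected for this region: emit no result at all.
            if (!listNotebookInstances) return rcb();

            // A failed listing is surfaced with status 3 rather than treated as
            // "no instances", so a permissions gap is not mistaken for a pass.
            if (listNotebookInstances.err) {
                helpers.addResult(results, 3,
                    'Unable to query for Notebook Instances: ' +
                    helpers.addError(listNotebookInstances), region);
                return rcb();
            }

            if (!listNotebookInstances.data || !listNotebookInstances.data.length) {
                helpers.addResult(
                    results, 0, 'No Notebook Instances Found', region);
                return rcb();
            }

            // Iterate the elements themselves. The previous `for ... in` loop
            // walked enumerable keys, which would also visit any enumerable
            // property added to the array or to Array.prototype.
            listNotebookInstances.data.forEach(function(instance) {
                var instanceArn = instance.NotebookInstanceArn;

                if (!instance.KmsKeyId) {
                    helpers.addResult(results, 2,
                        'KMS key not found for Notebook Instance', region, instanceArn);
                } else {
                    // Presence only: the key itself is not validated here.
                    helpers.addResult(results, 0,
                        'KMS key found for Notebook Instance', region, instanceArn);
                }
            });

            rcb();
        }, function() {
            callback(null, results, source);
        });
    }
};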