weixin_39933724
2020-11-24 15:47

New Rule: SageMaker - Enable inter-container traffic encryption for training jobs

Description
   Check whether training jobs in Amazon SageMaker have intercontainer traffic encryption enabled

Trigger
   Periodic (because SageMaker jobs are not supported resource type on AWS Config)

Reports on:
   AWS::Account

Rule Parameters:
   None

Scenarios:
  Scenario 1:
    Given: No Amazon SageMaker training jobs exist
     Then: Return NOT_APPLICABLE

  Scenario 2:
    Given: At least one Amazon SageMaker training job exists
      And: The training job is not in 'InProgress' or 'Completed' status based on list_training_jobs API
     Then: Return NON_COMPLIANT

  Scenario 3:
    Given: At least one Amazon SageMaker training job exists
      And: The training job is in 'InProgress' or 'Completed' status based on list_training_jobs API
      And: The training job has `EnableInterContainerTrafficEncryption` set as False in describe_training_job API
     Then: Return NON_COMPLIANT

  Scenario 4:
    Given: At least one Amazon SageMaker training job exists
      And: The training job is in 'InProgress' or 'Completed' status based on list_training_jobs API
      And: The training job has `EnableInterContainerTrafficEncryption` set as True in describe_training_job API
     Then: Return COMPLIANT

This question comes from the open-source project: awslabs/aws-config-rules


5 replies

  • weixin_39841610 5 months ago

    Cool stuff!

    Few comments:
    - You can remove the comment on (because SageMaker jobs are not supported resource type on AWS Config)
    - Can you find any resource in CFn where we could report on (Config can do that)? Otherwise, can you work with the service team to add a new resource type?
    - Scenario 1, return empty list
    - Scenario 2, seems to be another check you are making on a job which fails. I suggest returning NOT_APPLICABLE on this.
    - Scenario 3, can you write the annotation you want to return with the NON_COMPLIANT? We can show it to the Tech Writer more easily then.

  • weixin_39933724 5 months ago

    Description
       Check whether training jobs in Amazon SageMaker have intercontainer traffic encryption enabled

    Trigger
       Periodic

    Reports on:
       AWS::Account

    Rule Parameters:
       None

    Scenarios:
      Scenario 1:
        Given: No Amazon SageMaker training jobs exist
         Then: Return empty list

      Scenario 2:
        Given: At least one Amazon SageMaker training job exists
          And: The training job is not in 'InProgress' or 'Completed' status based on list_training_jobs API
         Then: Return NOT_APPLICABLE

      Scenario 3:
        Given: At least one Amazon SageMaker training job exists
          And: The training job is in 'InProgress' or 'Completed' status based on list_training_jobs API
          And: The training job has `EnableInterContainerTrafficEncryption` set as False in describe_training_job API
         Then: Return NON_COMPLIANT (Annotation: Training Job <trainingjob arn> does not have InterContainerTrafficEncryption enabled.)

      Scenario 4:
        Given: At least one Amazon SageMaker training job exists
          And: The training job is in 'InProgress' or 'Completed' status based on list_training_jobs API
          And: The training job has `EnableInterContainerTrafficEncryption` set as True in describe_training_job API
         Then: Return COMPLIANT

    I did not find any existing CFN resource type which we can use. About adding new resource, I'll ping you privately.

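The evaluation flow the updated spec above describes (list_training_jobs, status filter, describe_training_job, flag check), written out as an added example that is not the thread's or the aws-config-rules project's own code. It assumes an injected client and uses a constructed FakeSageMaker stand-in instead of boto3; treating a missing EnableInterContainerTrafficEncryption field as "not enabled" is an assumption prompted by the later comment about outdated boto3 in Lambda.

```python
"""Evaluation logic for the Config rule proposed in this thread (added example).
The SageMaker client is injected so the logic runs offline against constructed
responses shaped like list_training_jobs / describe_training_job output."""
ACTIVE = {"InProgress", "Completed"}
ANNOTATION = "Training Job {} does not have InterContainerTrafficEncryption enabled."


def list_all_training_jobs(sm):
    """Collect every TrainingJobSummary, following NextToken pagination."""
    jobs, kwargs = [], {}
    while True:
        page = sm.list_training_jobs(**kwargs)
        jobs.extend(page.get("TrainingJobSummaries", []))
        if "NextToken" not in page:
            return jobs
        kwargs = {"NextToken": page["NextToken"]}


def evaluate_training_jobs(sm):
    """Return (arn, compliance_type, annotation) per job, following the scenarios:
    no jobs -> []; status not InProgress/Completed -> NOT_APPLICABLE;
    flag True -> COMPLIANT; flag False -> NON_COMPLIANT with annotation."""
    out = []
    for s in list_all_training_jobs(sm):
        arn = s["TrainingJobArn"]
        if s["TrainingJobStatus"] not in ACTIVE:
            out.append((arn, "NOT_APPLICABLE", None))
            continue
        d = sm.describe_training_job(TrainingJobName=s["TrainingJobName"])
        # Assumption: a missing field (older boto3, as the thread notes) counts as not enabled.
        if d.get("EnableInterContainerTrafficEncryption", False):
            out.append((arn, "COMPLIANT", None))
        else:
            out.append((arn, "NON_COMPLIANT", ANNOTATION.format(arn)))
    return out


class FakeSageMaker:
    """Constructed stand-in for a boto3 client; returns one summary per page."""
    def __init__(self, summaries, details):
        self.summaries, self.details = summaries, details

    def list_training_jobs(self, NextToken="0", **kwargs):
        i = int(NextToken)
        page = {"TrainingJobSummaries": self.summaries[i:i + 1]}
        if i + 1 < len(self.summaries):
            page["NextToken"] = str(i + 1)
        return page

    def describe_training_job(self, TrainingJobName):
        return self.details[TrainingJobName]
```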
  • weixin_39841610 5 months ago

    Good to go, thanks!

  • weixin_39933724 5 months ago

    I tested the Lambda runtimes and they don't have the latest boto3 package which has the EnableInterContainerTrafficEncryption element in the response. We would have to get that sorted out first before I start writing the rule.

  • weixin_39933724 5 months ago

    ... I've an idea, let me know what you think.

    1. I write the Config rule as normal using RDK.
    2. I create a Lambda layer which has the latest boto3.
    3. I write a Readme.md which explains how to do the step above and attach it to the RDK rule I built in step 1. This way, whenever the Lambda runtime gets updated we just remove the layer and the function would work without the Lambda layer.

    Let me know what you think.
