turbot/aws_compliance

Query: sagemaker_notebook_instance_encrypted_with_kms_cmk

Usage

powerpipe query aws_compliance.query.sagemaker_notebook_instance_encrypted_with_kms_cmk

SQL

with sagemaker_notebook_instances as (
  select
    arn,
    region,
    account_id,
    kms_key_id,
    title,
    tags,
    _ctx
  from
    aws_sagemaker_notebook_instance
), kms_keys as (
  select
    arn,
    key_manager,
    enabled
  from
    aws_kms_key
)
select
  i.arn as resource,
  case
    -- No KMS key is configured on the notebook instance.
    when kms_key_id is null then 'alarm'
    -- The configured key is a customer managed key.
    when k.key_manager = 'CUSTOMER' then 'ok'
    -- The key is not customer managed, or the left join found no
    -- aws_kms_key row whose arn equals kms_key_id (key_manager is null).
    else 'alarm'
  end as status,
  case
    when kms_key_id is null then i.title || ' encryption disabled.'
    when k.key_manager = 'CUSTOMER' then i.title || ' encryption at rest with CMK enabled.'
    else i.title || ' encryption at rest with CMK disabled.'
  end as reason,
  i.region,
  i.account_id
from
  sagemaker_notebook_instances as i
  left join kms_keys as k on i.kms_key_id = k.arn;

Controls

The query is being used by the following controls: