Control: 4 SageMaker endpoint production variants should have an initial instance count greater than 1
Description
This control checks whether the production variants of an Amazon SageMaker AI endpoint configuration have an initial instance count greater than 1. The control fails if any production variant in the configuration has an initial instance count of 1.
A production variant that runs more than one instance lets SageMaker AI spread those instances across Availability Zones, so the endpoint keeps serving if a single instance or zone is lost. Deploying resources across multiple Availability Zones is an AWS best practice for high availability, and a highly available endpoint is easier to keep running, and to recover, during a security incident.
Remediation
To remediate, create a new endpoint configuration whose production variants each set InitialInstanceCount to 2 or more, then update the endpoint to use it. For more information about endpoint configuration parameters, see Create an endpoint configuration in the Amazon SageMaker AI Developer Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_sagemaker_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_sagemaker_4 --share
SQL
This control uses a named query. It evaluates every endpoint configuration in the account, not only those attached to a live endpoint, and raises an alarm when any variant's InitialInstanceCount is exactly 1. A serverless variant carries no InitialInstanceCount, so the comparison yields null and such a configuration is reported as ok.
with prod_instance_count as (
  select
    distinct arn
  from
    aws_sagemaker_endpoint_configuration,
    jsonb_array_elements(production_variants) as v
  where
    (v ->> 'InitialInstanceCount')::int = 1
)
select
  c.arn as resource,
  case
    when p.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.arn is null then title || ' prod instance count is greater than one.'
    else title || ' prod instance count is not greater than one.'
  end as reason,
  region,
  account_id
from
  aws_sagemaker_endpoint_configuration as c
  left join prod_instance_count as p on p.arn = c.arn;
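The following is an added example, not code from the Steampipe mod or from AWS. It reproduces the control's decision logic in Python over constructed endpoint-configuration records shaped like boto3's describe_endpoint_config() output, so the check described above and the remediation step can be exercised offline. The configuration names, ARNs and model names are hypothetical; the records cover a single-instance variant, an already redundant configuration, a mixed configuration where only one variant is single-instance, and a serverless variant with no InitialInstanceCount at all.

```python
"""Added example: evaluate SageMaker.4 over constructed endpoint configurations
and produce a remediated production-variant list. Not part of the mod."""

import json
from typing import Any

# Constructed sample data (hypothetical names and ARNs), shaped like the
# EndpointConfig records returned by describe_endpoint_config().
SAMPLE_ENDPOINT_CONFIGS: list[dict[str, Any]] = [
    {
        "EndpointConfigName": "fraud-model-single",
        "EndpointConfigArn": "arn:aws:sagemaker:us-east-1:123456789012:endpoint-config/fraud-model-single",
        "ProductionVariants": [
            {"VariantName": "AllTraffic", "ModelName": "fraud-v3",
             "InstanceType": "ml.m5.large", "InitialInstanceCount": 1},
        ],
    },
    {
        "EndpointConfigName": "fraud-model-ha",
        "EndpointConfigArn": "arn:aws:sagemaker:us-east-1:123456789012:endpoint-config/fraud-model-ha",
        "ProductionVariants": [
            {"VariantName": "Blue", "ModelName": "fraud-v3",
             "InstanceType": "ml.m5.large", "InitialInstanceCount": 2},
            {"VariantName": "Green", "ModelName": "fraud-v4",
             "InstanceType": "ml.m5.large", "InitialInstanceCount": 3},
        ],
    },
    {
        # One redundant variant and one single-instance variant: the control
        # alarms on the whole configuration if ANY variant has count 1.
        "EndpointConfigName": "fraud-model-mixed",
        "EndpointConfigArn": "arn:aws:sagemaker:us-east-1:123456789012:endpoint-config/fraud-model-mixed",
        "ProductionVariants": [
            {"VariantName": "Primary", "ModelName": "fraud-v3",
             "InstanceType": "ml.m5.large", "InitialInstanceCount": 2},
            {"VariantName": "Canary", "ModelName": "fraud-v4",
             "InstanceType": "ml.m5.large", "InitialInstanceCount": 1},
        ],
    },
    {
        # Serverless variant: no InitialInstanceCount key. The control's SQL
        # evaluates (v ->> 'InitialInstanceCount')::int = 1 to NULL here,
        # so this configuration is reported as ok, not alarm.
        "EndpointConfigName": "fraud-model-serverless",
        "EndpointConfigArn": "arn:aws:sagemaker:us-east-1:123456789012:endpoint-config/fraud-model-serverless",
        "ProductionVariants": [
            {"VariantName": "AllTraffic", "ModelName": "fraud-v3",
             "ServerlessConfig": {"MemorySizeInMB": 2048, "MaxConcurrency": 5}},
        ],
    },
]


def evaluate_config(config: dict[str, Any]) -> dict[str, str]:
    """Mirror the control's SQL: alarm when any variant has InitialInstanceCount == 1.

    The comparison is deliberately == 1 rather than < 2, to match the query;
    a missing key (serverless) therefore never trips the alarm.
    """
    single = any(v.get("InitialInstanceCount") == 1 for v in config["ProductionVariants"])
    name = config["EndpointConfigName"]
    return {
        "resource": config["EndpointConfigArn"],
        "status": "alarm" if single else "ok",
        "reason": f"{name} prod instance count is {'not ' if single else ''}greater than one.",
    }


def evaluate_all(configs: list[dict[str, Any]]) -> dict[str, str]:
    """Map each configuration name to its control status."""
    return {c["EndpointConfigName"]: evaluate_config(c)["status"] for c in configs}


def remediated_variants(config: dict[str, Any], min_count: int = 2) -> list[dict[str, Any]]:
    """Return a copy of the production variants with every instance-backed
    variant raised to at least min_count; serverless variants are left alone.

    The returned list is the --production-variants value for
    `aws sagemaker create-endpoint-config`; afterwards point the endpoint at
    the new configuration with `aws sagemaker update-endpoint`.
    """
    fixed = []
    for variant in config["ProductionVariants"]:
        variant = dict(variant)
        if "InitialInstanceCount" in variant and variant["InitialInstanceCount"] < min_count:
            variant["InitialInstanceCount"] = min_count
        fixed.append(variant)
    return fixed


if __name__ == "__main__":
    for cfg in SAMPLE_ENDPOINT_CONFIGS:
        print(json.dumps(evaluate_config(cfg)))
    print(json.dumps(remediated_variants(SAMPLE_ENDPOINT_CONFIGS[2]), indent=2))
```

Two points the sample data makes visible: the mixed configuration alarms even though most of its traffic could be served redundantly, because one variant is single-instance, and the serverless configuration passes although it has no instances at all. Because the control evaluates endpoint configurations rather than endpoints, the original single-instance configuration keeps alarming after update-endpoint until it is deleted.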