turbot/steampipe-mod-aws-compliance

Control: 4 SageMaker endpoint production variants should have an initial instance count greater than 1

Description

This control checks whether production variants of an Amazon SageMaker AI endpoint have an initial instance count greater than 1. The control fails if the endpoint's production variants have only 1 initial instance.

Production variants running with an instance count greater than 1 permit multi-AZ instance redundancy managed by SageMaker AI. Deploying resources across multiple Availability Zones is an AWS best practice to provide high availability within your architecture. High availability helps you to recover from security incidents.

Remediation

For more information about the parameters of an endpoint configuration, including the instance count of each production variant, see Create an endpoint configuration in the Amazon SageMaker AI Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_sagemaker_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_sagemaker_4 --share

SQL

This control uses a named query:

with prod_instance_count as (
  select
    distinct arn
  from
    aws_sagemaker_endpoint_configuration,
    jsonb_array_elements(production_variants) as v
  where
    (v ->> 'InitialInstanceCount')::int = 1
)
select
  c.arn as resource,
  case
    when p.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.arn is null then title || ' prod instance count is greater than one.'
    else title || ' prod instance count is not greater than one.'
  end as reason,
  region,
  account_id
from
  aws_sagemaker_endpoint_configuration as c
  left join prod_instance_count as p on p.arn = c.arn;
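The query above is evaluated inside Steampipe's Postgres, which makes it awkward to reason about offline. The following script is an added example, not code from the steampipe-mod-aws-compliance project: it re-implements the control's logic in plain Python over rows shaped like the aws_sagemaker_endpoint_configuration table (the production_variants column holds the ProductionVariants list returned by DescribeEndpointConfig). The three endpoint configurations are constructed samples with placeholder ARNs and account IDs. It also shows one caveat of the query: a serverless variant carries no InitialInstanceCount, so the cast of NULL never equals 1 and such a configuration is reported as ok rather than alarm.

```python
"""Offline re-implementation of the SageMaker.4 check (added example)."""

from typing import Iterable

# Constructed sample rows shaped like aws_sagemaker_endpoint_configuration.
# ARNs and account IDs are placeholders, not real resources.
SAMPLE_CONFIGS = [
    {
        "arn": "arn:aws:sagemaker:us-east-1:111122223333:endpoint-config/single-instance",
        "title": "single-instance",
        "region": "us-east-1",
        "account_id": "111122223333",
        # Weak setting: one instance, no multi-AZ redundancy -> alarm
        "production_variants": [
            {"VariantName": "AllTraffic", "ModelName": "model-a",
             "InstanceType": "ml.m5.large", "InitialInstanceCount": 1}
        ],
    },
    {
        "arn": "arn:aws:sagemaker:us-east-1:111122223333:endpoint-config/redundant",
        "title": "redundant",
        "region": "us-east-1",
        "account_id": "111122223333",
        # Corrected setting: two instances, SageMaker spreads them across AZs -> ok
        "production_variants": [
            {"VariantName": "AllTraffic", "ModelName": "model-b",
             "InstanceType": "ml.m5.large", "InitialInstanceCount": 2}
        ],
    },
    {
        "arn": "arn:aws:sagemaker:us-east-1:111122223333:endpoint-config/serverless",
        "title": "serverless",
        "region": "us-east-1",
        "account_id": "111122223333",
        # Serverless variant: no InitialInstanceCount key at all -> the query's
        # (NULL)::int = 1 is not true, so this row is reported as ok
        "production_variants": [
            {"VariantName": "AllTraffic", "ModelName": "model-c",
             "ServerlessConfig": {"MemorySizeInMB": 2048, "MaxConcurrency": 5}}
        ],
    },
]


def has_single_instance_variant(variants: Iterable[dict]) -> bool:
    """Mirror the CTE: true when any variant has InitialInstanceCount == 1.

    Variants without the key (serverless) do not match, exactly like the
    NULL comparison in the SQL.
    """
    return any(v.get("InitialInstanceCount") == 1 for v in variants)


def evaluate(configs: Iterable[dict]) -> list:
    """Produce the same resource/status/reason/region/account_id rows as the query."""
    rows = []
    for c in configs:
        failing = has_single_instance_variant(c["production_variants"])
        if failing:
            status, reason = "alarm", c["title"] + " prod instance count is not greater than one."
        else:
            status, reason = "ok", c["title"] + " prod instance count is greater than one."
        rows.append({
            "resource": c["arn"],
            "status": status,
            "reason": reason,
            "region": c["region"],
            "account_id": c["account_id"],
        })
    return rows


if __name__ == "__main__":
    for row in evaluate(SAMPLE_CONFIGS):
        print(f"{row['status']:5}  {row['reason']}")
```

Running the script prints one line per configuration; only single-instance is in alarm. If your estate contains serverless endpoints and you want them surfaced separately, filter on the presence of ServerlessConfig rather than relying on the instance-count comparison.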

Tags