SageMaker.17: Feature group offline stores KMS encryption
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub SageMaker.17 check?
SageMaker.17 fails when a Feature Store feature group's offline store is not encrypted with a customer-managed AWS KMS key. Default S3 encryption is not enough — the control specifically wants a CMK.
Why does SageMaker.17 matter?
The offline store is an append-only S3 archive: every write to the online store also lands a timestamped copy in S3. A feature group feeding a busy model can accumulate hundreds of gigabytes of historical customer features in a bucket nobody watches. A customer-managed key puts that archive under your key policy and audit trail, rather than an opaque default.
How do I fix SageMaker.17?
- List feature groups and check the offline store's KMS key configuration.
- Because encryption cannot be retrofitted, create a new feature group with a CMK set on the offline store at creation.
- Wire up the KMS key policy and the IAM role so SageMaker can encrypt and decrypt end to end.
- Migrate the data to the new group and default future feature groups to a CMK in your IaC.
Remediation script · bash
# Disable root across every notebook that has it on (mutable on a stopped instance).
for n in $(aws sagemaker list-notebook-instances \
    --query 'NotebookInstances[].NotebookInstanceName' --output text); do
  root=$(aws sagemaker describe-notebook-instance --notebook-instance-name "$n" \
    --query 'RootAccess' --output text)
  if [ "$root" = "Enabled" ]; then
    aws sagemaker stop-notebook-instance --notebook-instance-name "$n"
    aws sagemaker wait notebook-instance-stopped --notebook-instance-name "$n"
    aws sagemaker update-notebook-instance --notebook-instance-name "$n" --root-access Disabled
    aws sagemaker start-notebook-instance --notebook-instance-name "$n"
    echo "$n: root access disabled"
  fi
done
# Immutable settings need a rebuild. Recreate a notebook locked down: private subnet,
# no direct internet. (DirectInternetAccess and SubnetId cannot be changed in place.)
aws sagemaker create-notebook-instance \
  --notebook-instance-name ml-feature-exploration \
  --instance-type ml.t3.medium \
  --role-arn arn:aws:iam::111122223333:role/SageMakerExecution \
  --subnet-id subnet-0ab12cd34ef56 \
  --security-group-ids sg-0aa11bb22cc33 \
  --direct-internet-access Disabled \
  --root-access Disabled

Full walkthrough (console steps, edge cases and verification) in the lesson Harden SageMaker and ML workloads.
Is SageMaker.17 a false positive?
A bucket showing SSE-S3 or an AWS-owned key still fails — SageMaker.17 requires a customer-managed KMS key specifically, set when the offline store is created.
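The first fix step (list feature groups and check the offline store's key) and the customer-managed distinction above, as an added shell example that is not part of the original page: it reads each group's `OfflineStoreConfig.S3StorageConfig.KmsKeyId` and asks KMS whether that key is customer-managed. The function names and status labels are this example's own, it assumes AWS CLI credentials allowed to call `list-feature-groups`, `describe-feature-group` and `kms describe-key`, and it follows the page's description of the control rather than Security Hub's own rule logic.

```shell
#!/bin/sh
# Added example: audit Feature Store offline stores for a customer-managed KMS key.
# Status labels (PASS_*, FAIL_*, ...) are this example's own, not Security Hub output.

# Classify one offline store from its S3 URI and configured KmsKeyId.
# The AWS CLI prints "None" for a missing field in --output text mode.
classify_offline_store() (
  s3_uri="$1"; key_id="$2"
  if [ -z "$s3_uri" ] || [ "$s3_uri" = "None" ]; then
    echo "NO_OFFLINE_STORE"          # online-only group: nothing lands in S3
  elif [ -z "$key_id" ] || [ "$key_id" = "None" ]; then
    echo "FAIL_NO_KMS_KEY"           # no key was set when the store was created
  else
    # KeyManager is CUSTOMER for customer-managed keys, AWS for AWS-managed keys.
    manager=$(aws kms describe-key --key-id "$key_id" \
      --query 'KeyMetadata.KeyManager' --output text 2>/dev/null) || manager=""
    case "$manager" in
      CUSTOMER) echo "PASS_CUSTOMER_MANAGED" ;;
      AWS)      echo "FAIL_AWS_MANAGED_KEY" ;;
      *)        echo "UNKNOWN_KEY_NOT_READABLE" ;;  # e.g. no kms:DescribeKey on the key
    esac
  fi
)

# Print one tab-separated line per feature group: name, status, key id.
audit_feature_groups() (
  for fg in $(aws sagemaker list-feature-groups \
      --query 'FeatureGroupSummaries[].FeatureGroupName' --output text); do
    cfg=$(aws sagemaker describe-feature-group --feature-group-name "$fg" \
      --query 'OfflineStoreConfig.S3StorageConfig.[S3Uri,KmsKeyId]' --output text)
    read -r s3_uri key_id <<EOF
$cfg
EOF
    printf '%s\t%s\t%s\n' "$fg" \
      "$(classify_offline_store "$s3_uri" "$key_id")" "${key_id:-None}"
  done
)

# Run the audit only when asked, so the functions can be sourced and reused.
if [ "${1:-}" = "--run" ]; then audit_feature_groups; fi
```

Invoke the script with `--run` to print one line per feature group; any `FAIL_` line marks a group that has to be recreated with a CMK, per the fix steps above.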
More SageMaker controls
- SageMaker.1 A SageMaker notebook has direct internet access
- SageMaker.2 A SageMaker notebook is not launched in a VPC
- SageMaker.3 Users have root access on a SageMaker notebook
- SageMaker.4 Endpoint variants should have > 1 instance
- SageMaker.5 Models should have network isolation enabled
- SageMaker.8 Notebook instances should run supported platforms
- SageMaker.9 Data quality jobs inter-container encryption
- SageMaker.10 Explainability jobs inter-container encryption
- SageMaker.11 Data quality jobs network isolation
- SageMaker.12 Model bias jobs network isolation
- SageMaker.13 Model quality jobs inter-container encryption
- SageMaker.14 Monitoring schedules network isolation