include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_sagemaker/CfnNotebookInstance.html[aws_cdk.aws_sagemaker.CfnNotebookInstance]:

[source,python]
----
from aws_cdk import (
    aws_sagemaker as sagemaker
)

class CfnSagemakerStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        sagemaker.CfnNotebookInstance(
            self, "Sensitive",
            instance_type="instanceType",
            role_arn="roleArn"
        )  # Sensitive, no KMS key is set by default; thus, encryption is disabled
----

== Compliant Solution

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_sagemaker/CfnNotebookInstance.html[aws_cdk.aws_sagemaker.CfnNotebookInstance]:

[source,python]
----
from aws_cdk import (
    aws_sagemaker as sagemaker,
    aws_kms as kms
)

class CfnSagemakerStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        my_key = kms.Key(self, "Key")
        sagemaker.CfnNotebookInstance(
            self, "Compliant",
            instance_type="instanceType",
            role_arn="roleArn",
            kms_key_id=my_key.key_id
        )
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Omitting `kms_key_id` disables encryption of SageMaker notebook instances. Make sure it is safe here.


endif::env-github,rspecator-view[]