Security

Follow AWS security best practices when using Kubeflow on AWS

We highly recommend that you follow AWS security best practices while provisioning any AWS resources.

Default security configuration

Amazon Simple Storage Service (S3)

Block public access

The Amazon S3 bucket created for Kubeflow artifacts has a default “block public access” configuration.

Encryption

When you use Amazon S3 for kubeflow artifact storage, Kubeflow on AWS configures the Amazon S3 bucket to use server-side encryption with Amazon S3-managed encryption keys (SSE-S3). If you prefer to use server-side encryption with AWS Key Management Service (SSE-KMS), you can modify these files to specify an AWS KMS key.

Both SSE-S3 and SSE-KMS provide encryption of objects in the Amazon S3 bucket. You may prefer SSE-KMS if you want to separate the management of encryption keys (via AWS KMS) from management of the Amazon S3 bucket. That separation may provide a stronger security posture. In order to access and use an object in an Amazon S3 bucket, a user needs permission to read the object in the Amazon S3 bucket as well as permission to use the AWS KMS encryption key.

Security resources

Refer to the following documents for more information:

Last modified December 20, 2022: Task/s3nopublic (#518) (100eda73)