kmsKeyId property
The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to
encrypt the model artifacts at rest using Amazon S3 server-side encryption.
The KmsKeyId
can be any of the following formats:
-
// KMS Key ID
"1234abcd-12ab-34cd-56ef-1234567890ab"
-
// Amazon Resource Name (ARN) of a KMS Key
"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
-
// KMS Key Alias
"alias/ExampleAlias"
-
// Amazon Resource Name (ARN) of a KMS Key Alias
"arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias"
kms:Encrypt
. If
you don't provide a KMS key ID, Amazon SageMaker uses the default KMS key
for Amazon S3 for your role's account. Amazon SageMaker uses server-side
encryption with KMS-managed keys for OutputDataConfig
. If you
use a bucket policy with an s3:PutObject
permission that only
allows objects with server-side encryption, set the condition key of
s3:x-amz-server-side-encryption
to "aws:kms"
. For
more information, see KMS-Managed
Encryption Keys in the Amazon Simple Storage Service Developer
Guide.
The KMS key policy must grant permission to the IAM role that you specify in
your CreateTrainingJob
, CreateTransformJob
, or
CreateHyperParameterTuningJob
requests. For more information,
see Using
Key Policies in AWS KMS in the AWS Key Management Service Developer
Guide.
Implementation
final String? kmsKeyId;