SageMaker MLOps

Deploys a unified ML training and deployment pipeline with cross-account model promotion. The training construct provisions a CodePipeline that builds and registers model packages from seed code in CodeCommit, while the deploy construct uses EventBridge to trigger CDK-based deployments when new model versions are approved. Supports optional manual approval gates and cross-account deployment stacks for staging and production environments. Common scenarios include end-to-end MLOps workflows where models are trained in a development account, registered in a shared model registry, and promoted to staging and production accounts through automated pipelines.


Deployed Resources

This module deploys and integrates the following resources:

SageMaker Model Package Group - Registry for versioned model packages produced by the training pipeline.

Amazon S3 Model Bucket - Stores model artifacts, training data references, and pipeline outputs.

AWS CodeCommit Repository - Source repository containing training and deployment seed code.

AWS CodeBuild Project (Training) - Builds and executes the SageMaker training pipeline from seed code.

AWS CodePipeline (Training) - Orchestrates the training workflow from source checkout through model registration.

AWS CodeBuild Project (Deploy) - Executes CDK deployment of inference infrastructure when a model version is approved.

Amazon EventBridge Rule - Triggers the deploy pipeline when a model package status changes to Approved.

Manual Approval Action (Optional) - CodePipeline approval gate before production deployment.

Cross-Account Deployment Stacks (Optional) - CloudFormation stacks deployed to staging and production accounts for model hosting.

AWS KMS Key - Customer-managed encryption key for S3 bucket, CodePipeline artifacts, and model artifacts.

AWS IAM Roles - Execution roles for CodePipeline, CodeBuild, SageMaker training, and cross-account deployment.

AWS SSM Parameters - Publishes model package group ARN, bucket name, and pipeline ARNs for cross-module integration.


  • SageMaker Endpoint — Deploys real-time inference endpoints from model packages registered by this module's training pipeline
  • SageMaker Model Monitoring — Monitors endpoints deployed by this module for data quality, model quality, bias, and explainability drift
  • SageMaker Studio Domain — Provides SageMaker domain tagging context for resource governance
  • Data Lake — Deploy data lake buckets that training jobs can read training data from

Security/Compliance Details

This module is designed in alignment with MDAA security/compliance principles and CDK nag rulesets. Additional review is recommended prior to production deployment, ensuring organization-specific compliance requirements are met.

  • Encryption at Rest:
    • S3 model bucket encrypted with customer-managed KMS key
    • CodePipeline artifacts encrypted with KMS
    • Model artifacts encrypted at rest in the model registry
  • Encryption in Transit:
    • All S3 access enforced over HTTPS via bucket policy
    • Inter-container traffic encryption enabled for distributed training jobs
    • CodePipeline and CodeBuild communicate over TLS
  • Least Privilege:
    • SageMaker training role scoped to specific S3 paths and KMS key
    • CodeBuild deploy role limited to CloudFormation and target account assume-role
    • Cross-account roles use external ID conditions where applicable
  • Separation of Duties:
    • Training and deployment pipelines use separate IAM roles
    • Cross-account deployment requires explicit role assumption
    • Optional manual approval gate separates training from production deployment
  • Network Isolation:
    • CodeBuild projects support VPC configuration for private network access
    • SageMaker training jobs can be configured for VPC isolation

Configuration

MDAA Config

Add the following snippet to your mdaa.yaml under the modules: section of a domain/env in order to use this module:

sagemaker-mlops: # Module Name can be customized
  module_path: '@aws-mdaa/sagemaker-mlops' # Must match module NPM package name
  module_configs:
    - ./sagemaker-mlops.yaml # Filename/path can be customized

Module Config Samples and Variants

Copy the contents of the relevant sample config below into the ./sagemaker-mlops.yaml file referenced in the MDAA config snippet above.

Minimal Configuration

Start here for a single-account training pipeline with default settings and no cross-account deployment.

sample-config-minimal.yaml

# Minimal config for the SageMaker MLOps module.
# Contains only the required properties for a basic training
# and deployment pipeline.

training:
  # SageMaker project name for the training pipeline
  projectName: test-training-minimal

  # Path to training seed code directory or zip file.
  # Point this to your project's training seed code directory.
  seedCodePath: "../test/test-seed-code.zip"

deploy:
  # SageMaker project name for the deployment pipeline
  projectName: test-deploy-minimal

  # Model Package Group name
  modelPackageGroupName: test-mpg

  # Model bucket name
  modelBucketName: test-bucket

  # Path to deploy seed code directory or zip file.
  # Point this to your project's deploy seed code directory.
  seedCodePath: "../test/test-seed-code.zip"

Comprehensive Configuration

Use this as a reference when you need cross-account model promotion, manual approval gates, VPC isolation, and full control over training and deployment pipeline settings.

sample-config-comprehensive.yaml

# Comprehensive config for the SageMaker MLOps module.
# Deploys a unified training and deployment pipeline with
# cross-account promotion, VPC isolation, EventBridge-triggered
# deployments, and multi-environment endpoint rollout.

training:
  # SageMaker project name for the training pipeline
  projectName: test-training-project

  # (Optional) SageMaker domain ID for Studio integration tagging
  # Often created by the SageMaker Studio Domain module.
  # Example SSM: ssm:/{{org}}/{{domain}}/<sm_studio_domain_module_name>/domain-id
  domainId: d-test123

  # (Optional) SageMaker domain ARN for Studio integration tagging
  # Often created by the SageMaker Studio Domain module.
  # Example SSM: ssm:/{{org}}/{{domain}}/<sm_studio_domain_module_name>/domain-arn
  domainArn: arn:{{partition}}:sagemaker:{{region}}:{{account}}:domain/d-test123

  # (Optional) Enable network isolation for training jobs
  enableNetworkIsolation: false

  # (Optional) Enable inter-container traffic encryption
  enableInterContainerEncryption: true

  # Path to training seed code directory or zip file.
  # Point this to your project's training seed code directory.
  seedCodePath: "../test/test-seed-code.zip"

  # (Optional) Pre-prod account ID for cross-account model
  # registry access
  preProdAccountId: '{{context:account-2}}'

  # (Optional) Prod account ID for cross-account model
  # registry access
  prodAccountId: '{{context:account-3}}'

  # (Optional) Dev environment VPC configuration
  devEnvironment:
    # Often created by your VPC/networking stack.
    # Example SSM: ssm:/path/to/vpc/id
    vpcId: vpc-dev
    # Often created by your VPC/networking stack.
    # Example SSM: ssm:/path/to/subnet/id
    subnetIds:
      - subnet-dev-1
      - subnet-dev-2
    # Often created by your VPC/networking stack.
    # Example SSM: ssm:/path/to/security-group/id
    securityGroupIds:
      - sg-dev-1

deploy:
  # SageMaker project name for the deployment pipeline
  projectName: test-deploy-project

  # (Optional) SageMaker domain ID
  # Often created by the SageMaker Studio Domain module.
  # Example SSM: ssm:/{{org}}/{{domain}}/<sm_studio_domain_module_name>/domain-id
  domainId: d-test123

  # (Optional) SageMaker domain ARN
  # Often created by the SageMaker Studio Domain module.
  # Example SSM: ssm:/{{org}}/{{domain}}/<sm_studio_domain_module_name>/domain-arn
  domainArn: arn:{{partition}}:sagemaker:{{region}}:{{account}}:domain/d-test123

  # (Optional) Model Package Group name — auto-wired from
  # training construct when omitted
  modelPackageGroupName: test-model-package-group

  # (Optional) Model bucket name — auto-wired from training
  # construct when omitted
  modelBucketName: test-model-bucket

  # (Optional) Pipeline bucket name — set when using
  # CfnPipeline-based training where model artifacts may live
  # in a different bucket
  pipelineBucketName: test-pipeline-bucket

  # (Optional) Enable network isolation for endpoints
  enableNetworkIsolation: false

  # (Optional) Enable manual approval gate before production
  enableManualApproval: true

  # (Optional) Enable EventBridge trigger on model package
  # approval
  enableEventBridgeTrigger: true

  # (Optional) Enable data capture on deployed endpoints
  enableDataCapture: true

  # Path to deploy seed code directory or zip file.
  # Point this to your project's deploy seed code directory.
  seedCodePath: "../test/test-seed-code.zip"

  # (Optional) Dev environment VPC configuration
  devEnvironment:
    vpcId: vpc-dev
    subnetIds:
      - subnet-dev-1
    securityGroupIds:
      - sg-dev-1

  # (Optional) Pre-prod environment for cross-account deployment
  preProdEnvironment:
    accountId: '{{context:account-2}}'
    region: '{{region}}'
    vpcId: vpc-preprod
    subnetIds:
      - subnet-pp-1
    securityGroupIds:
      - sg-pp-1

  # (Optional) Prod environment for cross-account deployment
  prodEnvironment:
    accountId: '{{context:account-3}}'
    region: '{{region}}'
    vpcId: vpc-prod
    subnetIds:
      - subnet-prod-1
    securityGroupIds:
      - sg-prod-1

Build Policies (Private Registry)

Use this variant when the CodeBuild pipelines need access to a private npm registry (e.g. CodeArtifact) or other AWS services during npm install. Demonstrates both inline policy documents and managed policy ARN references.

sample-config-build-policies.yaml

# Config for the SageMaker MLOps module with custom build policies.
# Uses buildPolicies to grant CodeBuild IAM permissions for accessing
# a private npm registry (e.g. CodeArtifact) during npm install.
# The registry authentication logic lives in the user's buildspec, not in MDAA.

training:
  projectName: test-training-bp

  seedCodePath: '../test/test-seed-code.zip'

  # Grant CodeBuild access to a private registry.
  # The buildspec should call `aws codeartifact login` (or equivalent) before npm install.
  buildPolicies:
    - policyDocument:
        Statement:
          - Effect: Allow
            Action: codeartifact:GetAuthorizationToken
            Resource: 'arn:{{partition}}:codeartifact:{{region}}:{{account}}:domain/mdaa'
          - Effect: Allow
            Action:
              - codeartifact:GetRepositoryEndpoint
              - codeartifact:ReadFromRepository
            Resource: 'arn:{{partition}}:codeartifact:{{region}}:{{account}}:repository/mdaa/mdaa-npm'
          - Effect: Allow
            Action: sts:GetServiceBearerToken
            Resource: '*'
            Condition:
              StringEquals:
                'sts:AWSServiceName': codeartifact.amazonaws.com
      suppressions:
        - id: AwsSolutions-IAM5
          reason: 'sts:GetServiceBearerToken requires Resource:* conditioned on sts:AWSServiceName=codeartifact.amazonaws.com'

deploy:
  projectName: test-deploy-bp

  modelPackageGroupName: test-mpg
  modelBucketName: test-bucket

  seedCodePath: '../test/test-seed-code.zip'

  # Reference an existing managed policy by ARN.
  buildPolicies:
    - policyArn: 'arn:{{partition}}:iam::{{account}}:policy/CodeArtifactReadOnly'
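
A pre-deployment check for inline `buildPolicies` statements, added here as an example and not part of MDAA: it flags wildcard actions and any `Resource: '*'` other than the `sts:GetServiceBearerToken` case the sample suppresses under AwsSolutions-IAM5. The function names and the fourth, deliberately loose statement are constructed for illustration; the first three statements mirror the sample above after YAML parsing.

```python
# Added example, not MDAA code. SAMPLE_STATEMENTS is constructed: entries 0-2
# mirror the sample's training.buildPolicies policyDocument after YAML parsing;
# entry 3 is a deliberately loose statement added to show a finding.
SAMPLE_STATEMENTS = [
    {"Effect": "Allow", "Action": "codeartifact:GetAuthorizationToken",
     "Resource": "arn:{{partition}}:codeartifact:{{region}}:{{account}}:domain/mdaa"},
    {"Effect": "Allow",
     "Action": ["codeartifact:GetRepositoryEndpoint", "codeartifact:ReadFromRepository"],
     "Resource": "arn:{{partition}}:codeartifact:{{region}}:{{account}}:repository/mdaa/mdaa-npm"},
    {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*",
     "Condition": {"StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}}},
    {"Effect": "Allow", "Action": "codeartifact:*", "Resource": "*"},
]


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def review_statement(stmt):
    """Return findings for one statement; an empty list means nothing to flag."""
    if stmt.get("Effect") != "Allow":
        return []
    findings = []
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    findings += [f"wildcard action {a}" for a in actions if "*" in a]
    if "*" in resources:
        pinned = (stmt.get("Condition") or {}).get("StringEquals", {}).get("sts:AWSServiceName")
        # Only exception: the bearer-token call pinned to CodeArtifact,
        # which is the case the sample's AwsSolutions-IAM5 suppression covers.
        if not (actions == ["sts:GetServiceBearerToken"]
                and pinned == "codeartifact.amazonaws.com"):
            findings.append("Resource '*' without the sts:AWSServiceName pin")
    return findings


def review_policy(statements):
    """Map statement index -> findings, keeping only statements with findings."""
    results = {i: review_statement(s) for i, s in enumerate(statements)}
    return {i: f for i, f in results.items() if f}


if __name__ == "__main__":
    for index, findings in review_policy(SAMPLE_STATEMENTS).items():
        print(f"statement {index}: {'; '.join(findings)}")
```

Policies referenced through `policyArn` are not covered by this check, since their statements live in IAM rather than in the config file.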