
[New Check]: SageMaker domains use SSO authentication #11050

@danibarranqueroo

Description

Existing check search

  • I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.

Provider

AWS

New provider name

No response

Service or product area

sagemaker

Suggested check name

sagemaker_sso_configured

Context and goal

  • Security condition to validate: Each SageMaker Domain is configured with AuthMode: SSO and references an IdentityStoreId for centralized identity management.
  • Why it matters: IAM-mode domains create per-user IAM users/roles managed locally to SageMaker, drifting from the org's IdP and weakening lifecycle controls (offboarding, MFA, session policies). SSO mode anchors access to AWS IAM Identity Center.
  • Resource involved: SageMaker Domain (AuthMode, SingleSignOnApplicationArn, IAM Identity Center Identity Store).

Expected behavior

  • Resource or scope to evaluate: Each SageMaker Domain in the account.
  • PASS when: Domain AuthMode is SSO and is associated with an IAM Identity Center instance (Identity Store ID present).
  • FAIL when: Domain AuthMode is IAM, or SSO is set but no Identity Store association exists.

References

Suggested severity

Medium

Additional implementation notes

No response
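As an added example (not code from the Prowler project or from the issue author), the PASS/FAIL rules requested above expressed as a standalone Python evaluator over SageMaker DescribeDomain responses. Treating SingleSignOnApplicationArn / SingleSignOnManagedApplicationInstanceId as the evidence of an IAM Identity Center association, and the boto3 collector, are assumptions of this example; the sample domains are constructed.

```python
"""Added example (not Prowler's code): evaluate the proposed
sagemaker_sso_configured check against DescribeDomain responses."""

# Constructed sample DescribeDomain responses. Field names follow the
# SageMaker DescribeDomain API; using SingleSignOnApplicationArn /
# SingleSignOnManagedApplicationInstanceId as proof of an IAM Identity
# Center association is an assumption of this example.
SAMPLE_DOMAINS = [
    {"DomainId": "d-aaaa", "DomainName": "ml-prod", "AuthMode": "SSO",
     "SingleSignOnApplicationArn": "arn:aws:sso::111122223333:application/CONSTRUCTED"},
    {"DomainId": "d-bbbb", "DomainName": "ml-dev", "AuthMode": "IAM"},
    {"DomainId": "d-cccc", "DomainName": "ml-sandbox", "AuthMode": "SSO"},
]


def evaluate_domain(domain: dict) -> tuple[str, str]:
    """Return (status, message) for one domain using the issue's rules:
    PASS only when AuthMode is SSO and an Identity Center association exists."""
    name = domain.get("DomainName", domain.get("DomainId", "<unknown>"))
    auth_mode = domain.get("AuthMode")
    if auth_mode != "SSO":
        return "FAIL", f"SageMaker domain {name} uses {auth_mode} authentication instead of SSO."
    associated = bool(domain.get("SingleSignOnApplicationArn")
                      or domain.get("SingleSignOnManagedApplicationInstanceId"))
    if not associated:
        # The edge case from the issue: SSO mode set, but no Identity Center association.
        return "FAIL", f"SageMaker domain {name} is in SSO mode but has no IAM Identity Center association."
    return "PASS", f"SageMaker domain {name} uses SSO authentication backed by IAM Identity Center."


def evaluate_domains(domains: list[dict]) -> dict[str, str]:
    """Map DomainId -> status for a list of DescribeDomain responses."""
    return {d["DomainId"]: evaluate_domain(d)[0] for d in domains}


def describe_all_domains(region_name: str) -> list[dict]:
    """Live collector: page through ListDomains and DescribeDomain each result.
    Needs AWS credentials; boto3 is imported lazily so the module runs offline."""
    import boto3  # assumption: boto3 is installed
    sm = boto3.client("sagemaker", region_name=region_name)
    domains, kwargs = [], {}
    while True:
        page = sm.list_domains(**kwargs)
        for summary in page.get("Domains", []):
            domains.append(sm.describe_domain(DomainId=summary["DomainId"]))
        if not page.get("NextToken"):
            return domains
        kwargs = {"NextToken": page["NextToken"]}


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(*evaluate_domain(d))
```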

Labels

  • feature-request: New feature request for Prowler.
  • good first issue: Indicates a good issue for first-time contributors.
  • new-check
  • provider/aws: Issues/PRs related with the AWS provider.
