CloudFormation Guard (cfn-guard 2.x syntax) rules template for Amazon SageMaker resources

The following rules are included (each rule is skipped rather than failed when the template declares no resource of the relevant type):

  • Notebook Instance Direct Internet Access Disabled
  • Notebook Instance Storage Encryption
  • Notebook Instance VPC configured
  • Notebook Instance Root Access
  • Model Network Isolation
  • Model VPC Configured
  • Endpoint Configuration Encryption At-Rest

# Resource selectors. Each query collects every entry of the template's
# Resources map whose Type matches one SageMaker resource kind, so the rules
# below can iterate over all instances of that kind. A selector that yields
# nothing makes its dependent rules SKIP (see the `when %... !empty` guards).
let sagemaker_notebookinstances = Resources.*[ Type == "AWS::SageMaker::NotebookInstance" ]
let sagemaker_models = Resources.*[ Type == "AWS::SageMaker::Model" ]
let sagemaker_endpointconfigs = Resources.*[ Type == "AWS::SageMaker::EndpointConfig" ]

# Notebook instances are internet-enabled unless DirectInternetAccess is set
# to the literal "Disabled". Because the property is optional and its default
# is Enabled, an absent key is reported as a failure instead of being ignored.
# NOTE(review): AWS only accepts "Disabled" together with a SubnetId, so a
# template that passes here should also pass sagemaker_instance_vpc_configured.
rule sagemaker_instance_direct_internet_access when %sagemaker_notebookinstances !empty {
	%sagemaker_notebookinstances.Properties {
		# Missing -> service default (Enabled) -> fail.
		DirectInternetAccess exists <<DirectInternetAccess is not configured (i.e. enabled).>>
		# Present -> only the exact value "Disabled" is acceptable.
		when DirectInternetAccess exists {
			DirectInternetAccess == "Disabled" <<DirectInternetAccess is enabled.>>
		}
	}
}

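# Require a customer-managed KMS key for the notebook's ML storage volume.
# KmsKeyId is optional in CloudFormation; when it is absent the volume is
# presumably protected only by the service-default key, so this rule treats
# "absent" and "empty" alike. The message is worded around the missing key
# rather than "encryption disabled", which overstates what the check proves.
rule sagemaker_instance_storage_encryption when %sagemaker_notebookinstances !empty {
	%sagemaker_notebookinstances.Properties {
		KmsKeyId exists <<KmsKeyId is not set: the ML storage volume is not encrypted with a customer-managed KMS key.>>
		# An empty literal ("") satisfies `exists` but configures no key.
		# Intrinsic references (Ref / Fn::ImportValue) are non-empty maps and pass.
		when KmsKeyId exists {
			KmsKeyId !empty <<KmsKeyId is empty.>>
		}
	}
}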

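# A notebook instance is placed in a customer VPC only when SubnetId is set;
# the property is optional and, when absent, the instance runs on a
# SageMaker-managed network outside any VPC the template controls.
rule sagemaker_instance_vpc_configured when %sagemaker_notebookinstances !empty {
	%sagemaker_notebookinstances.Properties {
		SubnetId exists <<SageMaker Notebook Instance not configured with VPC.>>
		# "" passes `exists` but selects no subnet; Ref / Fn::ImportValue
		# values are non-empty maps and pass this check.
		when SubnetId exists {
			SubnetId !empty <<SubnetId is empty.>>
		}
		# NOTE(review): SecurityGroupIds is deliberately not enforced here.
		# Without it the instance's ENI presumably receives the VPC default
		# security group; add `SecurityGroupIds !empty` if that is not acceptable.
	}
}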

# Notebook users get root on the instance unless RootAccess is set to the
# literal "Disabled". The property is optional and defaults to Enabled, so a
# missing key is reported as a failure rather than silently accepted.
# NOTE(review): lifecycle configurations presumably still run as root even
# when RootAccess is Disabled — this rule only constrains interactive users.
rule sagemaker_instance_root_access when %sagemaker_notebookinstances !empty {
	%sagemaker_notebookinstances.Properties {
		# Missing -> service default (Enabled) -> fail.
		RootAccess exists <<RootAccess is not configured (i.e. enabled).>>
		# Present -> only the exact value "Disabled" is acceptable.
		when RootAccess exists {
			RootAccess == "Disabled" <<Root Access is enabled.>>
		}
	}
}

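# Require network isolation for model containers. EnableNetworkIsolation is
# optional and defaults to false, so an absent key is a failure. When true,
# the inference container is presumably cut off from outbound network access
# (SageMaker stages the model artifacts itself) — confirm against the current
# service docs before relying on this as an exfiltration control.
rule sagemaker_model_network_isolation when %sagemaker_models !empty {
	%sagemaker_models.Properties {
		EnableNetworkIsolation exists <<EnableNetworkIsolation is not configured (i.e. disabled).>>
		# CloudFormation accepts the string form for Boolean-typed properties
		# and Guard does not coerce types, so accept both spellings of "true";
		# a template using "true" should not be reported as non-isolated.
		when EnableNetworkIsolation exists {
			EnableNetworkIsolation IN [true, "true"] <<Network Isolation is disabled.>>
		}
	}
}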

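# Require models to carry a VpcConfig so their containers run inside a
# customer VPC. VpcConfig is optional on AWS::SageMaker::Model; when it is
# absent the containers run on the SageMaker-managed network.
rule sagemaker_model_vpc_settings when %sagemaker_models !empty {
	%sagemaker_models.Properties {
		VpcConfig exists <<Vpc Config is not configured.>>
		# VpcConfig requires both lists. An empty `{}` or empty lists would
		# satisfy `exists` alone while placing the model in no VPC at all, so
		# check that each list is present and non-empty.
		when VpcConfig exists {
			VpcConfig.Subnets !empty <<VpcConfig.Subnets is missing or empty.>>
			VpcConfig.SecurityGroupIds !empty <<VpcConfig.SecurityGroupIds is missing or empty.>>
		}
	}
}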

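# Require a customer-managed KMS key for the ML storage volume attached to the
# instances that host the endpoint. KmsKeyId is optional; "absent" and "empty"
# are treated alike. The message names the missing key rather than claiming
# encryption is off, which is more than this check can prove.
# NOTE(review): AWS rejects KmsKeyId for instance types with local NVMe
# storage (their volumes are encrypted by the instance itself), so templates
# using those instance families will need an exception to this rule.
rule sagemaker_endpoint_configuration_encryption_at_rest_enabled when %sagemaker_endpointconfigs !empty {
	%sagemaker_endpointconfigs.Properties {
		KmsKeyId exists <<KmsKeyId is not set: the ML storage volume is not encrypted with a customer-managed KMS key.>>
		# An empty literal ("") satisfies `exists` but configures no key.
		# Intrinsic references (Ref / Fn::ImportValue) are non-empty maps and pass.
		when KmsKeyId exists {
			KmsKeyId !empty <<KmsKeyId is empty.>>
		}
	}
}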

