prowler-cloud/prowler

[New Check]: SageMaker model monitoring schedules are active

Open

#11052 opened on May 6, 2026

feature-request, good first issue, new-check, provider/aws

Description

Existing check search

  • I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.

Provider

AWS

New provider name

No response

Service or product area

sagemaker

Suggested check name

sagemaker_models_monitor_enabled

Context and goal

  • Security condition to validate: At least one SageMaker monitoring schedule exists in the account/region and is in Scheduled status.
  • Why it matters: Model Monitor detects data drift, model quality issues, and bias drift in production. Without active monitoring, model degradation goes undetected and downstream decisions (fraud, access, pricing) silently degrade.
  • Resource involved: SageMaker monitoring schedule (MonitoringScheduleStatus, MonitoringType).

Expected behavior

  • Resource or scope to evaluate: SageMaker monitoring schedules in the account/region.
  • PASS when: at least one monitoring schedule exists and its status is Scheduled.
  • FAIL when: no monitoring schedule exists, or all existing schedules are in Pending, Failed, or Stopped status.

References

Suggested severity

Low

Additional implementation notes

No response

Contributor guide
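
The PASS/FAIL rule from "Expected behavior", applied per region to paginated ListMonitoringSchedules responses, as an added example that is not part of the issue and is not Prowler's code. The function name `evaluate_region`, the finding dictionary layout, and the sample data are assumptions made for illustration; the field names follow the ListMonitoringSchedules response.

```python
from collections import Counter

ACTIVE_STATUS = "Scheduled"  # the only status the issue counts as active

def evaluate_region(region, pages):
    """Apply the issue's PASS/FAIL rule to one region's ListMonitoringSchedules pages."""
    # Flatten every page so a Scheduled entry on a later page is not missed.
    schedules = [s for page in pages
                 for s in page.get("MonitoringScheduleSummaries", [])]
    active = [s for s in schedules
              if s.get("MonitoringScheduleStatus") == ACTIVE_STATUS]
    if active:
        types = sorted({s.get("MonitoringType", "unknown") for s in active})
        return {"region": region, "status": "PASS",
                "status_extended": f"{len(active)} of {len(schedules)} monitoring "
                                   f"schedule(s) in Scheduled status ({', '.join(types)})."}
    if not schedules:
        detail = "No SageMaker monitoring schedule exists."
    else:
        # Report which non-active states were found (Pending, Failed, Stopped).
        counts = Counter(s.get("MonitoringScheduleStatus", "unknown") for s in schedules)
        breakdown = ", ".join(f"{n} {st}" for st, n in sorted(counts.items()))
        detail = f"No monitoring schedule is in Scheduled status ({breakdown})."
    return {"region": region, "status": "FAIL", "status_extended": detail}

# Constructed sample data; us-east-1 spans two pages to mimic pagination.
SAMPLE = {
    "us-east-1": [
        {"MonitoringScheduleSummaries": [
            {"MonitoringScheduleName": "fraud-dq", "MonitoringScheduleStatus": "Stopped",
             "MonitoringType": "DataQuality"}]},
        {"MonitoringScheduleSummaries": [
            {"MonitoringScheduleName": "fraud-mq", "MonitoringScheduleStatus": "Scheduled",
             "MonitoringType": "ModelQuality"}]},
    ],
    "eu-west-1": [{"MonitoringScheduleSummaries": [
        {"MonitoringScheduleName": "pricing-dq", "MonitoringScheduleStatus": "Failed",
         "MonitoringType": "DataQuality"},
        {"MonitoringScheduleName": "pricing-bias", "MonitoringScheduleStatus": "Pending",
         "MonitoringType": "ModelBias"}]}],
    "ap-south-1": [{"MonitoringScheduleSummaries": []}],
}

FINDINGS = {region: evaluate_region(region, pages) for region, pages in SAMPLE.items()}

if __name__ == "__main__":
    for f in FINDINGS.values():
        print(f["region"], f["status"], f["status_extended"])
```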