cursus.core.utils.nvme_security

NVMe-aware security patching for SageMaker training and processing steps.

MODSWorkflowHelper._patch_training_step and _patch_processing_step unconditionally inject volume_kms_key from SAIS secure_config. NVMe-backed GPU instances (ml.p4d, ml.g5, ml.g4dn, ml.p3dn, ml.trn, ml.inf, any *d/*dn family) reject VolumeKmsKeyId because they use hardware encryption. This module patches both methods to skip volume_kms_key for those instances while preserving all other security settings.

The processing step patch uses hybrid logic:
  • If processor._skip_volume_kms is explicitly set (True/False), honor it.

  • Otherwise, auto-detect from processor.instance_type via instance_supports_kms().

Reference: OfficeHour-1553, CMLS-Model-1049 Remove once MODSWorkflowHelper ships its own NVMe gate.

install_nvme_aware_security_patch()[source]

Patch MODSWorkflowHelper to be NVMe-aware for both training and processing steps.

For NVMe instances, clears volume_kms_key so it’s excluded from the API request. Uses hybrid logic: config override (processor._skip_volume_kms) > auto-detect from instance_supports_kms(processor.instance_type).

Idempotent — safe to call multiple times. Returns True if the patch was installed (or was already installed), False if dependencies are unavailable.