[New Check]: SageMaker model monitoring schedules are active

[danibarranqueroo]

Existing check search

• I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.

Provider

AWS

New provider name

No response

Service or product area

sagemaker

Suggested check name

sagemaker_models_monitor_enabled

Context and goal

• Security condition to validate: At least one SageMaker monitoring schedule exists in the account/region and is in Scheduled status.
• Why it matters: Model Monitor detects data drift, model quality issues, and bias drift in production. Without active monitoring, model degradation goes undetected and downstream decisions (fraud, access, pricing) silently degrade.
• Resource involved: SageMaker monitoring schedule (MonitoringScheduleStatus, MonitoringType).

Expected behavior

• Resource or scope to evaluate: SageMaker monitoring schedules in the account/region.
• PASS when: at least one monitoring schedule exists and its status is Scheduled.
• FAIL when: no monitoring schedule exists, or all existing schedules are in Pending, Failed, or Stopped status.

References

• AWS docs: https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor.html
• API: sagemaker:ListMonitoringSchedules, sagemaker:DescribeMonitoringSchedule (returns MonitoringScheduleStatus).
• CLI: aws sagemaker list-monitoring-schedules; aws sagemaker describe-monitoring-schedule --monitoring-schedule-name .
• Reference implementation: check_sagemaker_model_monitor_usage in https://github.com/aws-samples/sample-aiml-security-assessment

Suggested severity

Low

Additional implementation notes

No response