This is an example of using Cloud Custodian to enfore a policy preventing public, unecrypted SageMaker Notebooks from being deployed. It contains the Custodian policy itself, a Mailer configuration for notifications and a CodePipeline stack to manage deployment.
It is described in detail in a blog post on the KZN website.