[chore] Add conditionals for TRE permission boundaries (#1186)

* [chore] Add conditionals for TRE permission boundaries * Updated cypress integration test configs
awslabs · May 2, 2023 · 27980eb · 27980eb
1 parent fcee7bb
commit 27980eb
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 12 deletions.
diff --git a/...ns/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/...ns/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
@@ -1227,3 +1227,10 @@ Outputs:
     Description: Route53 hosted zone
     Condition: isAppStreamAndCustomDomain
     Value: !Ref Route53HostedZone
+
+  S3VPCE:
+    Description: S3 interface endpoint
+    Condition: isAppStream
+    Value: !Ref S3Endpoint
+    Export:
+      Name: !Join [ '', [ Ref: Namespace, '-S3VPCE' ] ]
diff --git a/...packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml b/...packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml
@@ -79,6 +79,22 @@ Resources:
             Action:
               - 'sts:AssumeRole'
             Resource: 'arn:aws:iam::*:role/swb-*'
+          - !If
+            - AppStreamEnabled
+            - Effect: Deny
+              Action: '*'
+              Resource: '*'
+              Condition:
+                StringNotEquals:
+                  aws:Ec2InstanceSourceVPC: "${aws:SourceVpc}"
+                  aws:ec2InstanceSourcePrivateIPv4: "${aws:VpcSourceIp}"
+                BoolIfExists:
+                  aws:ViaAWSService: "false"
+                'Null':
+                  aws:ec2InstanceSourceVPC: "false"
+            - !Ref 'AWS::NoValue'
+
+
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:

diff --git a/...ckages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml b/...ckages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml
@@ -101,6 +101,20 @@ Resources:
             Action:
               - 'sts:AssumeRole'
             Resource: 'arn:aws:iam::*:role/swb-*'
+          - !If
+            - AppStreamEnabled
+            - Effect: Deny
+              Action: '*'
+              Resource: '*'
+              Condition:
+                StringNotEquals:
+                  aws:Ec2InstanceSourceVPC: "${aws:SourceVpc}"
+                  aws:ec2InstanceSourcePrivateIPv4: "${aws:VpcSourceIp}"
+                BoolIfExists:
+                  aws:ViaAWSService: "false"
+                'Null':
+                  aws:ec2InstanceSourceVPC: "false"
+            - !Ref 'AWS::NoValue'
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:

diff --git a/...base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml b/...base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
@@ -122,6 +122,17 @@ Resources:
               - sagemaker:DescribeNotebookInstance
               - sagemaker:StopNotebookInstance
             Resource: '*'
+          - !If
+            - AppStreamEnabled
+            - Effect: Deny
+              Action: 's3:*'
+              Resource: '*'
+              Condition:
+                StringNotEquals:
+                  aws:SourceVpce:
+                    Fn::ImportValue: !Sub '${SolutionNamespace}-S3VPCE'
+            - !Ref 'AWS::NoValue'
+
 
   IAMRoleSageMakerURL:
     Type: 'AWS::IAM::Role'

diff --git a/main/end-to-end-tests/cypress.github.appstream-egress.json b/main/end-to-end-tests/cypress.github.appstream-egress.json
@@ -9,19 +9,19 @@
     "cognitoClientId": "3do9bsosfmol7r7hdnutbn5tup",
     "workspaces": {
       "sagemaker": {
-        "workspaceTypeName": "SageMaker Notebook-v6",
-        "configuration": "AppStream-SageMaker",
+        "workspaceTypeName": "SageMaker Notebook-v11",
+        "configuration": "SageMaker-v11",
         "projectId": "TRE-Project"
       },
       "ec2": {
         "linux": {
-          "workspaceTypeName": "EC2 Linux-v4",
-          "configuration": "AppStream-Linux",
+          "workspaceTypeName": "EC2 Linux-v9",
+          "configuration": "Linux-v9",
           "projectId": "TRE-Project"
         },
         "windows": {
-          "workspaceTypeName": "EC2 Windows-v4",
-          "configuration": "AppStream-Windows",
+          "workspaceTypeName": "EC2 Windows-v9",
+          "configuration": "Windows-v9",
           "projectId": "TRE-Project"
         }
       },

diff --git a/main/end-to-end-tests/cypress.github.json b/main/end-to-end-tests/cypress.github.json
@@ -9,19 +9,19 @@
     "cognitoClientId": "6dmj4qhbihtkigcbsjo346hjmi",
     "workspaces": {
       "sagemaker": {
-        "workspaceTypeName": "SageMaker Notebook-v9",
-        "configuration": "e2etest-config-with-autostop",
+        "workspaceTypeName": "SageMaker Notebook-v12",
+        "configuration": "SageMaker",
         "projectId": "e2eTestProject"
       },
       "ec2": {
         "windows": {
-          "workspaceTypeName": "EC2 Windows-v4",
-          "configuration": "ec2-windows-e2e",
+          "workspaceTypeName": "EC2 Windows-v9",
+          "configuration": "Windows",
           "projectId": "e2eTestProject"
         },
         "linux": {
-          "workspaceTypeName": "EC2 Linux-v3",
-          "configuration": "ec2-linux-e2e",
+          "workspaceTypeName": "EC2 Linux-v8",
+          "configuration": "Linux-v8",
           "projectId": "e2eTestProject"
         }
       },