[feat] Use S3VPCE to prevent S3 access outside of VPC #1183
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## develop #1183 +/- ##
========================================
Coverage 52.19% 52.19%
========================================
Files 344 344
Lines 17177 17177
Branches 2646 2646
========================================
Hits 8965 8965
Misses 7219 7219
Partials 993 993
Continue to review full report in Codecov by Sentry.
This reverts commit 6db5a8f.
* git actions to origin (awslabs#1139) * chore(deps): bump golang.org/x/sys (awslabs#1138) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20201026173827-119d4633e4d1 to 0.1.0. - [Release notes](https://github.com/golang/sys/releases) - [Commits](https://github.com/golang/sys/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: FernandoAranda <fernandoarandacarrillo@gmail.com> * Revert "chore(deps): bump golang.org/x/sys (awslabs#1138)" (awslabs#1140) This reverts commit c836c57. Co-authored-by: Fernando Aranda <farandac@amazon.com> * fix: s3 CLI command fix (awslabs#1149) * docs: remove Docusaurus and use IG (awslabs#1150) * fix: sagemaker autostop (awslabs#1153) * fix: autostop sagemaker fix for non TRE/no study mounting (awslabs#1154) * Minor documentation updates to reconcile differences between AWS website and Repository. Additionally included step for the Cloud9 installation instructions to specify a public subnet for VPC installation. If you do not you cannot use AWS Managed Temporary Credentials and will break the install of Cloud9 without a very verbose error message. 
(awslabs#1151) * chore(deps): bump golang.org/x/sys from 0.0.0-20201026173827-119d4633e4d1 to 0.1.0 in /addons/addon-raas-s3-copy/packages/s3-synchronizer (awslabs#1152) * fix: go mod format (awslabs#1163) * Add elasticmapreduce:AddTags permission to LaunchConstraint role (awslabs#1164) * fix: upgrade goland in buildspec (awslabs#1166) * fix: upgrade code build image for target env deploy project (awslabs#1168) * revert: revert Go version upgrade (awslabs#1169) * Update deploy-integ-appstream-egress.yml (awslabs#1172) * Update deploy-integ-appstream-egress.yml Added OIDC config for role assumption * Update deploy-integ.yml Adding OIDC changes to deploy-integ.yml * Update deploy-integ-appstream-egress.yml Delete comments * Update deploy-integ.yml replace hardcoded region * Update README.md Updating readme * OIDC permissions (awslabs#1173) * Add permissions to deploys * trigger unit tests --------- Co-authored-by: Marianna Ghirardelli <ghirard@amazon.com> * chore(deps): bump xml2js and aws-sdk in /scripts/load-test-workspaces (awslabs#1171) Bumps [xml2js](https://github.com/Leonidas-from-XIV/node-xml2js) to 0.5.0 and updates ancestor dependency [aws-sdk](https://github.com/aws/aws-sdk-js). These dependencies need to be updated together. Updates `xml2js` from 0.4.19 to 0.5.0 - [Release notes](https://github.com/Leonidas-from-XIV/node-xml2js/releases) - [Commits](Leonidas-from-XIV/node-xml2js@0.4.19...0.5.0) Updates `aws-sdk` from 2.814.0 to 2.1354.0 - [Release notes](https://github.com/aws/aws-sdk-js/releases) - [Changelog](https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md) - [Commits](aws/aws-sdk-js@v2.814.0...v2.1354.0) --- updated-dependencies: - dependency-name: xml2js dependency-type: indirect - dependency-name: aws-sdk dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tyler Mikev <112508158+aws-tyler@users.noreply.github.com> * fix: Make SageMaker IAM policy case insensitive (awslabs#1177) * chore(release): 5.2.8 (awslabs#1178) * chore(release): 5.2.8 * mend --------- Co-authored-by: Fernando Aranda <farandac@amazon.com> * Atmikev/creds restrictions (awslabs#1181) * Added SourceVPC boundaries for EC2 Linux, Windows, and EMR * Exporting S3 VpcEndpoint value from onboarding * Removing EMR changes * chore(release): 5.2.9 (awslabs#1182) * chore(release): 5.2.9 * chore(release): 5.2.9 * [feat] Use S3VPCE to prevent S3 access outside of VPC (awslabs#1183) * docs: Add Beta * fix: add OwnershipControls for LoggingBucket (awslabs#1185) * Revert "[feat] Use S3VPCE to prevent S3 access outside of VPC" (awslabs#1187) * chore(release): 5.2.10 (awslabs#1188) * [chore] Add conditionals for TRE permission boundaries (awslabs#1186) * [chore] Add conditionals for TRE permission boundaries * Updated cypress integration test configs * docs: Add Beta * Add an S3 Endpoint for Non-TRE deployments (awslabs#1189) * Update templates * always populate SolutionName * There is no isAppStream in EMR * Always autopopulate the value for SolutionName * Added script to reroute S3 connections through VPC * chore(release): 5.2.11 (awslabs#1191) * Deny all non-admins access to user list. 
* Omit the 'external-researcher' user role as it isn't included in the response from api/user-roles * fix: BYOB role updates for VPCE restrictions (awslabs#1197) * fix: BYOB role updates for VPCE restrictions * fix: making projectId required for BYOB (awslabs#1198) * fix: add missing proj ID for integ tests * chore: update pipeline test config (awslabs#1199) * docs: Add Beta * chore(release): v6.0.0 (awslabs#1200) * chore(release): 6.0.0 * EMR AL2 upgrade (awslabs#1205) * feat: remove hail provisioning from EMR and upgrade to AL2 * feat: swap to EMR installed JupyterHub instead of installing our own. * docs: Add Beta * chore(deps): bump fast-xml-parser, @aws-sdk/client-appstream, @aws-sdk/client-ec2 and @aws-sdk/client-s3 (awslabs#1207) Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) to 4.2.5 and updates ancestor dependencies [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser), [@aws-sdk/client-appstream](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-appstream), [@aws-sdk/client-ec2](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-ec2) and [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3). These dependencies need to be updated together. 
Updates `fast-xml-parser` from 4.2.4 to 4.2.5 - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v4.2.4...v4.2.5) Updates `@aws-sdk/client-appstream` from 3.350.0 to 3.369.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-appstream/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.369.0/clients/client-appstream) Updates `@aws-sdk/client-ec2` from 3.350.0 to 3.369.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-ec2/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.369.0/clients/client-ec2) Updates `@aws-sdk/client-s3` from 3.350.0 to 3.369.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.369.0/clients/client-s3) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-type: indirect - dependency-name: "@aws-sdk/client-appstream" dependency-type: direct:production - dependency-name: "@aws-sdk/client-ec2" dependency-type: direct:production - dependency-name: "@aws-sdk/client-s3" dependency-type: indirect ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sanket Dharwadkar <sdharwad@amazon.com> Co-authored-by: Kevin Park <103979972+kpark277@users.noreply.github.com> * chore(deps-dev): bump word-wrap in /scripts/load-test-workspaces (awslabs#1210) * chore(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 in /scripts/app-stream (awslabs#1211) * test: extend emr e2e test timeout to 20 min (awslabs#1214) * chore(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 in /main/end-to-end-tests (awslabs#1212) * feat: add IMDSv2 support on AMI creation (awslabs#1215) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: jane yu <118856243+janeyuaws@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: FernandoAranda <fernandoarandacarrillo@gmail.com> Co-authored-by: Fernando Aranda <farandac@amazon.com> Co-authored-by: Sanket Dharwadkar <sdharwad@amazon.com> Co-authored-by: Marianna Ghirardelli <43092418+maghirardelli@users.noreply.github.com> Co-authored-by: spensireli <spencerconklin92@gmail.com> Co-authored-by: Kevin Park <103979972+kpark277@users.noreply.github.com> Co-authored-by: Tyler Mikev <112508158+aws-tyler@users.noreply.github.com> Co-authored-by: Marianna Ghirardelli <ghirard@amazon.com> Co-authored-by: GitHub Action <action@github.com>
Added `aws:SourceVpce` check onto SageMaker cloud formation template's permission boundary.
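
An added example, not code from this pull request: a Python check that a permissions-boundary policy document ties S3 access to one VPC endpoint through `aws:SourceVpce`. The two policy shapes it accepts, the sample policies and the `vpce-EXAMPLE` id are constructed assumptions, since the PR's actual template does not appear on this page.

```python
# Added example: sample policies and the endpoint id are constructed, not from the PR.
VPCE = "vpce-EXAMPLE"  # placeholder endpoint id

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _vpce_values(stmt, operator):
    """aws:SourceVpce values under one condition operator (key names are case-insensitive)."""
    for key, val in stmt.get("Condition", {}).get(operator, {}).items():
        if key.lower() == "aws:sourcevpce":
            return set(_as_list(val))
    return set()

def _actions(stmt):
    return [a.lower() for a in _as_list(stmt.get("Action", []))]

def audit_boundary(policy, vpce_id):
    """Return Sids of Allow statements that grant S3 without pinning it to vpce_id."""
    stmts = _as_list(policy["Statement"])
    # Shape 1 (assumed): one Deny on all S3 actions unless the request came via the endpoint.
    for s in stmts:
        if (s.get("Effect") == "Deny" and {"s3:*", "*"} & set(_actions(s))
                and "*" in _as_list(s.get("Resource", []))
                and _vpce_values(s, "StringNotEquals") == {vpce_id}):
            return []
    # Shape 2 (assumed): every S3 Allow carries StringEquals on the endpoint id.
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and any(a == "*" or a.startswith("s3:") for a in _actions(s))
            and _vpce_values(s, "StringEquals") != {vpce_id}]

WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Access", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
    {"Sid": "Notebook", "Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"}]}

HARDENED = {"Version": "2012-10-17", "Statement": WEAK["Statement"] + [
    {"Sid": "DenyS3OutsideVpce", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE}}}]}

if __name__ == "__main__":
    print("weak:", audit_boundary(WEAK, VPCE))
    print("hardened:", audit_boundary(HARDENED, VPCE))
```

The check does not interpret `NotAction`, `IfExists` operators or resource-scoped denies, so a policy using those is reported rather than passed.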