From f2ee757b24c96a88afb542bf4ae33127838ebe10 Mon Sep 17 00:00:00 2001
From: Tyler Mikev
Date: Thu, 27 Apr 2023 16:09:26 -0500
Subject: [PATCH] [feat] Use S3VPCE to prevent S3 access outside of VPC
---
 .../src/templates/onboard-account.cfn.yml | 6 ++++--
 .../service-catalog/sagemaker-notebook-instance.cfn.yml | 8 ++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
index d9c6bb3b11..573bc78aa1 100644
--- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
+++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
@@ -1228,7 +1228,9 @@ Outputs:
 Condition: isAppStreamAndCustomDomain
 Value: !Ref Route53HostedZone
- S3VpcEndpoint:
+ S3VPCE:
 Description: S3 interface endpoint
 Condition: isAppStream
- Value: !Ref S3Endpoint
\ No newline at end of file
+ Value: !Ref S3Endpoint
+ Export:
+ Name: !Join [ '', [ Ref: Namespace, '-S3VPCE' ] ]
\ No newline at end of file
diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
index d267db875f..3b45a4b769 100644
--- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
+++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
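Review bot: The new `Export` is attached to an output that carries `Condition: isAppStream`, so in any deployment where that condition is false the `${Namespace}-S3VPCE` export does not exist and every `Fn::ImportValue` of it in a dependent stack fails at create or update time; the consumer must apply the same condition, and that prerequisite is not stated anywhere in this hunk. Renaming the output key from `S3VpcEndpoint` to `S3VPCE` also silently drops the old name, so any existing reader of `S3VpcEndpoint` has to be updated — I cannot see from here whether one exists. Note that once another stack imports this value, CloudFormation refuses to delete the output or change its value until the import is removed, which makes this a one-way coupling worth a comment such as `# Exported for the SageMaker notebook template's S3 Deny condition; cannot be removed while imported`. The export name is built from `Ref: Namespace` while the importing template uses `${SolutionNamespace}`; presumably both resolve to the same string, but that should be confirmed.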
@@ -122,6 +122,14 @@ Resources:
 - sagemaker:DescribeNotebookInstance
 - sagemaker:StopNotebookInstance
 Resource: '*'
+ - Effect: Deny
+ Action: 's3:*'
+ Resource: '*'
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce:
+ Fn::ImportValue: !Sub '${SolutionNamespace}-S3VPCE'
+
 IAMRoleSageMakerURL:
 Type: 'AWS::IAM::Role'
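Review bot: The `Fn::ImportValue: !Sub '${SolutionNamespace}-S3VPCE'` in the new Deny statement is unconditional, but the export it reads is produced only under `Condition: isAppStream` in the onboarding template, so this stack will fail to deploy in non-AppStream environments unless the statement is guarded by an equivalent template condition. The `StringNotEquals` on `aws:SourceVpce` does deny every request in which that key is absent from the context (negated operators match on a missing key), which is the intended outcome for traffic that bypasses the endpoint; it equally denies the notebook's own S3 calls unless they are actually routed through that endpoint, and the routing and DNS setup that makes that true is not visible in this hunk, so I would confirm it against the VPC configuration. Giving the statement a `Sid: DenyS3OutsideVpce` would make the purpose of a blanket `s3:*` Deny legible to anyone reading the role later. The enclosing PolicyDocument begins outside the hunk.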