Merge 9cd63ef into 1d2fe14

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml

@@ -1227,3 +1227,8 @@ Outputs:
     Description: Route53 hosted zone
     Condition: isAppStreamAndCustomDomain
     Value: !Ref Route53HostedZone
+
+  S3VpcEndpoint:
+    Description: S3 interface endpoint
+    Condition: isAppStream
+    Value: !Ref S3Endpoint

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml

@@ -79,6 +79,18 @@ Resources:
             Action:
               - 'sts:AssumeRole'
             Resource: 'arn:aws:iam::*:role/swb-*'
+          - Effect: Deny
+            Action: '*'
+            Resource: '*'
+            Condition:
+              StringNotEquals:
+                aws:Ec2InstanceSourceVPC: "${aws:SourceVpc}"
+                aws:ec2InstanceSourcePrivateIPv4: "${aws:VpcSourceIp}"
+              BoolIfExists:
+                aws:ViaAWSService: "false"
+              'Null':
+                aws:ec2InstanceSourceVPC: "false"
+
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml

@@ -101,6 +101,17 @@ Resources:
             Action:
               - 'sts:AssumeRole'
             Resource: 'arn:aws:iam::*:role/swb-*'
+          - Effect: Deny
+            Action: '*'
+            Resource: '*'
+            Condition:
+              StringNotEquals:
+                aws:Ec2InstanceSourceVPC: "${aws:SourceVpc}"
+                aws:ec2InstanceSourcePrivateIPv4: "${aws:VpcSourceIp}"
+              BoolIfExists:
+                aws:ViaAWSService: "false"
+              'Null':
+                aws:ec2InstanceSourceVPC: "false"
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties: