[feat] Use S3VPCE to prevent S3 access outside of VPC

awslabs · Apr 27, 2023 · f2ee757 · f2ee757
1 parent 1753e5e
commit f2ee757
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/...ns/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/...ns/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
@@ -1228,7 +1228,9 @@ Outputs:
     Condition: isAppStreamAndCustomDomain
     Value: !Ref Route53HostedZone
 
-  S3VpcEndpoint:
+  S3VPCE:
     Description: S3 interface endpoint
     Condition: isAppStream
-    Value: !Ref S3Endpoint
+    Value: !Ref S3Endpoint
+    Export:
+      Name: !Join [ '', [ Ref: Namespace, '-S3VPCE' ] ]
diff --git a/...base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml b/...base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
@@ -122,6 +122,14 @@ Resources:
               - sagemaker:DescribeNotebookInstance
               - sagemaker:StopNotebookInstance
             Resource: '*'
+          - Effect: Deny
+            Action: 's3:*'
+            Resource: '*'
+            Condition:
+              StringNotEquals:
+                aws:SourceVpce:
+                  Fn::ImportValue: !Sub '${SolutionNamespace}-S3VPCE'
+
 
   IAMRoleSageMakerURL:
     Type: 'AWS::IAM::Role'