├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md └── sagemaker-domain-with-vpc.yaml /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Creating Amazon SageMaker Domains using AWS CloudFormation 2 | 3 | Amazon SageMaker Studio (https://docs.aws.amazon.com/sagemaker/latest/dg/gs-studio.html) is the first fully integrated development environment (IDE) for machine learning (ML). 4 | It provides a single, web-based visual interface where you can perform all ML development steps required to build, train, tune, debug, deploy, and monitor models. 5 | 6 | AWS CloudFormation (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycle, by treating infrastructure as code. 7 | 8 | In this repository, we want to provide an AWS CloudFormation template for safely deploying a SageMaker Domain in a VPC. This template is configured to include all required permissions for SageMaker Studio, SageMaker Canvas, and other functionalities. 9 | 10 | ## How to run from Management Console 11 | 12 | 1. Download the template in this repository, [here](./sagemaker-domain-with-vpc.yaml) 13 | 2. Head over to [AWS CloudFormation Console](https://console.amazon.com/cloudformation), make sure you're in the right region 14 | 3. Click “Create Stack”, select “Choose an existing template”, and “Upload a template file”. 15 | 4. Upload the template filedownloaded in step 1 16 | 5. Provide the required parameters, click “Next”, confirm you allow the creation of IAM resources by selecting the checkbox, then click “Create” 17 | 6. Wait until completed. You're done! 🎉️ 18 | 19 | ## How to run from command line 20 | 21 | `aws cloudformation deploy --stack-name --template-file sagemaker-domain-with-vpc.yaml --capabilities CAPABILITY_IAM` 22 | 23 | ## Security 24 | 25 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 26 | 27 | ## License 28 | 29 | This library is licensed under the MIT-0 License. See the [LICENSE](LICENSE) file. 30 | -------------------------------------------------------------------------------- /sagemaker-domain-with-vpc.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: "2010-09-09" 2 | Description: This CloudFormation template establishes a secure, fully enclosed Amazon SageMaker Studio environment tailored for workshops or projects requiring stringent security measures. It configures essential networking resources within a Virtual Private Cloud (VPC) to ensure no direct internet access is necessary. The template methodically sets up two private subnets, associated route tables, and multiple VPC endpoints, enabling private connections to critical AWS services. This infrastructure supports seamless, secure operations of the SageMaker Studio domain, catering specifically to scenarios that demand high security and data privacy. 3 | 4 | Parameters: 5 | UserProfileName: 6 | Type: String 7 | Description: User profile name 8 | Default: "admin" 9 | DomainName: 10 | Type: String 11 | Description: The domain name of the Admin Sagemaker Studio instance 12 | Default: "canvas-domain" 13 | S3BucketPrefix: 14 | Type: String 15 | Description: The prefix for the S3 bucket. Suffix will be -REGION-ACCOUNT_ID 16 | Default: "sagemaker" 17 | VPCCidr: 18 | Type: String 19 | Description: "Enter a valid CIDR block (e.g., 10.0.0.0/16)" 20 | AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/(3[0-2]|[1-2]?[0-9])$ 21 | ConstraintDescription: "Must be a valid CIDR block in the format x.x.x.x/x" 22 | Default: "10.0.0.0/16" 23 | 24 | Resources: 25 | ### S3 BUCKET 26 | S3BucketManagementRole: 27 | Type: AWS::IAM::Role 28 | Properties: 29 | AssumeRolePolicyDocument: 30 | Version: "2012-10-17" 31 | Statement: 32 | - Effect: Allow 33 | Principal: 34 | Service: 35 | - lambda.amazonaws.com 36 | Action: 37 | - sts:AssumeRole 38 | Path: / 39 | ManagedPolicyArns: 40 | - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole 41 | Policies: 42 | - PolicyName: S3BucketManagementPolicy 43 | PolicyDocument: 44 | Version: "2012-10-17" 45 | Statement: 46 | - Effect: Allow 47 | Action: 48 | - s3:GetBucketCORS 49 | - s3:PutBucketCORS 50 | - s3:CreateBucket 51 | - s3:ListBucket 52 | Resource: !Sub "arn:aws:s3:::${S3BucketPrefix}-${AWS::Region}-${AWS::AccountId}" 53 | S3BucketManagementFunction: 54 | Type: AWS::Lambda::Function 55 | Properties: 56 | Handler: index.handler 57 | Role: !GetAtt S3BucketManagementRole.Arn 58 | Runtime: python3.12 59 | Timeout: 30 60 | MemorySize: 128 61 | Code: 62 | ZipFile: | 63 | import json 64 | import boto3 65 | import botocore 66 | import cfnresponse 67 | import os 68 | 69 | s3 = boto3.client('s3') 70 | 71 | def handler(event, context): 72 | bucket_name = event['ResourceProperties']['BucketName'] 73 | cors_configuration = { 74 | 'CORSRules': [{ 75 | 'AllowedHeaders': ['*'], 76 | 'AllowedMethods': ['POST', 'PUT', 'GET', 'HEAD', 'DELETE'], 77 | 'AllowedOrigins': ['https://*.sagemaker.aws'], 78 | 'ExposeHeaders': [ 79 | 'ETag', 'x-amz-delete-marker', 'x-amz-id-2', 80 | 'x-amz-request-id', 'x-amz-server-side-encryption', 81 | 'x-amz-version-id' 82 | ] 83 | }] 84 | } 85 | 86 | try: 87 | # Check if the bucket exists 88 | s3.head_bucket(Bucket=bucket_name) 89 | s3.put_bucket_cors(Bucket=bucket_name, CORSConfiguration=cors_configuration) 90 | except botocore.exceptions.ClientError as e: 91 | # If a 404 error occurs, then the bucket does not exist 92 | if e.response['Error']['Code'] == '404': 93 | try: 94 | # Create the bucket 95 | s3.create_bucket( 96 | Bucket=bucket_name, 97 | CreateBucketConfiguration={'LocationConstraint': os.getenv("AWS_REGION")} 98 | ) 99 | # Set the CORS configuration 100 | s3.put_bucket_cors(Bucket=bucket_name, CORSConfiguration=cors_configuration) 101 | except botocore.exceptions.ClientError as e: 102 | # If an error occurs during bucket creation or CORS setting, return an error 103 | print(f"Error creating or setting CORS for bucket {bucket_name}: {e}") 104 | cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)}, bucket_name) 105 | return 106 | else: 107 | # If any other error occurs, return an error 108 | print(f"Error accessing bucket {bucket_name}: {e}") 109 | cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)}, bucket_name) 110 | return 111 | except Exception as e: 112 | # If any other unexpected error occurs, return an error 113 | print(f"Unexpected error: {e}") 114 | cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)}, bucket_name) 115 | return 116 | 117 | cfnresponse.send(event, context, cfnresponse.SUCCESS, {'BucketName': bucket_name}, bucket_name) 118 | S3BucketCustomResource: 119 | Type: Custom::ManageS3Bucket 120 | Properties: 121 | ServiceToken: !GetAtt S3BucketManagementFunction.Arn 122 | BucketName: !Sub "${S3BucketPrefix}-${AWS::Region}-${AWS::AccountId}" 123 | 124 | ### RESOURCES FOR NECESSARY NETWORKING INFRASTRUCTURE 125 | SageMakerVPC: 126 | Type: AWS::EC2::VPC 127 | Properties: 128 | CidrBlock: !Ref VPCCidr 129 | EnableDnsSupport: true 130 | EnableDnsHostnames: true 131 | Tags: 132 | - Key: Name 133 | Value: !Sub '${AWS::StackName}-vpc' 134 | SageMakerPrivateSubnet1: 135 | Type: AWS::EC2::Subnet 136 | Properties: 137 | VpcId: 138 | Ref: SageMakerVPC 139 | CidrBlock: 10.0.0.0/24 140 | AvailabilityZone: !Select 141 | - 0 142 | - Fn::GetAZs: !Ref 'AWS::Region' 143 | Tags: 144 | - Key: Name 145 | Value: !Sub '${AWS::StackName}-private-subnet1' 146 | SageMakerPrivateSubnet2: 147 | Type: AWS::EC2::Subnet 148 | Properties: 149 | VpcId: 150 | Ref: SageMakerVPC 151 | CidrBlock: 10.0.1.0/24 152 | AvailabilityZone: !Select 153 | - 1 154 | - Fn::GetAZs: !Ref 'AWS::Region' 155 | Tags: 156 | - Key: Name 157 | Value: !Sub '${AWS::StackName}-private-subnet2' 158 | SageMakerPrivateRouteTable: 159 | Type: AWS::EC2::RouteTable 160 | Properties: 161 | VpcId: !Ref SageMakerVPC 162 | Tags: 163 | - Key: Name 164 | Value: !Sub '${AWS::StackName}-private-routetable' 165 | SageMakerPrivateSubnet1RouteTableAssociation: 166 | Type: AWS::EC2::SubnetRouteTableAssociation 167 | Properties: 168 | SubnetId: 169 | Ref: SageMakerPrivateSubnet1 170 | RouteTableId: 171 | Ref: SageMakerPrivateRouteTable 172 | SageMakerPrivateSubnet2RouteTableAssociation: 173 | Type: AWS::EC2::SubnetRouteTableAssociation 174 | Properties: 175 | SubnetId: 176 | Ref: SageMakerPrivateSubnet2 177 | RouteTableId: 178 | Ref: SageMakerPrivateRouteTable 179 | SageMakerSecurityGroup: 180 | Type: 'AWS::EC2::SecurityGroup' 181 | Properties: 182 | SecurityGroupEgress: 183 | - Description: All traffic is allowed outbound 184 | IpProtocol: '-1' 185 | CidrIp: 0.0.0.0/0 186 | GroupDescription: 'Security Group for SageMaker Studio' 187 | VpcId: !Ref SageMakerVPC 188 | Tags: 189 | - Key: Name 190 | Value: studio-security-group 191 | SageMakerSecurityGroupSelfIngress: 192 | Type: AWS::EC2::SecurityGroupIngress 193 | Properties: 194 | Description: Self-ingress to enable communication between intances within the same SG 195 | IpProtocol: '-1' 196 | SourceSecurityGroupId: !Ref SageMakerSecurityGroup 197 | GroupId: !Ref SageMakerSecurityGroup 198 | VPCEndpointSecurityGroup: 199 | Type: AWS::EC2::SecurityGroup 200 | Properties: 201 | GroupDescription: Allow TLS for VPC Endpoint 202 | VpcId: !Ref SageMakerVPC 203 | Tags: 204 | - Key: Name 205 | Value: !Sub ${AWS::StackName}-endpoint-security-group 206 | EndpointSecurityGroupIngress: 207 | Type: AWS::EC2::SecurityGroupIngress 208 | Properties: 209 | IpProtocol: tcp 210 | FromPort: 443 211 | ToPort: 443 212 | GroupId: !Ref VPCEndpointSecurityGroup 213 | SourceSecurityGroupId: !Ref SageMakerSecurityGroup 214 | VPCEndpointS3: 215 | Type: AWS::EC2::VPCEndpoint 216 | Properties: 217 | ServiceName: !Sub com.amazonaws.${AWS::Region}.s3 218 | VpcEndpointType: Gateway 219 | VpcId: !Ref SageMakerVPC 220 | PolicyDocument: 221 | Version: 2012-10-17 222 | Statement: 223 | - Effect: Allow 224 | Principal: '*' 225 | Action: '*' 226 | Resource: '*' 227 | RouteTableIds: 228 | - !Ref SageMakerPrivateRouteTable 229 | VPCEndpointSageMakerAPI: 230 | Type: AWS::EC2::VPCEndpoint 231 | Properties: 232 | PolicyDocument: 233 | Version: 2012-10-17 234 | Statement: 235 | - Effect: Allow 236 | Principal: '*' 237 | Action: '*' 238 | Resource: '*' 239 | VpcEndpointType: Interface 240 | PrivateDnsEnabled: true 241 | SubnetIds: 242 | - !Ref SageMakerPrivateSubnet1 243 | - !Ref SageMakerPrivateSubnet2 244 | SecurityGroupIds: 245 | - !Ref VPCEndpointSecurityGroup 246 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sagemaker.api' 247 | VpcId: !Ref SageMakerVPC 248 | VPCEndpointSageMakerRuntime: 249 | Type: AWS::EC2::VPCEndpoint 250 | Properties: 251 | PolicyDocument: 252 | Version: 2012-10-17 253 | Statement: 254 | - Effect: Allow 255 | Principal: '*' 256 | Action: '*' 257 | Resource: '*' 258 | VpcEndpointType: Interface 259 | PrivateDnsEnabled: true 260 | SubnetIds: 261 | - !Ref SageMakerPrivateSubnet1 262 | - !Ref SageMakerPrivateSubnet2 263 | SecurityGroupIds: 264 | - !Ref VPCEndpointSecurityGroup 265 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sagemaker.runtime' 266 | VpcId: !Ref SageMakerVPC 267 | VPCEndpointSageMakerStudio: 268 | Type: AWS::EC2::VPCEndpoint 269 | Properties: 270 | PolicyDocument: 271 | Version: 2012-10-17 272 | Statement: 273 | - Effect: Allow 274 | Principal: '*' 275 | Action: '*' 276 | Resource: '*' 277 | VpcEndpointType: Interface 278 | PrivateDnsEnabled: true 279 | SubnetIds: 280 | - !Ref SageMakerPrivateSubnet1 281 | - !Ref SageMakerPrivateSubnet2 282 | SecurityGroupIds: 283 | - !Ref VPCEndpointSecurityGroup 284 | ServiceName: !Sub 'aws.sagemaker.${AWS::Region}.studio' 285 | VpcId: !Ref SageMakerVPC 286 | VPCEndpointSTS: 287 | Type: 'AWS::EC2::VPCEndpoint' 288 | Properties: 289 | PolicyDocument: 290 | Version: 2012-10-17 291 | Statement: 292 | - Effect: Allow 293 | Principal: '*' 294 | Action: '*' 295 | Resource: '*' 296 | VpcEndpointType: Interface 297 | PrivateDnsEnabled: true 298 | SubnetIds: 299 | - !Ref SageMakerPrivateSubnet1 300 | - !Ref SageMakerPrivateSubnet2 301 | SecurityGroupIds: 302 | - !Ref VPCEndpointSecurityGroup 303 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sts' 304 | VpcId: !Ref SageMakerVPC 305 | VPCEndpointCloudWatch: 306 | Type: 'AWS::EC2::VPCEndpoint' 307 | Properties: 308 | PolicyDocument: 309 | Version: 2012-10-17 310 | Statement: 311 | - Effect: Allow 312 | Principal: '*' 313 | Action: '*' 314 | Resource: '*' 315 | VpcEndpointType: Interface 316 | PrivateDnsEnabled: true 317 | SubnetIds: 318 | - !Ref SageMakerPrivateSubnet1 319 | - !Ref SageMakerPrivateSubnet2 320 | SecurityGroupIds: 321 | - !Ref VPCEndpointSecurityGroup 322 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.monitoring' 323 | VpcId: !Ref SageMakerVPC 324 | VPCEndpointCloudWatchLogs: 325 | Type: 'AWS::EC2::VPCEndpoint' 326 | Properties: 327 | PolicyDocument: 328 | Version: 2012-10-17 329 | Statement: 330 | - Effect: Allow 331 | Principal: '*' 332 | Action: '*' 333 | Resource: '*' 334 | VpcEndpointType: Interface 335 | PrivateDnsEnabled: true 336 | SubnetIds: 337 | - !Ref SageMakerPrivateSubnet1 338 | - !Ref SageMakerPrivateSubnet2 339 | SecurityGroupIds: 340 | - !Ref VPCEndpointSecurityGroup 341 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs' 342 | VpcId: !Ref SageMakerVPC 343 | VPCEndpointECR: 344 | Type: 'AWS::EC2::VPCEndpoint' 345 | Properties: 346 | PolicyDocument: 347 | Version: 2012-10-17 348 | Statement: 349 | - Effect: Allow 350 | Principal: '*' 351 | Action: '*' 352 | Resource: '*' 353 | VpcEndpointType: Interface 354 | PrivateDnsEnabled: true 355 | SubnetIds: 356 | - !Ref SageMakerPrivateSubnet1 357 | - !Ref SageMakerPrivateSubnet2 358 | SecurityGroupIds: 359 | - !Ref VPCEndpointSecurityGroup 360 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.dkr' 361 | VpcId: !Ref SageMakerVPC 362 | VPCEndpointKMS: 363 | Type: 'AWS::EC2::VPCEndpoint' 364 | Properties: 365 | PolicyDocument: 366 | Version: 2012-10-17 367 | Statement: 368 | - Effect: Allow 369 | Principal: '*' 370 | Action: '*' 371 | Resource: '*' 372 | VpcEndpointType: Interface 373 | PrivateDnsEnabled: true 374 | SubnetIds: 375 | - !Ref SageMakerPrivateSubnet1 376 | - !Ref SageMakerPrivateSubnet2 377 | SecurityGroupIds: 378 | - !Ref VPCEndpointSecurityGroup 379 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.kms' 380 | VpcId: !Ref SageMakerVPC 381 | VPCEndpointECRAPI: 382 | Type: 'AWS::EC2::VPCEndpoint' 383 | Properties: 384 | PolicyDocument: 385 | Version: 2012-10-17 386 | Statement: 387 | - Effect: Allow 388 | Principal: '*' 389 | Action: '*' 390 | Resource: '*' 391 | VpcEndpointType: Interface 392 | PrivateDnsEnabled: true 393 | SubnetIds: 394 | - !Ref SageMakerPrivateSubnet1 395 | - !Ref SageMakerPrivateSubnet2 396 | SecurityGroupIds: 397 | - !Ref VPCEndpointSecurityGroup 398 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.api' 399 | VpcId: !Ref SageMakerVPC 400 | VPCEndpointEC2: 401 | Type: 'AWS::EC2::VPCEndpoint' 402 | Properties: 403 | PolicyDocument: 404 | Version: 2012-10-17 405 | Statement: 406 | - Effect: Allow 407 | Principal: '*' 408 | Action: '*' 409 | Resource: '*' 410 | VpcEndpointType: Interface 411 | PrivateDnsEnabled: true 412 | SubnetIds: 413 | - !Ref SageMakerPrivateSubnet1 414 | - !Ref SageMakerPrivateSubnet2 415 | SecurityGroupIds: 416 | - !Ref VPCEndpointSecurityGroup 417 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2' 418 | VpcId: !Ref SageMakerVPC 419 | 420 | ## Canvas-specific VPC Endpoints 421 | VPCEndpointAppAutoScaling: 422 | Type: 'AWS::EC2::VPCEndpoint' 423 | Properties: 424 | PolicyDocument: 425 | Version: 2012-10-17 426 | Statement: 427 | - Effect: Allow 428 | Principal: '*' 429 | Action: '*' 430 | Resource: '*' 431 | VpcEndpointType: Interface 432 | PrivateDnsEnabled: true 433 | SubnetIds: 434 | - !Ref SageMakerPrivateSubnet1 435 | - !Ref SageMakerPrivateSubnet2 436 | SecurityGroupIds: 437 | - !Ref VPCEndpointSecurityGroup 438 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.application-autoscaling' 439 | VpcId: !Ref SageMakerVPC 440 | VPCEndpointAthena: 441 | Type: 'AWS::EC2::VPCEndpoint' 442 | Properties: 443 | PolicyDocument: 444 | Version: 2012-10-17 445 | Statement: 446 | - Effect: Allow 447 | Principal: '*' 448 | Action: '*' 449 | Resource: '*' 450 | VpcEndpointType: Interface 451 | PrivateDnsEnabled: true 452 | SubnetIds: 453 | - !Ref SageMakerPrivateSubnet1 454 | - !Ref SageMakerPrivateSubnet2 455 | SecurityGroupIds: 456 | - !Ref VPCEndpointSecurityGroup 457 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.athena' 458 | VpcId: !Ref SageMakerVPC 459 | VPCEndpointRedshift: 460 | Type: 'AWS::EC2::VPCEndpoint' 461 | Properties: 462 | VpcEndpointType: Interface 463 | PrivateDnsEnabled: true 464 | SubnetIds: 465 | - !Ref SageMakerPrivateSubnet1 466 | - !Ref SageMakerPrivateSubnet2 467 | SecurityGroupIds: 468 | - !Ref VPCEndpointSecurityGroup 469 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.redshift-data' 470 | VpcId: !Ref SageMakerVPC 471 | VPCEndpointSecretsManager: 472 | Type: 'AWS::EC2::VPCEndpoint' 473 | Properties: 474 | PolicyDocument: 475 | Version: 2012-10-17 476 | Statement: 477 | - Effect: Allow 478 | Principal: '*' 479 | Action: '*' 480 | Resource: '*' 481 | VpcEndpointType: Interface 482 | PrivateDnsEnabled: true 483 | SubnetIds: 484 | - !Ref SageMakerPrivateSubnet1 485 | - !Ref SageMakerPrivateSubnet2 486 | SecurityGroupIds: 487 | - !Ref VPCEndpointSecurityGroup 488 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.secretsmanager' 489 | VpcId: !Ref SageMakerVPC 490 | VPCEndpointSSM: 491 | Type: 'AWS::EC2::VPCEndpoint' 492 | Properties: 493 | PolicyDocument: 494 | Version: 2012-10-17 495 | Statement: 496 | - Effect: Allow 497 | Principal: '*' 498 | Action: '*' 499 | Resource: '*' 500 | VpcEndpointType: Interface 501 | PrivateDnsEnabled: true 502 | SubnetIds: 503 | - !Ref SageMakerPrivateSubnet1 504 | - !Ref SageMakerPrivateSubnet2 505 | SecurityGroupIds: 506 | - !Ref VPCEndpointSecurityGroup 507 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm' 508 | VpcId: !Ref SageMakerVPC 509 | VPCEndpointTextract: 510 | Type: 'AWS::EC2::VPCEndpoint' 511 | Properties: 512 | PolicyDocument: 513 | Version: 2012-10-17 514 | Statement: 515 | - Effect: Allow 516 | Principal: '*' 517 | Action: '*' 518 | Resource: '*' 519 | VpcEndpointType: Interface 520 | PrivateDnsEnabled: true 521 | SubnetIds: 522 | - !Ref SageMakerPrivateSubnet1 523 | - !Ref SageMakerPrivateSubnet2 524 | SecurityGroupIds: 525 | - !Ref VPCEndpointSecurityGroup 526 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.textract' 527 | VpcId: !Ref SageMakerVPC 528 | VPCEndpointComprehend: 529 | Type: 'AWS::EC2::VPCEndpoint' 530 | Properties: 531 | PolicyDocument: 532 | Version: 2012-10-17 533 | Statement: 534 | - Effect: Allow 535 | Principal: '*' 536 | Action: '*' 537 | Resource: '*' 538 | VpcEndpointType: Interface 539 | PrivateDnsEnabled: true 540 | SubnetIds: 541 | - !Ref SageMakerPrivateSubnet1 542 | - !Ref SageMakerPrivateSubnet2 543 | SecurityGroupIds: 544 | - !Ref VPCEndpointSecurityGroup 545 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.comprehend' 546 | VpcId: !Ref SageMakerVPC 547 | VPCEndpointRekognition: 548 | Type: 'AWS::EC2::VPCEndpoint' 549 | Properties: 550 | PolicyDocument: 551 | Version: 2012-10-17 552 | Statement: 553 | - Effect: Allow 554 | Principal: '*' 555 | Action: '*' 556 | Resource: '*' 557 | VpcEndpointType: Interface 558 | PrivateDnsEnabled: true 559 | SubnetIds: 560 | - !Ref SageMakerPrivateSubnet1 561 | - !Ref SageMakerPrivateSubnet2 562 | SecurityGroupIds: 563 | - !Ref VPCEndpointSecurityGroup 564 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.rekognition' 565 | VpcId: !Ref SageMakerVPC 566 | VPCEndpointGlue: 567 | Type: 'AWS::EC2::VPCEndpoint' 568 | Properties: 569 | PolicyDocument: 570 | Version: 2012-10-17 571 | Statement: 572 | - Effect: Allow 573 | Principal: '*' 574 | Action: '*' 575 | Resource: '*' 576 | VpcEndpointType: Interface 577 | PrivateDnsEnabled: true 578 | SubnetIds: 579 | - !Ref SageMakerPrivateSubnet1 580 | - !Ref SageMakerPrivateSubnet2 581 | SecurityGroupIds: 582 | - !Ref VPCEndpointSecurityGroup 583 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.glue' 584 | VpcId: !Ref SageMakerVPC 585 | VPCEndpointRDS: 586 | Type: 'AWS::EC2::VPCEndpoint' 587 | Properties: 588 | PolicyDocument: 589 | Version: 2012-10-17 590 | Statement: 591 | - Effect: Allow 592 | Principal: '*' 593 | Action: '*' 594 | Resource: '*' 595 | VpcEndpointType: Interface 596 | PrivateDnsEnabled: true 597 | SubnetIds: 598 | - !Ref SageMakerPrivateSubnet1 599 | - !Ref SageMakerPrivateSubnet2 600 | SecurityGroupIds: 601 | - !Ref VPCEndpointSecurityGroup 602 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.rds' 603 | VpcId: !Ref SageMakerVPC 604 | VPCEndpointBedrock: 605 | Type: 'AWS::EC2::VPCEndpoint' 606 | Properties: 607 | PolicyDocument: 608 | Version: 2012-10-17 609 | Statement: 610 | - Effect: Allow 611 | Principal: '*' 612 | Action: '*' 613 | Resource: '*' 614 | VpcEndpointType: Interface 615 | PrivateDnsEnabled: true 616 | SubnetIds: 617 | - !Ref SageMakerPrivateSubnet1 618 | - !Ref SageMakerPrivateSubnet2 619 | SecurityGroupIds: 620 | - !Ref VPCEndpointSecurityGroup 621 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.bedrock-runtime' 622 | VpcId: !Ref SageMakerVPC 623 | VPCEndpointKendra: 624 | Type: 'AWS::EC2::VPCEndpoint' 625 | Properties: 626 | PolicyDocument: 627 | Version: 2012-10-17 628 | Statement: 629 | - Effect: Allow 630 | Principal: '*' 631 | Action: '*' 632 | Resource: '*' 633 | VpcEndpointType: Interface 634 | PrivateDnsEnabled: true 635 | SubnetIds: 636 | - !Ref SageMakerPrivateSubnet1 637 | - !Ref SageMakerPrivateSubnet2 638 | SecurityGroupIds: 639 | - !Ref VPCEndpointSecurityGroup 640 | ServiceName: !Sub 'com.amazonaws.${AWS::Region}.kendra' 641 | VpcId: !Ref SageMakerVPC 642 | 643 | ### SAGEMAKER STUDIO RESOURCES 644 | StudioDomain: 645 | Type: AWS::SageMaker::Domain 646 | Properties: 647 | AuthMode: IAM 648 | AppNetworkAccessType: "VpcOnly" 649 | DefaultUserSettings: 650 | StudioWebPortal: ENABLED 651 | DefaultLandingUri: "studio::" 652 | ExecutionRole: !GetAtt SageMakerExecutionRole.Arn 653 | SecurityGroups: 654 | - !Ref SageMakerSecurityGroup 655 | DomainName: !Ref DomainName 656 | SubnetIds: 657 | - !Ref SageMakerPrivateSubnet1 658 | - !Ref SageMakerPrivateSubnet2 659 | VpcId: !Ref SageMakerVPC 660 | SageMakerExecutionRole: 661 | Type: AWS::IAM::Role 662 | Properties: 663 | RoleName: !Sub 'AmazonSageMakerExecutionRole-${AWS::StackName}' 664 | AssumeRolePolicyDocument: 665 | Version: '2012-10-17' 666 | Statement: 667 | - Effect: Allow 668 | Principal: 669 | Service: 670 | - sagemaker.amazonaws.com 671 | - events.amazonaws.com 672 | - bedrock.amazonaws.com 673 | - redshift.amazonaws.com 674 | Action: 675 | - sts:AssumeRole 676 | Path: / 677 | ManagedPolicyArns: 678 | # Canvas-specific policies below 679 | - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess 680 | - arn:aws:iam::aws:policy/AmazonSageMakerCanvasFullAccess 681 | - arn:aws:iam::aws:policy/AmazonSageMakerCanvasDataPrepFullAccess 682 | - arn:aws:iam::aws:policy/AmazonSageMakerCanvasAIServicesAccess 683 | - arn:aws:iam::aws:policy/AmazonSageMakerCanvasBedrockAccess 684 | - arn:aws:iam::aws:policy/service-role/AmazonSageMakerCanvasDirectDeployAccess 685 | Policies: 686 | - PolicyName: AmazonS3Access 687 | PolicyDocument: 688 | Version: "2012-10-17" 689 | Statement: 690 | - Effect: Allow 691 | Action: 692 | - s3:PutObject 693 | - s3:GetObject 694 | - s3:DeleteObject 695 | - s3:ListBucket 696 | - s3:GetObject 697 | - s3:PutObject 698 | - s3:DeleteObject 699 | - s3:GetObjectVersion 700 | - s3:GetBucketCors 701 | - s3:GetBucketLocation 702 | - s3:AbortMultipartUpload 703 | Resource: 704 | - arn:aws:s3:::sagemaker-* 705 | - arn:aws:s3:::sagemaker-*/canvas 706 | - arn:aws:s3:::sagemaker-*/canvas/* 707 | - arn:aws:s3:::sagemaker-*/Canvas 708 | - arn:aws:s3:::sagemaker-*/Canvas/* 709 | - arn:aws:s3:::*SageMaker* 710 | - arn:aws:s3:::*Sagemaker* 711 | - arn:aws:s3:::*sagemaker* 712 | - !Sub "arn:aws:s3:::${S3BucketPrefix}-${AWS::Region}-${AWS::AccountId}" 713 | - !Sub "arn:aws:s3:::${S3BucketPrefix}-${AWS::Region}-${AWS::AccountId}/*" 714 | - PolicyName: SecurityAndNetworking 715 | PolicyDocument: 716 | Version: "2012-10-17" 717 | Statement: 718 | - Effect: Allow 719 | Action: 720 | - ec2:DescribeNetworkInterfaces 721 | - ec2:DescribeSubnets 722 | - ec2:DescribeSecurityGroups 723 | - ec2:DescribeVpcs 724 | - ec2:DescribeVpcEndpoints 725 | - ec2:DescribeVpcEndpointServices 726 | - ec2:DescribeRouteTables 727 | - kms:ListAliases 728 | Resource: "*" 729 | - Effect: Allow 730 | Action: 731 | - kms:CreateGrant 732 | - kms:Decrypt 733 | - kms:DescribeKey 734 | - kms:Encrypt 735 | - kms:ReEncrypt* 736 | - kms:GenerateDataKey 737 | - kms:GenerateDataKeyWithoutPlaintext 738 | Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*" 739 | - PolicyName: PutMetricData 740 | PolicyDocument: 741 | Version: "2012-10-17" 742 | Statement: 743 | - Effect: Allow 744 | Action: 745 | - cloudwatch:PutMetricData 746 | Resource: "*" 747 | - PolicyName: SageMakerPermissions 748 | PolicyDocument: 749 | Version: "2012-10-17" 750 | Statement: 751 | - Effect: Allow 752 | Action: 753 | - sagemaker:DescribeApp 754 | - sagemaker:DescribeDomain 755 | - sagemaker:DescribeSpace 756 | - sagemaker:DescribeUserProfile 757 | - sagemaker:ListUserProfiles 758 | - sagemaker:ListApps 759 | - sagemaker:ListDomains 760 | - sagemaker:ListSpaces 761 | - sagemaker:ListTags 762 | - sagemaker:ListUserProfiles 763 | Resource: "*" 764 | - Effect: Allow 765 | Action: 766 | - sagemaker:CreateApp 767 | - sagemaker:DeleteApp 768 | - sagemaker:CreatePresignedDomainUrl 769 | Resource: 770 | # arn:aws:sagemaker:{Region}:{Account}:app/{DomainId}/{UserProfileName}/{AppType}/{AppName} 771 | - !Sub "arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:app/*/*/Canvas/*" 772 | - !Sub "arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:app/*/*/canvas/*" 773 | - Effect: Allow 774 | Action: 775 | - sagemaker:AddTags 776 | Resource: 777 | - !Sub "arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:*/*" 778 | 779 | ### SageMaker Canvas Extra Settings 780 | LambdaExecutionRole: 781 | Type: "AWS::IAM::Role" 782 | Properties: 783 | AssumeRolePolicyDocument: 784 | Version: 2012-10-17 785 | Statement: 786 | - Effect: Allow 787 | Principal: 788 | Service: 789 | - lambda.amazonaws.com 790 | Action: 791 | - "sts:AssumeRole" 792 | Path: / 793 | ManagedPolicyArns: 794 | - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole 795 | Policies: 796 | - PolicyName: "SageMakerCanvasExtraSettingsPolicy" 797 | PolicyDocument: 798 | Version: 2012-10-17 799 | Statement: 800 | - Effect: Allow 801 | Action: "sagemaker:UpdateDomain" 802 | Resource: !GetAtt StudioDomain.DomainArn 803 | - Effect: Allow 804 | Action: "iam:PassRole" 805 | Resource: "*" 806 | - Effect: Allow 807 | Action: 808 | - 'logs:CreateLogGroup' 809 | - 'logs:CreateLogStream' 810 | - 'logs:PutLogEvents' 811 | Resource: '*' 812 | EnableCanvasSettingsLambda: 813 | Type: AWS::Lambda::Function 814 | DependsOn: StudioDomain 815 | Properties: 816 | FunctionName: CFEnableSagemakerCanvasSettings 817 | Code: 818 | ZipFile: | 819 | # Function: CFEnableSagemakerCanvasSettings 820 | # Purpose: Enables Sagemaker Canvas Settings 821 | import json 822 | import boto3 823 | import cfnresponse 824 | 825 | client = boto3.client('sagemaker') 826 | 827 | def lambda_handler(event, context): 828 | response_status = cfnresponse.SUCCESS 829 | sagemaker_domain_id = event['ResourceProperties']['SageMakerDomainId'] 830 | sagemaker_execution_role = event['ResourceProperties']['SageMakerExecutionRoleArn'] 831 | canvas_bucket_artifacts = event['ResourceProperties']['CanvasBucketName'] 832 | 833 | try: 834 | if 'RequestType' in event and event['RequestType'] == 'Create': 835 | client.update_domain( 836 | DomainId=sagemaker_domain_id, 837 | DefaultUserSettings={ 838 | 'CanvasAppSettings': { 839 | 'WorkspaceSettings': {'S3ArtifactPath': f's3://{canvas_bucket_artifacts}/'}, 840 | 'TimeSeriesForecastingSettings': {'Status': 'ENABLED'}, 841 | 'ModelRegisterSettings': {'Status': 'ENABLED'}, 842 | 'DirectDeploySettings': {'Status': 'ENABLED'}, 843 | 'KendraSettings': {'Status': 'DISABLED'}, # Change to ENABLED when you want to use Kendra for RAG 844 | 'GenerativeAiSettings': {'AmazonBedrockRoleArn':sagemaker_execution_role}, 845 | # Uncomment and modify the below if you need to add OAuth for Salesforce or Snowflake 846 | # 'IdentityProviderOAuthSettings': [ 847 | # { 848 | # 'DataSourceName': 'SalesforceGenie'|'Snowflake', 849 | # 'Status': 'ENABLED'|'DISABLED', 850 | # 'SecretArn': 'string' 851 | # }, 852 | # ], 853 | } 854 | } 855 | ) 856 | cfnresponse.send(event, context, response_status, {}, '') 857 | except Exception as e: 858 | cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)}, context.log_stream_name) 859 | 860 | Description: Enable Sagemaker Canvas Settings 861 | Handler: index.lambda_handler 862 | MemorySize: 128 863 | Role: !GetAtt LambdaExecutionRole.Arn 864 | Runtime: python3.12 865 | Timeout: 10 866 | EnableCanvasSettings: 867 | Type: Custom::ResourceForEnablingSageMakerCanvasSettings 868 | Properties: 869 | ServiceToken: !GetAtt EnableCanvasSettingsLambda.Arn 870 | SageMakerDomainId: !GetAtt StudioDomain.DomainId 871 | SageMakerExecutionRoleArn: !GetAtt SageMakerExecutionRole.Arn 872 | CanvasBucketName: !Sub "${S3BucketPrefix}-${AWS::Region}-${AWS::AccountId}" 873 | 874 | ### ADMIN USER PROFILE 875 | UserProfile: 876 | Type: AWS::SageMaker::UserProfile 877 | DependsOn: EnableCanvasSettings 878 | Properties: 879 | DomainId: !Ref StudioDomain 880 | UserProfileName: !Ref UserProfileName 881 | UserSettings: 882 | ExecutionRole: !GetAtt SageMakerExecutionRole.Arn 883 | 884 | Outputs: 885 | SageMakerVPC: 886 | Description: "Reference to the SageMaker VPC" 887 | Value: !Ref SageMakerVPC 888 | Export: 889 | Name: !Sub '${AWS::StackName}-VPC' 890 | 891 | SageMakerSubnet1: 892 | Description: "Reference to the first private subnet" 893 | Value: !Ref SageMakerPrivateSubnet1 894 | Export: 895 | Name: !Sub '${AWS::StackName}-Subnet1' 896 | 897 | SageMakerSubnet2: 898 | Description: "Reference to the second private subnet" 899 | Value: !Ref SageMakerPrivateSubnet2 900 | Export: 901 | Name: !Sub '${AWS::StackName}-Subnet2' 902 | 903 | StudioDomainArn: 904 | Description: "The ARN of the SageMaker Studio Domain" 905 | Value: !GetAtt StudioDomain.DomainArn 906 | Export: 907 | Name: SageMakerDomainArn 908 | 909 | SageMakerDomainID: 910 | Value: !GetAtt StudioDomain.DomainId 911 | Description: SageMaker Domain ID 912 | Export: 913 | Name: SageMakerDomainId 914 | 915 | UserProfileArn: 916 | Description: "The ARN of the User Profile" 917 | Value: !GetAtt UserProfile.UserProfileArn 918 | 919 | SageMakerExecutionRoleName: 920 | Value: !Ref SageMakerExecutionRole 921 | Description: Name of the SageMaker Execution Role used by SageMaker 922 | Export: 923 | Name: SageMakerExecutionRoleName 924 | --------------------------------------------------------------------------------