bug fixing and README corrections

Makefile

@@ -23,13 +23,16 @@ NAT_GW_SN_CIDR ?= 10.2.2.0/24
 SAGEMAKER_SN_CIDR ?= 10.2.3.0/24
 
 
-# Stack name used when deploying the app for manual testing
+# Stack name used when deploying or deleting the stack
 APP_STACK_NAME ?= sagemaker-studio-demo
 
 PYTHON := $(shell /usr/bin/which python$(PY_VERSION))
 
 .DEFAULT_GOAL := package
 
+delete:
+	aws cloudformation delete-stack \
+		--stack-name $(APP_STACK_NAME)
 build:
 
 package: build 

README.md

@@ -15,8 +15,6 @@ All these specific requirements are covered in the solution.
 # SageMaker security
 You can apply all the same security and compliance approaches and best practices (authentication, authorization, VPC, network isolation, control and monitoring) as a consistent set of Amazon security features to Amazon SageMaker workloads and Amazon SageMaker Studio specifically. 
 
-## SageMaker-related approaches for security, access control and restriction
-
 ## Network isolation
 Common approaches for network isolation can also be applied to SageMaker workloads:
 - you can enable [network isolation](https://docs.aws.amazon.com/vpc/index.html): Containers that run with network isolation cannot make any outbound network calls.
@@ -136,6 +134,10 @@ For more information, see [11].
 ### Without VPC
 All the traffic goes through the Elastic Network Interface (ENI) attached to the managed EC2 instance, which is running in Amazon SageMaker managed VPC.
 
+![Notebook instance without VPC](design/notebook-instance-without-vpc.png)
+
+All traffic goes via the ENI within an Amazon SageMaker managed VPC.
+
 ### Private attached VPC with direct internet access
 2 ENI attached to the managed EC2 instance:
 
@@ -235,8 +237,8 @@ The solution deploys the following resources:
 
 ## S3 resources
 The solution deploys two Amazon S3 buckets: 
-- `<project_name>-data`  
-- `<project_name>-models`
+- `<project_name>-<region>-data`  
+- `<project_name>-<region>-models`
 
 Both buckets have a bucket policy attached. The bucket policy explicitly denies all access to the bucket which does not come from the designated VPC endpoint.
 The Amazon S3 VPC endpoint has also a policy attached to it. This policy allows access the the two S3 buckets (`model` and `data`) only.
@@ -279,30 +281,30 @@ make deploy
 
 Follow with a **temporary fix**: 
 1. Add the route to the Firewall VPC endpoint to the Internet Gateway route table:
+Please replace the variables with corresponding values from `VPC` CloudFormation stack output.
 ```bash
-DEST_CIDR=10.2.2.0/24
-FIREWALL_VPCE=vpce-0df2998d6ec900ccc
-IGW_RTB=rtb-097a3cafaa421ddcc
+NAT_SN_CIDR= # NATGWSubnetCIDR
+FIREWALL_VPCE= # Endpoint from the NetworkFirewallEndpointIds list correspoinding to the Firewall subnet
+IGW_RTB= # IGWRouteTableId
 
 aws ec2 create-route \
-    --destination-cidr-block ${DEST_CIDR} \
+    --destination-cidr-block ${NAT_SN_CIDR} \
     --vpc-endpoint-id ${FIREWALL_VPCE} \
     --route-table-id ${IGW_RTB}
 ```
 
 2. Add the route to the Firewall VPC endpoint to the NAT Gateway route table:
 ```bash
-DEST_CIDR=0.0.0.0/0
-FIREWALL_VPCE=vpce-0df2998d6ec900ccc
-NATGW_RTB=rtb-0d226d36fc7cdd662
+NATGW_RTB= # NATGWRouteTableId
 
 aws ec2 create-route \
-    --destination-cidr-block ${DEST_CIDR} \
+    --destination-cidr-block 0.0.0.0/0 \
     --vpc-endpoint-id ${FIREWALL_VPCE} \
     --route-table-id ${NATGW_RTB}
 ```
 
 ### Create an Amazon SageMaker Studio domain inside a VPC
+Please replace the variables with corresponding values from `sagemaker-studio-vpc` CloudFormation stack output.
 ```bash
 REGION=eu-west-1
 VPC_DOMAIN_NAME=ilyiny-sagemaker-studio-domain
@@ -362,12 +364,12 @@ Start the Amazon SageMaker Studio from the pre-signed URL or AWS SageMaker conso
 - create a file 
 - copy file to `data` S3 bucket
 ```
-!aws s3 cp test-file.txt s3://<project-name>_data
+!aws s3 cp test-file.txt s3://<project_name>-<region>-data
 ```
 - the operation must be successful
 
 - try to copy the file or list any other bucket: AccessDenied error
-- try to list the `<project-name>_data` bucket from a command line: AccessDenied error
+- try to list the `<project_name>-<region>-data` bucket from a command line: AccessDenied error
 
 ## Internet access
 Here we show how the internet inbound or outbound access can be controled with AWS Network Firewall.
@@ -398,7 +400,12 @@ You can demostrate any other stateless or stateful rules and implement traffic f
 You can also demostrate the usage of the SageMaker security group or NACL inbould and outbound rules. 
 
 # Clean up
-TBD
+1. [Delete Amazon SageMaker Studio Domain](https://docs.aws.amazon.com/sagemaker/latest/dg/gs-studio-delete-domain.html)
+2. Delete the stack:
+```bash
+make delete
+```
+alternatively you can delete the stack from the AWS CloudFormation console.
 
 # Resources
 [1]. [SageMaker Security](https://docs.aws.amazon.com/sagemaker/latest/dg/security.html)  

cfn_templates/iam.yaml

@@ -179,10 +179,9 @@ Resources:
       AliasName: !Sub alias/${KMSAlias}
       TargetKeyId: !Ref KMSKey  
 
-
 Outputs:
-  ExecutionRoleARN:
+  ExecutionRoleArn:
     Value: !GetAtt SageMakerNotebookInstanceRole.Arn
   KMSKeyArn:
-    Description: AMS KMS CMK for sagemaker Notebook's EBS encryption
+    Description: KMS CMK arn for SageMaker notebooks EBS encryption
     Value: !GetAtt KMSKey.Arn

cfn_templates/packaged.yaml

@@ -36,7 +36,7 @@ Resources:
           Fn::GetAtt:
           - S3
           - Outputs.ModelBucket
-      TemplateURL: https://s3.eu-west-1.amazonaws.com/ilyiny-sagemaker-demo-artefacts/8f869043c3df0583065e196e839ff8cd.template
+      TemplateURL: https://s3.eu-central-1.amazonaws.com/ilyiny-sagemaker-demo-artefacts/57c275518cd27f0c6a229f6d6431fe2b.template
   S3:
     Type: AWS::CloudFormation::Stack
     DependsOn: VPC
@@ -45,10 +45,14 @@ Resources:
         ProjectName:
           Ref: ProjectName
         DataBucketName:
-          Fn::Sub: ${ProjectName}-data
+          Fn::GetAtt:
+          - VPC
+          - Outputs.DataBucket
         ModelBucketName:
-          Fn::Sub: ${ProjectName}-models
-      TemplateURL: https://s3.eu-west-1.amazonaws.com/ilyiny-sagemaker-demo-artefacts/719b9e758a700c435b11b1c2e258e733.template
+          Fn::GetAtt:
+          - VPC
+          - Outputs.ModelBucket
+      TemplateURL: https://s3.eu-central-1.amazonaws.com/ilyiny-sagemaker-demo-artefacts/c30fb1e65c276aacdec6edf90cff7ff3.template
   VPC:
     Type: AWS::CloudFormation::Stack
     Properties:
@@ -63,4 +67,57 @@ Resources:
           Ref: NATGatewaySubnetCIDR
         SageMakerStudioSubnetCIDR:
           Ref: SageMakerStudioSubnetCIDR
-      TemplateURL: https://s3.eu-west-1.amazonaws.com/ilyiny-sagemaker-demo-artefacts/93006f3ad472185ca584409d3e20b5e6.template
+        DataBucketName:
+          Fn::Sub: ${ProjectName}-${AWS::Region}-data
+        ModelBucketName:
+          Fn::Sub: ${ProjectName}-${AWS::Region}-models
+      TemplateURL: https://s3.eu-central-1.amazonaws.com/ilyiny-sagemaker-demo-artefacts/473d5d7e0d9951d321817f7ce88f65d1.template
+Outputs:
+  VPCId:
+    Description: The ID of VPC where SageMaker Studio will reside
+    Value:
+      Fn::GetAtt:
+      - VPC
+      - Outputs.VPCId
+  SageMakerStudioSubnetId:
+    Description: The ID of the SageMaker subnet
+    Value:
+      Fn::GetAtt:
+      - VPC
+      - Outputs.SageMakerStudioSubnetId
+  SageMakerStudioSecurityGroupId:
+    Description: The ID the SageMaker security group
+    Value:
+      Fn::GetAtt:
+      - VPC
+      - Outputs.SageMakerSecurityGroupId
+  SageMakerExecutionRoleArn:
+    Description: IAM Execution role for SageMaker Studio and SageMaker notebooks
+    Value:
+      Fn::GetAtt:
+      - IAM
+      - Outputs.ExecutionRoleArn
+  KMSCMKEBSArn:
+    Description: KMS CMK arn for SageMaker notebooks EBS encryption
+    Value:
+      Fn::GetAtt:
+      - IAM
+      - Outputs.KMSKeyArn
+  KMSCMKS3bucketsArn:
+    Description: KMS CMK arn for data encryption in S3 buckets
+    Value:
+      Fn::GetAtt:
+      - S3
+      - Outputs.KMSKeyArn
+  SageMakerS3bucketData:
+    Description: Name of S3 bucket for data
+    Value:
+      Fn::GetAtt:
+      - S3
+      - Outputs.DataBucket
+  SageMakerS3bucketModels:
+    Description: Name of S3 bucket for models
+    Value:
+      Fn::GetAtt:
+      - S3
+      - Outputs.ModelBucket

cfn_templates/s3.yaml

@@ -138,6 +138,6 @@ Outputs:
     Value: !Ref DataBucket
   ModelBucket:
     Value: !Ref ModelBucket
-  KMSCMK:
+  KMSKeyArn:
     Description: KMS Key ARN for the S3 buckets
     Value: !GetAtt KMSCMK.Arn

cfn_templates/sagemaker-studio-vpc.yaml

@@ -43,8 +43,8 @@ Resources:
     Properties:
       Parameters:
         ProjectName: !Ref ProjectName
-        DataBucketName: !Sub ${ProjectName}-data
-        ModelBucketName: !Sub ${ProjectName}-models
+        DataBucketName: !GetAtt VPC.Outputs.DataBucket
+        ModelBucketName: !GetAtt VPC.Outputs.ModelBucket
       TemplateURL:  s3.yaml
   #================================================================================
   # VPC WITH A PRIVATE SUBNET AND SECURITY GROUP 
@@ -58,7 +58,32 @@ Resources:
         FirewallSubnetCIDR: !Ref FirewallSubnetCIDR
         NATGatewaySubnetCIDR: !Ref NATGatewaySubnetCIDR
         SageMakerStudioSubnetCIDR: !Ref SageMakerStudioSubnetCIDR
+        DataBucketName: !Sub ${ProjectName}-${AWS::Region}-data
+        ModelBucketName: !Sub ${ProjectName}-${AWS::Region}-models
       TemplateURL:  vpc.yaml
-  #================================================================================
-  # AWS NETWORK FIREWALL
-  #================================================================================
+
+Outputs:
+  VPCId:
+    Description: The ID of VPC where SageMaker Studio will reside
+    Value: !GetAtt VPC.Outputs.VPCId
+  SageMakerStudioSubnetId:
+    Description: The ID of the SageMaker subnet
+    Value: !GetAtt VPC.Outputs.SageMakerStudioSubnetId
+  SageMakerStudioSecurityGroupId:
+    Description: The ID the SageMaker security group
+    Value: !GetAtt VPC.Outputs.SageMakerSecurityGroupId
+  SageMakerExecutionRoleArn:
+    Description: IAM Execution role for SageMaker Studio and SageMaker notebooks
+    Value: !GetAtt IAM.Outputs.ExecutionRoleArn
+  KMSCMKEBSArn:
+    Description: KMS CMK arn for SageMaker notebooks EBS encryption
+    Value: !GetAtt IAM.Outputs.KMSKeyArn
+  KMSCMKS3bucketsArn:
+    Description: KMS CMK arn for data encryption in S3 buckets
+    Value: !GetAtt S3.Outputs.KMSKeyArn
+  SageMakerS3bucketData:
+    Description: Name of S3 bucket for data
+    Value: !GetAtt S3.Outputs.DataBucket
+  SageMakerS3bucketModels:
+    Description: Name of S3 bucket for models
+    Value: !GetAtt S3.Outputs.ModelBucket

cfn_templates/vpc.yaml

@@ -16,6 +16,10 @@ Parameters:
   SageMakerStudioSubnetCIDR:
     Type: String
     AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+  DataBucketName:
+    Type: String
+  ModelBucketName:
+    Type: String
 
 Resources:
   # VPC and subnets
@@ -258,10 +262,10 @@ Resources:
               "s3:PutObject",
               "s3:ListBucket"
             ],
-            "Resource": ["arn:aws:s3:::${ProjectName}-data",
-            "arn:aws:s3:::${ProjectName}-models",
-            "arn:aws:s3:::${ProjectName}-data/*",
-            "arn:aws:s3:::${ProjectName}-models/*"
+            "Resource": ["arn:aws:s3:::${DataBucketName}",
+            "arn:aws:s3:::${ModelBucketName}",
+            "arn:aws:s3:::${DataBucketName}/*",
+            "arn:aws:s3:::${ModelBucketName}/*"
             ]
           }]
         }
@@ -444,10 +448,18 @@ Outputs:
   VPCId:
     Description: The ID of VPC where SageMaker Studio will reside
     Value: !Ref VPC
-  SageMakerStudioSubnet:
+  SageMakerStudioSubnetId:
     Value: !Ref SageMakerStudioSubnet
-  SageMakerSecurityGroup:
+  SageMakerSecurityGroupId:
     Value: !Ref SageMakerSecurityGroup
+  NATGWSubnetCIDR:
+    Value: !Ref NATGatewaySubnetCIDR
+  NetworkFirewallEndpointIds:
+    Value: !GetAtt NetworkFirewall.EndpointIds
+  IGWRouteTableId:
+    Value: !Ref IGWIngressRouteTable
+  NATGWRouteTableId:
+    Value: !Ref NATGatewayRouteTable
   S3VPCEndpointId:
     Description: The ID of the S3 VPC Endpoint
     Value: !Ref VPCEndpointS3