# This sample, non-production-ready template describes a S3 Bucket and IAM roles. # © 2021 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. # This AWS Content is provided subject to the terms of the AWS Customer Agreement available at # http://aws.amazon.com/agreement or other written agreement between Customer and either # Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. AWSTemplateFormatVersion: 2010-09-09 Description: >- This template creates a the encrypted S3 Bucket which stores Config files. Parameters: SageMakerNotebookInstanceRoleName: Description: Stack name which has all of the VPC configuration Type: String Resources: S3Bucket: Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: true IgnorePublicAcls: true BlockPublicPolicy: true RestrictPublicBuckets: true # Build Role for AWS Lambda functions SageMakerNotebookInstanceRole: Type: AWS::IAM::Role Properties: RoleName: !Ref SageMakerNotebookInstanceRoleName Description: 'This role will be leveraged by SageMaker notebook instances.' MaxSessionDuration: 3600 # in seconds Path: / AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - sagemaker.amazonaws.com Action: - sts:AssumeRole # IAM Policy for SageMaker Presigned URL SMNotebookEC2Policy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: "SMNotebookEC2Policy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - ec2:CreateNetworkInterface - ec2:CreateSecurityGroup - ec2:DeleteNetworkInterface - ec2:DescribeDhcpOptions - ec2:DescribeNetworkInterfaces - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVpcs - ec2:ModifyNetworkInterfaceAttribute - ec2:CreateTags - ec2:AuthorizeSecurityGroupEgress - ec2:AuthorizeSecurityGroupIngress - ec2:CreateNetworkInterfacePermission - ec2:DeleteNetworkInterfacePermission - ec2:DeleteSecurityGroup - ec2:RevokeSecurityGroupEgress - ec2:RevokeSecurityGroupIngress Resource: - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*' Roles: - !Ref SageMakerNotebookInstanceRole SMNotebookPolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: "SMNotebookPolicy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - sagemaker:CreateUserProfile - sagemaker:DescribeUserProfile Resource: - !Sub 'arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/*' Roles: - !Ref SageMakerNotebookInstanceRole Outputs: S3BucketWebsiteURL: Description: S3 Bucket WebsiteURL Value: !GetAtt S3Bucket.WebsiteURL Export: Name: Fn::Sub: "${AWS::StackName}-Bucket-URL" S3BucketArn: Description: S3 Bucket ARN Value: !GetAtt S3Bucket.Arn Export: Name: Fn::Sub: "${AWS::StackName}-Bucket-ARN" S3BucketName: Description: S3 Bucket Name Value: !Ref S3Bucket Export: Name: Fn::Sub: "${AWS::StackName}-Bucket-Name" SageMakerNotebookInstanceRoleARN: Description: S3 Bucket Name Value: !GetAtt SageMakerNotebookInstanceRole.Arn Export: Name: Fn::Sub: "${AWS::StackName}-SageMakerNotebookInstanceRole-ARN"