diff --git a/deploy/cdk_exec_policy/cdkExecPolicy.yaml b/deploy/cdk_exec_policy/cdkExecPolicy.yaml index 50c60edeb..5c78403e0 100644 --- a/deploy/cdk_exec_policy/cdkExecPolicy.yaml +++ b/deploy/cdk_exec_policy/cdkExecPolicy.yaml @@ -8,6 +8,60 @@ Parameters: EnvironmentResourcePrefix: Description: The resource prefix value of the dataall environment. It MUST match the resource prefix that we use when we create the environment. Type: String + NotebooksEnabled: + Description: Whether Notebooks are enabled on this Data.all Environment. + Type: String + Default: "true" + AllowedValues: + - "true" + - "false" + MLStudioEnabled: + Description: Whether ML Studio is enabled on this Data.all Environment + Type: String + Default: "true" + AllowedValues: + - "true" + - "false" + PipelinesEnabled: + Description: Whether Pipelines are enabled on this Data.all Environment + Type: String + Default: "true" + AllowedValues: + - "true" + - "false" + DashboardsEnabled: + Description: Whether Dashboards are enabled on this Data.all Environment + Type: String + Default: "true" + AllowedValues: + - "true" + - "false" + +Conditions: + NotebooksEnabledCondition: + !Equals + - !Ref NotebooksEnabled + - "true" + MLStudioEnabledCondition: + !Equals + - !Ref MLStudioEnabled + - "true" + SagemakerComponentsEnabledCondition: !Or + - !Equals + - !Ref NotebooksEnabled + - "true" + - !Equals + - !Ref MLStudioEnabled + - "true" + PipelinesEnabledCondition: + !Equals + - !Ref PipelinesEnabled + - "true" + DashboardsEnabledCondition: + !Equals + - !Ref DashboardsEnabled + - "true" + Resources: CDKCustomExecutionPolicy0: Type: 'AWS::IAM::ManagedPolicy' 
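Review bot: `NotebooksEnabledCondition` and `MLStudioEnabledCondition` are declared here but none of the visible hunks reference them — only the combined `SagemakerComponentsEnabledCondition` is used; if the rest of the template does not use them either, cfn-lint will flag them as unused (CloudFormation itself accepts unused conditions, as far as I know). Either use them to gate the notebook-only and Studio-only SageMaker permissions separately, or drop them. Also note that all four parameters default to `"true"`, so the policy stays as broad as before unless the deployer explicitly opts out per feature; it would help to say that in each `Description`, e.g. `Description: Whether Notebooks are enabled on this Data.all Environment. Set to "false" to drop the SageMaker notebook permissions from the policy.`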
@@ -56,25 +110,38 @@ Resources: - 'iam:*Role*' Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/cdk-*' - - Sid: Quicksight - Effect: Allow - Action: - - 'ds:AuthorizeApplication' - - 'ds:UnauthorizeApplication' - - 'ds:CheckAlias' - - 'ds:CreateAlias' - - 'ds:Describe*' - - 'ds:DeleteDirectory' - - 'ds:CreateIdentityPoolDirectory' - - 'quicksight:CreateAdmin' - - 'quicksight:CreateUser' - - 'quicksight:Subscribe' - - 'quicksight:Get*' - - 'quicksight:SearchDirectoryGroups' - - 'quicksight:SetGroupMapping' - - 'quicksight:RegisterUser' - - 'quicksight:Describe*' - Resource: '*' + - !If + - DashboardsEnabledCondition + - Sid: Quicksight + Effect: Allow + Action: + - 'ds:AuthorizeApplication' + - 'ds:UnauthorizeApplication' + - 'ds:CheckAlias' + - 'ds:CreateAlias' + - 'ds:Describe*' + - 'ds:DeleteDirectory' + - 'ds:CreateIdentityPoolDirectory' + - 'quicksight:CreateAdmin' + - 'quicksight:CreateUser' + - 'quicksight:Subscribe' + - 'quicksight:Get*' + - 'quicksight:SearchDirectoryGroups' + - 'quicksight:SetGroupMapping' + - 'quicksight:RegisterUser' + - 'quicksight:Describe*' + Resource: + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:user/*' + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:datasource/*' + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:dataset/*' + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:analysis/*' + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:dashboard/*' + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:group/*' + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:folder/*' + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:template/*' + - !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:theme/*' + - !Sub 'arn:${AWS::Partition}:ds:${AWS::Region}:${AWS::AccountId}:user/*' + - !Ref AWS::NoValue - Sid: 
QuicksightDeny Effect: Deny @@ -152,20 +219,23 @@ Resources: - 'sqs:GetQueueAttributes' Resource: !Sub 'arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${EnvironmentResourcePrefix}*' - - Sid: Sagemaker - Effect: Allow - Action: - - 'sagemaker:*Tag*' - - 'sagemaker:*Domain' - - 'sagemaker:CreateApp' - - 'sagemaker:CreateUserProfile' - - 'sagemaker:DescribeUserProfile' - - 'sagemaker:DeleteUserProfile' - - 'sagemaker:*NotebookInstance' - Resource: - - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:domain/*' - - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:user-profile/*' - - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/${EnvironmentResourcePrefix}*' + - !If + - SagemakerComponentsEnabledCondition + - Sid: Sagemaker + Effect: Allow + Action: + - 'sagemaker:*Tag*' + - 'sagemaker:*Domain' + - 'sagemaker:CreateApp' + - 'sagemaker:CreateUserProfile' + - 'sagemaker:DescribeUserProfile' + - 'sagemaker:DeleteUserProfile' + - 'sagemaker:*NotebookInstance' + Resource: + - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:domain/*' + - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:user-profile/*' + - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/${EnvironmentResourcePrefix}*' + - !Ref AWS::NoValue - Sid: SSM Effect: Allow @@ -196,9 +266,9 @@ Resources: Effect: Allow Action: - 'cloudformation:*' - Resource: + Resource: - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/CDKToolkit/*' - - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${EnvironmentResourcePrefix}*' + - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{EnvironmentResourcePrefix}*' - Sid: ECR Effect: Allow 
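Review bot: Narrowing the Quicksight statement's `Resource` will, as far as I can tell, silently break every `ds:*` action in it: AWS Directory Service has no `user` resource type (its only resource type is `directory/<id>`), so `arn:${AWS::Partition}:ds:${AWS::Region}:${AWS::AccountId}:user/*` matches nothing, and actions such as `ds:CheckAlias`, `ds:CreateIdentityPoolDirectory`, `ds:Describe*` and `quicksight:Subscribe` accept no resource-level ARN at all and need `Resource: '*'`. Since the QuickSight subscription flow is what these `ds` actions exist for, a deploy with Dashboards enabled would start failing on the first subscribe. I would split the statement into an account-level part that keeps `'*'` and a resource-scoped part with the new ARN list, and verify each action's resource types against the Service Authorization Reference before merging.
```yaml
- !If
  - DashboardsEnabledCondition
  - Sid: QuicksightAccountLevel
    Effect: Allow
    Action:
      - 'ds:AuthorizeApplication'
      - 'ds:UnauthorizeApplication'
      - 'ds:CheckAlias'
      - 'ds:CreateAlias'
      - 'ds:Describe*'
      - 'ds:DeleteDirectory'
      - 'ds:CreateIdentityPoolDirectory'
      - 'quicksight:Subscribe'
    # These actions take no resource-level ARN (or only a ds directory ARN)
    # and are effectively denied against the quicksight/ds user ARNs below.
    Resource: '*'
  - !Ref AWS::NoValue
- !If
  - DashboardsEnabledCondition
  - Sid: Quicksight
    Effect: Allow
    Action:
      - 'quicksight:CreateAdmin'
      # … unchanged: remaining quicksight:* actions …
    Resource:
      # … unchanged: quicksight user/datasource/dataset/… ARNs, minus the ds user ARN …
  - !Ref AWS::NoValue
```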
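Review bot: The SageMaker statement is gated on the OR of both features, so enabling only Notebooks still grants `sagemaker:*Domain`, `CreateApp` and the user-profile actions on every domain in the account, and enabling only ML Studio still grants `sagemaker:*NotebookInstance`. The per-feature conditions added in the same commit make it cheap to split this into a notebook statement and a Studio statement, each dropping to `AWS::NoValue` independently. Proposed shape below; `sagemaker:*Tag*` is duplicated because both paths tag their resources.
```yaml
- !If
  - NotebooksEnabledCondition
  - Sid: SagemakerNotebooks
    Effect: Allow
    Action:
      - 'sagemaker:*Tag*'
      - 'sagemaker:*NotebookInstance'
    Resource:
      - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/${EnvironmentResourcePrefix}*'
  - !Ref AWS::NoValue
- !If
  - MLStudioEnabledCondition
  - Sid: SagemakerStudio
    Effect: Allow
    Action:
      - 'sagemaker:*Tag*'
      - 'sagemaker:*Domain'
      - 'sagemaker:CreateApp'
      - 'sagemaker:CreateUserProfile'
      - 'sagemaker:DescribeUserProfile'
      - 'sagemaker:DeleteUserProfile'
    Resource:
      - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:domain/*'
      - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:user-profile/*'
  - !Ref AWS::NoValue
```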
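Review bot: The rewritten CloudFormation stack ARN lost the `$` in front of `{EnvironmentResourcePrefix}`, so `!Sub` will leave the braces as literal text and the policy will grant `cloudformation:*` on stacks literally named `{EnvironmentResourcePrefix}...` instead of the environment stacks — CDK deploys of the environment would be denied on the first stack operation. The line should read `- !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${EnvironmentResourcePrefix}*'`, as it did on the removed side. A `cfn-lint` run would likely have caught this as an unused parameter substitution, so wiring it into CI for this template is worth considering.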
@@ -218,24 +288,27 @@ Resources: - 'glue:*' Resource: '*' - - Sid: EC2 - Effect: Allow - Action: - - 'ec2:Describe*' - - 'ec2:*SecurityGroup*' - - 'ec2:Create*' - - 'ec2:*InternetGateway*' - - 'ec2:Associate*' - - 'ec2:Disassociate*' - - 'ec2:Delete*' - - 'ec2:Modify*' - - 'ec2:Get*' - - 'ec2:*Address' - - 'elasticfilesystem:CreateFileSystem' - - 'elasticfilesystem:TagResource' - - 'elasticfilesystem:UntagResource' - - 'elasticfilesystem:DeleteFileSystem' - Resource: '*' + - !If + - SagemakerComponentsEnabledCondition + - Sid: EC2 + Effect: Allow + Action: + - 'ec2:Describe*' + - 'ec2:*SecurityGroup*' + - 'ec2:Create*' + - 'ec2:*InternetGateway*' + - 'ec2:Associate*' + - 'ec2:Disassociate*' + - 'ec2:Delete*' + - 'ec2:Modify*' + - 'ec2:Get*' + - 'ec2:*Address' + - 'elasticfilesystem:CreateFileSystem' + - 'elasticfilesystem:TagResource' + - 'elasticfilesystem:UntagResource' + - 'elasticfilesystem:DeleteFileSystem' + Resource: '*' + - !Ref AWS::NoValue - Sid: EC2Deny Effect: Deny 
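Review bot: Gating the whole EC2/EFS statement on `SagemakerComponentsEnabledCondition` assumes that nothing else in the environment stack needs `ec2:Describe*` or security-group permissions; that may be true, but it is not visible from this hunk, and if any other feature creates or looks up VPC resources, setting both SageMaker parameters to `"false"` will break its deploy rather than just tighten permissions. It also leaves `ec2:Create*`, `ec2:Delete*` and `ec2:Modify*` on `Resource: '*'` for every deployer who keeps the defaults, with only the partially visible `EC2Deny` statement narrowing them. I would at least record the assumption above the `!If`, e.g. `# EC2/EFS permissions exist only for SageMaker Studio/Notebook networking — revisit if other features start creating VPC resources`, and consider keeping `ec2:Describe*` in an unconditional statement so read-only lookups never depend on the feature flags.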
@@ -243,30 +316,40 @@ Resources: - 'ec2:*Instance*' Resource: '*' - - Sid: CodePipeline - Effect: Allow - Action: - - 'codepipeline:*Tag*' - - 'codepipeline:CreatePipeline' - - 'codepipeline:UpdatePipeline' - - 'codepipeline:StartPipelineExecution' - - 'codepipeline:GetPipeline*' - - 'codepipeline:List*' - - 'codepipeline:DeletePipeline' - - 'codestar-notifications:List*' - - 'codestar-notifications:DescribeNotificationRule' - - 'codecommit:Create*' - - 'codecommit:DeleteRepository' - - 'codecommit:*Tag*' - - 'codebuild:*Project*' - Resource: '*' + - !If + - PipelinesEnabledCondition + - Sid: CodePipeline + Effect: Allow + Action: + - 'codepipeline:*Tag*' + - 'codepipeline:CreatePipeline' + - 'codepipeline:UpdatePipeline' + - 'codepipeline:StartPipelineExecution' + - 'codepipeline:GetPipeline*' + - 'codepipeline:List*' + - 'codepipeline:DeletePipeline' + - 'codecommit:Create*' + - 'codecommit:DeleteRepository' + - 'codecommit:*Tag*' + - 'codebuild:*Project*' + Resource: + - !Sub 'arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${EnvironmentResourcePrefix}*' + - !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${EnvironmentResourcePrefix}*' + - !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${EnvironmentResourcePrefix}*' + - !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/DDKCodePipelineBuildSynthCd*' + - !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/DDKCodePipelineUpdatePipelineSelfMutation' + - !Ref AWS::NoValue - - Sid: Events - Effect: Allow - Action: - - 'events:PutRule' - - 'events:DescribeRule' - - 'events:PutTargets' - - 'events:RemoveTargets' - - 'events:DeleteRule' - Resource: '*' + - !If + - PipelinesEnabledCondition + - Sid: Events + Effect: Allow + Action: + - 'events:PutRule' + - 'events:DescribeRule' + - 'events:PutTargets' + - 'events:RemoveTargets' + - 'events:DeleteRule' + Resource: + - !Sub 
'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/${EnvironmentResourcePrefix}*' + - !Ref AWS::NoValue diff --git a/frontend/src/modules/Environments/views/EnvironmentCreateForm.js b/frontend/src/modules/Environments/views/EnvironmentCreateForm.js index cde6968ef..4c5a08a42 100644 --- a/frontend/src/modules/Environments/views/EnvironmentCreateForm.js +++ b/frontend/src/modules/Environments/views/EnvironmentCreateForm.js @@ -325,7 +325,11 @@ const EnvironmentCreateForm = (props) => { CloudFormation (i.e. CDK Execution Policy). You optionally can use the below CloudFormation template to create the custom IAM policy that is more restrictive than the - default AdministratorAccess policy. + default AdministratorAccess policy. To remove + permissions associated to the environment features - + Notebooks, MLStudio, Pipelines and Dashboards, please set + the respective parameters to false in the + CloudFormation template (default is true).
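Review bot: The two DDK CodeBuild ARNs are inconsistent: `project/DDKCodePipelineBuildSynthCd*` carries a trailing wildcard while `project/DDKCodePipelineUpdatePipelineSelfMutation` does not, and CDK-generated CodeBuild project names normally get a hash suffix, so the self-mutation project would probably not match — `- !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/DDKCodePipelineUpdatePipelineSelfMutation*'` is the safer pattern if the hash is confirmed. `codepipeline:List*` covers `ListPipelines`, which as far as I recall is not resource-scoped and will be denied against these ARNs; it may need a small `Resource: '*'` statement of its own. The removal of `codestar-notifications:List*` and `DescribeNotificationRule` is not mentioned in the change; it is consistent with the narrowing (their ARNs would not have matched anyway), but worth confirming that no pipeline in the environment creates notification rules.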