Revert "[feat] Use S3VPCE to prevent S3 access outside of VPC" (#1187)

awslabs · Apr 28, 2023 · 9e5c6d8 · 9e5c6d8
1 parent c75600c
commit 9e5c6d8
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 38 deletions.
diff --git a/...ns/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/...ns/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
@@ -1227,10 +1227,3 @@ Outputs:
     Description: Route53 hosted zone
     Condition: isAppStreamAndCustomDomain
     Value: !Ref Route53HostedZone
-
-  S3VPCE:
-    Description: S3 interface endpoint
-    Condition: isAppStream
-    Value: !Ref S3Endpoint
-    Export:
-      Name: !Join [ '', [ Ref: Namespace, '-S3VPCE' ] ]
diff --git a/...packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml b/...packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml
@@ -79,18 +79,6 @@ Resources:
             Action:
               - 'sts:AssumeRole'
             Resource: 'arn:aws:iam::*:role/swb-*'
-          - Effect: Deny
-            Action: '*'
-            Resource: '*'
-            Condition:
-              StringNotEquals:
-                aws:Ec2InstanceSourceVPC: "${aws:SourceVpc}"
-                aws:ec2InstanceSourcePrivateIPv4: "${aws:VpcSourceIp}"
-              BoolIfExists:
-                aws:ViaAWSService: "false"
-              'Null':
-                aws:ec2InstanceSourceVPC: "false"
-
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:

diff --git a/...ckages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml b/...ckages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml
@@ -101,17 +101,6 @@ Resources:
             Action:
               - 'sts:AssumeRole'
             Resource: 'arn:aws:iam::*:role/swb-*'
-          - Effect: Deny
-            Action: '*'
-            Resource: '*'
-            Condition:
-              StringNotEquals:
-                aws:Ec2InstanceSourceVPC: "${aws:SourceVpc}"
-                aws:ec2InstanceSourcePrivateIPv4: "${aws:VpcSourceIp}"
-              BoolIfExists:
-                aws:ViaAWSService: "false"
-              'Null':
-                aws:ec2InstanceSourceVPC: "false"
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:

diff --git a/...base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml b/...base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
@@ -122,14 +122,6 @@ Resources:
               - sagemaker:DescribeNotebookInstance
               - sagemaker:StopNotebookInstance
             Resource: '*'
-          - Effect: Deny
-            Action: 's3:*'
-            Resource: '*'
-            Condition:
-              StringNotEquals:
-                aws:SourceVpce:
-                  Fn::ImportValue: !Sub '${SolutionNamespace}-S3VPCE'
-
 
   IAMRoleSageMakerURL:
     Type: 'AWS::IAM::Role'