From 9e5c6d83a2a25eef7e0296742b05bd77ad1f7b96 Mon Sep 17 00:00:00 2001
From: Tyler Mikev <112508158+aws-tyler@users.noreply.github.com>
Date: Fri, 28 Apr 2023 17:28:39 -0500
Subject: [PATCH] Revert "[feat] Use S3VPCE to prevent S3 access outside of VPC" (#1187)
---
 .../src/templates/onboard-account.cfn.yml | 7 -------
 .../service-catalog/ec2-linux-instance.cfn.yml | 12 ------------
 .../service-catalog/ec2-windows-instance.cfn.yml | 11 -----------
 .../sagemaker-notebook-instance.cfn.yml | 8 --------
 4 files changed, 38 deletions(-)
diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
index 573bc78aa1..5b8292546d 100644
--- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
+++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml
@@ -1227,10 +1227,3 @@ Outputs:
 Description: Route53 hosted zone
 Condition: isAppStreamAndCustomDomain
 Value: !Ref Route53HostedZone
-
- S3VPCE:
- Description: S3 interface endpoint
- Condition: isAppStream
- Value: !Ref S3Endpoint
- Export:
- Name: !Join [ '', [ Ref: Namespace, '-S3VPCE' ] ]
\ No newline at end of file
diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml
index 55c2769210..34f774050f 100644
--- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml
+++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml
@@ -79,18 +79,6 @@ Resources:
 Action:
 - 'sts:AssumeRole'
 Resource: 'arn:aws:iam::*:role/swb-*'
- - Effect: Deny
- Action: '*'
- Resource: '*'
- Condition:
- StringNotEquals:
- aws:Ec2InstanceSourceVPC: "${aws:SourceVpc}"
- aws:ec2InstanceSourcePrivateIPv4: "${aws:VpcSourceIp}"
- BoolIfExists:
- aws:ViaAWSService: "false"
- 'Null':
- aws:ec2InstanceSourceVPC: "false"
-
 IAMRole:
 Type: 'AWS::IAM::Role'
 Properties:
diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml
index 9282b0eaab..8b4ab81d69 100644
--- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml
+++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml
@@ -101,17 +101,6 @@ Resources:
 Action:
 - 'sts:AssumeRole'
 Resource: 'arn:aws:iam::*:role/swb-*'
- - Effect: Deny
- Action: '*'
- Resource: '*'
- Condition:
- StringNotEquals:
- aws:Ec2InstanceSourceVPC: "${aws:SourceVpc}"
- aws:ec2InstanceSourcePrivateIPv4: "${aws:VpcSourceIp}"
- BoolIfExists:
- aws:ViaAWSService: "false"
- 'Null':
- aws:ec2InstanceSourceVPC: "false"
 IAMRole:
 Type: 'AWS::IAM::Role'
 Properties:
diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
index 3b45a4b769..d267db875f 100644
--- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
+++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
@@ -122,14 +122,6 @@ Resources:
 - sagemaker:DescribeNotebookInstance
 - sagemaker:StopNotebookInstance
 Resource: '*'
- - Effect: Deny
- Action: 's3:*'
- Resource: '*'
- Condition:
- StringNotEquals:
- aws:SourceVpce:
- Fn::ImportValue: !Sub '${SolutionNamespace}-S3VPCE'
-
 IAMRoleSageMakerURL:
 Type: 'AWS::IAM::Role'