in packages/constructs/L3/ai/datascience-team-l3-construct/lib/datascience-team-l3-construct.ts [978:1111]
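/**
 * Builds the team's SageMaker guardrail managed policy.
 *
 * The policy consists solely of Deny statements, so it grants nothing on its
 * own; it is meant to sit next to the team's permissive policies and block
 * SageMaker resource creation that would escape the team's controls:
 * volumes and outputs must be encrypted with the team KMS key, inter-container
 * traffic must be encrypted, jobs/notebooks/schedules/models must declare VPC
 * subnets and security groups, and notebooks must have direct internet access
 * disabled.
 *
 * @param teamKey - team KMS key whose ARN is the only accepted value for the
 *   `sagemaker:VolumeKmsKey` and `sagemaker:OutputKmsKey` request keys
 * @returns the managed policy with every guardrail statement attached
 */
private createSageMakerGuardrailPolicy(teamKey: IKey): ManagedPolicy {
  const sagemakerGuardrailManagedPolicy = new MdaaManagedPolicy(this, 'sm-guardrail-managed-pol', {
    managedPolicyName: this.props.team.verbatimPolicyNamePrefix
      ? this.props.team.verbatimPolicyNamePrefix + '-' + 'sm-guardrail'
      : 'sm-guardrail',
    // '!=' deliberately treats both null and undefined as "no prefix configured".
    verbatimPolicyName: this.props.team.verbatimPolicyNamePrefix != undefined,
    naming: this.props.naming,
  });

  // Every guardrail is an explicit Deny on '*' gated by a request condition;
  // the helper keeps the statements uniform and appends them in call order.
  const addDeny = (sid: string, actions: string[], conditions: Record<string, Record<string, string>>): void => {
    sagemakerGuardrailManagedPolicy.addStatements(
      new PolicyStatement({
        sid,
        effect: Effect.DENY,
        resources: ['*'],
        // copy so a shared action list is never aliased by the statement
        actions: [...actions],
        conditions,
      }),
    );
  };

  // Action groups shared by several statements. 'sagemaker:Create*Job*' is a
  // wildcard over the Create...Job... family; an action matched by it that does
  // not carry one of the condition keys below is denied outright by the
  // Null-based statements (key absent => Null:true matches), i.e. the
  // restrictive failure mode.
  const scheduleAndJobActions = [
    'sagemaker:CreateMonitoringSchedule',
    'sagemaker:UpdateMonitoringSchedule',
    'sagemaker:Create*Job*',
  ];
  const networkedActions = [
    'sagemaker:Create*Job*',
    'sagemaker:CreateNotebookInstance',
    'sagemaker:CreateMonitoringSchedule',
    'sagemaker:UpdateMonitoringSchedule',
    'sagemaker:CreateModel',
  ];
  const notebookActions = ['sagemaker:CreateNotebookInstance'];

  //Enforces use of Team KMS key for SageMaker Volumes
  // NOTE(review): this relies on StringNotEquals alone; presumably a request
  // without the key is also denied (negated operator, key absent) — confirm,
  // otherwise pair it with a Null check like the statements further down.
  addDeny(
    'forceVolumeKmsKey',
    [
      'sagemaker:CreateEndpointConfig',
      'sagemaker:CreateMonitoringSchedule',
      'sagemaker:UpdateMonitoringSchedule',
      'sagemaker:CreateNotebookInstance',
      'sagemaker:Create*Job*',
    ],
    { StringNotEquals: { 'sagemaker:VolumeKmsKey': teamKey.keyArn } },
  );
  //Enforces use of Team KMS key for SageMaker Outputs
  addDeny('forceOutputKmsKey', scheduleAndJobActions, {
    StringNotEquals: { 'sagemaker:OutputKmsKey': teamKey.keyArn },
  });
  //Inter-container traffic encryption: deny when the flag is omitted ...
  addDeny('forceIntercontainerEncryptionNonNull', scheduleAndJobActions, {
    Null: { 'sagemaker:InterContainerTrafficEncryption': 'true' },
  });
  //... and deny when it is explicitly false.
  addDeny('forceIntercontainerEncryptionTrue', scheduleAndJobActions, {
    Bool: { 'sagemaker:InterContainerTrafficEncryption': 'false' },
  });
  //Jobs, notebooks, schedules and models must declare VPC subnets ...
  addDeny('forceJobNotebookVpc', networkedActions, {
    Null: { 'sagemaker:VpcSubnets': 'true' },
  });
  //... and VPC security groups.
  addDeny('forceJobNotebookSecurityGroups', networkedActions, {
    Null: { 'sagemaker:VpcSecurityGroupIds': 'true' },
  });
  //Notebook direct internet access: deny when the setting is omitted ...
  addDeny('forceNotebookNonPublicNonNull', notebookActions, {
    Null: { 'sagemaker:DirectInternetAccess': 'true' },
  });
  //... and deny unless it is explicitly 'Disabled'.
  addDeny('forceNotebookNonPublicDisabled', notebookActions, {
    StringNotEquals: { 'sagemaker:DirectInternetAccess': 'Disabled' },
  });

  return sagemakerGuardrailManagedPolicy;
}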