This solution provides a way to deploy SageMaker Studio in a private and secure environment. The solution integrates with a Custom SAML 2.0 Application as the mechanism to trigger the authentication to Amazon SageMaker Studio. It requires that the Custom SAML application is configured with the Amazon API Gateway endpoint URL as its ACS (Assertion Consumer Service) and needs mapping attributes containing the AWS SSO User ID as well as the Amazon SageMaker Domain Domain ID. The Amazon API Gateway is configured to trigger an AWS Lambda function that parses the SAML response to extract the Domain ID and User ID and use it to generate the SageMaker Studio Presigned URL and eventually perform redirection to log the user in Amazon SageMaker Studio. The control of the environment that SageMaker Studio users are able to login from is done by an AWS IAM Policy that includes a condition to allow the generation of the predefined URL only from specific(s) IPs, which is attached to the AWS Lambda function. The Amazon SageMaker Studio Domain creates an Amazon EFS mount where some user specific data Amazon SageMaker Studio Domain is persisted, note that the automated deletion process of this project will NOT delete the Amazon EFS mount and its content. Finally, along with the core components of the solution, a couple EC2 instances are deployed in order to easily demonstrate the expected behaviours experienced by the end user.
AWS CLI, AWS SAM CLI and python3.8 or later must be installed.
The deployment procedure assumes that AWS Single Sign On has been enabled and configured for the AWS Organization where the solution will be deployed.
You can follow these instructions to setup AWS Single Sign On.
- Run the following commands to build and deploy the SAM Application. Replace the
<Identity Store ID>(where to find the Identity Store ID) and<UserName>(Add AWS SSO User) with values from your AWS SSO configuration.
ssoStoreId='<Identity Store ID>'
ssoUserName='<UserName>'
publicIp=$(curl -s 'https://api.ipify.org?format=text')/32
ssoUserId=$(aws identitystore list-users --identity-store-id $ssoStoreId --filter AttributePath='UserName',AttributeValue=$ssoUserName --query 'Users[0].UserId' --output text)
EC2keyPair=$(aws ec2 create-key-pair --key-name $ssoUserName-key --query 'KeyMaterial' --output text >> $ssoUserName-key.pem && chmod 400 $ssoUserName-key.pem)
sam build && sam deploy --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND --stack-name sagemaker-secure-sso --guided --parameter-overrides KeyPairName=$ssoUserName-key SSOUserId=$ssoUserId PublicIpCidr=$publicIp- Once the SAM application is fully deployed, the output should look something like this:
CloudFormation outputs from deployed stack
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Outputs
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Key SageMakerWindowsPublicHost
Description Public IP Address to access Windows Bastion Host
Value 34.245.126.112
Key SageMakerWindowsPassword
Description Default password to loging to the EC2 Windows instances
Value SageMakerSecureSSO10.100.0.0/16
Key SAMLAudience
Description Application SAML audience
Value https://dl06u6zwx1.execute-api.eu-west-1.amazonaws.com/
Key SAMLBackEndApi
Description API Gateway endpoint URL acting as the Application ACS URL
Value https://dl06u6zwx1.execute-api.eu-west-1.amazonaws.com/prod/saml
Key SageMakerStudioDomainId
Description SageMaker Studio domain created
Value d-qd5xcbgwf2cs
Key TunnelCommand
Description Command to initiate the SSH tunnnel in order to access the Windows EC2 on the private subnet over RDP
Value ssh -i sso-username.pem -A -N -L localhost:3389:10.100.10.187:3389 [email protected]
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Create a new Custom SAML 2.0 Application
- Open the AWS SSO console on the AWS management account
- Choose Applications
- Click Add a new application
- Choose Add a custom SAML 2.0 application
- Name the Custom SAML 2.0 Application
SageMaker Secure Demo - Leave Application start URL and Relay state empty
- Click If you don't have a metadata file, you can manually type your metadata values.
- Set the Application ACS URL to the URL provided in the SAMLBackEndApi Key SAM Output
- Set the Application SAML audience to the URL provided in the SAMLAudience Key SAM Output
- Click Save Changes
- Go to the Attribute mappings tab
- Set the Subject to email and format emailAddress
- Add a new attribute named domain-id and set the value to the Key SAM Output SageMakerStudioDomainId
- Add a new attribute named username and set the value to ${user:AD_GUID}
- Go to the Assigned users tab
- Click Assign users
- Select the user used in the ssoUserName variable of the SAM deployment steps
- Click Assign users
The solution deploys 3 EC2 instances for demonstrating the solution and end user experience:
- 1 EC2 Windows in a private subnet that is able to access Amazon SageMaker Studio (think your onpremise secured environment)
- 1 EC2 Linux in the public subnet acting as Bastion host used to establish an SSH tunnel into the EC2 Windows on the private network
- 1 EC2 Windows in a public subnet to demonstrate that SageMaker Studio can't be accessed from unauthorised subnets - IP Available as the SageMakerWindowsPublicHost Key SAM Output
The username to login to the Windows EC2 instances is Administrator and the password is provided in the output under the SageMakerWindowsPassword key value. See these instructions for more information on how to connect to the EC2 Windows instance.
To change the password, run the following command in a Windows Command prompt at the first login:
net user Administrator "NewPassword"-
To access the EC2 Windows on the private network, run the command provided as the value of the SAM output Key TunnelCommand, make sure that the private key of the KeyPair specified in the parameter is the directory where the SSH tunnel command is run from (by default the root of the project folder). The command opens an SSH tunnel from the local computer on localhost:3389 to the EC2 Windows Instance on the private network.
- Full command example
ssh -i sso-username.pem -A -N -L localhost:3389:10.100.10.187:3389 [email protected]
- Command structure explained
ssh: SSH command-i sso-username.pem: Pass the private key for authentication:-A: Enable agent forwarding for autentication on the remote host-N: No Execution of remote command as we are just doing forwarding-L localhost:3389:10.100.10.187:3389 [email protected]: Performs the forward of the localhost (local machine) on port 3389 to the private EC2 Windows (10.100.10.187) also on port 3389 by goin through the EC2 Linux on the public subnet (3.250.93.113) Follow this link if you need to use Putty to create the ssh tunnel
- Full command example
-
On your local desktop/notebook open a new RDP connection (for example using Microsoft Remote Desktop) using localhost as the host, This connection will be tunnelled via the bastion host to the private EC2 Windows instance. Use the user name “Administrator” and password from the stack output SageMakerWindowsPassword.
-
Open the Firefox web browser from the Desktop
-
Navigate and login to the AWS Single Sign On portal using the credentials associated with the User Name that was specified as the SSOUserName parameter.
-
Click the
SageMaker Secure DemoSSO Application from the AWS Single Sign On portal
Expected Result: ✅ User is logged in to Amazon SageMaker Studio ✅
- On your local desktop/notebook open a new RDP connection (for example using Microsoft Remote Desktop) using the IP provided in the SageMakerWindowsPublicHost SAML output as the host. Use the user name “Administrator” and password from the stack output SageMakerWindowsPassword.
- Open the Firefox web browser from the Desktop
- Navigate and login to the AWS Single Sign On portal using the credentials associated with the User ID that was specified as the SSOUserId parameter.
- Click the
SageMaker Secure DemoSSO Application from the AWS Single Sign On portal
Expected Result: ❌ User receives an unauthorized access message ❌
In order to centrally prevent access to SageMaker Studio for users within the console we recommend to implement the following Service Control Policy and attach it to the account where SageMaker Studio is or can be deployed. Make sure to replace the <AuthorizedPrivateSubnet> with the source IP CDIR block you want to allow SageMaker Studio access from.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sagemaker:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"NotIpAddress": {
"aws:VpcSourceIp": "<AuthorizedPrivateSubnet>"
}
},
"Action": [
"sagemaker:CreatePresignedDomainUrl"
],
"Resource": "*",
"Effect": "Deny"
}
]
}To delete the solution application that you created, use the follwing commands CLI. Assuming you used the default project name for the stack name, you can run the following:
sam delete delete-stack --stack-name sagemaker-secure-sso
rm -rf $ssoUserName-key.pem && aws ec2 delete-key-pair --key-name $ssoUserName-key > /dev/nullFollow these instructions to delete Amazon EFS and these instructions to delete the Amazon VPC.
From a cost point of view, VPC is free of charge and Amazon EFS is charge at a per GB per month rate, more details available here.
- Open the AWS SSO console.
- Choose Applications
- Select the radio button next to SageMaker Studio Login
- Go to Actions and select Remove
- Type in the SageMaker Studio Login in the field and cliclk Remove application
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0