Gist jtroberts83/bb8c505763c9741eba18aad9548950b1
Created April 27, 2018 22:13
Cloud Custodian policy chain to enforce encryption and vpc mode for new SageMaker Notebooks
policies:
  - name: sagemaker-notebook-auto-tag-user
    resource: sagemaker-notebook
    description: |
      When a new Sagemaker notebook is created, record the creator's ID in the CreatorName tag
    mode:
      type: cloudtrail
      events:
        - source: sagemaker.amazonaws.com
          event: CreateNotebookInstance
          ids: "responseElements.notebookInstanceArn"
    actions:
      - type: auto-tag-user
        tag: CreatorName

  - name: sagemaker-notebook-tag-non-compliant
    resource: sagemaker-notebook
    description: |
      When a new Sagemaker Notebook is created that is public or not encrypted
      it will get tagged for stopping and then deletion
    mode:
      type: cloudtrail
      events:
        - source: sagemaker.amazonaws.com
          event: CreateNotebookInstance
          ids: "responseElements.notebookInstanceArn"
    filters:
      - or:
          - "DirectInternetAccess": "Enabled"
          - "KmsKeyId": absent
    actions:
      - type: tag
        key: NonCompliantTag
        value: "TRUE"

  - name: sagemaker-notebook-stop-non-compliant
    resource: sagemaker-notebook
    description: |
      If a SageMaker Notebook is tagged with NonCompliantTag then it gets stopped and tagged
      with NonCompliantTagStopped for deletion
    mode:
      type: periodic
      schedule: "rate(5 minutes)"
      timeout: 45
    filters:
      - "tag:NonCompliantTag": "TRUE"
      - "NotebookInstanceStatus": "InService"
    actions:
      - type: tag
        key: NonCompliantTagStopped
        value: "TRUE"
      - stop

  - name: sagemaker-notebook-delete-non-compliant
    resource: sagemaker-notebook
    description: |
      When a new Sagemaker notebook is tagged as non-compliant and in a stopped state, delete it
    mode:
      type: periodic
      schedule: "rate(5 minutes)"
      timeout: 45
    filters:
      - "tag:NonCompliantTagStopped": "TRUE"
      - "NotebookInstanceStatus": "Stopped"
    actions:
      - delete
      - type: notify
        template: default.html
        priority_header: 1
        subject: SageMaker Notebook - Deleted! - [custodian {{ account }} - {{ region }}]
        violation_desc: |
          Public facing (Non-VPC) OR Non-Encrypted Sagemaker Notebooks Are Prohibited!
          All Notebooks Must Be in VPC mode and encrypted!
        action_desc: |
          Actions Taken: Your SageMaker Notebook Instance has been deleted due to being non-compliant. Please create a new
          SageMaker notebook in VPC mode with KMS encryption enabled.
        to:
          - [email protected]
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789123/cloud-custodian-mailer
          region: us-east-1
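The four policies above form a small state machine: creation tags the owner and flags the notebook, one periodic pass stops it, the next pass deletes and notifies. The following is an added example (not part of the gist and not Cloud Custodian code) that mirrors that filter and action logic in plain Python over constructed DescribeNotebookInstance-style records and a constructed CloudTrail event, so the gating on NotebookInstanceStatus can be reasoned about offline. Field names follow the AWS API; the function names, sample ARNs, account ids and the user "alice" are this example's own, and the dotted-path `lookup` is a simplified stand-in for the JMESPath expression Custodian evaluates for `ids:`.

```python
"""Offline walk-through of the tag -> stop -> delete SageMaker notebook chain.

Added example, not part of the gist or of Cloud Custodian. Field names follow
the AWS API (DirectInternetAccess, KmsKeyId, NotebookInstanceStatus); the
helpers, ARNs, account ids and user name are constructed for illustration.
"""
import copy

# Constructed CloudTrail record for CreateNotebookInstance, trimmed to the
# fields the chain reads.
SAMPLE_EVENT = {
    "eventSource": "sagemaker.amazonaws.com",
    "eventName": "CreateNotebookInstance",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "responseElements": {
        "notebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/demo"
    },
}

# Constructed notebook records as returned right after creation.
PUBLIC_UNENCRYPTED = {
    "NotebookInstanceName": "demo-public",
    "NotebookInstanceStatus": "Pending",
    "DirectInternetAccess": "Enabled",
    # no KmsKeyId: no customer-managed key, which the policy treats as non-compliant
}
VPC_UNENCRYPTED = {
    "NotebookInstanceName": "demo-vpc-nokms",
    "NotebookInstanceStatus": "Pending",
    "DirectInternetAccess": "Disabled",
    "SubnetId": "subnet-0123456789abcdef0",
}
VPC_ENCRYPTED = {
    "NotebookInstanceName": "demo-vpc-kms",
    "NotebookInstanceStatus": "Pending",
    "DirectInternetAccess": "Disabled",
    "SubnetId": "subnet-0123456789abcdef0",
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
}


def lookup(record, dotted_path):
    """Resolve a dotted path such as 'responseElements.notebookInstanceArn'."""
    cur = record
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def resource_id_from_event(event):
    """ARN the cloudtrail-mode policies describe and act on (the `ids:` path)."""
    return lookup(event, "responseElements.notebookInstanceArn")


def is_non_compliant(nb):
    """The `or:` filter: internet-facing OR no KmsKeyId on the record."""
    return nb.get("DirectInternetAccess") == "Enabled" or "KmsKeyId" not in nb


def run_chain_once(nb, event=None):
    """One pass of all four policies over a single notebook record.

    The cloudtrail-mode policies fire only when `event` is given (creation time);
    the periodic ones run every pass. Returns (record, actions); record is None
    once the delete policy has removed the notebook.
    """
    nb = copy.deepcopy(nb)
    tags = nb.setdefault("Tags", {})
    actions = []
    if event is not None:
        tags["CreatorName"] = lookup(event, "userIdentity.userName")  # auto-tag-user
        actions.append("auto-tag-user")
        if is_non_compliant(nb):
            tags["NonCompliantTag"] = "TRUE"
            actions.append("tag:NonCompliantTag")
    # stop policy: only flagged notebooks that are actually running
    if tags.get("NonCompliantTag") == "TRUE" and nb["NotebookInstanceStatus"] == "InService":
        tags["NonCompliantTagStopped"] = "TRUE"
        nb["NotebookInstanceStatus"] = "Stopping"
        actions += ["tag:NonCompliantTagStopped", "stop"]
    # delete policy: only once the stop has completed
    if tags.get("NonCompliantTagStopped") == "TRUE" and nb["NotebookInstanceStatus"] == "Stopped":
        actions += ["delete", "notify"]
        return None, actions
    return nb, actions


def settle(nb):
    """Model AWS completing the transitions the previous pass started."""
    nb = copy.deepcopy(nb)
    status = nb["NotebookInstanceStatus"]
    nb["NotebookInstanceStatus"] = {"Pending": "InService", "Stopping": "Stopped"}.get(status, status)
    return nb


def simulate(nb, event, max_passes=5):
    """Drive a freshly created notebook through successive policy passes.

    Returns (final_record_or_None, ordered list of every action that fired).
    """
    fired, current = [], nb
    for i in range(max_passes):
        current, actions = run_chain_once(current, event if i == 0 else None)
        fired.extend(actions)
        if current is None or (i > 0 and not actions):
            break
        current = settle(current)
    return current, fired


if __name__ == "__main__":
    print("target:", resource_id_from_event(SAMPLE_EVENT))
    for nb in (PUBLIC_UNENCRYPTED, VPC_UNENCRYPTED, VPC_ENCRYPTED):
        final, fired = simulate(nb, SAMPLE_EVENT)
        state = "deleted" if final is None else final["NotebookInstanceStatus"]
        print(nb["NotebookInstanceName"], "->", state, fired)
```

Running it shows the two non-compliant records going through auto-tag-user, tag, stop, delete and notify over three passes, while the VPC-plus-KMS record only receives its CreatorName tag. The simulation also makes one property of the chain visible: the stop policy matches `NotebookInstanceStatus: InService`, so a flagged notebook that is already stopped when that policy runs never receives NonCompliantTagStopped and therefore is never reached by the delete policy.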