Secure Amazon SageMaker Studio presigned URLs Part 2: Private API with JWT authentication

In [part 1](https://aws.amazon.com/cn/blogs/machine-learning/secure-amazon-sagemaker-studio-presigned-urls-part-1-foundational-infrastructure/) of this series, we demonstrated how to resolve an Amazon SageMaker Studio presigned URL from a corporate network using Amazon private VPC endpoints without traversing the internet. In this post, we build on that solution and show how to create a private API via [Amazon API Gateway](https://aws.amazon.com/cn/api-gateway/) as a proxy interface for generating and accessing [Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/) presigned URLs. We also add a further guardrail so that a presigned URL can only be generated and accessed for the authenticated end user, and only from within the corporate network.

#### **Solution overview**

The following diagram illustrates the architecture of the solution.

![image.png](https://dev-media.amazoncloud.cn/e088306ba6554aa1b3f279613d691a3d_image.png)

The process includes the following steps:

1. In the [Amazon Cognito](https://aws.amazon.com/cn/cognito/?trk=cndc-detail) user pool, create a user whose name matches their Studio user profile name and register Studio as an app client in the user pool.
2. The user federates from their corporate identity provider (IdP) and authenticates with the Amazon Cognito user pool to access Studio.
3. Amazon Cognito returns a token to the user authorizing access to the Studio application.
4. The user invokes the `createStudioPresignedUrl` API on API Gateway, passing the token in the `Authorization` header.
5. API Gateway invokes a custom [AWS Lambda](https://aws.amazon.com/cn/lambda/) authorizer, which validates the token.
6. 
When the token is valid, the Lambda authorizer returns an access grant policy that carries the Studio user profile ID to API Gateway.
7. API Gateway invokes the `createStudioPresignedUrl` Lambda function to create the Studio presigned URL.
8. The `createStudioPresignedUrl` function creates a presigned URL using the SageMaker API VPC endpoint and returns it to the caller.
9. The user accesses the presigned URL from their corporate network; the URL resolves over the Studio VPC endpoint.
10. The function’s [AWS Identity and Access Management](https://aws.amazon.com/cn/iam/) (IAM) policy makes sure that the presigned URL is both created and accessed via VPC endpoints.

The following sections walk you through deploying, configuring, and validating the API Gateway private API for creating and resolving a Studio presigned URL from a corporate network using VPC endpoints:

1. Deploy the solution
2. Configure the Amazon Cognito user
3. Authenticate the private API for the presigned URL using a JSON Web Token
4. Configure the corporate DNS server for accessing the private API
5. Test the API Gateway private API for a presigned URL from the corporate network
6. Pre-Signed URL Lambda Auth Policy
7. Cleanup

#### **Deploy the solution**

You can deploy the solution through either the [AWS Management Console](https://aws.amazon.com/cn/console/) or the [AWS Serverless Application Model](https://aws.amazon.com/cn/serverless/sam/?trk=cndc-detail) (AWS SAM).

To deploy the solution via the console, launch the following [AWS CloudFormation](https://aws.amazon.com/cn/cloudformation/) template in your account by choosing Launch Stack. 
It takes approximately 10 minutes for the CloudFormation stack to complete.

[![image.png](https://dev-media.amazoncloud.cn/17d69fc4b7bb4c55921e46074e3b7b1e_image.png)](https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fus-east-1.console.aws.amazon.com%2Fcloudformation%2Fhome%3Fregion%3Dus-east-1%26state%3DhashArgs%2523%252Fstacks%252Fnew%253FstackName%253Dsagemakerauthpresignedurl%2526templateURL%253Dhttps%253A%252F%252Faws-ml-blog.s3.amazonaws.com%252Fartifacts%252Fml5236-secure-studio-presigned-url%252Fprocessed-template.yaml%26isauthcode%3Dtrue&client_id=arn%3Aaws%3Aiam%3A%3A015428540659%3Auser%2Fcloudformation&forceMobileApp=0&code_challenge=x4DO6s4zxZ58HSiQ7YYxXA_IA5xt-YglprTrNbFfPzY&code_challenge_method=SHA-256)

To deploy the solution using AWS SAM, you can find the latest code in the [aws-samples GitHub repository](https://github.com/aws-samples/secure-sagemaker-studio-presigned-url), where you can also contribute to the sample code. The following commands show how to deploy the solution using the AWS SAM CLI. If it is not currently installed, [install the AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html).

1. Clone the repository at https://github.com/aws-samples/secure-sagemaker-studio-presigned-url.
2. After you clone the repo, navigate to the source and run the following command:

```
sam deploy --guided
```

#### **Configure the Amazon Cognito user**

To configure your Amazon Cognito user, complete the following steps:

1. Create an Amazon Cognito user with the same name as a SageMaker user profile:

```
aws cognito-idp admin-create-user --user-pool-id <user_pool_id> --username <sagemaker_username>
```

2. 
Set the user password:

```
aws cognito-idp admin-set-user-password --user-pool-id <user_pool_id> --username <sagemaker_username> --password <password> --permanent
```

3. Get an access token:

```
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id <cognito_app_client_id> --auth-parameters USERNAME=<sagemaker_username>,PASSWORD=<password>
```

#### **Authenticating the private API for the presigned URL using a JSON Web Token**

When you deployed a private API for creating a SageMaker presigned URL, you added a guardrail that stops anyone outside the corporate network and VPC endpoint from requesting the presigned URL. However, without a further control on the private API itself, any internal user within the corporate network could pass an arbitrary, unauthenticated SageMaker user profile name and gain access to any SageMaker app.

To mitigate this issue, we propose passing a JSON Web Token (JWT) for the authenticated caller to API Gateway and validating that token with a JWT authorizer. There are multiple options for implementing an authorizer for the private API Gateway, using either a custom [Lambda authorizer](https://aws.amazon.com/cn/blogs/compute/introducing-iam-and-lambda-authorizers-for-amazon-api-gateway-http-apis/) or [Amazon Cognito](https://aws.amazon.com/cn/blogs/security/how-to-secure-api-gateway-http-endpoints-with-jwt-authorizer/).

With a custom Lambda authorizer, you can embed the SageMaker user profile name in the returned policy. This prevents users within the corporate network from submitting a SageMaker user profile name they are not authorized to create a presigned URL for. We use Amazon Cognito to generate our tokens and a custom Lambda authorizer to validate them and return the appropriate policy. 
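To make that guardrail concrete, here is an added example (written for this edit, not the aws-samples project's own code) of the two functions working together: a TOKEN authorizer that validates the Cognito access token's claims and returns an `execute-api:Invoke` policy scoped to the caller's own path, handing the user name to the backend through the authorizer context, and a `createStudioPresignedUrl` handler that refuses to mint a URL for any profile other than the one named in that context. Everything not on the page is an assumption: the path parameter is named `employee_id`, the API uses a TOKEN authorizer, the issuer, client ID and `<domain_id>` placeholders stand in for the deployed stack's values, and both the signature check and the SageMaker call are injected so the flow runs offline. The deployed authorizer must verify the RS256 signature against the user pool's JWKS (for example with python-jose or PyJWT); the HMAC helpers below are an offline stand-in for that one step, not a substitute for it.

```python
# Added example, not the aws-samples project's code: a Cognito JWT Lambda authorizer and
# a createStudioPresignedUrl handler that only mints URLs for the authenticated caller.
import base64
import hashlib
import hmac
import json
import time

# Assumed placeholders; the deployed stack supplies the real values.
USER_POOL_ISSUER = "https://cognito-idp.<region>.amazonaws.com/<user_pool_id>"
APP_CLIENT_ID = "<cognito_app_client_id>"
PROFILE_PATH_PARAM = "employee_id"  # assumed name of the EMPLOYEE_ID path parameter


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_access_token(token, verify_signature, now=None):
    """Return the claims of a valid Cognito access token, else raise ValueError.
    verify_signature(header, signing_input, signature) -> bool is injected; the deployed
    authorizer must check RS256 against the user pool's JWKS there."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token")  # never accept alg=none
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(header, signing_input, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    for ok, reason in (
        (claims.get("iss") == USER_POOL_ISSUER, "wrong issuer"),
        (claims.get("token_use") == "access", "not an access token"),
        (claims.get("client_id") == APP_CLIENT_ID, "wrong app client"),
        (float(claims.get("exp", 0)) > now, "token expired"),
        (bool(claims.get("username")), "missing username"),
    ):
        if not ok:
            raise ValueError(reason)
    return claims


def policy(principal, effect, resource, context):
    """Response shape API Gateway expects from a Lambda authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {"principalId": principal, "context": context,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}


def authorizer_handler(event, verify_signature, now=None):
    """TOKEN authorizer; event['methodArn'] is
    arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    method_arn = event["methodArn"]
    api_arn, _, stage_and_path = method_arn.partition("/")
    stage = stage_and_path.split("/")[0]
    try:
        claims = validate_access_token(token, verify_signature, now)
    except ValueError:
        return policy("anonymous", "Deny", method_arn, {})
    username = claims["username"]  # Cognito user name == Studio user profile name
    # Allow only /<stage>/<any method>/<username>, so the profile name is baked into the
    # policy, and pass it via context so the backend never trusts the raw path parameter.
    return policy(username, "Allow", f"{api_arn}/{stage}/*/{username}", {"username": username})


def create_presigned_url_handler(event, create_presigned_domain_url, domain_id="<domain_id>"):
    """createStudioPresignedUrl backend. create_presigned_domain_url is injected; in the
    Lambda it is boto3.client("sagemaker", endpoint_url=<SageMaker API VPC endpoint>)
    .create_presigned_domain_url, run under the VPC-only IAM policy shown on this page."""
    requested = (event.get("pathParameters") or {}).get(PROFILE_PATH_PARAM)
    caller = (event.get("requestContext") or {}).get("authorizer", {}).get("username")
    if not requested or not caller or requested != caller:
        return {"statusCode": 403,
                "body": json.dumps({"message": "profile does not match the authenticated user"})}
    resp = create_presigned_domain_url(DomainId=domain_id, UserProfileName=requested,
                                       ExpiresInSeconds=300)
    return {"statusCode": 200, "body": json.dumps({"url": resp["AuthorizedUrl"]})}


# Offline stand-in for Cognito's RS256 signing so the flow runs without a user pool.
def make_hs256_token(claims, key):
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def hs256_verifier(key):
    def verify(header, signing_input, signature):
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return header.get("alg") == "HS256" and hmac.compare_digest(expected, signature)
    return verify
```

Two design points carry over to the real deployment. First, the authorizer's `Allow` resource is `/<stage>/*/<username>`, so a token for one user can never satisfy a request for another user's path even before the backend runs; this is what the Postman steps later on the page exercise when a foreign `EMPLOYEE_ID` returns an access failure. Second, the backend compares the path parameter against the context the authorizer set, never against anything the caller sent, and only then calls `create_presigned_domain_url`, which the page's IAM policy already confines to VPC-sourced requests.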
For more information, refer to [Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM](https://aws.amazon.com/cn/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/). The Lambda authorizer uses the Amazon Cognito user name as the user profile name.

If you’re unable to use Amazon Cognito, you can develop a custom application to authenticate users and pass end-user tokens to the Lambda authorizer. For more information, refer to [Use API Gateway Lambda authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html).

#### **Configure the corporate DNS server for accessing the private API**

To configure your corporate DNS server, complete the following steps:

1. On the [Amazon Elastic Compute Cloud](https://aws.amazon.com/cn/ec2/) (Amazon EC2) console, choose your on-premises DNSA EC2 instance and connect via [Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).
2. Add a zone record in the `/etc/named.conf` file that forwards the API Gateway’s DNS name to your [Amazon Route 53](https://aws.amazon.com/cn/route53/) inbound resolver, as shown in the following code:

```
zone "zxgua515ef.execute-api.<region>.amazonaws.com" {
    type forward;
    forward only;
    forwarders { 10.16.43.122; 10.16.102.163; };
};
```

3. 
Restart the named service using the following command:

```
sudo service named restart
```

#### **Validate requesting a presigned URL from the API Gateway private API for authorized users**

In a real-world scenario, you would implement a front-end interface that passes the appropriate `Authorization` header for authenticated and authorized resources, either as a custom solution or using [AWS Amplify](https://aws.amazon.com/cn/amplify/). For brevity, the following steps use Postman to quickly validate that the deployed solution restricts an internal user from requesting a presigned URL unless they are authorized to do so.

To validate the solution with Postman, complete the following steps:

1. Install Postman on the WINAPP EC2 instance. See the [installation instructions](https://learning.postman.com/docs/getting-started/installation-and-updates/#installing-postman-on-windows).
2. Open Postman and add the access token to your `Authorization` header:

```
Authorization: Bearer <access token>
```

3. Modify the API Gateway URL to access it from your internal EC2 instance:
    a. Add the VPC endpoint into your API Gateway URL:

```
https://<API-G-ID>-<VPCE-ID>.execute-api.<region>.amazonaws.com/dev/EMPLOYEE_ID
```

    b. Add the `Host` header with a value of your API Gateway URL:

```
<API-G-ID>.execute-api.<region>.amazonaws.com
```

    c. First, change `EMPLOYEE_ID` to your Amazon Cognito user and SageMaker user profile name. Make sure you receive an authorized presigned URL.
    d. Then change `EMPLOYEE_ID` to a user that is not yours and make sure you receive an access failure.
4. On the [Amazon EC2](https://aws.amazon.com/cn/ec2/?trk=cndc-detail) console, choose your on-premises WINAPP instance and connect via your RDP client.
5. 
Open a Chrome browser and navigate to your authorized presigned URL to launch Studio.

![image.png](https://dev-media.amazoncloud.cn/a380117c343b441b93700c13313221f6_image.png)

Studio is launched over the VPC endpoint, with the remote address being the Studio VPC endpoint IP.

![image.png](https://dev-media.amazoncloud.cn/2285709e5a124b8a934c4e2a3343d8df_image.png)

If the presigned URL is accessed from outside the corporate network, resolution fails because the IAM policy condition for the presigned URL enforces creation and access from a VPC endpoint.

![image.png](https://dev-media.amazoncloud.cn/b29baf17490a454dbbce0a7f494839ab_image.png)

![image.png](https://dev-media.amazoncloud.cn/294a50ce130947189f66ae27e7f617d3_image.png)

#### **Pre-Signed URL Lambda Auth Policy**

The solution above creates the following IAM policy for the Lambda function that generates the presigned URL for accessing SageMaker Studio.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "IpAddress": {
                    "aws:VpcSourceIp": "10.16.0.0/16"
                }
            },
            "Action": "sagemaker:CreatePresignedDomainUrl",
            "Resource": "arn:aws:sagemaker:<region>:<account-id>:user-profile/*/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.168.10.0/24"
                }
            },
            "Action": "sagemaker:CreatePresignedDomainUrl",
            "Resource": "arn:aws:sagemaker:<region>:<account-id>:user-profile/*/*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": [
                        "vpce-sm-api-xx",
                        "vpce-sm-api-yy"
                    ]
                }
            },
            "Action": "sagemaker:CreatePresignedDomainUrl",
            "Resource": "arn:aws:sagemaker:<region>:<account-id>:user-profile/*/*",
            "Effect": "Allow"
        }
    ]
}
```

The above policy ensures that the Studio presigned URL is both generated and accessed via one of these three 
entrypoints:

1. `aws:VpcSourceIp` as your AWS VPC CIDR
2. `aws:SourceIp` as your corporate network CIDR
3. `aws:sourceVpce` as your SageMaker API VPC endpoints

#### **Cleanup**

To avoid incurring ongoing charges, [delete the CloudFormation stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) you created. Alternatively, if you deployed the solution using SAM, authenticate to the AWS account the solution was deployed in and run [sam delete](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-delete.html).

#### **Conclusion**

In this post, we demonstrated how to access Studio through a private API Gateway from a corporate network using Amazon private VPC endpoints, preventing access to presigned URLs from outside the corporate network, and securing the API Gateway with a JWT authorizer using Amazon Cognito and a custom Lambda authorizer.

Try out this solution, experiment with integrating it into your corporate portal, and leave your feedback in the comments!

_____________________________________________

#### **About the Authors**

![image.png](https://dev-media.amazoncloud.cn/bb017250518745968c5cdd790af9894a_image.png) **Ram Vittal** is a machine learning solutions architect at AWS. He has over 20 years of experience architecting and building distributed, hybrid, and cloud applications. He is passionate about building secure and scalable AI/ML and big data solutions to help enterprise customers with their cloud adoption and optimization journey to improve their business outcomes. In his spare time, he enjoys tennis, photography, and action movies.

![image.png](https://dev-media.amazoncloud.cn/e6dd5dce4df6427d938828db8ab169aa_image.png)
**Jonathan Nguyen** is a Shared Delivery Team Senior Security Consultant at AWS. 
His background is in AWS Security with a focus on Threat Detection and Incident Response. Today, he helps enterprise customers develop a comprehensive AWS Security strategy, deploy security solutions at scale, and train customers on AWS Security best practices.

![image.png](https://dev-media.amazoncloud.cn/34d8a70a11bd48bc8bcffeea0b7f0aba_image.png)
**Chris Childers** is a Cloud Infrastructure Architect in Professional Services at AWS. He works with AWS customers to design and automate their cloud infrastructure and improve their adoption of DevOps culture and processes.