Lab 1: Secure Networking

The data science team have requested a cloud environment to complete their project. The data science administrator has in turn asked the Cloud Platform Engineering team to provision a secure VPC for the data science team. In this lab, you will use AWS CloudFormation to provision this data science environment. Following the steps below, you will create an environment that contains:

  • AWS VPC with no IGW
  • VPC endpoints to Amazon S3, Amazon SageMaker, CloudWatch, STS
  • IAM roles for the data science administrator and the data scientist
  • AWS resource names/identifiers stored in AWS SSM Parameter Store for future reference
  • Service Catalog Portfolio of products for the data science administrator
  • AWS CloudTrail configured to log AWS API calls
  • AWS KMS key for encrypting CloudTrail logs
  • Remediating detective control to ensure SageMaker resources are only deployed into a VPC (CloudWatch Event Rule + Lambda Function)

As you work through these labs, make a note of your AWS account ID and the team name you choose in Lab 2. You will need your 12-digit AWS account number to quickly assume the 3 roles you will create, and the team name you create in Lab 2 is needed again in later labs.

Create a Cloud Platform Engineering IAM role

Skip ahead to the next step (Deploy base environment) if you are at an AWS-hosted event using an Event Engine account.
ONLY perform this step (Create a Cloud Platform Engineering IAM role) if using your own AWS account.

The first step to complete these labs is to create a Cloud Platform Engineering IAM role to be used by the cloud platform engineering team to deploy the base infrastructure. To do this, use one of the links below for the region you want to work in:

Region                    Launch Template
Oregon (us-west-2)        Deploy to AWS Oregon
Ohio (us-east-2)          Deploy to AWS Ohio
N. Virginia (us-east-1)   Deploy to AWS N. Virginia
Ireland (eu-west-1)       Deploy to AWS Ireland
London (eu-west-2)        Deploy to AWS London
Sydney (ap-southeast-2)   Deploy to AWS Sydney

Deploy base environment

Your first task as the cloud platform engineer is to create a base environment for the data science teams. Start by assuming the role of the Cloud Platform Engineering team via the AWS console. Then, as the cloud platform engineer, use CloudFormation to provision a secure VPC environment to support the data science team. Choose a region below and click Deploy to AWS to get started.

All of the parameters in this CloudFormation template should have reasonable defaults but you can change them to your preference if you wish. One parameter that DOES NOT have a default and that you MUST define is the suffix for the CloudTrail logging bucket. Please set this to a value such as <YOUR-NAME>-smlab.

Step-by-step instructions
Region                    Launch Template
Oregon (us-west-2)        Deploy to AWS Oregon
Ohio (us-east-2)          Deploy to AWS Ohio
N. Virginia (us-east-1)   Deploy to AWS N. Virginia
Ireland (eu-west-1)       Deploy to AWS Ireland
London (eu-west-2)        Deploy to AWS London
Sydney (ap-southeast-2)   Deploy to AWS Sydney

If you wish to see the contents of these CloudFormation templates, you can view them in the CloudFormation console or copy them locally for review using a command such as the one below.

aws s3 sync s3://sagemaker-workshop-cloudformation-us-east-1 ./sagemaker-workshop-cloudformation

Review base environment

After the CloudFormation stack has been successfully created, review the Resources tab of the CloudFormation stack and the resources that were created. You’ll notice that it has provisioned:

  • CloudTrail

    CloudTrail has been configured to log all activity in the environment and to serve as an event source for a CloudWatch Event Rule as part of a detective control you will test later. Visit the console: what records can you see already present in the logs?

  • Service Catalog Portfolio

    A service catalog portfolio and products have been configured to give the data science teams tailored products they can deploy easily.

  • IAM roles

    Roles and permissions have been created so that the data science teams can manage themselves and create the resources they need.

  • SSM parameters

    A collection of parameters has been stored so they can be referenced by the data science teams. Visit the console: what parameters have been created?

  • KMS key

    A KMS key has been created to encrypt data at rest in the data science environment. Visit the console: what is the KMS key being used to encrypt?

  • Lambda function

    The combination of the CloudWatch event rule and the Lambda function acts as a detective and corrective control, inspecting training jobs as they are launched to ensure they remain compliant with your defined security requirements. Visit the console: what event will cause the Lambda function to execute?

  • Virtual Private Cloud (VPC)

    The template has created a VPC with no Internet connectivity but with VPC endpoints for accessing AWS services like Amazon S3 and Amazon SageMaker. Visit the console: what services are accessible from within the VPC? Do any endpoints have Endpoint Policies governing them?
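As an added example (not the workshop's own Lambda code), the Python handler below shows the shape of the detective and corrective control described under Lambda function above and in the lab overview: it reads the CreateTrainingJob record that CloudTrail delivers through the CloudWatch Events rule, checks whether the job carries a VpcConfig, and stops a job that was launched outside the VPC. The sample event is constructed, and stopping the job with StopTrainingJob is an assumed remediation; the workshop's deployed function may act differently.

```python
# Constructed sample payload, not a real capture: a CreateTrainingJob call
# delivered by the CloudWatch Events rule (CloudTrail camelCases request keys).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": "CreateTrainingJob",
        "requestParameters": {"trainingJobName": "example-no-vpc-job"},  # no vpcConfig
    },
}


def evaluate_training_job(event):
    """Return (compliant, reason, job_name) for one CloudTrail event."""
    detail = event.get("detail") or {}
    params = detail.get("requestParameters") or {}
    job_name = params.get("trainingJobName")
    if (detail.get("eventSource"), detail.get("eventName")) != (
            "sagemaker.amazonaws.com", "CreateTrainingJob"):
        return True, "not a CreateTrainingJob event", job_name
    if detail.get("errorCode"):  # the API rejected the call, nothing was created
        return True, "call failed, no job to remediate", job_name
    # Compliant only when VpcConfig names at least one subnet and security group.
    vpc = params.get("vpcConfig") or {}
    if not vpc.get("subnets") or not vpc.get("securityGroupIds"):
        return False, "training job has no VpcConfig", job_name
    return True, "training job is attached to the VPC", job_name


class RecordingSageMakerClient:
    """Offline stand-in for boto3's SageMaker client; records stop requests."""
    def __init__(self):
        self.stopped = []

    def stop_training_job(self, TrainingJobName):
        self.stopped.append(TrainingJobName)


def lambda_handler(event, context=None, sagemaker_client=None):
    """Entry point for the event rule; stops a job that was launched outside the VPC."""
    compliant, reason, job_name = evaluate_training_job(event)
    if not compliant and job_name:
        if sagemaker_client is None:  # real Lambda path, imported lazily
            import boto3
            sagemaker_client = boto3.client("sagemaker")
        sagemaker_client.stop_training_job(TrainingJobName=job_name)  # assumed remediation
    return {"trainingJobName": job_name, "compliant": compliant, "reason": reason}
```

Passing a RecordingSageMakerClient lets you exercise the handler locally against CloudTrail records copied from your own logs before wiring it to the real event rule.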

You have now created a secure environment for the data science teams. Let's now hand things back to the Data Science Administrator and let them support the data science team.