Lab 2: Secure Environment

A data science project team have requested a cloud environment to begin their project. As the project administrator you will use the Service Catalog portfolio, managed by the Cloud Platform Engineering team, to provision a secure VPC and related resources for the data science team. In this lab, you will use Amazon Service Catalog to provision this data science environment. Following the steps below create an environment which contains:

  • AWS VPC with no IGW
  • VPC endpoints to Amazon S3, Amazon SageMaker, CloudWatch, STS
  • IAM roles for the data science administrator and the data scientist
  • Store AWS resource names/identifiers in AWS SSM Parameter Store for future reference
  • Service Catalog Portfolio of products for the data science users
  • AWS KMS key for encrypting data at rest

Deploy a project environment

In the previous lab you deployed a CloudFormation template which created a project administrator role. Details of this role can be found in the CloudFormation Outputs for the stack you deployed.

After assuming the project administrator role, visit the AWS Service Catalog console and provision a project environment for the data science team.

Environment creation will take approximately 10 minutes.

Step-by-step instructions

If you wish to see the contents of these CloudFormation templates you can view them on the CloudFormation console or copy them locally for review using a command such as the below.

aws s3 sync s3://sagemaker-workshop-cloudformation-us-east-1/quickstart ./sagemaker-workshop-cloudformation

Review base environment

After the CloudFormation stack has been successfully created review the Resources tab of the CloudFormation stack and the resources that were created. You’ll notice that it has provisioned:

  • Service Catalog Portfolio

    A service catalog portfolio and products have been configured to give the data science teams tailored products they can deploy easily.

  • IAM roles

    Roles and permissions have been created so that the data science teams can manage themselves and create the resources they need.

  • SSM parameters

    A collection of parameters have been stored so they can be referenced by the data science teams. Visit the console, what parameters have been created?

  • KMS key

    A KMS key to encrypt data at rest in the data science environment. Visit the console, what is the KMS key being used to encrypt?

  • Virtual Private Cloud (VPC)

    The template has created a VPC with no Internet connectivity but with VPC endpoints for accessing AWS services like Amazon S3 and Amazon SageMaker. Visit the console, what services are accessible from within the VPC? Do any endpoints have Endpoint Policies governing them?


You have now created a secure environment for the data science team. Lets now hand things back to the project team and let them support themselves.