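# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
# This template creates a shared S3 bucket to serve as the data lake for data science teams.
# The bucket is encrypted at rest with a dedicated KMS CMK defined in this template; the bucket
# name and the key ARN are published both as stack exports and as SSM parameters so that other
# stacks can locate them by the shared stack-set name.
Description: Shared S3 data storage to serve as data lake for data science teams.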
Parameters:
  # Root name shared by every stack in the shared-service stack set. It is interpolated into the
  # export names, the SSM parameter names, the KMS alias and the Fn::ImportValue lookups below,
  # so it must match the value used by the sibling shared-service stacks.
  SharedServiceStackSetName:
    Description: Common root name used across shared service cloudformation resources
    Type: String
Outputs:
  # ARN of the CMK that encrypts the data lake bucket, exported for Fn::ImportValue lookups by
  # other stacks in the stack set.
  DataLakeKMSCMK:
    Description: KMS Key ARN for the shared data lake S3 bucket
    Value:
      Fn::GetAtt:
        - KMSCMK
        - Arn
    Export:
      Name:
        Fn::Sub: 'ds-data-lake-kms-cmk-${SharedServiceStackSetName}-arn'
  # Name of the data lake bucket, exported for cross-stack reference.
  DataLakeBucket:
    Description: Shared service data lake S3 bucket name
    Value:
      Ref: DataLakeBucket
    Export:
      Name:
        Fn::Sub: 'ds-s3-data-lake-${SharedServiceStackSetName}'
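Resources:
  # Customer-managed KMS key that provides the default server-side encryption for the data lake
  # bucket. Annual key rotation is enabled.
  KMSCMK:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: KMS key for S3 data lake bucket
      EnableKeyRotation: true
      KeyPolicy:
        Id: key-policy-1
        # Quoted on purpose: a bare 2012-10-17 is an ISO date to YAML parsers, while the policy
        # document needs the literal string.
        Version: '2012-10-17'
        Statement:
          # The account root keeps full control; this is what lets IAM policies in the account
          # delegate key access and prevents the key from becoming unmanageable.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          # Key administration is delegated to the administrator role whose ARN the sibling
          # shared-service stack exports. The action list contains no data-plane operations
          # (Encrypt/Decrypt/GenerateDataKey), so administrators manage the key without using it.
          # NOTE(review): kms:Create* also matches kms:CreateGrant, which lets an administrator
          # delegate key usage to another principal — confirm that is intended for this role.
          - Sid: Allow access for Key Administrators
            Effect: Allow
            Principal:
              AWS:
                Fn::ImportValue:
                  !Sub 'ds-administrator-role-${SharedServiceStackSetName}-arn'
            Action:
              - 'kms:Create*'
              - 'kms:Describe*'
              - 'kms:Enable*'
              - 'kms:List*'
              - 'kms:Put*'
              - 'kms:Update*'
              - 'kms:Revoke*'
              - 'kms:Disable*'
              - 'kms:Get*'
              - 'kms:Delete*'
              - 'kms:TagResource'
              - 'kms:UntagResource'
              - 'kms:ScheduleKeyDeletion'
              - 'kms:CancelKeyDeletion'
            Resource: '*'
          # NOTE(review): the first statement already grants the account root kms:* with no
          # condition, so this statement neither widens nor narrows access in practice. On its
          # own, StringNotEquals on aws:SourceVpce would permit use from everywhere except the
          # imported S3 VPC endpoint, which reads inverted for a restriction — confirm whether
          # StringEquals (use only through the endpoint) was intended.
          - Sid: Allow access for Key Users
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action:
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:CreateGrant'
              # KMS has no action named kms:ReEncrypt; the real actions are kms:ReEncryptFrom and
              # kms:ReEncryptTo, so the wildcard is required for re-encryption to be covered.
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey'
              - 'kms:DescribeKey'
            Resource: '*'
            Condition:
              StringNotEquals:
                'aws:SourceVpce':
                  Fn::ImportValue:
                    !Sub 'ds-s3-endpoint-${SharedServiceStackSetName}-id'
      Tags:
        - Key: SharedServiceStackSetName
          Value: !Ref SharedServiceStackSetName
  # Human-readable alias for the CMK, namespaced by the stack-set name.
  KMSCMKAlias:
    Type: 'AWS::KMS::Alias'
    Properties:
      AliasName: !Sub 'alias/ds-s3-data-lake-kms-cmk-${SharedServiceStackSetName}'
      TargetKeyId: !Ref KMSCMK
  # Publishes the CMK ARN in Parameter Store for consumers that do not use stack exports.
  KMSCMKArn:
    Type: 'AWS::SSM::Parameter'
    Properties:
      Name: !Sub 'ds-s3-data-lake-kms-cmk-${SharedServiceStackSetName}-arn'
      Type: String
      Value: !GetAtt
        - KMSCMK
        - Arn
      # Description corrected: the previous text ("SageMakerExecRole ARN") described a different
      # parameter, not the key ARN stored here.
      Description: KMS CMK ARN for the shared S3 data lake bucket
  # The data lake bucket. Its name embeds the final segment of this stack's id so that it is
  # unique per deployment while staying predictable ('ds-data-lake-' plus the id fragment).
  # NOTE(review): no bucket policy is attached in this template, so TLS-only access
  # (aws:SecureTransport) and restriction to the imported S3 VPC endpoint are not enforced at the
  # bucket level here — confirm whether a sibling stack attaches one.
  DataLakeBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Join
        - ''
        - - 'ds-data-lake-'
          # AWS::StackId has the form arn:aws:cloudformation:<region>:<account>:stack/<name>/<uuid>:
          # splitting on '/' and taking index 2 yields the uuid; splitting that on '-' and taking
          # index 4 yields its last segment.
          - !Select
            - 4
            - !Split
              - '-'
              - !Select
                - 2
                - !Split
                  - '/'
                  - !Ref 'AWS::StackId'
      PublicAccessBlockConfiguration:
        # All four public-access blocks on, written as canonical YAML booleans (the original
        # upper-case TRUE relied on YAML 1.1 boolean coercion).
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref KMSCMK
      Tags:
        - Key: SharedServiceStackSetName
          Value: !Ref SharedServiceStackSetName
  # Publishes the bucket name in Parameter Store, mirroring the DataLakeBucket stack export.
  S3DataLakeBucketNameSSMParameter:
    Type: 'AWS::SSM::Parameter'
    Properties:
      Name: !Sub 'ds-s3-data-lake-bucket-${SharedServiceStackSetName}'
      Type: String
      Value: !Ref DataLakeBucket
      Description: Shared S3 data lake bucket name for data science teams.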