Merge pull request #36 Adding PreventDirectInternetAccessSageMakerNotebook

tatyatsk · web-flow · commit bf5478f07762 · 2025-03-28T11:10:41.000-04:00
Adding PreventDirectInternetAccessSageMakerNotebook
diff --git a/service_control_policies/README.md b/service_control_policies/README.md
@@ -248,4 +248,10 @@ Services such as Lambda, AWS Glue, CloudShell, App Runner, and SageMaker support
 ### "Sid": "PreventNonVpcOnlySageMakerDomain"
 
 This statement is included in the [data_perimeter_governance_policy_2.json](data_perimeter_governance_policy_2.json) and prevents users from creating [Amazon SageMaker domains](https://docs.aws.amazon.com/sagemaker/latest/dg/sm-domain.html) that can access the internet through a VPC managed by SageMaker, or updating SageMaker domains to allow access to the internet through a VPC managed by SageMaker.    
-For more details, see the definition of the parameter [`AppNetworkAccessType`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html#sagemaker-UpdateDomain-request-AppNetworkAccessType) in the Amazon SageMaker API Reference.
+For more details, see the definition of the parameter [`AppNetworkAccessType`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html#sagemaker-UpdateDomain-request-AppNetworkAccessType) in the Amazon SageMaker API Reference.
+
+
+### "Sid": "PreventDirectInternetAccessSageMakerNotebook"
+
+This statement is included in the [data_perimeter_governance_policy_2.json](data_perimeter_governance_policy_2.json) and prevents users from creating [Amazon SageMaker Notebooks Instances](https://docs.aws.amazon.com/sagemaker/latest/dg/nbi.html) that can access the internet through a VPC managed by SageMaker.        
+For more details, see [Connect a Notebook Instance in a VPC to External Resources](https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html) in the Amazon SageMaker documentation.
diff --git a/service_control_policies/data_perimeter_governance_policy_2.json b/service_control_policies/data_perimeter_governance_policy_2.json
@@ -108,11 +108,28 @@
          ],
         "Resource": "*",
         "Condition": {
-            "StringNotEquals": {
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude": "true",
                "sagemaker:AppNetworkAccessType": "VpcOnly"
             }
          }
       },
+      {
+         "Sid": "PreventDirectInternetAccessSageMakerNotebook",
+         "Effect": "Deny",
+         "Action": [
+            "sagemaker:CreateNotebookInstance"
+         ],
+        "Resource": "*",
+        "Condition": {
+            "StringEquals": {
+               "sagemaker:DirectInternetAccess": "Enabled"
+            },
+            "StringNotEqualsIfExists": {
+               "aws:PrincipalTag/dp:exclude": "true"
+            }
+         }
+      },
       {
          "Sid":"PreventNonVPCDeploymentLambda",
          "Effect":"Deny",
