Development Environment
The Environment module manages the provisioning of resources and manages access controls, providing the environment for data scientists and engineers to develop solutions.
Design Principles
| Principle | Description |
|---|---|
| Promote basic software development best practices. | Many data scientists come from a non-CS background, and thus it is important to emphasize the benefit of tools and techniques of software development. |
| Provide a flexible set of baseline services. | Data Scientists should be enabled to develop code in any environment capable to run remote python interpreter including modern IDEs (e.g., VS Code,), traditional IDEs (e.g., vim) or jupyter notebooks. There should not be a single, "one-size-fits-all" approach. |
| Operate in an isolated environment | This means resources will have to reside in a private VPC and VPC endpoints will need to be created. |
| Data encryption in transit and at rest | One aspect to enforce here is S3 encryption for all content at rest and requirement for data upload encryption header to be specified. |
Quick Start
Update the following config in
config/config.iniKeyName: Existing EC2 key pair name that you have access to the private file
S3BucketName: Unique S3 bucket name for project
VpcCIDR: The Cidr range for the VPC
Prepare a S3 bucket in the same region to store cloudformation intermediate metedata. This could be an existing bucket or a new bucket. You must be able to write to this bucket. This is a different bucket than the one specified in Step 1.
To deploy, run the command
deploy.sh [stack-name] [cloudformation-bucket] [region]Cloundformation bucket be in the same region specified by
regionargument.If no
regionargument is provided, default region in.aws/configwill be used.E.g.
deploy.sh my-stack my-cfn-s3bucket ap-southeast-1
Architecture
Very often in a regulated industry such as Financial Services or Healthcare where data security is critical, the customer will have stringent requirements to be compliant for data science work. This template will setup the minimum service such as bastianless EC2 instance, SageMaker Notebook and S3 bucket for Data Scientist to start working on customer engagement.
S3
Enforce service side encryption with customer managed key
Data Scientist or developer is responsible to specify kmsid for AWSCLI, SDK or BOTO3 for any data upload to S3
SageMaker
Encrypted EBS volume with customer manged key
Restricted access to default encrypted S3 bucket
VPC Endpoint
The following endpoints have been added by default, additional endpoint can be added as necessary.
s3
git-codecommit, codecommit
sagemaker.api, sagemaker.runtime
ecr.api, ec.dkr
sts
logs
ssm
states
KMS
Generate a customer managed key
VPC
Two Private Subnets only across different avaiability zones
EC2
SSM Agent to support remote SSH using exisitng key pair
First verify that Session Manager Plugin is installed on your local workstation by running the command below or follow the instruction here to install SSM agent
Your current active aws profile keypair should be the same as the deployment profile.
aws ssm start-session --target <ec2-instance-id>
Update SSH config to be able to SSH to EC2 using command
ssh ec2-ssm.
# Add the following in your SSH config
Host ec2-ssm
HostName <ec2-instance-id>
User ec2-user
IdentityFile /path/to/keypair/pemfile
ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
Security Patching
It is recommended that you patch the EC2 instance regularly whenever there is security updates. Run the following commands in EC2 for patching.
sudo yum-config-manager --disable libnvidia-container
sudo yum-config-manager --disable neuron
sudo yum-config-manager --disable nvidia-container-runtime
sudo yum-config-manager --disable nvidia-docker
sudo yum update-minimal --sec-severity=critical,important --bugfix