Mitigate statistics leakage by the usage of AppStream 2.0 and end-to-end auditing

Clients need to use AWS companies to function on their most delicate statistics, however they need to make it possible for solely the correct individuals have entry to that statistics. Even when the correct persons are accessing statistics, clients need to account for what actions these customers took whereas accessing the info.

On this publish, we present you ways you should utilize Amazon AppStream 2.0 to grant remoted entry to delicate statistics and reduce your assault floor. As well as, we present you learn how to obtain end-to-end auditing, which is designed to supply full traceability of all actions round your statistics.

To display this concept, we developed a pattern resolution that gives a knowledge scientist with entry to an Amazon SageMaker Studio pocket book utilizing AppStream 2.0. The answer deploys a brand new Amazon Digital Personal Cloud (Amazon VPC) with remoted subnets, the place the SageMaker pocket book and AppStream 2.0 situations are arrange.

Why AppStream 2.0?

AppStream 2.0 is a fully-managed, non-persistent software and desktop streaming service that gives entry to desktop functions from anyplace by utilizing an HTML5-compatible desktop browser.

Every time you launch an AppStream 2.0 session, a freshly-built, pre-provisioned occasion is offered, utilizing a prebuilt picture. As quickly as you shut your session and the disconnect timeout interval is reached, the occasion is terminated. This lets you rigorously management the person expertise and helps to make sure a constant, safe surroundings every time. AppStream 2.0 additionally permits you to implement restrictions on person classes, equivalent to disabling the clipboard, file transfers, or printing.

Moreover, AppStream 2.0 makes use of AWS Id and Entry Administration (IAM) roles to grant fine-grained entry to different AWS companies equivalent to Amazon Easy Storage Service (Amazon S3), Amazon Redshift, Amazon SageMaker, and different AWS companies. This provides you each management over the entry in addition to an accounting, by way of Amazon CloudTrail, of what actions have been taken and when.

These options make AppStream 2.0 uniquely appropriate for environments that require excessive safety and isolation.

Why SageMaker?

Builders and statistics scientists use SageMaker to construct, prepare, and deploy machine studying fashions shortly. SageMaker does many of the work of every step of the machine studying course of to assist customers develop high-quality fashions. SageMaker entry from inside AppStream 2.0 gives your statistics scientists and analysts with a collection of frequent and acquainted data-science packages to make use of in opposition to remoted statistics.

Answer structure overview

This resolution permits a knowledge scientist to work with a knowledge set whereas related to an remoted surroundings that doesn’t have an outbound path to the web.

First, you construct an Amazon VPC with remoted subnets and with no web gateways hooked up. This ensures that any situations stood up within the surroundings don’t have entry to the web. To offer the assets contained in the remoted subnets with a path to industrial AWS companies equivalent to Amazon S3, SageMaker, AWS System Supervisor you construct VPC endpoints and fix them to the VPC, as proven in Determine 1.

Figure 1: Network Diagram

Determine 1: Community Diagram

You then construct an AppStream 2.0 stack and fleet, and fix a safety group and IAM function to the fleet. The aim of the IAM function is to supply the AppStream 2.0 situations with entry to downstream AWS companies equivalent to Amazon S3 and SageMaker. The IAM function design follows the least privilege mannequin, to make sure that solely the entry required for every activity is granted.

Throughout the constructing of the stack, you’ll allow AppStream 2.0 Residence Folders. This characteristic builds an S3 bucket the place customers can retailer recordsdata from inside their AppStream 2.0 session. The bucket is designed with a devoted prefix for every person, the place solely they’ve entry. We use this prefix to retailer the person’s pre-signed SagaMaker URLs, making certain that nobody person can entry one other customers SageMaker Pocket book.

You then deploy a SageMaker pocket book for the info scientist to make use of to entry and analyze the remoted statistics.

To substantiate that the person ID on the AppStream 2.0 session hasn’t been spoofed, you create an AWS Lambda perform that compares the person ID of the info scientist in opposition to the AppStream 2.0 session ID. If the person ID and session ID match, this means that the person ID hasn’t been impersonated.

As soon as the session has been validated, the Lambda perform generates a pre-signed SageMaker URL that offers the info scientist entry to the pocket book.

Lastly, you allow AppStream 2.0 utilization reviews to make sure that you might have end-to-end auditing of your surroundings.

That will help you simply deploy this resolution into your surroundings, we’ve developed an AWS Cloud Growth Package (AWS CDK) software and stacks, utilizing Python. To deploy this resolution, you possibly can go to the Answer deployment part on this weblog publish.

Be aware: this resolution was developed with all assets being in a single AWS Area. The help of multi Area is feasible however isn’t a part of this weblog publish.

Answer necessities

Earlier than you construct an answer, you could know your safety necessities. The answer on this publish assumes a set of normal safety necessities that you just usually discover in an enterprise surroundings:

  • Person authentication is offered by a Safety Assertion Markup Language (SAML) id supplier (IdP).
  • IAM roles are used to entry AWS companies equivalent to Amazon S3 and SageMaker.
  • AWS IAM entry keys and secret keys are prohibited.
  • IAM insurance policies comply with the least privilege mannequin in order that solely the required entry is granted.
  • Home windows clipboard, file switch, and printing to native gadgets is prohibited.
  • Auditing and traceability of all actions is required.

Be aware: earlier than it is possible for you to to combine SAML with AppStream 2.0, you have to to comply with the AppStream 2.0 Integration with SAML 2.0 information. There are fairly a couple of steps and it’ll take a while to arrange. SAML authentication is elective, nevertheless. For those who simply need to prototype the answer and see the way it works, you are able to do that with out enabling SAML integration.

Answer parts

This resolution makes use of the next applied sciences:

  • Amazon VPC – gives an remoted community the place the answer might be deployed.
  • VPC endpoints – present entry from the remoted community to industrial AWS companies equivalent to Amazon S3 and SageMaker.
  • AWS Programs Supervisor – shops parameters equivalent to S3 bucket names.
  • AppStream 2.0 – gives hardened situations to run the answer on.
  • AppStream 2.0 residence folders – retailer customers’ session info.
  • Amazon S3 – shops software scripts and pre-signed SageMaker URLs.
  • SageMaker pocket book – gives statistics scientists with instruments to entry the info.
  • AWS Lambda – runs scripts to validate the info scientist’s session, and generates pre-signed URLs for the SageMaker pocket book.
  • AWS CDK – deploys the answer.
  • PowerShell – processes scripts on AppStream 2.0 Microsoft Home windows situations.

Answer high-level design and course of circulate

The next determine is a high-level depiction of the answer and its course of circulate.

Figure 2: Solution process flow

Determine 2: Answer course of circulate

The method circulate—illustrated in Determine 2—is:

  1. A knowledge scientist clicks on an AppStream 2.0 federated or a streaming URL.
    1. If it’s a federated URL, the info scientist authenticates utilizing their company credentials, in addition to MFA if required.
    1. If it’s a streaming URL, no additional authentication is required.
  2. The information scientist is offered with a PowerShell software that’s been made out there to them.
  3. After beginning the applying, it begins the PowerShell script on an AppStream 2.0 occasion.
  4. The script then:
    1. Downloads a second PowerShell script from an S3 bucket.
    2. Collects native AppStream 2.0 surroundings variables:
      1. AppStream_UserName
      2. AppStream_Session_ID
      3. AppStream_Resource_Name
    3. Shops the variables within the session.json file and copies the file to the house folder of the session on Amazon S3.
  5. The PUT occasion of the JSON file into the Amazon S3 bucket triggers an AWS Lambda perform that performs the next:
    1. Reads the session.json file from the person’s residence folder on Amazon S3.
    2. Performs a describe motion in opposition to the AppStream 2.0 API to make sure that the session ID and the person ID match. This helps to stop the person from manipulating the native surroundings variable to faux to be another person (spoofing), and doubtlessly achieve entry to unauthorized statistics.
    3. If the session ID and person ID match, a pre-signed SageMaker URL is generated and saved in session_url.txt, and copied to the person’s residence folder on Amazon S3.
    4. If the session ID and person ID don’t match, the Lambda perform ends with out producing a pre-signed URL.
  6. When the PowerShell script detects the session_url.txt file, it opens the URL, giving the person entry to their SageMaker pocket book.

Code construction

That will help you deploy this resolution in your surroundings, we’ve developed a set of code that you should utilize. The code is generally written in Python and for the AWS CDK framework, and with an AWS CDK software and a few PowerShell scripts.

Be aware: Now we have chosen the default settings on lots of the AWS assets our code deploys. Earlier than deploying the code, it is best to conduct an intensive code evaluate to make sure the assets you’re deploying meet your group’s necessities.

AWS CDK software – ./

To make this software modular and moveable, we’ve structured it in separate AWS CDK nested stacks:

  • vpc-stack – deploys a VPC with two remoted subnets, together with three VPC endpoints.
  • s3-stack – deploys an S3 bucket, copies the AppStream 2.0 PowerShell scripts, and shops the bucket identify in an SSM parameter.
  • appstream-service-roles-stack – deploys AppStream 2.0 service roles.
  • appstream-stack – deploys the AppStream 2.0 stack and fleet, together with the required IAM roles and safety teams.
  • appstream-start-fleet-stack – builds a customized useful resource that begins the AppStream 2.0 fleet.
  • notebook-stack – deploys a SageMaker pocket book, together with IAM roles, safety teams, and an AWS Key Administration Service (AWS KMS) encryption key.
  • saml-stack – deploys a SAML function as a placeholder for SAML authentication.

PowerShell scripts

The answer makes use of the next PowerShell scripts contained in the AppStream 2.0 situations:

  • sagemaker-notebook-launcher.ps1 – This script is a part of the AppStream 2.0 picture and downloads the sagemaker-notebook.ps1 script.
  • sagemaker-notebook.ps1 – begins the method of validating the session and producing the SageMaker pre-signed URL.

Be aware: Having the second script reside on Amazon S3 gives flexibility. You may modify this script with out having to create a brand new AppStream 2.0 picture.

Deployment Stipulations

To deploy this resolution, your deployment surroundings should meet the next conditions:

Be aware: We used AWS Cloud9 with Amazon Linux 2 to check this resolution, because it comes preinstalled with many of the conditions for deploying this resolution.

Deploy the answer

Now that the design and parts, you’re able to deploy the answer.

Be aware: In our demo resolution, we deploy two stream.normal.small AppStream 2.0 situations, utilizing Home windows Server 2019. This provides you an affordable instance to work from. In your personal surroundings you may want extra situations, a distinct occasion sort, or a distinct model of Home windows. Likewise, we deploy a single SageMaker pocket book occasion of sort ml.t3.medium. To alter the AppStream 2.0 and SageMaker occasion sorts, you have to to change the stacks/ and stacks/ respectively.

Step 1: AppStream 2.0 picture

An AppStream 2.0 picture comprises functions which you could stream to your customers. It’s what lets you curate the person expertise by preconfiguring the settings of the functions you stream to your customers.

To construct an AppStream 2.0 picture:

  1. Construct a picture following the Create a Customized AppStream 2.0 Picture by Utilizing the AppStream 2.0 Console tutorial.

    Be aware: In Step 1: Set up Functions on the Picture Builder on this tutorial, you may be requested to decide on an Occasion household. For this instance, we selected Basic Objective. For those who select a distinct Occasion household, you have to to ensure the appstream_instance_type specified below Step 2: Code modification is of the identical household.

    In Step 6: End Creating Your Picture on this tutorial, you may be requested to supply a singular picture identify. Be aware down the picture identify as you have to it in Step 2 of this weblog publish.

  2. Copy notebook-launcher.ps1 to a location on the picture. We suggest that you just copy it to C:AppStream.
  3. In Step 2—Create an AppStream 2.0 Software Catalog—of the tutorial, use C:WindowsSystem32Windowspowershellv1.0powershell.exe as the applying, and the trail to notebook-launcher.ps1 because the launch parameter.

Be aware: Whereas testing your software throughout the picture constructing course of, the PowerShell script will fail as a result of the underlying infrastructure shouldn’t be current. You may ignore that failure throughout the picture constructing course of.

Step 2: Code modification

Subsequent, you could modify a few of the code to suit your surroundings.

Make the next adjustments within the cdk.json file:

  • vpc_cidr – Provide your most popular CIDR vary for use for the VPC.

    Be aware: VPC CIDR ranges are your personal IP area and thus can include any legitimate RFC 1918 vary. Nonetheless, if the VPC you’re planning on utilizing for AppStream 2.0 wants to hook up with different components of your personal community (on premise or different VPCs), you’ll want to select a spread that doesn’t battle or overlap with the remainder of your infrastructure.

  • appstream_Image_name – Enter the picture identify you selected while you developed the Appstream 2.0 picture in Step 1.a.
  • appstream_environment_name – The surroundings identify is strictly beauty and drives the naming of your AppStream 2.0 stack and fleet.
  • appstream_instance_type – Enter the AppStream 2.0 occasion sort. The occasion sort have to be a part of the identical occasion household you utilized in Step 1 of the To construct an AppStream 2.0 picture part. For an inventory of AppStream 2.0 situations, go to
  • appstream_fleet_type – Enter the fleet sort. Allowed values are ALWAYS_ON or ON_DEMAND.
  • Idp_name – When you’ve got built-in SAML with this resolution, you have to to enter the IdP identify you selected when creating the SAML supplier within the IAM Console.

Step 3: Deploy the AWS CDK software

The CDK software deploys the CDK stacks.

The stacks embody:

  • VPC with remoted subnets
  • VPC Endpoints for S3, SageMaker, and Programs Supervisor
  • S3 bucket
  • AppStream 2.0 stack and fleet
  • Two AppStream 2.0 stream.normal.small situations
  • A single SageMaker ml.t2.medium pocket book

Run the next instructions to deploy the AWS CDK software:

  1. Set up the AWS CDK Toolkit.
  2. Create and activate a digital surroundings.
    python -m venv .datasandbox-env supply .datasandbox-env/bin/activate
  3. Change listing to the basis folder of the code repository.
  4. Set up the required packages.
    pip set up -r necessities.txt
  5. For those who haven’t used AWS CDK in your account but, run:
  6. Deploy the AWS CDK stack.

Step 4: Take a look at the answer

After the stack has efficiently deployed, permit roughly 25 minutes for the AppStream 2.0 fleet to succeed in a working state. Testing will fail if the fleet isn’t working.

With out SAML

For those who haven’t added SAML authentication, use the next steps to check the answer.

  1. Within the AWS Administration Console, go to AppStream 2.0 after which to Stacks.
  2. Choose the stack, after which choose Motion.
  3. Choose Create streaming URL.
  4. Enter any person identify and choose Get URL.
  5. Enter the URL in one other tab of your browser and take a look at your software.


In case you are utilizing SAML authentication, you should have a federated login URL that you’ll want to go to.

If the whole lot is working, your SageMaker pocket book might be launched as proven in Determine 3.

Figure 3: SageMaker Notebook

Determine 3: SageMaker Pocket book

Be aware: when you obtain an internet browser timeout, confirm that the SageMaker pocket book occasion “Data-Sandbox-Notebook” is at the moment in InService standing.


Auditing for this resolution is offered by AWS CloudTrail and AppStream 2.0 Utilization Reviews. Although CloudTrail is enabled by default, to gather and retailer the CloudTrail logs, you could create a path on your AWS account.

The next logs might be out there so that you can use, to supply auditing.

  • Login – CloudTrail
    • Person ID
    • IAM SAML function
    • AppStream stack
  • S3 – CloudTrail
    • IAM function
    • Supply IP
    • S3 bucket
    • Amazon S3 object
  • AppStream 2.0 occasion IP tackle – AppStream 2.0 utilization reviews

Connecting the dots

To get an correct thought of your customers’ exercise, it’s a must to correlate some logs from totally different companies. First, you acquire the login info from CloudTrail. This provides you the person ID of the person who logged in. You then acquire the Amazon S3 put from CloudTrail, which supplies you the IP tackle of the AppStream 2.0 occasion. And at last, you acquire the AppStream 2.0 utilization report which supplies you the IP tackle of the AppStream 2.0 occasion, plus the person ID. This lets you join the person ID to the exercise on Amazon S3. For auditing & controlling exploration actions with SageMaker, please go to this GitHub repository.

Although the logs are mechanically being collected, what we’ve got proven you here’s a handbook approach of sifting by these logs. For a extra strong resolution on querying and analyzing CloudTrail logs, go to Querying AWS CloudTrail Logs.

Prices of this Answer

The price for working this resolution will rely upon numerous elements just like the occasion measurement, the quantity of information you retailer, and what number of hours you employ the answer. AppStream 2.0 is charged per occasion hour and there may be one occasion on this instance resolution. You may see particulars on the AppStream 2.0 pricing web page. VPC endpoints are charged by the hour and by how a lot statistics passes by them. There are three VPC endpoints on this resolution (S3, System Supervisor, and SageMaker). VPC endpoint pricing is described on the Privatelink pricing web page. SageMaker Notebooks are charged based mostly on the variety of occasion hours and the occasion sort. There’s one SageMaker occasion on this resolution, which can be eligible at no cost tier pricing. See the SageMaker pricing web page for extra particulars. Amazon S3 storage pricing is determined by how a lot statistics you retailer, what sort of storage you employ, and the way a lot statistics transfers out and in of S3. The use on this resolution could also be eligible at no cost tier pricing. You may see particulars on the S3 pricing web page.

Earlier than deploying this resolution, make sure that to calculate your value utilizing the AWS Pricing Calculator, and the AppStream 2.0 pricing calculator.


Congratulations! You could have deployed an answer that gives your customers with entry to delicate and remoted statistics in a safe method utilizing AppStream 2.0. You could have additionally applied a mechanism that’s designed to stop person impersonation, and enabled end-to-end auditing of all person actions.

To study how Amazon is utilizing AppStream 2.0, go to the weblog publish How Amazon makes use of AppStream 2.0 to supply statistics scientists and analysts with entry to delicate statistics.

When you’ve got suggestions about this publish, submit feedback within the Feedback part under.

Need extra AWS Safety how-to content material, information, and have bulletins? Observe us on Twitter.


Chaim Landau

As a Senior Cloud Architect at AWS, Chaim works with massive enterprise clients, serving to them create modern options to handle their cloud challenges. Chaim is captivated with his work, enjoys the creativity that goes into constructing options within the cloud, and derives pleasure from passing on his data. In his spare time, he enjoys out of doors actions, spending time in nature, and immersing himself in his books.


JD Braun

As a Knowledge and Machine Studying Engineer, JD helps organizations design and implement trendy statistics architectures to ship worth to their inner and exterior clients. In his free time, he enjoys exploring Minneapolis along with his fiancée and black lab.

Leave a Reply

Your email address will not be published. Required fields are marked *