Implementing IP-based access restrictions for Amazon SageMaker Unified Studio
This article shows you how to implement IP-based access controls for the Amazon SageMaker Unified Studio portal. This solution helps organizations that need robust access controls to enhance security and meet compliance requirements.
Introduction
In the rapidly evolving healthcare sector, secure data sharing between providers remains a critical challenge. It’s important for healthcare customers to address unique risks that are associated with data protection and Health Insurance Portability and Accountability Act (HIPAA) compliance. Therefore, AWS Enterprise Support frequently partners with these customers to help them protect their sensitive data and maintain regulatory compliance. One method that healthcare organizations can use to implement solutions for cross-provider data sharing is Amazon SageMaker Unified Studio. This service is a unified data and AI development environment that provides access to organizational data.
During rigorous security assessments that often include penetration testing, organizations might uncover potential vulnerabilities in their configurations. These findings show how sophisticated attackers might try to bypass existing controls through techniques such as URL extraction. In such cases, security teams typically request additional mechanisms that enforce strict boundaries on access and protect against the identified findings. AWS Enterprise Support engages with AWS service teams to investigate issues and develop robust solutions.
This case study demonstrates how AWS Enterprise Support collaborates with healthcare customers to architect and implement enhanced security measures, such as IP-based access control solutions. AWS Enterprise Support works closely with customers and helps create multiple layers of protection. Customers use AWS services for their sensitive data and AI/ML initiatives and significantly improve their overall security posture.
Solution overview
To enforce the IP-based restriction, AWS Enterprise Support reviewed and tested a solution that uses only AWS Identity and Access Management (IAM) policies. An explicit Deny statement conditioned on the aws:SourceIp key limits the role to requests that originate from your organization's approved IP ranges, so a request from any other address is denied even when it carries valid credentials. Because the restriction is applied during IAM policy evaluation rather than by a change to the network or the domain, it integrates with Amazon SageMaker Unified Studio's existing security model and requires no architectural changes to your current setup. As your requirements evolve, you change the allowed ranges by editing the policy.
Prerequisites
To implement the solution, you need the following prerequisites:
- Amazon SageMaker Unified Studio environment with a pre-configured AmazonSageMakerDomainExecution role
- Administrator access to IAM
- List of allowed IP ranges within your organization
Solution implementation
The AmazonSageMakerDomainExecution role has the AWS managed policy SageMakerStudioDomainExecutionRolePolicy attached to it. Amazon SageMaker Unified Studio creates this role on your behalf. For certain actions in the portal, Amazon SageMaker Unified Studio assumes this role in the account where you created it and checks that the role is authorized to perform the action. A Deny policy attached to this role is therefore evaluated for those portal actions, which is why the role is the place to attach the IP-based restriction.
For more information, see Create an Amazon SageMaker Unified Studio domain - manual setup.
Step 1: Create a custom managed policy
Create an identity-based policy that denies every action to the principal it's attached to when the request's source IP address is outside the specified ranges. For more information, see Create the policy. Copy and paste the following policy document into the JSON text box:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]
}
}
}
}
Note: Replace the aws:SourceIp condition key values with your organization's IP ranges. aws:SourceIp is the public IP address from which the request reaches AWS, so if your users reach the portal through a NAT gateway, proxy, or VPN, list that device's egress address rather than the users' internal addresses. Because NotIpAddress matches any address that is not in the list, an IPv4-only list also denies every IPv6 caller; add your IPv6 ranges if you use them. The key isn't available for requests that arrive through a VPC endpoint (aws:VpcSourceIp applies there), so validate the policy against your real access path in Step 3 before relying on it.
For more information, see AWS: Denies access to AWS based on the source IP.
Step 2: Attach the custom policy to the IAM role
To attach the custom policy to the AmazonSageMakerDomainExecution role, follow these steps:
- Open the IAM console.
- In the navigation pane, choose Roles.
- In the list, choose AmazonSageMakerDomainExecution.
- Choose the Permissions tab.
- Choose Add permissions, and then choose Attach policies.
- At the top of the policy list, in the search box, start typing the name of the policy that you created in Step 1.
- Select the policy, and then choose Add permissions.
Step 3: Test and validate the denial of access
- From an allowed IP range, confirm that you can open the Amazon SageMaker Unified Studio portal and perform a normal action.
- From an IP address outside the allowed ranges, confirm that the portal denies access.
The following example screenshot shows the access denied response from a SageMaker Unified Studio portal while the IP-based Deny policy is in effect.
Note: You can use the same mechanism and steps to restrict access to the Amazon DataZone data portal. Attach the policy to the AmazonDataZoneDomainExecution role instead.
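The following Python script is an added example, not code from the original article or from AWS. It builds the Step 1 policy document from a list of approved CIDRs, rejects a catch-all range that would make the Deny useless, and evaluates the NotIpAddress condition locally against sample source addresses so that you can check your ranges before attaching the policy in Step 2. The CIDRs and sample addresses are constructed from RFC 5737 and RFC 3849 documentation ranges; the `is_denied` evaluator models only this one kind of Deny statement and is a pre-deployment sanity check, not a substitute for the Step 3 portal test or for `aws iam simulate-principal-policy` against the real role.

```python
"""Pre-deployment check for the IP-based Deny policy (added example, not from the article).

Builds the Step 1 policy document from approved CIDRs, rejects ranges that would
make the Deny ineffective, and evaluates the NotIpAddress condition locally against
sample source addresses. The ranges and addresses below are constructed from
documentation blocks, not real organizational addresses.
"""
import ipaddress
import json

# Constructed allow-list (RFC 5737 documentation ranges); replace with your own.
APPROVED_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]


def validate_cidrs(cidrs):
    """Normalize each CIDR (host bits cleared) and reject catch-all ranges.

    A zero-length prefix such as 0.0.0.0/0 or ::/0 would make NotIpAddress never
    match, so the Deny would never fire; treat that as a configuration error.
    """
    normalized = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)  # raises ValueError if malformed
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} matches every address; the Deny would never apply")
        normalized.append(str(net))
    return normalized


def build_ip_deny_policy(cidrs):
    """Return the Step 1 policy document with the approved ranges filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": validate_cidrs(cidrs)}},
        },
    }


def _as_list(value):
    # IAM accepts either a single string or a list for condition values.
    return [value] if isinstance(value, str) else list(value)


def _in_any(source_ip, cidrs):
    addr = ipaddress.ip_address(source_ip)
    # An IPv6 caller is never "in" an IPv4 range, so an IPv4-only list denies all IPv6 traffic.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def is_denied(policy, source_ip):
    """Local approximation of IAM evaluation for Deny statements on aws:SourceIp.

    Mirrors the rule that an explicit Deny wins whenever its condition matches.
    Only the IpAddress and NotIpAddress operators are modeled; use this as a
    sanity check before Step 2, not as a replacement for the Step 3 portal test
    or for `aws iam simulate-principal-policy`.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        matched = True  # a Deny with no Condition matches every request
        if "NotIpAddress" in cond:
            matched = matched and not _in_any(source_ip, cond["NotIpAddress"]["aws:SourceIp"])
        if "IpAddress" in cond:
            matched = matched and _in_any(source_ip, cond["IpAddress"]["aws:SourceIp"])
        if matched:
            return True
    return False


def check_plan(cidrs, sample_ips):
    """Map each sample address to 'deny' or 'not denied' under the built policy."""
    policy = build_ip_deny_policy(cidrs)
    return {ip: ("deny" if is_denied(policy, ip) else "not denied") for ip in sample_ips}


if __name__ == "__main__":
    # Constructed samples: one address inside each approved range, one outside, one IPv6.
    samples = ["192.0.2.10", "203.0.113.200", "198.51.100.7", "2001:db8::1"]
    print(json.dumps(build_ip_deny_policy(APPROVED_CIDRS), indent=2))
    for ip, verdict in check_plan(APPROVED_CIDRS, samples).items():
        print(f"{ip:>15}: {verdict}")
```

Once the policy is attached, the authoritative check short of opening the portal is the IAM policy simulator with a source IP supplied as context, for example `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:role/AmazonSageMakerDomainExecution --action-names sts:GetCallerIdentity --context-entries ContextKeyName=aws:SourceIp,ContextKeyType=ip,ContextKeyValues=198.51.100.7` (the account ID is a placeholder); an address outside your ranges should come back as explicitDeny.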
Cleanup
You don't need to terminate any resources, because this solution doesn't provision any.
To remove the IP-based restriction, follow these steps:
- Detach the custom policy that you created in Step 1 from the AmazonSageMakerDomainExecution role.
- Delete the custom policy if you no longer need it.
Conclusion
Through IP-based access restrictions for the Amazon SageMaker Unified Studio portal, you can use existing AWS services to address complex security challenges. This solution, developed through collaboration between AWS Enterprise Support and healthcare customers, showcases the flexibility and effectiveness of IAM policies to create tailored security measures.
Organizations can use this approach to achieve a balance between security and operational efficiency. For industries that deal with sensitive data, maintaining compliance while fostering innovation is crucial. This article’s solution proves valuable to these industries through its non-intrusive nature. It promotes enhanced protection without the need to disrupt existing workflows or require significant architectural changes. As security landscapes evolve and organizational needs change, you can easily modify the IP-based access controls to accommodate new requirements. This flexibility makes sure that your security measures can grow and adapt alongside the organization to provide long-term benefits.
AWS Enterprise Support can help organizations that must implement similar security enhancements on how to use AWS services for complex use cases. Our team of Cloud Support Engineers (CSEs) and Technical Account Managers (TAMs) can provide tailored guidance, share industry best practices, and offer hands-on support to help you optimize your AWS environment. To learn more about our plans and offerings, see AWS Support.
About the authors
Rashmiman Ray
Rashmiman is a TAM at AWS in New Jersey. He works with Enterprise customers to provide technical insights and cloud optimization strategies that drive their success in the cloud. Outside of work, Rashmiman enjoys hiking, playing cricket, and cooking Indian delicacies.
Ramesh Narayanaswamy
Ramesh is a Sr. TAM at AWS in Boston, Massachusetts. He partners with AWS Enterprise customers to deliver proactive technical guidance and best-practice recommendations for cloud optimization. Outside of work, Ramesh likes to stay active through tennis, volleyball, and nature activities.