AWS transform documentation change
Summary
Added new section 'Configuring the VPC endpoint policy' with policy example, and updated terminology from 'WebApp' to 'web application' throughout the document
Security assessment
The change adds documentation about VPC endpoint policy configuration, which is a security feature for controlling access to AWS Transform API through PrivateLink. The policy example shows how to restrict access to specific AWS Transform service profiles using principal ARN conditions. However, there's no evidence this addresses a specific security vulnerability or incident - it appears to be routine documentation improvement for a security feature.
Diff
diff --git a/transform/latest/userguide/vpc-webapp-access.md b/transform/latest/userguide/vpc-webapp-access.md index 9dc0d4877..ff8ab55a5 100644 --- a//transform/latest/userguide/vpc-webapp-access.md +++ b//transform/latest/userguide/vpc-webapp-access.md @@ -7 +7 @@ -How it worksArchitecturePrerequisitesSetting up controlled internet egressVerificationTroubleshootingCost considerationsCleanup +How it worksArchitecturePrerequisitesConfiguring the VPC endpoint policySetting up controlled internet egressVerificationTroubleshootingCost considerationsCleanup @@ -9 +9 @@ How it worksArchitecturePrerequisitesSetting up controlled internet egressVerifi -# Accessing the AWS Transform WebApp from a VPC +# Accessing the AWS Transform web application from a VPC @@ -11 +11 @@ How it worksArchitecturePrerequisitesSetting up controlled internet egressVerifi -When you use AWS PrivateLink to access the AWS Transform API privately from your VPC, the webapp requires additional network configuration. It serves static content (HTML, JavaScript, CSS) through CloudFront, which requires internet connectivity. API calls from the webapp go through your VPC endpoint and remain fully private. +When you use AWS PrivateLink to access the AWS Transform API privately from your VPC, the web application requires additional network configuration. It serves static content (HTML, JavaScript, CSS) through CloudFront, which requires internet connectivity. API calls from the web application go through your VPC endpoint and remain fully private. @@ -13 +13 @@ When you use AWS PrivateLink to access the AWS Transform API privately from your -This guide shows you how to configure controlled internet egress from your VPC so the webapp can load while keeping your VPC locked down to only the required domains. +This guide shows you how to configure controlled internet egress from your VPC so the web application can load while keeping your VPC locked down to only the required domains. @@ -17 +17 @@ This guide shows you how to configure controlled internet egress from your VPC s -The AWS Transform WebApp uses two network paths: +The AWS Transform web application uses two network paths: @@ -19 +19 @@ The AWS Transform WebApp uses two network paths: - * **API calls** – When you interact with the webapp (starting jobs, viewing workspaces, and so on), the browser sends API requests to `api.transform.`region`.on.aws`. With the `com.amazonaws.`region`.api.transform` VPC endpoint and private DNS enabled, these requests resolve to a private IP address in your VPC and never leave the AWS network. + * **API calls** – When you interact with the web application (starting jobs, viewing workspaces, and so on), the browser sends API requests to `api.transform.`region`.on.aws`. With the `com.amazonaws.`region`.api.transform` VPC endpoint and private DNS enabled, these requests resolve to a private IP address in your VPC and never leave the AWS network. @@ -21 +21 @@ The AWS Transform WebApp uses two network paths: - * **Static content** – The webapp's HTML, JavaScript, and CSS files are served through CloudFront via ``tenant-id`.transform.`region`.on.aws`. Loading these files requires internet connectivity because CloudFront content delivery is only available over the public internet. + * **Static content** – The web application's HTML, JavaScript, and CSS files are served through CloudFront via ``tenant-id`.transform.`region`.on.aws`. Loading these files requires internet connectivity because CloudFront content delivery is only available over the public internet. @@ -28 +28 @@ The AWS Transform WebApp uses two network paths: -To enable the webapp while maintaining security, you create a controlled egress path using AWS Network Firewall with domain-based filtering. This allows your VPC to reach _only_ the specific domains required by the webapp while blocking all other internet traffic. +To enable the web application while maintaining security, you create a controlled egress path using AWS Network Firewall with domain-based filtering. This allows your VPC to reach _only_ the specific domains required by the web application while blocking all other internet traffic. @@ -32 +32 @@ To enable the webapp while maintaining security, you create a controlled egress -The following diagram shows the network path for webapp traffic: +The following diagram shows the network path for web application traffic: @@ -67 +67 @@ Before you begin, ensure you have: - * A AWS Transform VPC endpoint for `com.amazonaws.`region`.api.transform` with private DNS enabled. This is the endpoint used by the WebApp browser client. For instructions on creating endpoints, see [AWS Transform and interface endpoints (AWS PrivateLink)](./vpc-interface-endpoints.html). + * A AWS Transform VPC endpoint for `com.amazonaws.`region`.api.transform` with private DNS enabled. This is the endpoint used by the web application browser client. For instructions on creating endpoints, see [AWS Transform and interface endpoints (AWS PrivateLink)](./vpc-interface-endpoints.html). @@ -71,0 +72,30 @@ Before you begin, ensure you have: +## Configuring the VPC endpoint policy + +If your `com.amazonaws.`region`.api.transform` VPC endpoint has a custom endpoint policy, you must add a statement that allows AWS Transform operations. Without this, the web application will be unable to make API calls through the endpoint. + +Add the following statement to your VPC endpoint policy. Replace `AWS_TRANSFORM_PROFILE_ARN` with your AWS Transform service profile ARN, which you can find in the AWS Transform console on the _Settings_ page. + + + { + "Statement": [ + { + "Sid": "AllowAWSTransform", + "Effect": "Allow", + "Principal": "*", + "Action": "*", + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:PrincipalArn": [ + "AWS_TRANSFORM_PROFILE_ARN" + ] + } + } + } + ] + } + +###### Note + +If your VPC endpoint uses the default policy (full access), no changes are needed and you can skip this step. + @@ -74 +104 @@ Before you begin, ensure you have: -Complete the following steps to configure Network Firewall with domain-based filtering for the AWS Transform WebApp. +Complete the following steps to configure Network Firewall with domain-based filtering for the AWS Transform web application. @@ -144 +174 @@ Create a route table for the public subnet that routes internet traffic to the i -Create a stateful rule group that allows traffic only to the domains required by the AWS Transform WebApp. +Create a stateful rule group that allows traffic only to the domains required by the AWS Transform web application. @@ -181,2 +211,2 @@ Domain | Purpose -`.cloudfront.net` | CloudFront CDN – serves webapp static assets (JavaScript, CSS, images) -`.transform.`region`.on.aws` | Webapp tenant URL – the browser loads the initial page from this domain via CloudFront +`.cloudfront.net` | CloudFront CDN – serves web application static assets (JavaScript, CSS, images) +`.transform.`region`.on.aws` | Web application tenant URL – the browser loads the initial page from this domain via CloudFront @@ -192 +222 @@ Domain | Purpose -The `.cloudfront.net` wildcard allows traffic to any CloudFront distribution, not only the AWS Transform WebApp's. A narrower domain filter is not possible because CloudFront edge IPs are shared across distributions and TLS SNI inspection cannot distinguish individual distributions behind the same domain. +The `.cloudfront.net` wildcard allows traffic to any CloudFront distribution, not only the AWS Transform web application's. A narrower domain filter is not possible because CloudFront edge IPs are shared across distributions and TLS SNI inspection cannot distinguish individual distributions behind the same domain. @@ -339 +369 @@ From an instance in the private subnet, verify the configuration: - # Should SUCCEED - webapp content via CloudFront (allowed) + # Should SUCCEED - web application content via CloudFront (allowed) @@ -374 +404 @@ Expected output: `available | True` -The webapp does not load (connection timeout) +The web application does not load (connection timeout)