Access Control for EC2 Hosted Jupyter Notebooks in AI Research

Question

Pulumi · Accepted Answer

To establish access control for EC2 hosted Jupyter Notebooks in AI Research, we need to set up an Amazon Web Services (AWS) EC2 instance that serves the Jupyter Notebook application. We will ensure that the instance is secured with appropriate access control measures.

Below is a program written in Python using Pulumi's AWS SDK to accomplish the following:
1. Set up an EC2 instance.
2. Assign an IAM role with the necessary permissions to the instance.
3. Apply security group rules to allow necessary traffic (like HTTP, HTTPS, or specific ports for Jupyter Notebook).
4. Deploy Jupyter Notebook inside the EC2 instance (note that this will be a mock setup, as the actual installation would happen outside the scope of an IaC template).

This is a high-level view of the necessary steps and how we could enforce stricter access control using IAM roles and security groups.

```python
import pulumi
import pulumi_aws as aws

# Create an IAM role for the EC2 instance to grant it the necessary permissions.
ec2_role = aws.iam.Role("ec2Role", assume_role_policy="""{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"}
    }]
}""")

# Attach the IAM policy to the role created above. Adjust the policy according to your actual needs.
policy_attachment = aws.iam.RolePolicyAttachment("ec2RoleAttach",
    role=ec2_role.name,
    policy_arn=aws.iam.ManagedPolicy.AmazonS3ReadOnlyAccess.value)

# Create an EC2 instance profile to associate the role with the EC2 instance.
instance_profile = aws.iam.InstanceProfile("instanceProfile", role=ec2_role.name)

# Create a security group to control access to the EC2 instance.
secgroup = aws.ec2.SecurityGroup('secgroup',
    description='Allow access to Jupyter Notebook',
    ingress=[
        {'protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'cidr_blocks': ['0.0.0.0/0']},
        {'protocol': 'tcp', 'from_port': 8888, 'to_port': 8888, 'cidr_blocks': ['0.0.0.0/0']}  # Jupyter Notebook typically runs on port 8888
    ])

# Create the EC2 instance with the necessary configurations.
ec2_instance = aws.ec2.Instance('jupyterNotebookInstance',
    instance_type='t2.micro',  # Choose an appropriate instance type for your workloads.
    ami='ami-0c55b159cbfafe1f0',  # Choose an appropriate AMI for Jupyter Notebook, ideally one that comes pre-loaded with data science tools.
    key_name='my-key-name',  # Replace with your SSH key pair name.
    security_groups=[secgroup.id],  # Associate the security group with the instance.
    iam_instance_profile=instance_profile.arn  # Associate the IAM role with the instance.
)

# Export the public IP to access the Jupyter Notebook.
pulumi.export('publicIp', ec2_instance.public_ip)
```

In this script:
- An IAM role `ec2Role` is established that the EC2 instance could assume, granting permissions defined in the role policy. The policy in this example allows read-only access to S3.
- A security group `secgroup` is created, which allows SSH connections on port 22 for remote management and connections to port 8888 where Jupyter Notebook is expected to operate.
- An EC2 instance `jupyterNotebookInstance` is launched with the specified instance profile and associated with our security group to regulate network access.
- The instance's public IP is exported for access, which you'll point your browser to with `http://<publicIp>:8888` to access the Jupyter Notebook.

Remember, this program sets up the cloud infrastructure needed to host the Jupyter Notebook. You will need to configure the EC2 instance to install Jupyter Notebook and any other required tools and libraries manually or through user data scripts. Also, make sure to replace values like the AMI, key name, and any CIDR blocks with ones that are appropriate for your setup.