Releases: awslabs/service-workbench-on-aws

v4.0.0

15 Oct 02:07
546da18

Features

  • Egress, Secured Workspaces (AppStream) and Account update wizard (#750) (b990924)

Service Workbench is incrementing a major release version to bring attention to three new features.

1. Member account onboarding improvement

The Service Workbench member account onboarding process has been changed to bring it in line with the Bring Your Own Bucket (BYOB) process. The intent is that onboarding an account to host data and onboarding an account to host researcher workspace compute should follow the same process. The new process eliminates twelve points of context switching and manual data entry.

This change applies to all updated installations, and can be applied to those installations that have already onboarded member accounts.

To learn more about the new process, refer to the updated instructions in the Service Workbench Post Deployment guide.

Important Notes:

  • If you have already onboarded a member account for your Service Workbench installation, and this account has active or stopped workspaces, the safest course would be to terminate all workspaces prior to the update. We did test a scenario with active and stopped workspaces and observed no impact during testing, but because this update is a major release, we recommend the safest course.
  • Any member accounts that were onboarded prior to this update will need to be updated through the Service Workbench user interface, and you will be prompted to do so when visiting the new “Accounts” page in Service Workbench. This update is necessary because a new capability checks whether the member and main account code versions are in sync and shows a visual indicator when they are not, giving you a clear indication that an update is needed.

2. Enabling secure desktop

This release introduces AppStream 2.0 as the access point for Service Workbench workspaces. With it enabled, researchers cannot egress data from their Service Workbench workspaces to their client machine, and Service Workbench workspaces have no access to the internet.

Core networking changes within the member account move researcher workspaces to private subnets, and the method of connecting to a researcher workspace changes. Restricting access by public IP is no longer available; the per-workspace security layer that replaces IP restriction is outlined in the connection instructions in the Service Workbench workspace UI.

This feature is disabled by default upon install. To enable this feature, change the feature flag isAppStreamEnabled in the configuration file to true.

Important Notes:

  • Once this feature is enabled for a Service Workbench installation, it cannot be disabled without deleting the installation and reinstalling. This is because there are core networking changes for workspaces that cannot be reverted.
  • If you have an existing installation without the feature flag enabled, and want to activate this feature flag, terminate all workspaces prior to activating the flag.
  • AppStream service use incurs additional cost; we recommend reviewing the cost impact before configuring your AppStream fleet: https://aws.amazon.com/appstream2/pricing/
  • Because the Service Workbench workspaces do not have internet connectivity, VPC endpoints are introduced for all AWS services that the workspaces use (such as S3, EC2, and AppStream).
  • Significant updates to the post-deployment configuration instructions for when this feature is enabled are outlined here

3. Enabling secure egress

As a complement to the Secure Desktop functionality, this feature provides a mount point per workspace (accessible only from that workspace) where a researcher can stage data that they wish to take out of the Service Workbench installation. Once the data is placed in this location (called the Egress Store), the researcher can choose the Submit Egress Request button, and a message containing the metadata for their egress request is published to an SNS topic (https://aws.amazon.com/sns/).

Like the Secure Desktop feature, this feature is disabled by default upon install. To enable it, change the feature flag enableEgressStore in the configuration file to true. Note that this feature flag is independent of the Secure Desktop feature flag; if it is activated by itself, nothing prevents the researcher from copying data to their local client (and thus outside the egress store).

Important Notes:

  • Currently, the message goes to the SNS topic, but no subscriber is added to the topic. It is your responsibility to subscribe to the topic and to act on the Egress Store data source with elevated permissions through the AWS Management Console.
  • When this feature is enabled, Bring Your Own Bucket (BYOB) data sources are read-only. This is because a BYOB data source can live in a different AWS account (unlike MyStudy and Organizational Study, which live in the main Service Workbench account). Allowing writes to a BYOB data source would be uncontrolled egress.
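Since the release notes leave the egress topic without a subscriber, the following is an added example (not Service Workbench project code) of the minimal subscriber a reviewer would attach: a Lambda handler that accepts the SNS-to-Lambda envelope, rejects messages from any topic other than the one it expects, and turns each egress request into an audit record. The outer envelope (Records[].Sns.Message) is the standard SNS format; the field names inside the message (requestId, workspaceId, requestedBy, egressStore), the topic ARN and the account id are assumptions, because the page does not document the message schema.

```python
"""Audit subscriber for the Service Workbench egress-request SNS topic.

Added example, not project code. Assumptions: the topic ARN below is a placeholder,
and the JSON fields inside the SNS Message are guessed names, since the release notes
only say the message carries "the metadata for their egress request".
"""
import json

EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:swb-egress-requests"  # placeholder
REQUIRED_FIELDS = ("requestId", "workspaceId", "requestedBy", "egressStore")  # assumed schema

# Constructed sample event in the SNS -> Lambda envelope format (not a captured message).
SAMPLE_EVENT = {
    "Records": [{
        "EventSource": "aws:sns",
        "Sns": {
            "TopicArn": EXPECTED_TOPIC_ARN,
            "MessageId": "11111111-2222-3333-4444-555555555555",
            "Timestamp": "2021-10-15T02:07:00.000Z",
            "Message": json.dumps({
                "requestId": "req-0001",
                "workspaceId": "ws-abc123",
                "requestedBy": "researcher@example.com",
                "egressStore": "s3://placeholder-egress-bucket/ws-abc123/",
            }),
        },
    }]
}


def parse_egress_event(event, expected_topic_arn=EXPECTED_TOPIC_ARN):
    """Split an SNS event into (accepted, rejected) audit records.

    Messages are rejected, not silently dropped, when they arrive from an
    unexpected topic, are not JSON, or lack any of the expected fields.
    """
    accepted, rejected = [], []
    for record in event.get("Records", []):
        sns = record.get("Sns", {})
        message_id = sns.get("MessageId")
        if sns.get("TopicArn") != expected_topic_arn:
            rejected.append({"messageId": message_id, "reason": "unexpected topic"})
            continue
        try:
            body = json.loads(sns.get("Message", ""))
        except json.JSONDecodeError:
            rejected.append({"messageId": message_id, "reason": "message is not JSON"})
            continue
        if not isinstance(body, dict):
            rejected.append({"messageId": message_id, "reason": "message is not a JSON object"})
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in body]
        if missing:
            rejected.append({"messageId": message_id, "reason": f"missing fields: {missing}"})
            continue
        audit = {"messageId": message_id, "receivedAt": sns.get("Timestamp")}
        audit.update({f: body[f] for f in REQUIRED_FIELDS})
        accepted.append(audit)
    return accepted, rejected


def lambda_handler(event, context=None):
    """Lambda entry point: log every request so the reviewer has a durable trail."""
    accepted, rejected = parse_egress_event(event)
    for rec in accepted:
        print("EGRESS_REQUEST " + json.dumps(rec))           # lands in CloudWatch Logs
    for rec in rejected:
        print("EGRESS_REQUEST_REJECTED " + json.dumps(rec))
    return {"accepted": len(accepted), "rejected": len(rejected)}


def subscribe_lambda_to_topic(topic_arn, function_arn):
    """Wire the function to the topic (live call; boto3 imported lazily).

    SNS also needs permission to invoke the function, granted separately with
    lambda add-permission / AddPermission (principal sns.amazonaws.com).
    """
    import boto3
    sns = boto3.client("sns")
    return sns.subscribe(TopicArn=topic_arn, Protocol="lambda",
                         Endpoint=function_arn)["SubscriptionArn"]


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

The handler only records the request; the release notes say the actual release of data from the Egress Store remains a manual, elevated-permission action in the AWS Management Console, so the record is what a reviewer acts on.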

v3.5.0

14 Oct 19:49
c08de10

Features

  • dynamic version number from CHANGELOG and automation of Beta versioning (#716) (5887170)

Bug Fixes

  • build ami version bug (#738) (a39b3b4)
  • bypass develop protection when adding beta (#725) (fe4c0ff)
  • downgrade node-ssh version to fix integ tests (#744) (f5ce251)
  • integ test setup flakiness fix (#727) (65ea43d)
  • namespace code works with configs with no namespace param (#717) (72c9fe3)
  • Update libcurl-devel package for RStudio to correct version (#726) (04bb82c)
  • version number before backend deployment (#724) (6d545dd)

v3.4.0

16 Sep 22:38
feb3715

Features

  • display Configuration Name and Instance Type on Workspace details card (#669) (f0fa819)
  • Pre-populate variable values in input section of new workspace configuration (#680) (8ce51b2)

v3.3.1

26 Jul 15:53
1a685f6

Bug Fixes

  • application version number (#573) (fada154)
  • Clear timer in ForceLogout.test.js to allow tests to end (#570) (4871e0f)
  • Remove delete user feature from UI and handle study permissions which have stale users (#595) (8be3f90)

v3.3.0

25 Jun 18:04
3437937

Documentation

  • Service Workbench installation guide (#545) (2be27d1)

v3.2.0

11 Jun 22:37
ce45221

Features

  • Add warning that internal authentication shouldn't be used in production (#506) (1586278)
  • Encrypt s3 buckets for EMR log bucket and CICD Artifact bucket (#508) (e86fd06)
  • study permissions only shown to Study Admin (#501) (f3eaae8)

Bug Fixes

  • add termination status for non-found workspaces (#502) (8c30378)
  • adds 'stopped' filter for workspaces (960b592)
  • Allow sagemaker to have the proper IAM permission to autostop itself (#515) (32007ed)
  • Corrected Spark defaults to fix read/write functionality from Spark (#526) (f96e1bd)
  • Do not allow users to change root password (#503) (a436f73)
  • moved notification boxes to avoid blocking the top ribbon. (#483) (5a226d7)
  • react compilation error (#500) (547f2ad)
  • Redirect non admin users to "/" if they try to access "/users" (#489) (ee3a58e)

v3.1.0

11 May 17:30
f43f7bc

Bug Fixes

  • Fix BYOB app role to only modify FS roles (#454) (35f6cce)
  • free-form strings for workspace configs (#479) (fca73f4)
  • properly handle SC products with no active versions (#468) (3c561f4)
  • Update workspace name reg exp and workspace config tags reg exp (#452) (f9b7d62)

v3.0.0

19 Apr 20:42
27e3627
  • refactor: restricting AppDeployer permissions
  • refactor: Remove permission boundary condition on launch constraint role
  • refactor: restrict sc roles

Permissions boundaries are being added to several important IAM roles used by Service Workbench as a security best practice.

Customer Impact: The actions required to successfully adopt this security enhancement are outlined below. The first two items apply to all customers; if you have created custom workspace types, all three items apply.

  1. After running the update, onboard all hosting accounts once again to benefit from the enhanced security, and test the application.
    Note: The attached pdf contains steps for onboarding hosting accounts, contact your Service Workbench Administrator if you have not performed these steps before.

  2. After running the update, import and use the newly available Service Catalog product versions for workspace types (latest version numbers) to benefit from the enhanced security.

  3. ONLY customers that have created custom workspace types: the permissions boundaries may prevent actions that were formerly allowed. Plan to validate your custom workspace types after the update. Address any issues either by modifying the custom workspaces to work within the permissions granted, or by modifying the permissions boundary for your installation (which requires a change to the Service Workbench code, specifically the IAM policies that are attached as the permissions boundary).
    Note: Any existing custom or non-custom workspace types (for example, EC2 Linux/Windows, EMR, SageMaker, R Studio) are not impacted by this upgrade.
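Because the enhancement only takes effect once hosting accounts are re-onboarded, a practitioner will want a way to confirm that the relevant roles actually carry a boundary. The following is an added example (not Service Workbench project code) of that check: it walks IAM role records in the shape returned by GetRole and flags any role under a given name prefix that has no PermissionsBoundary or one pointing at an unexpected policy. The role-name prefix, the policy ARN and the account id are assumptions; the sample records are constructed, not taken from a real account.

```python
"""Verify that IAM roles under a prefix carry the expected permissions boundary.

Added example, not project code. Role records follow the IAM GetRole shape:
{'RoleName': ..., 'PermissionsBoundary': {'PermissionsBoundaryType': 'Policy',
 'PermissionsBoundaryArn': ...}} with PermissionsBoundary absent when none is attached.
The prefix "swb-dev-" and the boundary ARN are placeholders (assumed, not from the page).
"""

EXPECTED_BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/swb-dev-boundary"  # placeholder

# Constructed sample records (placeholder account id 111122223333).
SAMPLE_ROLES = [
    {"RoleName": "swb-dev-app-deployer",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                             "PermissionsBoundaryArn": EXPECTED_BOUNDARY_ARN}},
    {"RoleName": "swb-dev-launch-constraint"},                     # no boundary attached
    {"RoleName": "swb-dev-sc-role",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                             "PermissionsBoundaryArn":
                                 "arn:aws:iam::111122223333:policy/some-other-boundary"}},
    {"RoleName": "unrelated-role"},                                # outside the prefix, ignored
]


def find_boundary_violations(roles, role_prefix, expected_boundary_arn=None):
    """Return (role_name, reason) pairs for roles that fail the boundary check.

    A role fails when it has no boundary at all, or, if expected_boundary_arn is
    given, when its boundary is a different policy than the one expected.
    """
    findings = []
    for role in roles:
        name = role.get("RoleName", "")
        if not name.startswith(role_prefix):
            continue
        boundary = role.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")
        if boundary is None:
            findings.append((name, "no permissions boundary attached"))
        elif expected_boundary_arn and boundary != expected_boundary_arn:
            findings.append((name, f"unexpected boundary {boundary}"))
    return findings


def fetch_roles_live(role_prefix):
    """Collect full role records from the current account (boto3 imported lazily).

    ListRoles omits the PermissionsBoundary attribute, so each matching role is
    re-read with GetRole, which does return it.
    """
    import boto3
    iam = boto3.client("iam")
    roles = []
    for page in iam.get_paginator("list_roles").paginate():
        for summary in page["Roles"]:
            if summary["RoleName"].startswith(role_prefix):
                roles.append(iam.get_role(RoleName=summary["RoleName"])["Role"])
    return roles


def format_report(findings):
    """Render findings as one line per role, or an all-clear line."""
    if not findings:
        return "all roles carry the expected permissions boundary"
    return "\n".join(f"{name}: {reason}" for name, reason in findings)


if __name__ == "__main__":
    print(format_report(find_boundary_violations(SAMPLE_ROLES, "swb-dev-", EXPECTED_BOUNDARY_ARN)))
```

Run it after re-onboarding each hosting account (with credentials for that account and fetch_roles_live in place of SAMPLE_ROLES); a role that still shows up without a boundary is one the re-onboarding did not reach.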

v2.2.0

12 Apr 20:35
2b08d30
  • feat: Display SWB Version in UI's Top Bar
  • fix: Fix cost dashboard bugs

v2.1.5

09 Apr 13:20
baa19f8
  • chore: Add custom user agent
  • fix: Ensure sdk retry logic is enabled in prod
  • docs: Readme updated
  • fix: assume role on added member account