AWS sagemaker-unified-studio documentation change
Summary
Added documentation for several policy updates and a new policy related to SageMaker Studio, including changes to support shared VPC, public access blocked buckets, data lineage, LakeFormation ABAC, private ECR, and AWS Glue subscriptions.
Security assessment
The changes document updates to IAM policies which are security-related features, but there is no evidence these changes address specific security vulnerabilities or incidents.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/doc-history.md index 1e3425eb7..eaf81e7fd 100644 --- a/sagemaker-unified-studio/latest/adminguide/doc-history.md +++ b/sagemaker-unified-studio/latest/adminguide/doc-history.md @@ -12,0 +13,5 @@ Change| Description| Date +Policy update - SageMakerStudioProjectUserRolePolicy| Policy updates to the SageMakerStudioProjectUserRolePolicy - changes to support shared VPC by removing ResourceAccount condition on actions dependent on VPC/subnets. Moving permissions from inline to this AWS managed policy for Amazon EMR, EMR-Serverless, and federated connections. Adding support for buckets with public access blocked with permission `s3:GetBucketPublicAccessBlock`. Adding permission to support data lineage in Amazon DataZone. Supporting Amazon LakeFormation ABAC by adding session tag the access role. Supporting users operating on private ECR. Also adding support for managing AWS Glue subscriptions by the user. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| February 28, 2025 +Policy update - SageMakerStudioProjectRoleMachineLearningPolicy| Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding support for the MLFlow Tracking Server for Shared VPC, applying visibility condition to Amazon SageMaker Search API. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| February 28, 2025 +Policy update - SageMakerStudioProjectProvisioningRolePolicy| Policy updates to the \- renaming Amazon Bedrock tag and adding permission to removeSageMakerStudioProjectProvisioningRolePolicy deprecated tag on roles. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| February 28, 2025 +Policy update - SageMakerStudioEMRServiceRolePolicy| Policy updates to the SageMakerStudioEMRServiceRolePolicy - adding permissions to allow Amazon EMR to create network interfaces against Shared VPC.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| February 28, 2025 +New policies - SageMakerStudioEMRInstanceRolePolicy| Amazon SageMaker Unified Studio creates IAM roles for projects users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to EMR. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| February 28, 2025