AWS sagemaker-unified-studio documentation change
Summary
Updated policy documentation to add permissions for creating network interfaces in shared VPCs and updated related policy name.
Security assessment
The change adds new permissions related to network interface creation in shared VPCs, which is a security-related feature, but there is no evidence this addresses a specific security vulnerability.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md index 9e20f7e70..0ea3216a7 100644 --- a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md +++ b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md @@ -9 +9 @@ Amazon SageMaker Unified Studio is in preview release and is subject to change. -Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions and uses this policy when creating these roles to define the permissions related to Amazon EMR. +Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to EMR. @@ -35,0 +36,17 @@ Amazon SageMaker Unified Studio creates IAM roles for project users to perform d + { + "Sid": "CreateInNetworkForSharedSubnet", + "Effect": "Allow", + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:RunInstances", + "ec2:CreateFleet" + ], + "Resource": [ + "*" + ], + "Condition": { + "ArnLike": { + "ec2:Vpc": "arn:aws:ec2:*:*:vpc/${aws:PrincipalTag/VpcId}" + } + } + }, @@ -116 +133 @@ SageMakerStudioQueryExecutionRolePolicy -SageMakerStudioBedrockAgentServiceRolePolicy +SageMakerStudioEMRInstanceRolePolicy