AWS sagemaker-unified-studio documentation change
Summary
Added new permissions for untagging roles and enabling Amazon Bedrock permissions in the provisioning role policy.
Security assessment
The changes add new IAM permissions which are security-related features, but there is no evidence these changes address specific security vulnerabilities or incidents.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md index 7237f9a97..f2667686c 100644 --- a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md +++ b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md @@ -419,0 +420 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId> + "EnableAmazonBedrockPermissions", @@ -516,0 +518,18 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId> + { + "Sid": "IAMRoleUntagging", + "Effect": "Allow", + "Action": "iam:UntagRole", + "Resource": "arn:aws:iam::*:role/datazone_usr_role_*", + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": "cloudformation.amazonaws.com", + "aws:ResourceAccount": "${aws:PrincipalAccount}" + }, + "Null": { + "aws:ResourceTag/AmazonDataZoneProject": "false" + }, + "ForAllValues:StringLike": { + "aws:TagKeys": "EnableAmazonBedrockIDEPermissions" + } + } + },