AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-03-02 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md

Summary

Added new permissions for untagging roles and enabling Amazon Bedrock permissions in the provisioning role policy.

Security assessment

The changes add new IAM permissions which are security-related features, but there is no evidence these changes address specific security vulnerabilities or incidents.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md
index 7237f9a97..f2667686c 100644
--- a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md
+++ b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md
@@ -419,0 +420 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
+    						"EnableAmazonBedrockPermissions",
@@ -516,0 +518,18 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
+    		{
+    			"Sid": "IAMRoleUntagging",
+    			"Effect": "Allow",
+    			"Action": "iam:UntagRole",
+    			"Resource": "arn:aws:iam::*:role/datazone_usr_role_*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:CalledViaFirst": "cloudformation.amazonaws.com",
+    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
+    				},
+    				"Null": {
+    					"aws:ResourceTag/AmazonDataZoneProject": "false"
+    				},
+    				"ForAllValues:StringLike": {
+    					"aws:TagKeys": "EnableAmazonBedrockIDEPermissions"
+    				}
+    			}
+    		},