AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-03-02 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md

Summary

Updated IAM policy document with numerous additions including new permissions for Glue, EMR Serverless, Bedrock, S3, DataZone, SQL Workbench, EMR, KMS, Secrets Manager, Lambda, CloudFormation, EC2, ECR, Lake Formation, and RAM. Added conditions and resource constraints for many permissions.

Security assessment

The changes primarily add new permissions and refine existing ones with additional conditions and resource constraints. While these changes enhance security by adding more granular permissions and access controls, there is no evidence they address a specific security vulnerability or incident.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
index b78ccd7f5..2b9434a33 100644
--- a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
+++ b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
@@ -160,2 +160 @@ An administrator can disable certain permissions in this policy by tagging the r
-    					"glue:RoleAssumedBy": "glue.amazonaws.com",
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
+    					"glue:RoleAssumedBy": "glue.amazonaws.com"
@@ -192,2 +191 @@ An administrator can disable certain permissions in this policy by tagging the r
-    					"glue:RoleAssumedBy": "glue.amazonaws.com",
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
+    					"glue:RoleAssumedBy": "glue.amazonaws.com"
@@ -418,0 +417,10 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "GlueJobRunnerSessionLogPermissions",
+    			"Effect": "Allow",
+    			"Action": [
+    				"logs:CreateLogGroup",
+    				"logs:CreateLogStream",
+    				"logs:PutLogEvents"
+    			],
+    			"Resource": "arn:aws:logs:*:*:log-group:/aws-glue/*"
+    		},
@@ -463,0 +472,33 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		},
+    		{
+    			"Sid" : "EmrServerlessInteractivePermissions",
+    			"Effect" : "Allow",
+    			"Action": [
+    				"emr-serverless:AccessInteractiveEndpoints",
+    				"emr-serverless:AccessLivyEndpoints",
+    				"emr-serverless:GetApplication",
+    				"emr-serverless:StartApplication",
+    				"emr-serverless:StopApplication"
+    			],
+    			"Resource": "arn:aws:emr-serverless:*:*:/applications/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
+    				}
+    			}
+    		},
+    		{
+                "Sid": "EmrServerlessJobAccessPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "emr-serverless:GetDashboardForJobRun",
+                    "emr-serverless:GetJobRun"
+                ],
+                "Resource": [
+                    "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
+                    }
+                }
@@ -562 +603,2 @@ An administrator can disable certain permissions in this policy by tagging the r
-    				"s3:GetEncryptionConfiguration"
+    				"s3:GetEncryptionConfiguration",
+    				"s3:GetBucketPublicAccessBlock"
@@ -564 +606,6 @@ An administrator can disable certain permissions in this policy by tagging the r
-    			"Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}"
+    			"Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
+    				}
+    			}
@@ -909 +956,2 @@ An administrator can disable certain permissions in this policy by tagging the r
-    				"datazone:UpdateConnection"
+    				"datazone:UpdateConnection",
+    				"datazone:PostLineageEvent"
@@ -1139,0 +1188,18 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "TagSessionForAssumeAccessRole",
+    			"Effect": "Allow",
+    			"Action": "sts:TagSession",
+    			"Resource": "*",
+    			"Condition": {
+    				"ForAllValues:StringEquals": {
+    					"aws:TagKeys": [
+    						"AmazonDataZoneProject",
+    						"AmazonDataZoneDomain"
+    					]
+    				},
+    				"StringEquals": {
+    					"aws:RequestTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}",
+    					"aws:RequestTag/AmazonDataZoneDomain": "${aws:PrincipalTag/AmazonDataZoneDomain}"
+    				}
+    			}
+    		},
@@ -1212 +1278,2 @@ An administrator can disable certain permissions in this policy by tagging the r
-    				"sqlworkbench:GetQSqlPromptQuotas"
+    				"sqlworkbench:GetQSqlPromptQuotas",
+    				"sqlworkbench:GetSchemaInference"
@@ -1446,0 +1514,2 @@ An administrator can disable certain permissions in this policy by tagging the r
+    				"elasticmapreduce:CreatePersistentAppUI",
+    				"elasticmapreduce:DescribePersistentAppUI",
@@ -1468,0 +1538,13 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "EMRPersistentAppUI",
+    			"Effect": "Allow",
+    			"Resource": "*",
+    			"Action": [
+    				"elasticmapreduce:GetPersistentAppUIPresignedURL"
+    			],
+    			"Condition": {
+    				"ArnLike": {
+    					"elasticmapreduce:ExecutionRoleArn": "arn:aws:iam::*:role/${aws:PrincipalTag/RoleName}"
+    				}
+    			}
+    		},
@@ -1642,0 +1725,21 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "BedrockInvokeModelPermissions",
+    			"Effect": "Allow",
+    			"Action": [
+    				"bedrock:InvokeModel",
+    				"bedrock:InvokeModelWithResponseStream"
+    			],
+    			"Resource": [
+    				"arn:aws:bedrock:*::foundation-model/*",
+    				"arn:aws:bedrock:*:*:custom-model/*",
+    				"arn:aws:bedrock:*:*:provisioned-model/*"
+    			],
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:PrincipalTag/EnableAmazonBedrockPermissions": "true"
+    				},
+    				"ArnLike": {
+    					"bedrock:InferenceProfileArn": "arn:aws:bedrock:*:*:application-inference-profile/*"
+    				}
+    			}
+    		},
@@ -1658,0 +1762,16 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "BedrockInvokeModelAppInferenceProfilePermissions",
+    			"Effect": "Allow",
+    			"Action": [
+    				"bedrock:GetInferenceProfile",
+    				"bedrock:InvokeModel",
+    				"bedrock:InvokeModelWithResponseStream"
+    			],
+    			"Resource": "arn:aws:bedrock:*:*:application-inference-profile/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:PrincipalTag/EnableAmazonBedrockPermissions": "true",
+    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
+    				}
+    			}
+    		},
@@ -1696,0 +1816,38 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "BedrockResourceAccessPermissions",
+    			"Effect": "Allow",
+    			"Action": [
+    				"bedrock:ApplyGuardrail",
+    				"bedrock:BatchDeleteEvaluationJob",
+    				"bedrock:CreateAgentAlias",
+    				"bedrock:CreateEvaluationJob",
+    				"bedrock:CreatePrompt",
+    				"bedrock:CreatePromptVersion",
+    				"bedrock:DeleteAgentAlias",
+    				"bedrock:DeleteAgentVersion",
+    				"bedrock:DeletePrompt",
+    				"bedrock:GetAgentAlias",
+    				"bedrock:GetAgentVersion",
+    				"bedrock:GetEvaluationJob",
+    				"bedrock:GetIngestionJob",
+    				"bedrock:GetPrompt",
+    				"bedrock:InvokeAgent",
+    				"bedrock:InvokeFlow",
+    				"bedrock:ListAgentAliases",
+    				"bedrock:ListAgentVersions",
+    				"bedrock:ListIngestionJobs",
+    				"bedrock:ListPrompts",
+    				"bedrock:ListTagsForResource",
+    				"bedrock:Retrieve",
+    				"bedrock:StartIngestionJob",
+    				"bedrock:StopEvaluationJob",
+    				"bedrock:UpdateAgentAlias"
+    			],
+    			"Resource": "arn:aws:bedrock:*:*:*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:PrincipalTag/EnableAmazonBedrockPermissions": "true",
+    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
+    				}
+    			}
+    		},
@@ -1705,0 +1863,14 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "BedrockCreateEvaluationJobPermissions",
+    			"Effect": "Allow",
+    			"Action": "bedrock:CreateEvaluationJob",
+    			"Resource": [
+    				"arn:aws:bedrock:*:*:custom-model/*",
+    				"arn:aws:bedrock:*::foundation-model/*"
+    			],