AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-03-02 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md

Summary

Added multiple policy updates and a new policy for SageMaker Studio, including updates to provisioning roles, machine learning policies, user roles, EMR service roles, and a new EMR instance role policy.

Security assessment

The changes document updates to IAM policies and permissions, which are security-related features, but there is no evidence of addressing a specific security vulnerability or incident.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md
index c8269fc5c..3241e3838 100644
--- a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md
+++ b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md
@@ -12,0 +13,5 @@ Change | Description | Date
+Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy) |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy \- renaming Amazon Bedrock tag and adding permission to remove deprecated tag on roles. | 2/28/2025  
+Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy) |  Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding support for the MLFlow Tracking Server for Shared VPC, applying visibility condition to Amazon SageMaker Search API. | 2/28/2025  
+Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy) |  Policy updates to the SageMakerStudioProjectUserRolePolicy - changes to support shared VPC by removing ResourceAccount condition on actions dependent on VPC/subnets. Moving permissions from inline to this AWS managed policy for Amazon EMR, EMR-Serverless, and federated connections. Adding support for buckets with public access blocked with permission `s3:GetBucketPublicAccessBlock`. Adding permission to support data lineage in Amazon DataZone. Supporting Amazon LakeFormation ABAC by adding session tag the access role. Supporting users operating on private ECR. Also adding support for managing AWS Glue subscriptions by the user. | 2/28/2025  
+Policy update - [SageMakerStudioEMRServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy) |  Policy updates to the SageMakerStudioEMRServiceRolePolicy - adding permissions to allow Amazon EMR to create network interfaces against Shared VPC. | 2/28/2025  
+New policy - [SageMakerStudioEMRInstanceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.html) |  Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions and uses this policy when creating these roles to define the permissions related to EMR. | 2/28/2025