AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-03-02 · Documentation low

File: solutions/latest/mlops-workload-orchestrator/architecture-overview.md

Summary

Updated formatting of AWS Lambda URL, removed and reorganized some content about pipeline deployment and permissions, and made minor text formatting changes

Security assessment

The changes are primarily formatting and content reorganization. While there is mention of IAM roles and permissions, this is existing security documentation rather than new security content or addressing a specific security issue.

Diff

diff --git a/solutions/latest/mlops-workload-orchestrator/architecture-overview.md
index 389db9fdc..7b587d038 100644
--- a/solutions/latest/mlops-workload-orchestrator/architecture-overview.md
+++ b/solutions/latest/mlops-workload-orchestrator/architecture-overview.md
@@ -40 +40 @@ This solution’s single-account template provides the following components and
-Depending on the pipeline type, the [AWS Lambda](https://aws.amazon.com/lambda/) `Orchestrator` function packages the target AWS CloudFormation template and its parameters and configurations using the body of the API call or the `mlops-config.json` file. The orchestrator then uses this packaged template and configurations as the source stage for the [AWS CodePipeline](https://aws.amazon.com/codepipeline/) instance. 
+Depending on the pipeline type, the [https://aws.amazon.com/lambda/](https://aws.amazon.com/lambda/) `Orchestrator` function packages the target AWS CloudFormation template and its parameters and configurations using the body of the API call or the `mlops-config.json` file. The orchestrator then uses this packaged template and configurations as the source stage for the [AWS CodePipeline](https://aws.amazon.com/codepipeline/) instance.
@@ -46 +45,0 @@ If you are provisioning the model monitor pipeline, the orchestrator must first
-If a custom algorithm (for example, not a built-in Amazon SageMaker AI algorithm) was used to train the model, the orchestrator must provide the Amazon ECR custom algorithm’s image URI, or build and register the Docker image using the custom algorithm image builder pipeline. 
@@ -48,7 +46,0 @@ If a custom algorithm (for example, not a built-in Amazon SageMaker AI algorithm
-  4. The DeployPipeline stage takes the packaged CloudFormation template and its parameters and configurations, and deploys the target pipeline into the same account. 
-
-  5. After the target pipeline is provisioned, users can access its functionalities. An [Amazon Simple Notification Service](https://aws.amazon.com/sns/) (Amazon SNS) notification is sent to the email provided in the solution’s launch parameters. 
-
-###### Note
-
-The single-account AWS CodePipeline’s AWS CloudFormation action is granted admin permissions to deploy different resources by different MLOps pipelines. Roles are defined by the pipelines' CloudFormation templates. This makes it easy to add new pipelines. To restrict the types of resources a template can deploy, customers can create an [AWS Identity and Access Management](https://aws.amazon.com/iam) (IAM) role, with limited permissions, and pass it to the CloudFormation action as the deployment role. 
@@ -56,0 +49 @@ The single-account AWS CodePipeline’s AWS CloudFormation action is granted adm
+If a custom algorithm (for example, not a built-in Amazon SageMaker AI algorithm) was used to train the model, the orchestrator must provide the Amazon ECR custom algorithm’s image URI, or build and register the Docker image using the custom algorithm image builder pipeline. . The DeployPipeline stage takes the packaged CloudFormation template and its parameters and configurations, and deploys the target pipeline into the same account. . After the target pipeline is provisioned, users can access its functionalities. An [Amazon Simple Notification Service](https://aws.amazon.com/sns/) (Amazon SNS) notification is sent to the email provided in the solution’s launch parameters.
@@ -57,0 +51 @@ The single-account AWS CodePipeline’s AWS CloudFormation action is granted adm
+\+ NOTE: The single-account AWS CodePipeline’s AWS CloudFormation action is granted admin permissions to deploy different resources by different MLOps pipelines. Roles are defined by the pipelines' CloudFormation templates. This makes it easy to add new pipelines. To restrict the types of resources a template can deploy, customers can create an [AWS Identity and Access Management](https://aws.amazon.com/iam) (IAM) role, with limited permissions, and pass it to the CloudFormation action as the deployment role.
@@ -94 +88 @@ This solution’s multi-account template provides the following components and w
-  2. The orchestrator uploads the required assets for the target pipeline (for example, model artifact, training data, and/or custom algorithm zip file) into the S3 assets bucket in the orchestrator's AWS account. If Amazon SageMaker AI Model Registry is used, the orchestrator (or an automated pipeline) must register the model with the model registry. 
+  2. The orchestrator uploads the required assets for the target pipeline (for example, model artifact, training data, and/or custom algorithm zip file) into the S3 assets bucket in the orchestrator’s AWS account. If Amazon SageMaker AI Model Registry is used, the orchestrator (or an automated pipeline) must register the model with the model registry.