AWS sagemaker-unified-studio high security documentation change
Summary
Updated IAM policy with new permissions for trust policy modification and partner apps access
Security assessment
Policy changes explicitly address confused deputy prevention through trust policy modifications, a documented security concern.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md index 264afbab9..08920362f 100644 --- a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md +++ b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md @@ -358 +358,2 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId> - "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2" + "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2", + "arn:aws:iam::aws:policy/AmazonSageMakerPartnerAppsFullAccess" @@ -568 +569,4 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId> - "arn:aws:iam::*:role/datazone_usr_role_*" + "arn:aws:iam::*:role/datazone_usr_role_*", + "arn:aws:iam::*:role/datazone_emr_*", + "arn:aws:iam::*:role/datazone-partner-apps-*", + "arn:aws:iam::*:role/AmazonBedrock*" @@ -2721,14 +2724,0 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId> - }, - { - "Sid": "IamGetEmrRoleFromDataZone", - "Effect": "Allow", - "Action": "iam:GetRole", - "Resource": "arn:aws:iam::*:role/datazone_emr_*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "aws:ResourceTag/AmazonDataZoneProject": "false" - } - }