AWS Security ChangesHomeSearch

AWS sagemaker medium security documentation change

Service: sagemaker · 2025-03-30 · Security-related medium

File: sagemaker/latest/dg/monitor-user-access.md

Summary

Updated documentation about sourceIdentity tracking in CloudTrail logs for SageMaker Training and Processing jobs. Consolidated previous separate entries into a unified statement confirming both job types now properly ingest sourceIdentity.

Security assessment

The change corrects previous documentation about audit trail limitations (specifically sourceIdentity tracking in CloudTrail) which is critical for security auditing and attribution. Explicitly addresses logging improvements for security-relevant metadata.

Diff

diff --git a/sagemaker/latest/dg/monitor-user-access.md b/sagemaker/latest/dg/monitor-user-access.md
index 452d51a9e..3f2c72f66 100644
--- a/sagemaker/latest/dg/monitor-user-access.md
+++ b/sagemaker/latest/dg/monitor-user-access.md
@@ -21,3 +21 @@ When these API calls invoke other services to perform additional operations, `so
-  * Amazon SageMaker Processing: When you create a job using these features, the job creation APIs are not able to ingest the `sourceIdentity` that exists in the session. As a result, any AWS API calls made from these jobs do not record `sourceIdentity` in the CloudTrail logs.
-
-  * Amazon SageMaker Training: When you create a training job, the job creation APIs are able to ingest the `sourceIdentity` that exists in the session. As a result, any AWS API calls made from these jobs record `sourceIdentity` in the CloudTrail logs.
+  * Amazon SageMaker Training and Processing: When you create a job using the training feature or the processing feature, the job creation API calls ingest the `sourceIdentity` that exists in the session. As a result, any AWS API calls made from these jobs record the `sourceIdentity` in the CloudTrail logs.