AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2025-04-11 · Documentation low

File: sagemaker/latest/dg/docker-containers-prebuilt.md

Summary

Added clarification about pre-built container image ownership and IAM policy implications

Security assessment

Explains security implications of service-owned credentials for image pulling but doesn't address a specific vulnerability

Diff

diff --git a/sagemaker/latest/dg/docker-containers-prebuilt.md b/sagemaker/latest/dg/docker-containers-prebuilt.md
index 0eeb16b54..ce5e381a0 100644
--- a//sagemaker/latest/dg/docker-containers-prebuilt.md
+++ b//sagemaker/latest/dg/docker-containers-prebuilt.md
@@ -12,0 +13,2 @@ For the Docker registry path and other parameters for each of the Amazon SageMak
+For information on Docker images for developing reinforcement learning (RL) solutions in SageMaker AI, see [SageMaker AI RL Containers](https://github.com/aws/sagemaker-rl-container).
+
@@ -15 +17 @@ For the Docker registry path and other parameters for each of the Amazon SageMak
-For information on Docker images for developing reinforcement learning (RL) solutions in SageMaker AI, see [SageMaker AI RL Containers](https://github.com/aws/sagemaker-rl-container).
+Pre-built container images are owned by SageMaker AI, and in some cases include proprietary code. Capabilities such as training and processing jobs, batch transform, and real-time inference use service-owned credentials to pull and run images on managed SageMaker AI instances. Because customer credentials aren't used, any AWS IAM policies (including service control policies and resource control policies) that deny Amazon ECR permissions don't prevent the use of pre-built images.