AWS sagemaker documentation change
Summary
Added clarification about pre-built container image ownership and IAM policy implications
Security assessment
Explains security implications of service-owned credentials for image pulling but doesn't address a specific vulnerability
Diff
diff --git a/sagemaker/latest/dg/docker-containers-prebuilt.md b/sagemaker/latest/dg/docker-containers-prebuilt.md index 0eeb16b54..ce5e381a0 100644 --- a//sagemaker/latest/dg/docker-containers-prebuilt.md +++ b//sagemaker/latest/dg/docker-containers-prebuilt.md @@ -12,0 +13,2 @@ For the Docker registry path and other parameters for each of the Amazon SageMak +For information on Docker images for developing reinforcement learning (RL) solutions in SageMaker AI, see [SageMaker AI RL Containers](https://github.com/aws/sagemaker-rl-container). + @@ -15 +17 @@ For the Docker registry path and other parameters for each of the Amazon SageMak -For information on Docker images for developing reinforcement learning (RL) solutions in SageMaker AI, see [SageMaker AI RL Containers](https://github.com/aws/sagemaker-rl-container). +Pre-built container images are owned by SageMaker AI, and in some cases include proprietary code. Capabilities such as training and processing jobs, batch transform, and real-time inference use service-owned credentials to pull and run images on managed SageMaker AI instances. Because customer credentials aren't used, any AWS IAM policies (including service control policies and resource control policies) that deny Amazon ECR permissions don't prevent the use of pre-built images.