AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2025-04-11 · Documentation medium

File: sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md

Summary

Added note clarifying pre-built container image ownership and credential usage

Security assessment

Explains security implications of image access permissions but does not address a specific vulnerability

Diff

diff --git a/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md b/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md
index cbd7385c8..897848f29 100644
--- a//sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md
+++ b//sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md
@@ -19,0 +20,4 @@ Use the path as follows:
+###### Note
+
+Pre-built container images are owned by SageMaker AI, and in some cases include proprietary code. Capabilities such as training and processing jobs, batch transform, and real-time inference use service-owned credentials to pull and run images on managed SageMaker AI instances. Because customer credentials aren't used, any AWS IAM policies (including service control policies and resource control policies) that deny Amazon ECR permissions don't prevent the use of pre-built images.
+