AWS sagemaker documentation change
Summary
Added note clarifying pre-built container image ownership and credential usage
Security assessment
Explains security implications of image access permissions but does not address a specific vulnerability
Diff
diff --git a/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md b/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md index cbd7385c8..897848f29 100644 --- a//sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md +++ b//sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.md @@ -19,0 +20,4 @@ Use the path as follows: +###### Note + +Pre-built container images are owned by SageMaker AI, and in some cases include proprietary code. Capabilities such as training and processing jobs, batch transform, and real-time inference use service-owned credentials to pull and run images on managed SageMaker AI instances. Because customer credentials aren't used, any AWS IAM policies (including service control policies and resource control policies) that deny Amazon ECR permissions don't prevent the use of pre-built images. +