AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-04-11 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md

Summary

Added LakeFormation:DescribeResource permission, Bedrock service role policy, Bedrock ingestion job permissions, EventBridge scheduler policies, and CodeEditor app ARNs. Removed CalledViaFirst conditions.

Security assessment

Changes primarily expand permissions for new services (Bedrock, EventBridge) and refine resource ARNs. No evidence of addressing a specific security vulnerability. Security documentation is updated with new IAM policies.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md
index 4870a9f35..585bca928 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md
@@ -137 +137,2 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
-    				"lakeformation:ListResources"
+    				"lakeformation:ListResources",
+    				"lakeformation:DescribeResource"
@@ -357 +358,2 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
-    						"arn:aws:iam::aws:policy/AmazonSageMakerPartnerAppsFullAccess"
+    						"arn:aws:iam::aws:policy/AmazonSageMakerPartnerAppsFullAccess",
+    						"arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy"
@@ -709 +711,2 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
-    						"redshift-serverless.amazonaws.com"
+    						"redshift-serverless.amazonaws.com",
+    						"bedrock.amazonaws.com"
@@ -2046,0 +2050,2 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
+    				"arn:aws:sagemaker:*:*:app/*/*/codeeditor/*",
+    				"arn:aws:sagemaker:*:*:app/*/*/CodeEditor/*",
@@ -2317 +2321,0 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
-    					"aws:CalledViaFirst": "cloudformation.amazonaws.com",
@@ -2352,0 +2357,4 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
+    				"bedrock:ListIngestionJobs",
+    				"bedrock:GetIngestionJob",
+    				"bedrock:StartIngestionJob",
+    				"bedrock:StopIngestionJob",
@@ -2379 +2386,0 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
-    					"aws:CalledViaFirst": "cloudformation.amazonaws.com",
@@ -2397 +2403,0 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
-    					"aws:CalledViaFirst": "cloudformation.amazonaws.com",
@@ -2723,0 +2730,68 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId>
+    		},
+    		{
+    			"Sid": "EventBridgeViewScheduleGroupActions",
+    			"Effect": "Allow",
+    			"Action": [
+    				"scheduler:ListTagsForResource",
+    				"scheduler:GetScheduleGroup"
+    			],
+    			"Resource": "arn:aws:scheduler:*:*:schedule-group/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceAccount": "${aws:PrincipalAccount}",
+    					"aws:CalledViaFirst": "cloudformation.amazonaws.com"
+    				}
+    			}
+    		},
+    		{
+    			"Sid": "EventBridgeDeleteScheduleGroupActions",
+    			"Effect": "Allow",
+    			"Action": "scheduler:DeleteScheduleGroup",
+    			"Resource": "arn:aws:scheduler:*:*:schedule-group/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceAccount": "${aws:PrincipalAccount}",
+    					"aws:CalledViaFirst": "cloudformation.amazonaws.com"
+    				},
+    				"Null": {
+    					"aws:ResourceTag/AmazonDataZoneProject": "false"
+    				}
+    			}
+    		},
+    		{
+    			"Sid": "EventBridgeCreateScheduleGroupActions",
+    			"Effect": "Allow",
+    			"Action": "scheduler:CreateScheduleGroup",
+    			"Resource": "arn:aws:scheduler:*:*:schedule-group/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceAccount": "${aws:PrincipalAccount}",
+    					"aws:CalledViaFirst": "cloudformation.amazonaws.com"
+    				},
+    				"Null": {
+    					"aws:RequestTag/AmazonDataZoneProject": "false",
+    					"aws:TagKeys": "false"
+    				},
+    				"ForAllValues:StringLike": {
+    					"aws:TagKeys": "AmazonDataZone*"
+    				}
+    			}
+    		},
+    		{
+    			"Sid": "EventBridgeTagScheduleGroupActions",
+    			"Effect": "Allow",
+    			"Action": "scheduler:TagResource",
+    			"Resource": "arn:aws:scheduler:*:*:schedule-group/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceAccount": "${aws:PrincipalAccount}",
+    					"aws:CalledViaFirst": "cloudformation.amazonaws.com"
+    				},
+    				"Null": {
+    					"aws:TagKeys": "false",
+    					"aws:ResourceTag/AmazonDataZoneProject": "false"
+    				},
+    				"ForAllValues:StringLike": {
+    					"aws:TagKeys": "AmazonDataZone*"
+    				}
+    			}
@@ -2735,2 +2808,0 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-SageMakerStudioProjectUserRolePermissionsBoundary 
-
@@ -2738,0 +2811,2 @@ SageMakerStudioDomainExecutionRolePolicy
+SageMakerStudioProjectRoleMachineLearningPolicy
+