AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio medium security documentation change

Service: sagemaker-unified-studio · 2025-04-11 · Security-related medium

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md

Summary

Added policy update entries for Bedrock integration, Redshift-Serverless isolation, EventBridge permissions, and CodeEditor support.

Security assessment

Explicitly mentions 'preventing sharing provisioned Amazon Redshift-Serverless across all projects', which is a security control to limit cross-project access. This addresses a potential over-permission risk.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md
index 58e79ff55..e9e040074 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md
@@ -10,0 +11,3 @@ Change | Description | Date
+Policy update - [SageMakerStudioBedrockFlowServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFlowServiceRolePolicy) |  Policy updates to the SageMakerStudioBedrockFlowServiceRolePolicy \- adding support for using Amazon Bedrock agent nodes in Amazon Bedrock flows for generative AI app development projects. | 4/09/2025  
+Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy) |  Policy updates to the SageMakerStudioProjectUserRolePolicy - preventing sharing provisioned Amazon Redshift-Serverless across all projects. Adding EventBridge Scheduler permissions for users to create schedules in the project schedule group. Adding permissions to handle Amazon SageMaker Studio migration to Amazon SageMaker Unified Studio. Adding support for the Amazon SageMaker App type CodeEditor. | 4/09/2025  
+Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy) |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy \- adding `lakeformation:DescribeResource` to improve deregistering of federated connections. Adding EventBridge Scheduler permissions to manage a schedule group for each project. Adding permission to manage Amazon Bedrock resources directly from the Amazon DataZone service. Add support for the Amazon SageMaker App type CodeEditor. | 4/09/2025