AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio high security documentation change

Service: sagemaker-unified-studio · 2025-05-10 · Security-related high

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy.md

Summary

Added multiple IAM policy statements enforcing tag-based conditions for SageMaker Studio user profiles, spaces, and applications. Introduced resource tag validation for Amazon DataZone project/user tags and private space restrictions.

Security assessment

The changes enforce granular access controls by adding tag-based conditions (AmazonDataZoneProject/User tags) to restrict resource creation/deletion and presigned URL generation. This prevents unauthorized access by ensuring principals can only interact with resources tagged with their specific project/user identifiers. The explicit 'Private' space restrictions and tag validation directly address potential privilege escalation risks.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy.md
index f14de7000..13fb4706c 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy.md
@@ -564,0 +565,15 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "SageMakerStudioCreatePresignedDomainUrlForTaggedUserProfile",
+    			"Effect": "Allow",
+    			"Action": [
+    				"sagemaker:CreatePresignedDomainUrl"
+    			],
+    			"Resource": "arn:aws:sagemaker:*:*:user-profile/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}",
+    					"aws:ResourceTag/AmazonDataZoneUser": "${aws:PrincipalTag/datazone:userId}",
+    					"aws:PrincipalTag/EnableSageMakerMLWorkloadsPermissions": "true"
+    				}
+    			}
+    		},
@@ -595,0 +611,2 @@ An administrator can disable certain permissions in this policy by tagging the r
+    				"arn:aws:sagemaker:*:*:app/*/*/codeeditor/*",
+    				"arn:aws:sagemaker:*:*:app/*/*/CodeEditor/*",
@@ -612,0 +630,14 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "SageMakerStudioAppDescribeTaggedUserProfilePermissions",
+    			"Effect": "Allow",
+    			"Action": [
+    				"sagemaker:DescribeUserProfile"
+    			],
+    			"Resource": "arn:aws:sagemaker:*:*:user-profile/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}",
+    					"aws:ResourceTag/AmazonDataZoneUser": "${aws:PrincipalTag/datazone:userId}"
+    				}
+    			}
+    		},
@@ -662,0 +694,15 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "SageMakerStudioAllowCreatingDeletingTaggedOwnerUserProfile",
+    			"Effect": "Allow",
+    			"Action": [
+    				"sagemaker:CreateUserProfile",
+    				"sagemaker:DeleteUserProfile"
+    			],
+    			"Resource": "arn:aws:sagemaker:*:*:user-profile/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}",
+    					"aws:ResourceTag/AmazonDataZoneUser": "${aws:PrincipalTag/datazone:userId}"
+    				}
+    			}
+    		},
@@ -683,0 +730,19 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "SageMakerStudioRestrictPrivateSpaceToOwnerUser",
+    			"Effect": "Allow",
+    			"Action": [
+    				"sagemaker:CreateSpace",
+    				"sagemaker:UpdateSpace",
+    				"sagemaker:DeleteSpace"
+    			],
+    			"Resource": "arn:aws:sagemaker:*:*:space/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}",
+    					"aws:ResourceTag/AmazonDataZoneUser": "${aws:PrincipalTag/datazone:userId}",
+    					"sagemaker:SpaceSharingType": [
+    						"Private"
+    					]
+    				}
+    			}
+    		},
@@ -691,0 +757,2 @@ An administrator can disable certain permissions in this policy by tagging the r
+    				"arn:aws:sagemaker:*:*:app/*/*/codeeditor/*",
+    				"arn:aws:sagemaker:*:*:app/*/*/CodeEditor/*",
@@ -706,0 +774,23 @@ An administrator can disable certain permissions in this policy by tagging the r
+    		{
+    			"Sid": "SageMakerStudioRestrictPrivateSpaceAppsToOwnerUser",
+    			"Effect": "Allow",
+    			"Action": [
+    				"sagemaker:CreateApp",
+    				"sagemaker:DeleteApp"
+    			],
+    			"Resource": [
+    				"arn:aws:sagemaker:*:*:app/*/*/CodeEditor/*",
+    				"arn:aws:sagemaker:*:*:app/*/*/codeeditor/*",
+    				"arn:aws:sagemaker:*:*:app/*/*/jupyterlab/*",
+    				"arn:aws:sagemaker:*:*:app/*/*/JupyterLab/*"
+    			],
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}",
+    					"aws:ResourceTag/AmazonDataZoneUser": "${aws:PrincipalTag/datazone:userId}",
+    					"sagemaker:SpaceSharingType": [
+    						"Private"
+    					]
+    				}
+    			}
+    		},