AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio medium security documentation change

Service: sagemaker-unified-studio · 2025-05-10 · Security-related medium

File: sagemaker-unified-studio/latest/userguide/create-asset-types.md

Summary

Added documentation about usage permissions configuration for custom asset types, including access restriction options and permission management roles

Security assessment

The change introduces documentation about access control mechanisms (restricting asset usage to specific projects/domain units) and clarifies role-based permissions (owners vs contributors). This directly relates to security by enforcing least privilege and authorization controls, though no specific vulnerability is mentioned.

Diff

diff --git a/sagemaker-unified-studio/latest/userguide/create-asset-types.md b/sagemaker-unified-studio/latest/userguide/create-asset-types.md
index 36f40f624..7fca7bc2d 100644
--- a//sagemaker-unified-studio/latest/userguide/create-asset-types.md
+++ b//sagemaker-unified-studio/latest/userguide/create-asset-types.md
@@ -73,0 +74,16 @@ To create a custom asset type in Amazon SageMaker Unified Studio, complete the f
+     * Under **Usage permission** , restrict access, by specify which projects or domain units are authorized to use this asset type. 
+
+###### Note
+
+You must be a domain unit owner or a project owner in order to modify usage permissions. Project contributors can view usage permissions but cannot edit them.
+
+You can choose the following:
+
+       * **All projects** \- give permissions to all projects in this domain
+
+       * **Owning project** \- give permissions only to the owning project
+
+       * **Selected projects or domain units** \- give permissions to specific projects and/or domain units
+
+If you select this option, choose **Add usage permission** , and in the **Add projects and designations** pop up window, specify the authorized projects (you can choose **Select projects in a domain unit** or **All project in a domain unit**), the specific domain unit, and the allowed designations - which designations a project member must have to use this policy. You can choose **Owner** or **Contributor**.
+