AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-05-16 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/AmazonSageMakerProvisioning.md

Summary

Added IAM policy requirements for custom query execution roles to include iam:PassRole and iam:GetRole permissions

Security assessment

Documents required permissions for secure role delegation but does not indicate a security vulnerability fix. This is a preventive security configuration guideline.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/AmazonSageMakerProvisioning.md b/sagemaker-unified-studio/latest/adminguide/AmazonSageMakerProvisioning.md
index f08aea460..fb79acc23 100644
--- a//sagemaker-unified-studio/latest/adminguide/AmazonSageMakerProvisioning.md
+++ b//sagemaker-unified-studio/latest/adminguide/AmazonSageMakerProvisioning.md
@@ -32,0 +33,21 @@ The default `AmazonSageMakerProvisioning-<domainAccountId>` role has the followi
+###### Important
+
+If you are using your own query execution role (instead of the default [AmazonSageMakerQueryExecution](./AmazonSageMakerQueryExecution.html) role), then you must modify the permissions of your provisioning role (whether you're using this default AmazonSageMakerProvisioning role or your own custom provisioning role) to include `iam:PassRole` and `iam:GetRole` permissions. These permissions enable your provisioning role to pass the query execution role to AWS LakeFormation during creation of federated connections. You can include these permissions by attaching the following inline policy to your provisioning role:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "IamRolePermissionsForQueryExecution",
+          "Effect": "Allow",
+          "Action": [
+            "iam:PassRole",
+            "iam:GetRole"
+          ],
+          "Resource": "arn:aws:iam::*:role/{your-role}"
+        }
+      ]
+    }
+                
+