AWS sagemaker-unified-studio documentation change
Summary
Expanded Bedrock session management permissions with tag-based access controls for conversation history feature
Security assessment
Adds granular IAM conditions for session management but does not reference a security flaw. Enhances security documentation for a new feature's access controls.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy.md index e535a33fa..992610380 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy.md @@ -29,0 +30,68 @@ Provides permissions to consume Amazon Bedrock models, including invoking Amazon + }, + { + "Sid": "BedrockCreateSessionWithTagsPermissions", + "Effect": "Allow", + "Action": [ + "bedrock:CreateSession", + "bedrock:TagResource" + ], + "Resource": "arn:aws:bedrock:*:*:session/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}", + "aws:RequestTag/AmazonDataZoneUser": "${datazone:userId}", + "aws:ResourceTag/AmazonDataZoneUser": "${datazone:userId}", + "aws:RequestTag/AmazonDataZoneDomain": "${datazone:domainId}", + "aws:ResourceTag/AmazonDataZoneDomain": "${datazone:domainId}" + }, + "StringNotEquals": { + "aws:RequestTag/AmazonDataZoneUser": "", + "aws:ResourceTag/AmazonDataZoneUser": "", + "aws:RequestTag/AmazonDataZoneDomain": "", + "aws:ResourceTag/AmazonDataZoneDomain": "" + }, + "ForAllValues:StringLike": { + "aws:TagKeys": "AmazonDataZone*" + }, + "Null": { + "aws:RequestTag/AmazonDataZoneProject": "true", + "aws:ResourceTag/AmazonDataZoneProject": "true" + } + } + }, + { + "Sid": "BedrockSessionPermissions", + "Effect": "Allow", + "Action": [ + "bedrock:GetSession", + "bedrock:UpdateSession", + "bedrock:DeleteSession", + "bedrock:EndSession", + "bedrock:CreateInvocation", + "bedrock:ListInvocations", + "bedrock:PutInvocationStep", + "bedrock:GetInvocationStep", + "bedrock:ListInvocationSteps", + "bedrock:ListTagsForResource" + ], + "Resource": "arn:aws:bedrock:*:*:session/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}", + "aws:ResourceTag/AmazonDataZoneUser": "${datazone:userId}", + "aws:ResourceTag/AmazonDataZoneDomain": "${datazone:domainId}" + }, + "StringNotEquals": { + "aws:ResourceTag/AmazonDataZoneUser": "", + "aws:ResourceTag/AmazonDataZoneDomain": "" + }, + "Null": { + "aws:ResourceTag/AmazonDataZoneProject": "true" + } + } + }, + { + "Sid": "BedrockListSessionsPermissions", + "Effect": "Allow", + "Action": "bedrock:ListSessions", + "Resource": "*" @@ -41,2 +108,0 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -SageMakerStudioProjectUserRolePolicy - @@ -44,0 +111,2 @@ SageMakerStudioQueryExecutionRolePolicy +SageMakerStudioEMRServiceRolePolicy +