AWS sagemaker-unified-studio documentation change
Summary
Updated IAM policy to remove RedshiftDbUser restrictions, add Glue/SecretsManager permissions, and include new QuickSight management policies with resource tagging conditions.
Security assessment
The changes add permissions for Glue and SecretsManager, and introduce new QuickSight policies with resource tagging conditions, which are security best practices. The removal of RedshiftDbUser format restrictions addresses a functional issue rather than a security vulnerability.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md index 2e3b59341..28e1908ed 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md @@ -1416 +1416 @@ An administrator can disable certain permissions in this policy by tagging the r - "Sid": "RedshiftServerlessGetCredentialsOnlyForDbUser", + "Sid": "RedshiftGetCredentials", @@ -1426,7 +1425,0 @@ An administrator can disable certain permissions in this policy by tagging the r - }, - "StringLike": { - "aws:PrincipalTag/RedshiftDbUser": [ - "user-${aws:PrincipalTag/datazone:userId}*", - "user-project@${aws:PrincipalTag/AmazonDataZoneProject}", - "user-*@*" - ] @@ -1600 +1593,3 @@ An administrator can disable certain permissions in this policy by tagging the r - "scheduler.*.amazonaws.com" + "scheduler.*.amazonaws.com", + "glue.*.amazonaws.com", + "secretsmanager.*.amazonaws.com" @@ -2583,0 +2579,84 @@ An administrator can disable certain permissions in this policy by tagging the r + }, + { + "Sid": "ManageQuickSightFolderAndDataSourceResources", + "Effect": "Allow", + "Action": [ + "quicksight:DescribeDataSource", + "quicksight:DescribeFolder", + "quicksight:DescribeFolderPermissions", + "quicksight:ListFolderMembers" + ], + "Resource": [ + "arn:aws:quicksight:*:*:folder/*", + "arn:aws:quicksight:*:*:datasource/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" + } + } + }, + { + "Sid": "ManageQuickSightOtherResources", + "Effect": "Allow", + "Action": [ + "quicksight:DescribeDataSet", + "quicksight:DescribeAccountSubscription", + "quicksight:DescribeUser", + "quicksight:DescribeGroup" + ], + "Resource": [ + "arn:aws:quicksight:*:*:*" + ] + }, + { + "Sid": "ManagePassDataSourcePermissions", + "Effect": "Allow", + "Action": [ + "quicksight:PassDataSource" + ], + "Resource": "arn:aws:quicksight:*:*:datasource/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" + } + } + }, + { + "Sid": "ManageCreateDataSetPermissions", + "Effect": "Allow", + "Action": [ + "quicksight:CreateDataSet", + "quicksight:TagResource" + ], + "Resource": "arn:aws:quicksight:*:*:dataset/*", + "Condition": { + "Null": { + "aws:TagKeys": "false" + }, + "ForAllValues:StringLike": { + "aws:TagKeys": [ + "AmazonDataZone*" + ] + }, + "StringEquals": { + "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" + }, + "StringEqualsIfExists": { + "aws:RequestTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" + } + } + }, + { + "Sid": "CreateFolderMembership", + "Effect": "Allow", + "Action": [ + "quicksight:CreateFolderMembership" + ], + "Resource": "arn:aws:quicksight:*:*:folder/sagemaker-*-assets", + "Condition": { + "StringEquals": { + "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}", + "aws:ResourceTag/AmazonDataZoneAssetsFolder": "true" + } + } @@ -2595,2 +2673,0 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -AmazonDataZoneBedrockModelManagementPolicy - @@ -2598,0 +2676,2 @@ SageMakerStudioQueryExecutionRolePolicy +SageMakerStudioEMRServiceRolePolicy +