AWS sagemaker-unified-studio medium security documentation change
Summary
Removed EC2 security group permissions, Athena catalog permissions, EMR termination permission; added Bedrock ListFoundationModels permission; updated policy references
Security assessment
Removal of EC2 security group modification permissions (Authorize/Revoke SecurityGroupEgress/Ingress) reduces attack surface for network security misconfigurations. Removal of EMR TerminateJobFlows permission prevents unintended cluster termination. These changes limit privileged actions, improving security posture.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md index 28e1908ed..0f91a5cd2 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md @@ -845,16 +844,0 @@ An administrator can disable certain permissions in this policy by tagging the r - { - "Sid": "DataLakeEC2Permissions", - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, @@ -912,15 +895,0 @@ An administrator can disable certain permissions in this policy by tagging the r - { - "Sid": "DefaultAthenaDataCatalogPermissions", - "Effect": "Allow", - "Action": [ - "athena:GetDatabase", - "athena:GetDataCatalog", - "athena:GetTableMetadata", - "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "arn:aws:athena:*:*:datacatalog/AwsDataCatalog", - "arn:aws:athena:*:*:datacatalog/awsdatacatalog" - ] - }, @@ -1516 +1484,0 @@ An administrator can disable certain permissions in this policy by tagging the r - "elasticmapreduce:TerminateJobFlows", @@ -1988 +1956,2 @@ An administrator can disable certain permissions in this policy by tagging the r - "bedrock:RetrieveAndGenerate" + "bedrock:RetrieveAndGenerate", + "bedrock:ListFoundationModels" @@ -2674,2 +2642,0 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -SageMakerStudioQueryExecutionRolePolicy - @@ -2677,0 +2645,2 @@ SageMakerStudioEMRServiceRolePolicy +AmazonDataZoneBedrockModelConsumptionPolicy +