AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio medium security documentation change

Service: sagemaker-unified-studio · 2025-06-16 · Security-related medium

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md

Summary

Removed EC2 security group permissions, Athena catalog permissions, EMR termination permission; added Bedrock ListFoundationModels permission; updated policy references

Security assessment

Removal of EC2 security group modification permissions (Authorize/Revoke SecurityGroupEgress/Ingress) reduces attack surface for network security misconfigurations. Removal of EMR TerminateJobFlows permission prevents unintended cluster termination. These changes limit privileged actions, improving security posture.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
index 28e1908ed..0f91a5cd2 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
@@ -845,16 +844,0 @@ An administrator can disable certain permissions in this policy by tagging the r
-    		{
-    			"Sid": "DataLakeEC2Permissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"ec2:AuthorizeSecurityGroupEgress",
-    				"ec2:AuthorizeSecurityGroupIngress",
-    				"ec2:RevokeSecurityGroupEgress",
-    				"ec2:RevokeSecurityGroupIngress"
-    			],
-    			"Resource": "*",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
-    				}
-    			}
-    		},
@@ -912,15 +895,0 @@ An administrator can disable certain permissions in this policy by tagging the r
-    		{
-    			"Sid": "DefaultAthenaDataCatalogPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"athena:GetDatabase",
-    				"athena:GetDataCatalog",
-    				"athena:GetTableMetadata",
-    				"athena:ListDatabases",
-    				"athena:ListTableMetadata"
-    			],
-    			"Resource": [
-    				"arn:aws:athena:*:*:datacatalog/AwsDataCatalog",
-    				"arn:aws:athena:*:*:datacatalog/awsdatacatalog"
-    			]
-    		},
@@ -1516 +1484,0 @@ An administrator can disable certain permissions in this policy by tagging the r
-    				"elasticmapreduce:TerminateJobFlows",
@@ -1988 +1956,2 @@ An administrator can disable certain permissions in this policy by tagging the r
-    				"bedrock:RetrieveAndGenerate"
+    				"bedrock:RetrieveAndGenerate",
+    				"bedrock:ListFoundationModels"
@@ -2674,2 +2642,0 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-SageMakerStudioQueryExecutionRolePolicy
-
@@ -2677,0 +2645,2 @@ SageMakerStudioEMRServiceRolePolicy
+AmazonDataZoneBedrockModelConsumptionPolicy
+