AWS sagemaker-unified-studio documentation change
Summary
Significantly restructured S3 data integration documentation by removing detailed role configuration steps and redirecting to other pages for lakehouse integration and existing S3 data management
Security assessment
The changes remove detailed security configuration instructions (CORS policies, IAM role permissions, trust relationships) rather than addressing vulnerabilities. While security configurations are mentioned in removed content, the change itself is organizational rather than security-focused. No evidence of addressing a specific vulnerability or adding new security features.
Diff
diff --git a/sagemaker-unified-studio/latest/userguide/data-s3.md b/sagemaker-unified-studio/latest/userguide/data-s3.md index f821813fa..3b5a74ded 100644 --- a//sagemaker-unified-studio/latest/userguide/data-s3.md +++ b//sagemaker-unified-studio/latest/userguide/data-s3.md @@ -5,2 +4,0 @@ -Adding Amazon S3 data - @@ -9,117 +7 @@ Adding Amazon S3 data -You can bring in Amazon S3 data to your project and access it on the **Data** page in Amazon SageMaker Unified Studio. - -## Adding Amazon S3 data - -To bring in Amazon S3 data to your project, you must first gain access to the data and then add the data to your project. You can gain access to the data by using the project role or an access role. - -###### Note - -If you are using a bucket in a different account than the account that contains the project tooling environment, you must use an access role to gain access to the data. - -### Prerequisite option 1: Gain access using the project role - -Work with your admin to complete the following steps: - - 1. Retrieve the project role ARN and send it to your admin. - - 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. - - 2. Navigate to the project that you want to add Amazon S3 data to. You can do this by choosing **Browse all projects** from the center menu, and then selecting the name of the project. - - 3. On the **Project overview** page, copy the project role ARN. - - 2. The admin then must go to the Amazon S3 console and add a CORS policy to the bucket that you want to access in your project. - - 1. Navigate to the Amazon S3 console. - - 2. Navigate to the bucket you want to grant access to. - - 3. On the **Permissions** tab, under **Cross-origin resource sharing (CORS)** , choose **Edit**. - - 4. Enter in the new CORS policy, then choose **Save changes**. - - [ - { - "AllowedHeaders": [ - "*" - ], - "AllowedMethods": [ - "PUT", - "GET", - "POST", - "DELETE", - "HEAD" - ], - "AllowedOrigins": [ - "domainUrl" // example: https://dzd_abcdefg1234567.sagemaker.us-east-1.on.aws - ], - "ExposeHeaders": [ - "x-amz-version-id" - ] - } - ] - - - 5. Choose the name of an object to view its details. On the **Properties** tab, note the resource name ARN and the S3 URI. You will need to use these later. - - 3. The admin then must go to the IAM console and update the project role. - - 1. Navigate to the IAM console. - - 2. On the **Roles** page, search for the project role using the last string in the project role ARN, for example: `datazone_usr_role_1a2b3c45de6789_abcd1efghij2kl`. - - 3. Select the project role to navigate to the project role details. - - 4. Under the **Permissions** tab, choose **Add permissions** , then choose **Create inline policy**. - - 5. Use the JSON editor to create a policy so that the project has access to an Amazon S3 location, using the Amazon S3 resource ARN that you noted in step 2. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "S3AdditionalBucketPermissions", - "Effect": "Allow", - "Action": [ - "s3:ListBucket", - "s3:GetBucketLocation" - ], - "Resource": [ - "arn:aws:s3:::bucketName" - ] - }, - { - "Sid": "S3AdditionalObjectPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject*", - "s3:PutObject" - ], - "Resource": [ - "arn:aws:s3:::bucketName/key/*" - ] - } - ] - } - - - 6. Choose **Next** - - 7. Enter a name for the policy, then choose **Create policy**. - - - - -### Prerequisite option 2: Gain access using an access role - -Work with your admin to complete the following steps: - - 1. Retrieve the project role ARN and the project ID and send them to your admin. - - 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. - - 2. Navigate to the project that you want to add Amazon S3 data to. You can do this by choosing **Browse all projects** from the center menu, and then selecting the name of the project. - - 3. On the **Project overview** page, copy the project role ARN and the project ID. - - 2. The admin then must go to the Amazon S3 console and add a CORS policy to the bucket that you want to access in your project. +You can bring in Amazon S3 data to your project and access it on the **Data** page of your project in Amazon SageMaker Unified Studio. @@ -127 +9 @@ Work with your admin to complete the following steps: - 1. Navigate to the Amazon S3 console. +To add S3 tables to your lakehouse in Amazon SageMaker Unified Studio, see [Amazon S3 tables integration](./lakehouse-s3-tables-integration.html). @@ -129 +11 @@ Work with your admin to complete the following steps: - 2. Navigate to the bucket you want to grant access to. +To add S3 data as assets in your Amazon SageMaker Unified Studio project catalog, see [Adding Amazon S3 data](./adding-existing-s3-data.html). In Amazon SageMaker Unified Studio, assets represent specific types of data resources such as database tables, dashboards, S3 buckets or prefixes, or machine learning models. @@ -131,164 +13 @@ Work with your admin to complete the following steps: - 3. On the **Permissions** tab, under **Cross-origin resource sharing (CORS)** , choose **Edit**. - - 4. Enter in the new CORS policy, then choose **Save changes**. - - [ - { - "AllowedHeaders": [ - "*" - ], - "AllowedMethods": [ - "PUT", - "GET", - "POST", - "DELETE", - "HEAD" - ], - "AllowedOrigins": [ - "domainUrl" // example: https://dzd_abcdefg1234567.sagemaker.us-east-1.on.aws - ], - "ExposeHeaders": [ - "x-amz-version-id" - ] - } - ] - - - 5. Choose the name of an object to view its details. On the **Properties** tab, note the resource name ARN and the S3 URI. You will need to use these later. - - 3. The admin then must go to the IAM console and create an access role. - - 1. Navigate to the IAM console. - - 2. On the **Roles** page, choose **Create role**. - - 3. Under **Trusted entity type** , choose **AWS service**. - - 4. Under **Use case** , select **S3** from the dropdown menu, then choose the **S3** button. - - 5. Choose **Next**. - - 6. Search for and select the **AmazonS3FullAccess** policy, then choose **Next**. - - 7. Enter a name for the role, then choose **Create role**. - - 8. Select the access role from the list on the **Roles** page. - - 9. Under **Trust relationships** choose **Edit trust policy**. - - 10. Edit the trust policy to include the project ID and project ARN. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "project-role-arn" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "project-id" - } - } - }, - { - "Effect": "Allow",