AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2025-07-18 · Documentation medium

File: sagemaker/latest/dg/build-and-manage-access.md

Summary

Added section about customizing access to pipeline versions using sagemaker:PipelineVersionId condition key

Security assessment

Introduces a new access control mechanism using version-based conditions but does not address a specific security vulnerability. Enhances security documentation by describing granular permission controls.

Diff

diff --git a/sagemaker/latest/dg/build-and-manage-access.md b/sagemaker/latest/dg/build-and-manage-access.md
index 614ba7211..d312d7be2 100644
--- a//sagemaker/latest/dg/build-and-manage-access.md
+++ b//sagemaker/latest/dg/build-and-manage-access.md
@@ -5 +5 @@
-Pipeline Role PermissionsPipeline Step PermissionsCORS configuration with Amazon S3 bucketsCustomize access management for Pipelines jobsService Control Policies with Pipelines
+Pipeline Role PermissionsPipeline Step PermissionsCORS configuration with Amazon S3 bucketsCustomize access management for Pipelines jobsCustomize access to pipeline versionsService Control Policies with Pipelines
@@ -20,0 +21,2 @@ The following sections describe the AWS Identity and Access Management (IAM) req
+  * Customize access to pipeline versions
+
@@ -241,0 +244,26 @@ Finally, you can view your custom-prefixed job by calling `list_steps` on the pi
+## Customize access to pipeline versions
+
+You can grant customized access to specific versions of Amazon SageMaker Pipelines by using the `sagemaker:PipelineVersionId` condition key. For example, the policy below grants access to start executions or update pipeline version only for version ID 6 and above.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowStartPipelineExecution",
+                "Effect": "Allow",
+                "Action": [
+                    "sagemaker:StartPipelineExecution",
+                    "sagemaker:UpdatePipelineVersion"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "NumericGreaterThanEquals": {
+                        "sagemaker:PipelineVersionId": 6
+                    }
+                }
+            }
+    }
+
+For more information about supported condition keys, see [Condition keys for Amazon SageMaker AI](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html#amazonsagemaker-policy-keys).
+