AWS sagemaker documentation change
Summary
Added section about customizing access to pipeline versions using sagemaker:PipelineVersionId condition key
Security assessment
Introduces a new access control mechanism using version-based conditions but does not address a specific security vulnerability. Enhances security documentation by describing granular permission controls.
Diff
diff --git a/sagemaker/latest/dg/build-and-manage-access.md b/sagemaker/latest/dg/build-and-manage-access.md index 614ba7211..d312d7be2 100644 --- a//sagemaker/latest/dg/build-and-manage-access.md +++ b//sagemaker/latest/dg/build-and-manage-access.md @@ -5 +5 @@ -Pipeline Role PermissionsPipeline Step PermissionsCORS configuration with Amazon S3 bucketsCustomize access management for Pipelines jobsService Control Policies with Pipelines +Pipeline Role PermissionsPipeline Step PermissionsCORS configuration with Amazon S3 bucketsCustomize access management for Pipelines jobsCustomize access to pipeline versionsService Control Policies with Pipelines @@ -20,0 +21,2 @@ The following sections describe the AWS Identity and Access Management (IAM) req + * Customize access to pipeline versions + @@ -241,0 +244,26 @@ Finally, you can view your custom-prefixed job by calling `list_steps` on the pi +## Customize access to pipeline versions + +You can grant customized access to specific versions of Amazon SageMaker Pipelines by using the `sagemaker:PipelineVersionId` condition key. For example, the policy below grants access to start executions or update pipeline version only for version ID 6 and above. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowStartPipelineExecution", + "Effect": "Allow", + "Action": [ + "sagemaker:StartPipelineExecution", + "sagemaker:UpdatePipelineVersion" + ], + "Resource": "*", + "Condition": { + "NumericGreaterThanEquals": { + "sagemaker:PipelineVersionId": 6 + } + } + } + } + +For more information about supported condition keys, see [Condition keys for Amazon SageMaker AI](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html#amazonsagemaker-policy-keys). +