AWS sagemaker documentation change
Summary
Added detailed IAM policy requirements for Amazon EKS clusters with restricted instance groups (RIG), including specific S3 permissions (ListBucket, GetObject, PutObject, DeleteObject) required for data access
Security assessment
The change adds documentation about required permissions for secure S3 data access in restricted environments but does not indicate a security vulnerability fix. It improves security posture by clarifying necessary permissions.
Diff
diff --git a/sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md b/sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md index 05d194015..904f13870 100644 --- a//sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md +++ b//sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md @@ -419 +419,29 @@ For Amazon EKS support in SageMaker HyperPod, HyperPod creates a service-linked -**IAM policies for Amazon EKS** +**Additional IAM policies for Amazon EKS cluster with restricted instance group (RIG)** + +Workloads running in restricted instance groups rely on the execution role to load data from Amazon S3. You must add the additional Amazon S3 permissions to the execution role so that customization jobs running in restricted instance groups can properly fetch input data. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::your-bucket-name" ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + ], + "Resource": [ + "arn:aws:s3:::your-bucket-name/*" + ] + } + ] + }