AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2025-07-18 · Documentation medium

File: sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md

Summary

Added detailed IAM policy requirements for Amazon EKS clusters with restricted instance groups (RIG), including specific S3 permissions (ListBucket, GetObject, PutObject, DeleteObject) required for data access

Security assessment

The change adds documentation about required permissions for secure S3 data access in restricted environments but does not indicate a security vulnerability fix. It improves security posture by clarifying necessary permissions.

Diff

diff --git a/sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md b/sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md
index 05d194015..904f13870 100644
--- a//sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md
+++ b//sagemaker/latest/dg/sagemaker-hyperpod-prerequisites-iam.md
@@ -419 +419,29 @@ For Amazon EKS support in SageMaker HyperPod, HyperPod creates a service-linked
-**IAM policies for Amazon EKS**
+**Additional IAM policies for Amazon EKS cluster with restricted instance group (RIG)**
+
+Workloads running in restricted instance groups rely on the execution role to load data from Amazon S3. You must add the additional Amazon S3 permissions to the execution role so that customization jobs running in restricted instance groups can properly fetch input data.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:ListBucket"
+          ],
+          "Resource": [
+            "arn:aws:s3:::your-bucket-name"      ]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetObject",
+            "s3:PutObject",
+            "s3:DeleteObject",
+          ],
+          "Resource": [
+            "arn:aws:s3:::your-bucket-name/*"
+          ]
+        }
+      ]
+    }