AWS sagemaker-unified-studio documentation change
Summary
Added multiple policy updates including S3 access grants, cross-account access permissions, vector store management, and new IAM policies for data lake operations and QuickSight integration
Security assessment
Documents updates to AWS managed policies with new permissions for various services (S3, Neptune, CloudWatch, etc.) and cross-account access patterns. While these are security-related documentation updates, there is no evidence they address existing security vulnerabilities.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/doc-history.md b/sagemaker-unified-studio/latest/adminguide/doc-history.md index f4a25a348..8ac94f061 100644 --- a//sagemaker-unified-studio/latest/adminguide/doc-history.md +++ b//sagemaker-unified-studio/latest/adminguide/doc-history.md @@ -10,0 +11,7 @@ Change| Description| Date +Policy updates - SageMakerStudioProjectUserRolePolicy| Policy update - adding permissions to allow deletion of AWS Glue databases in Amazon Datalake, adding `sqlworkbench` service principals for the `redshift-serverless:GetCredentials` action, adding permissions to fetch jobs based on tags and resources, adding permissions to update Amazon CloudWatch metrics from job runs and read/write job logs, and adding permissions to support Amazon S3 access grants. Also adding permissions to allow cross-account project access for encrypted domains and adding support for `ProjectRole` and `DescribeResource` actions in order to check for the Amazon S3 tables' Lake Formation registration. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 15, 2025 +Policy updates - SageMakerStudioProjectRoleMachineLearningPolicy| Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support Amazon S3 asset subscription fulfillment using Amazon S3 access grants. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 15, 2025 +Policy updates - SageMakerStudioProjectProvisioningRolePolicy| Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions to create and manage Amazon S3 table buckets and also adding permissions to automate S3 table analytics integration flow within Amazon SageMaker Unified Studio. Also adding permissions to read templates from users' S3 buckets and permissions to validate the template using AWS Cloud Formation. Also adding permissions to get and create an S3 access grant instance in the project account to support managing subscriptions for S3 asset types. Also adding `neptune-graph:*` and `s3vectors:*` permissions to support Knowledge Base vector store management of two new vector store services in Amazon SageMaker Unified Studio: S3Vectors vector buckets and Neptune Analytics graphs. Also adding permissions to allow cross-account project access for encrypted domains. And adding support for the data onboarding in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 15, 2025 +Policy updates - SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy| Policy updates to the SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy - adding `neptune-graph:*` and `s3vectors:*` permissions to support vector read/write on vector stores for two new vector store services: S3Vectors vector buckets and Neptune Analytics graphs. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 15, 2025 +New policy - SageMakerStudioAdminProjectUserRolePolicy| New policy - this IAM policy grants an IAM role full access to the AWS Glue Data Catalog (metadata) and Amazon S3 (actual data) for the data lake operations, with access scoped by region, account, and role tags. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 15, 2025 +Automated onboarding of Amazon SageMaker Lakehouse| Adding support for automated onboarding of Amazon SageMaker Lakehouse. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/data-onboarding.html).| July 15, 2025 +Amazon QuickSight integration| Enabling Amazon QuickSight integration in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/amazon-quicksight.html).| July 15, 2025 @@ -17 +24 @@ Policy update - SageMakerStudioProjectUserRolePolicy| Policy updates to the Sage -Policy updates - AmazonDataZoneBedrockModelConsumptionPolicy| Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy \- adding permissions to call the `ListFoundationModels` action. This permission is added to help get model metadata more programmatically when the user is selecting which models to invoke.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| May 28, 2025 +Policy updates - AmazonDataZoneBedrockModelConsumptionPolicy| Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy - adding permissions to call the `ListFoundationModels` action. This permission is added to help get model metadata more programmatically when the user is selecting which models to invoke.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| May 28, 2025 @@ -35 +42 @@ Policy update - SageMakerStudioProjectRoleMachineLearningPolicy| Policy updates -Policy update - SageMakerStudioProjectProvisioningRolePolicy| Policy updates to the \- renaming Amazon Bedrock tag and adding permission to removeSageMakerStudioProjectProvisioningRolePolicy deprecated tag on roles. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| February 28, 2025 +Policy update - SageMakerStudioProjectProvisioningRolePolicy| Policy updates to the - renaming Amazon Bedrock tag and adding permission to removeSageMakerStudioProjectProvisioningRolePolicy deprecated tag on roles. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| February 28, 2025