AWS sagemaker-unified-studio documentation change
Summary
Replaced inline IAM policy JSON with reference to AWS Managed Policy documentation
Security assessment
The change removes detailed policy permissions and replaces them with a link to external documentation. While IAM policies are security-related, this appears to be a documentation consolidation rather than addressing a specific security vulnerability. No evidence of security incident remediation or vulnerability patching in the change.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockAgentServiceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockAgentServiceRolePolicy.md index caebb13ba..edb455cb5 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockAgentServiceRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockAgentServiceRolePolicy.md @@ -26,137 +26 @@ This policy allows the Amazon Bedrock service to access specific resources tagge - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "BedrockAppInferenceProfileInvocationPermissions", - "Effect": "Allow", - "Action": [ - "bedrock:GetInferenceProfile", - "bedrock:InvokeModel", - "bedrock:InvokeModelWithResponseStream" - ], - "Resource": "arn:aws:bedrock:*:*:application-inference-profile/*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "BedrockModelInvocationPermissions", - "Effect": "Allow", - "Action": [ - "bedrock:InvokeModel", - "bedrock:InvokeModelWithResponseStream" - ], - "Resource": [ - "arn:aws:bedrock:*::foundation-model/*", - "arn:aws:bedrock:*:*:custom-model/*", - "arn:aws:bedrock:*:*:provisioned-model/*" - ], - "Condition": { - "Null": { - "bedrock:InferenceProfileArn": "false" - } - } - }, - { - "Sid": "BedrockApplyGuardrailPermissions", - "Effect": "Allow", - "Action": "bedrock:ApplyGuardrail", - "Resource": "arn:aws:bedrock:*:*:guardrail/*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}", - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "BedrockRetrieveAndGeneratePermissions", - "Effect": "Allow", - "Action": "bedrock:RetrieveAndGenerate", - "Resource": "*" - }, - { - "Sid": "LambdaInvokeFunctionInProjectPermissions", - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": "arn:aws:lambda:*:*:function:amazon-bedrock*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}", - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "BedrockRetrievePermissions", - "Effect": "Allow", - "Action": "bedrock:Retrieve", - "Resource": "arn:aws:bedrock:*:*:knowledge-base/*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}", - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "S3GetObjectPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:GetObjectVersionAttributes", - "s3:GetObjectAttributes" - ], - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "" - } - } - }, - { - "Sid": "BedrockGuardrailKmsPermissions", - "Effect": "Allow", - "Action": "kms:Decrypt", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "kms:EncryptionContext:aws:bedrock:guardrail-id": "false" - } - } - }, - { - "Sid": "S3KmsPermissions", - "Effect": "Allow", - "Action": "kms:Decrypt", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": "s3.*.amazonaws.com" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "ArnLike": { - "kms:EncryptionContext:aws:s3:arn": [ - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}", - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/*" - ] - } - } - } - ] - } - +To view the permissions for this policy, see [SageMakerStudioBedrockAgentServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockAgentServiceRolePolicy.html) in the _AWS Managed Policy Reference_.