AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-07-18 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md

Summary

Replaced inline IAM policy JSON with reference link to AWS Managed Policy documentation

Security assessment

Change removes detailed permissions listing and points to external policy reference. While related to security documentation, there's no evidence of addressing a specific vulnerability - this is a documentation consolidation change rather than a security fix.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md
index 790ac9bf3..e9d2ad22e 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md
@@ -24,147 +24 @@ This policy allows the Amazon Bedrock service to access specific resources tagge
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [
-    		{
-    			"Sid": "BedrockEvaluationInferenceProfileInvocationPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"bedrock:InvokeModel",
-    				"bedrock:InvokeModelWithResponseStream",
-    				"bedrock:GetInferenceProfile"
-    			],
-    			"Resource": [
-    				"arn:aws:bedrock:*:*:application-inference-profile/*"
-    			],
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "BedrockInvokeModelPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"bedrock:InvokeModel",
-    				"bedrock:InvokeModelWithResponseStream"
-    			],
-    			"Resource": [
-    				"arn:aws:bedrock:*::foundation-model/*",
-    				"arn:aws:bedrock:*:*:custom-model/*",
-    				"arn:aws:bedrock:*:*:provisioned-model/*"
-    			],
-    			"Condition": {
-    				"Null": {
-    					"bedrock:InferenceProfileArn": "false"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "BedrockModelInvocationPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"bedrock:CreateModelInvocationJob",
-    				"bedrock:StopModelInvocationJob",
-    				"bedrock:GetProvisionedModelThroughput"
-    			],
-    			"Resource": "*",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "S3GetBucketLocationPermissions",
-    			"Effect": "Allow",
-    			"Action": "s3:GetBucketLocation",
-    			"Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				},
-    				"StringNotEquals": {
-    					"aws:PrincipalTag/DomainBucketName": ""
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "S3ListBucketPermissions",
-    			"Effect": "Allow",
-    			"Action": "s3:ListBucket",
-    			"Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				},
-    				"StringLike": {
-    					"s3:prefix": "${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/*"
-    				},
-    				"StringNotEquals": {
-    					"aws:PrincipalTag/DomainBucketName": "",
-    					"aws:PrincipalTag/AmazonDataZoneDomain": "",
-    					"aws:PrincipalTag/AmazonDataZoneProject": ""
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "S3EvaluationPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"s3:GetObject",
-    				"s3:PutObject",
-    				"s3:ListMultipartUploadParts",
-    				"s3:AbortMultipartUpload"
-    			],
-    			"Resource": [
-    				"arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/*"
-    			],
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				},
-    				"StringNotEquals": {
-    					"aws:PrincipalTag/DomainBucketName": "",
-    					"aws:PrincipalTag/AmazonDataZoneDomain": "",
-    					"aws:PrincipalTag/AmazonDataZoneProject": ""
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "KmsDescribeKeyPermissions",
-    			"Effect": "Allow",
-    			"Action": "kms:DescribeKey",
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "S3KmsPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:Decrypt",
-    				"kms:GenerateDataKey"
-    			],
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringLike": {
-    					"kms:ViaService": "s3.*.amazonaws.com"
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				},
-    				"ArnLike": {
-    					"kms:EncryptionContext:aws:s3:arn": [
-    						"arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}",
-    						"arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/*"
-    					]
-    				}
-    			}
-    		}
-    	]
-    }
-    		
+To view the permissions for this policy, see [SageMakerStudioBedrockEvaluationJobServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockEvaluationJobServiceRolePolicy.html) in the _AWS Managed Policy Reference_.