AWS sagemaker-unified-studio documentation change
Summary
Replaced inline IAM policy JSON with reference link to AWS Managed Policy documentation
Security assessment
Change removes detailed permissions listing and points to external policy reference. While related to security documentation, there's no evidence of addressing a specific vulnerability - this is a documentation consolidation change rather than a security fix.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md index 790ac9bf3..e9d2ad22e 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md @@ -24,147 +24 @@ This policy allows the Amazon Bedrock service to access specific resources tagge - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "BedrockEvaluationInferenceProfileInvocationPermissions", - "Effect": "Allow", - "Action": [ - "bedrock:InvokeModel", - "bedrock:InvokeModelWithResponseStream", - "bedrock:GetInferenceProfile" - ], - "Resource": [ - "arn:aws:bedrock:*:*:application-inference-profile/*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "BedrockInvokeModelPermissions", - "Effect": "Allow", - "Action": [ - "bedrock:InvokeModel", - "bedrock:InvokeModelWithResponseStream" - ], - "Resource": [ - "arn:aws:bedrock:*::foundation-model/*", - "arn:aws:bedrock:*:*:custom-model/*", - "arn:aws:bedrock:*:*:provisioned-model/*" - ], - "Condition": { - "Null": { - "bedrock:InferenceProfileArn": "false" - } - } - }, - { - "Sid": "BedrockModelInvocationPermissions", - "Effect": "Allow", - "Action": [ - "bedrock:CreateModelInvocationJob", - "bedrock:StopModelInvocationJob", - "bedrock:GetProvisionedModelThroughput" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "S3GetBucketLocationPermissions", - "Effect": "Allow", - "Action": "s3:GetBucketLocation", - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "" - } - } - }, - { - "Sid": "S3ListBucketPermissions", - "Effect": "Allow", - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringLike": { - "s3:prefix": "${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/*" - }, - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "" - } - } - }, - { - "Sid": "S3EvaluationPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:PutObject", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload" - ], - "Resource": [ - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "" - } - } - }, - { - "Sid": "KmsDescribeKeyPermissions", - "Effect": "Allow", - "Action": "kms:DescribeKey", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "S3KmsPermissions", - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": "s3.*.amazonaws.com" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "ArnLike": { - "kms:EncryptionContext:aws:s3:arn": [ - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}", - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/*" - ] - } - } - } - ] - } - +To view the permissions for this policy, see [SageMakerStudioBedrockEvaluationJobServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockEvaluationJobServiceRolePolicy.html) in the _AWS Managed Policy Reference_.