AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-07-18 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFunctionExecutionRolePolicy.md

Summary

Replaced inline IAM policy JSON with reference link to AWS Managed Policy documentation

Security assessment

Simplifies documentation by linking to central policy reference. No security vulnerabilities are mentioned or patched - this is a documentation structure improvement rather than a security update. The policy itself remains security-related documentation.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFunctionExecutionRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFunctionExecutionRolePolicy.md
index 4750d60dd..47315200d 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFunctionExecutionRolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFunctionExecutionRolePolicy.md
@@ -22,37 +22 @@ This policy allows the AWS Lambda service to access specific resources tagged wi
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [
-    		{
-    			"Sid": "SecretsManagerReadPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"secretsmanager:DescribeSecret",
-    				"secretsmanager:GetSecretValue"
-    			],
-    			"Resource": "arn:aws:secretsmanager:*:*:secret:amazon-bedrock*",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}",
-    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "KMSSameAccountBedrockViaSecretsManagerPermissions",
-    			"Effect": "Allow",
-    			"Action": "kms:Decrypt",
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringLike": {
-    					"kms:ViaService": "secretsmanager.*.amazonaws.com",
-    					"kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:*:${aws:PrincipalAccount}:secret:amazon-bedrock*"
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		}
-    	]
-    }
-    	
+To view the permissions for this policy, see [SageMakerStudioBedrockFunctionExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockFunctionExecutionRolePolicy.html) in the _AWS Managed Policy Reference_.