AWS sagemaker-unified-studio documentation change
Summary
Replaced detailed IAM policy JSON with external reference link to managed policy documentation
Security assessment
Removal of explicit policy details doesn't indicate a security fix. The change appears to be documentation consolidation rather than addressing security vulnerabilities.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy.md index 13880561d..f02b04af0 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy.md @@ -28,151 +28 @@ This policy allows the Amazon Bedrock service to access specific resources tagge - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "BedrockAppInferenceProfileInvocationPermissions", - "Effect": "Allow", - "Action": [ - "bedrock:GetInferenceProfile", - "bedrock:InvokeModel", - "bedrock:InvokeModelWithResponseStream" - ], - "Resource": "arn:aws:bedrock:*:*:application-inference-profile/*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "BedrockModelInvocationPermission", - "Effect": "Allow", - "Action": [ - "bedrock:InvokeModel", - "bedrock:InvokeModelWithResponseStream" - ], - "Resource": [ - "arn:aws:bedrock:*::foundation-model/*", - "arn:aws:bedrock:*:*:custom-model/*", - "arn:aws:bedrock:*:*:provisioned-model/*" - ], - "Condition": { - "Null": { - "bedrock:InferenceProfileArn": "false" - } - } - }, - { - "Sid": "OpenSearchServerlessPermissions", - "Effect": "Allow", - "Action": "aoss:APIAccessAll", - "Resource": "arn:aws:aoss:*:*:collection/*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringLike": { - "aoss:collection": "bedrock*" - } - } - }, - { - "Sid": "ListDomainS3BucketPermissions", - "Effect": "Allow", - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringLike": { - "s3:prefix": [ - "${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}", - "${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/*" - ] - }, - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "" - } - } - }, - { - "Sid": "AccessDomainS3BucketPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion" - ], - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "" - } - } - }, - { - "Sid": "BedrockKnowledgeBaseKmsPermissions", - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringLike": { - "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:*:${aws:PrincipalAccount}:knowledge-base/*" - } - } - }, - { - "Sid": "S3KmsPermissions", - "Effect": "Allow", - "Action": "kms:Decrypt", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": "s3.*.amazonaws.com" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "ArnLike": { - "kms:EncryptionContext:aws:s3:arn": [ - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}", - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/*" - ] - } - } - }, - { - "Sid": "SqlWorkbenchAccessPermissions", - "Effect": "Allow", - "Action": [ - "sqlworkbench:GetSqlRecommendations", - "sqlworkbench:PutSqlGenerationContext", - "sqlworkbench:GetSqlGenerationContext", - "sqlworkbench:DeleteSqlGenerationContext" - ], - "Resource": "*" - }, - { - "Sid": "BedrockGenerateQueryPermissions", - "Effect": "Allow", - "Action": [ - "bedrock:GenerateQuery" - ], - "Resource": "*" - } - ] - } - +To view the permissions for this policy, see [SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy.html) in the _AWS Managed Policy Reference_.