AWS sagemaker-unified-studio documentation change
Summary
Replaced inline IAM policy configuration with reference to external managed policy documentation
Security assessment
Documentation change removes specific permission details but shows no evidence of addressing security vulnerabilities or adding security features.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockPromptUserRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockPromptUserRolePolicy.md index d6438862f..df8b70631 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockPromptUserRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockPromptUserRolePolicy.md @@ -24,95 +24 @@ This policy allows users to access individually shared Amazon Bedrock IDE prompt - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "BedrockPromptReadOnlyPermissions", - "Effect": "Allow", - "Action": "bedrock:GetPrompt", - "Resource": "arn:aws:bedrock:*:*:prompt/${aws:PrincipalTag/PromptId}:${aws:PrincipalTag/PromptVersion}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}", - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "S3ListPromptDefinitionPermissions", - "Effect": "Allow", - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}", - "Condition": { - "StringEquals": { - "s3:prefix": "${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/${aws:PrincipalTag/PromptDefinitionPath}", - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "", - "aws:PrincipalTag/PromptDefinitionPath": "" - } - } - }, - { - "Sid": "S3GetPromptDefinitionPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion" - ], - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/${aws:PrincipalTag/PromptDefinitionPath}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "", - "aws:PrincipalTag/PromptDefinitionPath": "" - } - } - }, - { - "Sid": "BedrockPromptKmsPermissions", - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": "bedrock.*.amazonaws.com", - "kms:EncryptionContext:aws:bedrock-prompts:arn": "arn:aws:bedrock:*:${aws:PrincipalAccount}:prompt/${aws:PrincipalTag/PromptId}" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "S3KmsPermissions", - "Effect": "Allow", - "Action": "kms:Decrypt", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": "s3.*.amazonaws.com" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "ArnLike": { - "kms:EncryptionContext:aws:s3:arn": [ - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}", - "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/*" - ] - } - } - } - ] - } - +To view the permissions for this policy, see [SageMakerStudioBedrockPromptUserRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockPromptUserRolePolicy.html) in the _AWS Managed Policy Reference_.