AWS sagemaker-unified-studio documentation change
Summary
Replaced service role policy JSON with external documentation reference
Security assessment
Change removes explicit KMS and SSM permissions from documentation but doesn't indicate any security remediation or new security features being added.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainServiceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainServiceRolePolicy.md index 0dfda1d4f..87feee155 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainServiceRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainServiceRolePolicy.md @@ -9,37 +9 @@ This is the default policy for the SageMakerUnifiedStudioDomainServiceRole servi - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "SSMGetParameterStatement", - "Effect": "Allow", - "Action": [ - "ssm:GetParameter" - ], - "Resource": [ - "arn:aws:ssm:*:*:parameter/amazon/datazone/profiles/*" - ] - }, - { - "Sid": "UseKMSKeyPermissionsStatement", - "Effect": "Allow", - "Action": [ - "kms:Decrypt" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/EnableKeyForAmazonDataZone": "true" - }, - "Null": { - "aws:ResourceTag/EnableKeyForAmazonDataZone": "false" - }, - "StringLike": { - "kms:ViaService": "ssm.*.amazonaws.com", - "kms:EncryptionContext:PARAMETER_ARN": "arn:aws:ssm:*:*:parameter/amazon/datazone/profiles*" - } - } - } - ] - } - +To view the permissions for this policy, see [SageMakerStudioDomainServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioDomainServiceRolePolicy.html) in the _AWS Managed Policy Reference_.