AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-07-18 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md

Summary

Replaced inline IAM policy JSON with a reference link to AWS Managed Policy documentation

Security assessment

The change removes detailed policy permissions from the documentation and replaces them with a link. While IAM policies are security-related, this appears to be a documentation restructuring rather than addressing a specific security vulnerability. No evidence of security incident remediation or policy changes - only documentation format changed.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md
index 1d39fae73..1ad80b72f 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md
@@ -9,136 +9 @@ Amazon SageMaker Unified Studio creates IAM roles for project users to perform d
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [
-    		{
-    			"Sid": "AccessCertificateLocationS3Permission",
-    			"Effect": "Allow",
-    			"Action": "s3:GetObject",
-    			"Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/certificate_location/*",
-    			"Condition": {
-    				"StringNotEquals": {
-    					"aws:PrincipalTag/DomainBucketName": "",
-    					"aws:PrincipalTag/AmazonDataZoneDomain": ""
-    				},
-    				"Null": {
-    					"aws:PrincipalTag/AmazonDataZoneProject": "false"
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "AccessPatchingRPMsS3Permission",
-    			"Effect": "Allow",
-    			"Action": "s3:GetObject",
-    			"Resource": [
-    				"arn:aws:s3:::default-env-blueprint-*/*",
-    				"arn:aws:s3:*:*:accesspoint/env-blueprint-accesspoint*"
-    			],
-    			"Condition": {
-    				"ArnLike": {
-    					"s3:DataAccessPointArn": "arn:aws:s3:*:*:accesspoint/env-blueprint-accesspoint"
-    				},
-    				"StringNotEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "AccessBootstrapActionScriptS3Permission",
-    			"Effect": "Allow",
-    			"Action": "s3:GetObject",
-    			"Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/${aws:PrincipalTag/AmazonDataZoneScopeName}/sys/emr/bootstrap-script/*",
-    			"Condition": {
-    				"StringNotEquals": {
-    					"aws:PrincipalTag/DomainBucketName": "",
-    					"aws:PrincipalTag/AmazonDataZoneDomain": "",
-    					"aws:PrincipalTag/AmazonDataZoneProject": "",
-    					"aws:PrincipalTag/AmazonDataZoneScopeName": ""
-    				},
-    				"Null": {
-    					"aws:PrincipalTag/AmazonDataZoneProject": "false"
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "EMRClusterLogUploadS3Permission",
-    			"Effect": "Allow",
-    			"Action": "s3:PutObject",
-    			"Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/${aws:PrincipalTag/AmazonDataZoneScopeName}/sys/emr/*",
-    			"Condition": {
-    				"StringNotEquals": {
-    					"aws:PrincipalTag/DomainBucketName": "",
-    					"aws:PrincipalTag/AmazonDataZoneDomain": "",
-    					"aws:PrincipalTag/AmazonDataZoneProject": "",
-    					"aws:PrincipalTag/AmazonDataZoneScopeName": ""
-    				},
-    				"Null": {
-    					"aws:PrincipalTag/AmazonDataZoneProject": "false"
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "EMRRuntimeRoleAssumePermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"sts:AssumeRole",
-    				"sts:TagSession"
-    			],
-    			"Resource": "*",
-    			"Condition": {
-    				"ForAllValues:StringEquals": {
-    					"aws:TagKeys": [
-    						"LakeFormationAuthorizedCaller"
-    					]
-    				},
-    				"StringEquals": {
-    					"iam:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "EMRKMSPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:CreateGrant",
-    				"kms:Decrypt",
-    				"kms:Encrypt",
-    				"kms:GenerateDataKeyWithoutPlaintext"
-    			],
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringLike": {
-    					"kms:ViaService": [
-    						"ec2.*.amazonaws.com"
-    					]
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				},
-    				"Null": {
-    					"kms:EncryptionContextKeys": "false"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "AllowGenerateDataKeyForEbsEncryption",
-    			"Effect": "Allow",
-    			"Action": "kms:GenerateDataKey",
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		}
-    	]
-    }
-    		
+To view the permissions for this policy, see [SageMakerStudioEMRInstanceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioEMRInstanceRolePolicy.html) in the _AWS Managed Policy Reference_.