AWS sagemaker-unified-studio documentation change
Summary
Replaced inline IAM policy JSON with a reference link to AWS Managed Policy documentation
Security assessment
The change removes detailed policy permissions from the documentation and replaces them with a link. While IAM policies are security-related, this appears to be a documentation restructuring rather than addressing a specific security vulnerability. No evidence of security incident remediation or policy changes - only documentation format changed.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md index 1d39fae73..1ad80b72f 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md @@ -9,136 +9 @@ Amazon SageMaker Unified Studio creates IAM roles for project users to perform d - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AccessCertificateLocationS3Permission", - "Effect": "Allow", - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/certificate_location/*", - "Condition": { - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "" - }, - "Null": { - "aws:PrincipalTag/AmazonDataZoneProject": "false" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AccessPatchingRPMsS3Permission", - "Effect": "Allow", - "Action": "s3:GetObject", - "Resource": [ - "arn:aws:s3:::default-env-blueprint-*/*", - "arn:aws:s3:*:*:accesspoint/env-blueprint-accesspoint*" - ], - "Condition": { - "ArnLike": { - "s3:DataAccessPointArn": "arn:aws:s3:*:*:accesspoint/env-blueprint-accesspoint" - }, - "StringNotEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AccessBootstrapActionScriptS3Permission", - "Effect": "Allow", - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/${aws:PrincipalTag/AmazonDataZoneScopeName}/sys/emr/bootstrap-script/*", - "Condition": { - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "", - "aws:PrincipalTag/AmazonDataZoneScopeName": "" - }, - "Null": { - "aws:PrincipalTag/AmazonDataZoneProject": "false" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "EMRClusterLogUploadS3Permission", - "Effect": "Allow", - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::${aws:PrincipalTag/DomainBucketName}/${aws:PrincipalTag/AmazonDataZoneDomain}/${aws:PrincipalTag/AmazonDataZoneProject}/${aws:PrincipalTag/AmazonDataZoneScopeName}/sys/emr/*", - "Condition": { - "StringNotEquals": { - "aws:PrincipalTag/DomainBucketName": "", - "aws:PrincipalTag/AmazonDataZoneDomain": "", - "aws:PrincipalTag/AmazonDataZoneProject": "", - "aws:PrincipalTag/AmazonDataZoneScopeName": "" - }, - "Null": { - "aws:PrincipalTag/AmazonDataZoneProject": "false" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "EMRRuntimeRoleAssumePermissions", - "Effect": "Allow", - "Action": [ - "sts:AssumeRole", - "sts:TagSession" - ], - "Resource": "*", - "Condition": { - "ForAllValues:StringEquals": { - "aws:TagKeys": [ - "LakeFormationAuthorizedCaller" - ] - }, - "StringEquals": { - "iam:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "EMRKMSPermissions", - "Effect": "Allow", - "Action": [ - "kms:CreateGrant", - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": [ - "ec2.*.amazonaws.com" - ] - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "kms:EncryptionContextKeys": "false" - } - } - }, - { - "Sid": "AllowGenerateDataKeyForEbsEncryption", - "Effect": "Allow", - "Action": "kms:GenerateDataKey", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - } - ] - } - +To view the permissions for this policy, see [SageMakerStudioEMRInstanceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioEMRInstanceRolePolicy.html) in the _AWS Managed Policy Reference_.