AWS sagemaker-unified-studio documentation change
Summary
Replaced inline IAM policy JSON with a reference link to AWS Managed Policy documentation
Security assessment
Similar to the first file, this removes policy details in favor of external reference. The change impacts documentation structure but doesn't indicate any security vulnerability fix or policy modification. Maintains existing security documentation through reference rather than direct content.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md index 4ebe72b0f..6991350ab 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md @@ -9,113 +9 @@ Amazon SageMaker Unified Studio creates IAM roles for project users to perform d - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "PassRoleToEMREC2InstanceRole", - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::*:role/datazone_emr_ec2_instance_role_${aws:PrincipalTag/AmazonDataZoneProject}_${aws:PrincipalTag/AmazonDataZoneEnvironment}", - "Condition": { - "StringLike": { - "iam:PassedToService": "ec2.amazonaws.com" - }, - "StringNotEquals": { - "aws:PrincipalTag/AmazonDataZoneProject": "", - "aws:PrincipalTag/AmazonDataZoneEnvironment": "" - }, - "Null": { - "aws:PrincipalTag/AmazonDataZoneProject": "false" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "CreateInNetworkForSharedSubnet", - "Effect": "Allow", - "Action": [ - "ec2:CreateNetworkInterface", - "ec2:RunInstances", - "ec2:CreateFleet" - ], - "Resource": [ - "*" - ], - "Condition": { - "ArnLike": { - "ec2:Vpc": "arn:aws:ec2:*:*:vpc/${aws:PrincipalTag/VpcId}" - } - } - }, - { - "Sid": "EMRKMSPermissions", - "Effect": "Allow", - "Action": [ - "kms:CreateGrant", - "kms:ReEncryptFrom", - "kms:ReEncryptTo", - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": [ - "ec2.*.amazonaws.com" - ] - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "kms:EncryptionContextKeys": "false" - } - } - }, - { - "Sid": "AllowGenerateDataKeyForEbsEncryption", - "Effect": "Allow", - "Action": "kms:GenerateDataKey", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowEMRForKMSManagement", - "Effect": "Allow", - "Action": [ - "kms:ListGrants", - "kms:RevokeGrant", - "kms:DescribeKey" - ], - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": [ - "ec2.*.amazonaws.com" - ] - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowEMRToListKmsAliases", - "Effect": "Allow", - "Action": "kms:ListAliases", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - } - ] - } - +To view the permissions for this policy, see [SageMakerStudioEMRServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioEMRServiceRolePolicy.html) in the _AWS Managed Policy Reference_.