AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-07-18 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md

Summary

Replaced inline IAM policy JSON with a reference link to AWS Managed Policy documentation

Security assessment

Similar to the first file, this removes policy details in favor of external reference. The change impacts documentation structure but doesn't indicate any security vulnerability fix or policy modification. Maintains existing security documentation through reference rather than direct content.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md
index 4ebe72b0f..6991350ab 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md
@@ -9,113 +9 @@ Amazon SageMaker Unified Studio creates IAM roles for project users to perform d
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [
-    		{
-    			"Sid": "PassRoleToEMREC2InstanceRole",
-    			"Effect": "Allow",
-    			"Action": "iam:PassRole",
-    			"Resource": "arn:aws:iam::*:role/datazone_emr_ec2_instance_role_${aws:PrincipalTag/AmazonDataZoneProject}_${aws:PrincipalTag/AmazonDataZoneEnvironment}",
-    			"Condition": {
-    				"StringLike": {
-    					"iam:PassedToService": "ec2.amazonaws.com"
-    				},
-    				"StringNotEquals": {
-    					"aws:PrincipalTag/AmazonDataZoneProject": "",
-    					"aws:PrincipalTag/AmazonDataZoneEnvironment": ""
-    				},
-    				"Null": {
-    					"aws:PrincipalTag/AmazonDataZoneProject": "false"
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "CreateInNetworkForSharedSubnet",
-    			"Effect": "Allow",
-    			"Action": [
-    				"ec2:CreateNetworkInterface",
-    				"ec2:RunInstances",
-    				"ec2:CreateFleet"
-    			],
-    			"Resource": [
-    				"*"
-    			],
-    			"Condition": {
-    				"ArnLike": {
-    					"ec2:Vpc": "arn:aws:ec2:*:*:vpc/${aws:PrincipalTag/VpcId}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "EMRKMSPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:CreateGrant",
-    				"kms:ReEncryptFrom",
-    				"kms:ReEncryptTo",
-    				"kms:Decrypt",
-    				"kms:Encrypt",
-    				"kms:GenerateDataKeyWithoutPlaintext"
-    			],
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringLike": {
-    					"kms:ViaService": [
-    						"ec2.*.amazonaws.com"
-    					]
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				},
-    				"Null": {
-    					"kms:EncryptionContextKeys": "false"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "AllowGenerateDataKeyForEbsEncryption",
-    			"Effect": "Allow",
-    			"Action": "kms:GenerateDataKey",
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "AllowEMRForKMSManagement",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:ListGrants",
-    				"kms:RevokeGrant",
-    				"kms:DescribeKey"
-    			],
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringLike": {
-    					"kms:ViaService": [
-    						"ec2.*.amazonaws.com"
-    					]
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "AllowEMRToListKmsAliases",
-    			"Effect": "Allow",
-    			"Action": "kms:ListAliases",
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		}
-    	]
-    }
-    		
+To view the permissions for this policy, see [SageMakerStudioEMRServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioEMRServiceRolePolicy.html) in the _AWS Managed Policy Reference_.