AWS sagemaker-unified-studio documentation change
Summary
Replaced detailed inline IAM policy JSON with a reference to AWS managed policy documentation
Security assessment
The change removes explicit policy details and directs users to AWS managed policy documentation. While this impacts how administrators view permissions, there's no evidence of addressing a specific security vulnerability. This appears to be a documentation simplification rather than a security fix. The change promotes using AWS-managed policies which is a security best practice, but doesn't introduce new security content.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md index 5474c96ec..8e74efbfa 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md @@ -38,2841 +38 @@ This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId> - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "CfnCreate", - "Effect": "Allow", - "Action": [ - "cloudformation:CreateStack", - "cloudformation:TagResource" - ], - "Resource": [ - "arn:aws:cloudformation:*:*:stack/DataZone*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "aws:ResourceTag/AmazonDataZoneProject": "false", - "aws:TagKeys": "false" - }, - "ForAllValues:StringLike": { - "aws:TagKeys": [ - "AmazonDataZone*" - ] - } - } - }, - { - "Sid": "CfnManage", - "Effect": "Allow", - "Action": [ - "cloudformation:DescribeStacks", - "cloudformation:DescribeStackEvents", - "cloudformation:UpdateStack" - ], - "Resource": [ - "arn:aws:cloudformation:*:*:stack/DataZone*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "aws:ResourceTag/AmazonDataZoneProject": "false" - } - } - }, - { - "Sid": "CfnDelete", - "Effect": "Allow", - "Action": [ - "cloudformation:DeleteStack", - "cloudformation:DescribeStacks" - ], - "Resource": [ - "arn:aws:cloudformation:*:*:stack/DataZone*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "LFManage", - "Effect": "Allow", - "Action": [ - "lakeformation:GetDataLakeSettings", - "lakeformation:PutDataLakeSettings", - "lakeformation:RevokePermissions", - "lakeformation:BatchRevokePermissions", - "lakeformation:ListPermissions", - "lakeformation:RegisterResource", - "lakeformation:DeregisterResource", - "lakeformation:GrantPermissions", - "lakeformation:BatchGrantPermissions", - "lakeformation:ListResources", - "lakeformation:DescribeResource" - ], - "Resource": "*" - }, - { - "Sid": "GetDataZoneTemplate", - "Effect": "Allow", - "Action": "s3:GetObject", - "Resource": "*", - "Condition": { - "StringNotEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringEquals": { - "aws:CalledViaFirst": "cloudformation.amazonaws.com" - } - } - }, - { - "Sid": "CodeCommitCreate", - "Effect": "Allow", - "Action": [ - "codecommit:CreateRepository", - "codecommit:TagResource" - ], - "Resource": "arn:aws:codecommit:*:*:datazone*", - "Condition": { - "StringEquals": { - "aws:CalledViaFirst": "cloudformation.amazonaws.com", - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "aws:ResourceTag/AmazonDataZoneProject": "false", - "aws:TagKeys": "false" - }, - "ForAllValues:StringLike": { - "aws:TagKeys": [ - "AmazonDataZone*" - ] - } - } - }, - { - "Sid": "CodeCommitDeletion", - "Effect": "Allow", - "Action": [ - "codecommit:DeleteRepository", - "codecommit:UpdateRepositoryEncryptionKey", - "codecommit:PutRepositoryTriggers" - ], - "Resource": "arn:aws:codecommit:*:*:datazone*", - "Condition": { - "StringEquals": { - "aws:CalledViaFirst": "cloudformation.amazonaws.com", - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "aws:ResourceTag/AmazonDataZoneProject": "false" - } - } - }, - { - "Sid": "CodeCommitAccess", - "Effect": "Allow", - "Action": [ - "codecommit:GetBranch", - "codecommit:CreateCommit", - "codecommit:GetRepository", - "codecommit:GetFile" - ], - "Resource": "arn:aws:codecommit:*:*:datazone*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "CodeCommitList", - "Effect": "Allow", - "Action": [ - "codecommit:ListRepositories" - ], - "Resource": "*" - }, - { - "Sid": "CodeCommitKms", - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:ReEncryptTo", - "kms:ReEncryptFrom", - "kms:GenerateDataKey" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringLike": { - "kms:ViaService": [ - "codecommit.*.amazonaws.com" - ] - }, - "Null": { - "kms:EncryptionContext:aws:codecommit:id": "false" - } - } - }, - { - "Sid": "GetIAMRole", - "Effect": "Allow", - "Action": [ - "iam:GetRole" - ], - "Resource": [