AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-07-18 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md

Summary

Replaced detailed inline IAM policy JSON with a reference link to the AWS Managed Policy Reference documentation

Security assessment

The change removes the explicit policy definition but maintains equivalent security controls through reference documentation. This is a documentation restructuring rather than a security fix or vulnerability mitigation. The policy content remains security-relevant but is now maintained externally.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md
index eeeedde4c..d0fc6b1c1 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md
@@ -42,2412 +42 @@ The SageMakerStudioProjectUserRolePermissionsBoundary policy grants read and wri
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [
-    		{
-    			"Sid": "DenyAllNonMatchingProjectTag",
-    			"Effect": "Deny",
-    			"Action": "*",
-    			"NotResource": [
-    				"arn:*:sagemaker:*:*:model-package-group/*",
-    				"arn:*:sagemaker:*:*:model-package/*",
-    				"arn:*:glue:*:*:catalog/*",
-    				"arn:*:glue:*:*:database/*"
-    			],
-    			"Condition": {
-    				"Null": {
-    					"aws:ResourceTag/AmazonDataZoneProject": "false",
-    					"aws:PrincipalTag/AmazonDataZoneProject": "false",
-    					"aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true"
-    				},
-    				"StringNotEquals": {
-    					"aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "AmazonQChatPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"q:StartConversation",
-    				"q:SendMessage"
-    			],
-    			"Resource": "*"
-    		},
-    		{
-    			"Sid": "DataLakeS3BucketActions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"s3:GetBucketLocation"
-    			],
-    			"Resource": "*",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "SameAccountKMSPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:CreateGrant",
-    				"kms:ReEncryptFrom",
-    				"kms:ReEncryptTo",
-    				"kms:Decrypt",
-    				"kms:Encrypt",
-    				"kms:GenerateDataKey",
-    				"kms:GenerateDataKeyWithoutPlaintext"
-    			],
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringLike": {
-    					"kms:ViaService": [
-    						"sqs.*.amazonaws.com",
-    						"sagemaker.*.amazonaws.com",
-    						"emr-serverless.*.amazonaws.com",
-    						"s3.*.amazonaws.com",
-    						"redshift.*.amazonaws.com",
-    						"redshift-serverless.*.amazonaws.com",
-    						"bedrock.*.amazonaws.com",
-    						"secretsmanager.*.amazonaws.com",
-    						"ec2.*.amazonaws.com",
-    						"codecommit.*.amazonaws.com",
-    						"glue.*.amazonaws.com"
-    					]
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				},
-    				"Null": {
-    					"kms:EncryptionContextKeys": "false"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "AllowGenerateDataKeyForEmrEbsEncryption",
-    			"Effect": "Allow",
-    			"Action": "kms:GenerateDataKey",
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "SameAccountKMSManagementPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:ListGrants",
-    				"kms:RevokeGrant",
-    				"kms:DescribeKey"
-    			],
-    			"Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
-    			"Condition": {
-    				"StringLike": {
-    					"kms:ViaService": [
-    						"sqs.*.amazonaws.com",
-    						"sagemaker.*.amazonaws.com",
-    						"emr-serverless.*.amazonaws.com",
-    						"s3.*.amazonaws.com",
-    						"redshift.*.amazonaws.com",
-    						"bedrock.*.amazonaws.com",
-    						"secretsmanager.*.amazonaws.com",
-    						"codecommit.*.amazonaws.com"
-    					]
-    				},
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "ListKMSPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:ListAliases"
-    			],
-    			"Resource": "*",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "CrossAccountS3Permissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"s3:GetObject*",
-    				"s3:PutObject",
-    				"s3:PutObjectRetention",
-    				"s3:RestoreObject",
-    				"s3:ReplicateObject",
-    				"s3:DeleteObject",
-    				"s3:DeleteObjectVersion",
-    				"s3:ListMultipartUploadParts",
-    				"s3:ListBucket",
-    				"s3:AbortMultipartUpload"
-    			],
-    			"Resource": "*",
-    			"Condition": {
-    				"StringNotEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "CrossAccountKMSPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:CreateGrant",
-    				"kms:Decrypt",
-    				"kms:Encrypt",
-    				"kms:GenerateDataKey",
-    				"kms:GenerateDataKeyWithoutPlaintext"
-    			],
-    			"Resource": "*",
-    			"Condition": {
-    				"StringNotEquals": {
-    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
-    				},
-    				"StringLike": {
-    					"kms:ViaService": [
-    						"s3.*.amazonaws.com",
-    						"sqs.*.amazonaws.com",
-    						"sagemaker.*.amazonaws.com"
-    					]
-    				},
-    				"Null": {
-    					"kms:EncryptionContextKeys": "false"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "CrossAccountKMSManagementPermissions",
-    			"Effect": "Allow",
-    			"Action": [
-    				"kms:DescribeKey",
-    				"kms:ListGrants",
-    				"kms:GetPublicKey"
-    			],
-    			"Resource": "*",
-    			"Condition": {
-    				"StringNotEquals": {