AWS sagemaker-unified-studio documentation change
Summary
Replaced detailed inline IAM policy JSON with a reference link to the AWS Managed Policy Reference documentation
Security assessment
The change removes the explicit policy definition but maintains equivalent security controls through reference documentation. This is a documentation restructuring rather than a security fix or vulnerability mitigation. The policy content remains security-relevant but is now maintained externally.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md index eeeedde4c..d0fc6b1c1 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md @@ -42,2412 +42 @@ The SageMakerStudioProjectUserRolePermissionsBoundary policy grants read and wri - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "DenyAllNonMatchingProjectTag", - "Effect": "Deny", - "Action": "*", - "NotResource": [ - "arn:*:sagemaker:*:*:model-package-group/*", - "arn:*:sagemaker:*:*:model-package/*", - "arn:*:glue:*:*:catalog/*", - "arn:*:glue:*:*:database/*" - ], - "Condition": { - "Null": { - "aws:ResourceTag/AmazonDataZoneProject": "false", - "aws:PrincipalTag/AmazonDataZoneProject": "false", - "aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true" - }, - "StringNotEquals": { - "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}" - } - } - }, - { - "Sid": "AmazonQChatPermissions", - "Effect": "Allow", - "Action": [ - "q:StartConversation", - "q:SendMessage" - ], - "Resource": "*" - }, - { - "Sid": "DataLakeS3BucketActions", - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "SameAccountKMSPermissions", - "Effect": "Allow", - "Action": [ - "kms:CreateGrant", - "kms:ReEncryptFrom", - "kms:ReEncryptTo", - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": [ - "sqs.*.amazonaws.com", - "sagemaker.*.amazonaws.com", - "emr-serverless.*.amazonaws.com", - "s3.*.amazonaws.com", - "redshift.*.amazonaws.com", - "redshift-serverless.*.amazonaws.com", - "bedrock.*.amazonaws.com", - "secretsmanager.*.amazonaws.com", - "ec2.*.amazonaws.com", - "codecommit.*.amazonaws.com", - "glue.*.amazonaws.com" - ] - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "Null": { - "kms:EncryptionContextKeys": "false" - } - } - }, - { - "Sid": "AllowGenerateDataKeyForEmrEbsEncryption", - "Effect": "Allow", - "Action": "kms:GenerateDataKey", - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "SameAccountKMSManagementPermissions", - "Effect": "Allow", - "Action": [ - "kms:ListGrants", - "kms:RevokeGrant", - "kms:DescribeKey" - ], - "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}", - "Condition": { - "StringLike": { - "kms:ViaService": [ - "sqs.*.amazonaws.com", - "sagemaker.*.amazonaws.com", - "emr-serverless.*.amazonaws.com", - "s3.*.amazonaws.com", - "redshift.*.amazonaws.com", - "bedrock.*.amazonaws.com", - "secretsmanager.*.amazonaws.com", - "codecommit.*.amazonaws.com" - ] - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "ListKMSPermissions", - "Effect": "Allow", - "Action": [ - "kms:ListAliases" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "CrossAccountS3Permissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject*", - "s3:PutObject", - "s3:PutObjectRetention", - "s3:RestoreObject", - "s3:ReplicateObject", - "s3:DeleteObject", - "s3:DeleteObjectVersion", - "s3:ListMultipartUploadParts", - "s3:ListBucket", - "s3:AbortMultipartUpload" - ], - "Resource": "*", - "Condition": { - "StringNotEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "CrossAccountKMSPermissions", - "Effect": "Allow", - "Action": [ - "kms:CreateGrant", - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "StringNotEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringLike": { - "kms:ViaService": [ - "s3.*.amazonaws.com", - "sqs.*.amazonaws.com", - "sagemaker.*.amazonaws.com" - ] - }, - "Null": { - "kms:EncryptionContextKeys": "false" - } - } - }, - { - "Sid": "CrossAccountKMSManagementPermissions", - "Effect": "Allow", - "Action": [ - "kms:DescribeKey", - "kms:ListGrants", - "kms:GetPublicKey" - ], - "Resource": "*", - "Condition": { - "StringNotEquals": {