AWS sagemaker-unified-studio documentation change
Summary
Replaced inline IAM policy JSON with reference to AWS Managed Policy documentation
Security assessment
Change removes detailed policy permissions from documentation and points to external reference. No evidence of security vulnerability being addressed. This appears to be documentation simplification rather than security-related modification.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md index 94d81306f..3c63ab072 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md @@ -9,74 +9 @@ This is the default policy for the SageMakerQueryExecutionRole role. This policy - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "GlueGetConnectionOnCatalog", - "Effect": "Allow", - "Action": [ - "glue:GetConnection" - ], - "Resource": [ - "arn:aws:glue:*:*:catalog" - ] - }, - { - "Sid": "GlueGetConnectionsForProject", - "Effect": "Allow", - "Action": [ - "glue:GetConnection", - "glue:GetConnections", - "glue:GetTags" - ], - "Resource": "arn:aws:glue:*:*:connection/*", - "Condition": { - "Null": { - "aws:ResourceTag/AmazonDataZoneProject": "false" - } - } - }, - { - "Sid": "S3GetObjectForAthenaSpillBucket", - "Effect": "Allow", - "Action": [ - "s3:GetObject" - ], - "Resource": [ - "arn:aws:s3:::*/dzd_*/*/dev/sys/athena/*" - ], - "Condition": { - "StringEquals": { - "aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true" - } - } - }, - { - "Sid": "S3ListBucketOwnershipCheckForAthenaSpillBucket", - "Effect": "Allow", - "Action": [ - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::amazon-sagemaker-*" - ], - "Condition": { - "StringEquals": { - "aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true" - } - } - }, - { - "Sid": "InvokeFunctionPermissionsForAthenaCatalogLambda", - "Effect": "Allow", - "Action": "lambda:InvokeFunction", - "Resource": "arn:aws:lambda:*:*:function:*", - "Condition": { - "StringEquals": { - "aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true", - "aws:ResourceTag/federated_athena_datacatalog": "true" - } - } - } - ] - } - +To view the permissions for this policy, see [SageMakerStudioQueryExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioQueryExecutionRolePolicy.html) in the _AWS Managed Policy Reference_.