AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-07-18 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md

Summary

Replaced inline IAM policy JSON with reference to AWS Managed Policy documentation

Security assessment

Change removes detailed policy permissions from documentation and points to external reference. No evidence of security vulnerability being addressed. This appears to be documentation simplification rather than security-related modification.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md
index 94d81306f..3c63ab072 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md
@@ -9,74 +9 @@ This is the default policy for the SageMakerQueryExecutionRole role. This policy
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [
-    		{
-    			"Sid": "GlueGetConnectionOnCatalog",
-    			"Effect": "Allow",
-    			"Action": [
-    				"glue:GetConnection"
-    			],
-    			"Resource": [
-    				"arn:aws:glue:*:*:catalog"
-    			]
-    		},
-    		{
-    			"Sid": "GlueGetConnectionsForProject",
-    			"Effect": "Allow",
-    			"Action": [
-    				"glue:GetConnection",
-    				"glue:GetConnections",
-    				"glue:GetTags"
-    			],
-    			"Resource": "arn:aws:glue:*:*:connection/*",
-    			"Condition": {
-    				"Null": {
-    					"aws:ResourceTag/AmazonDataZoneProject": "false"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "S3GetObjectForAthenaSpillBucket",
-    			"Effect": "Allow",
-    			"Action": [
-    				"s3:GetObject"
-    			],
-    			"Resource": [
-    				"arn:aws:s3:::*/dzd_*/*/dev/sys/athena/*"
-    			],
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "S3ListBucketOwnershipCheckForAthenaSpillBucket",
-    			"Effect": "Allow",
-    			"Action": [
-    				"s3:ListBucket"
-    			],
-    			"Resource": [
-    				"arn:aws:s3:::amazon-sagemaker-*"
-    			],
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true"
-    				}
-    			}
-    		},
-    		{
-    			"Sid": "InvokeFunctionPermissionsForAthenaCatalogLambda",
-    			"Effect": "Allow",
-    			"Action": "lambda:InvokeFunction",
-    			"Resource": "arn:aws:lambda:*:*:function:*",
-    			"Condition": {
-    				"StringEquals": {
-    					"aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true",
-    					"aws:ResourceTag/federated_athena_datacatalog": "true"
-    				}
-    			}
-    		}
-    	]
-    }
-    		
+To view the permissions for this policy, see [SageMakerStudioQueryExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioQueryExecutionRolePolicy.html) in the _AWS Managed Policy Reference_.