AWS sagemaker documentation change
Summary
Added IAM permissions requirement for accessing recipes pages and specified required SageMaker distribution image versions
Security assessment
The change adds required IAM permissions (s3:GetObject on model-customization-recipes bucket) which relates to access control security, but there's no evidence this addresses an active vulnerability. The image version requirements suggest using updated components but don't explicitly mention security patches.
Diff
diff --git a/sagemaker/latest/dg/nova-model-recipes.md b/sagemaker/latest/dg/nova-model-recipes.md index 09d21601f..d7c099356 100644 --- a//sagemaker/latest/dg/nova-model-recipes.md +++ b//sagemaker/latest/dg/nova-model-recipes.md @@ -12,0 +13,20 @@ You can also access Nova recipes through Amazon SageMaker Studio and Amazon Sage +To access the recipes pages in Amazon SageMaker Studio, the execution role must have the following permissions. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::*model-customization-recipes*" + ] + } + ] + } + +To execute the sample notebooks on SageMaker training jobs and SageMaker HyperPod, use one of the following SageMaker distribution image versions: `2.7.1+`, `2.8.0+`, `3.2.1+`, `3.3.0+`. This applies to both Amazon SageMaker Studio and Amazon SageMaker Unified Studio. +