AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio medium security documentation change

Service: sagemaker-unified-studio · 2025-07-25 · Security-related medium

File: sagemaker-unified-studio/latest/adminguide/doc-history.md

Summary

Updated AWS managed policies documentation for SageMakerStudioFullAccess (SecretsManager permissions scope, S3 template support), SageMakerStudioEMRServiceRolePolicy (KMS permissions adjustment), and SageMakerStudioProjectRoleMachineLearningPolicy (cross-account S3 access grants)

Security assessment

The SageMakerStudioEMRServiceRolePolicy change removes unwanted KMS permissions and enforces customer-managed encryption for logs, directly addressing encryption control and reducing attack surface. The SageMakerStudioFullAccess policy update generalizes SecretsManager permissions to prevent domain format conflicts. Both changes improve security posture through policy hardening.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/doc-history.md b/sagemaker-unified-studio/latest/adminguide/doc-history.md
index 8ac94f061..b59aa1b67 100644
--- a//sagemaker-unified-studio/latest/adminguide/doc-history.md
+++ b//sagemaker-unified-studio/latest/adminguide/doc-history.md
@@ -10,0 +11,2 @@ Change| Description| Date
+Policy updates - SageMakerStudioFullAccess| Policy updates to the SageMakerStudioFullAccess - generalizing the scope for SecretsManager `create` and `tag` permissions for new domains that will have the format of `dzd-` instead of `dzd_..`. Also adding permissions to allow users to use custom blueprint templates from Amazon S3 as well as upload their own template files to Amazon S3. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 23, 2025  
+Policy updates - SageMakerStudioEMRServiceRolePolicy| Policy updates to SageMakerStudioEMRServiceRolePolicy - removing unwanted KMS permissions for EMR cluster AtRestEncryption in the Amazon SageMaker Unified Studio EmrOnEc2 blueprint and adding permissions for EMR clsuter to encrypt customer data using customer managed KMS for logs pushed to Amazon S3 bucket in Amazon SageMaker Unified Studio when using EmrOnEc2 blueprint with customer managed encryption. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 23, 2025  
@@ -12 +14 @@ Policy updates - SageMakerStudioProjectUserRolePolicy| Policy update - adding pe
-Policy updates - SageMakerStudioProjectRoleMachineLearningPolicy| Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support Amazon S3 asset subscription fulfillment using Amazon S3 access grants. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 15, 2025  
+Policy updates - SageMakerStudioProjectRoleMachineLearningPolicy| Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support cross-account Amazon S3 asset subscription fulfillment using Amazon S3 access grants. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html).| July 15, 2025