AWS sagemaker-unified-studio medium security documentation change
Summary
Multiple policy updates including KMS encryption changes for EMR clusters, cross-account S3 access grants, and SecretsManager permission scope adjustments
Security assessment
The SageMakerStudioEMRServiceRolePolicy update explicitly addresses encryption by removing unwanted KMS permissions and adding customer-managed KMS encryption for logs. This demonstrates a security control improvement for data protection. Cross-account access grants and SecretsManager format changes also have security implications for access control.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md index 14c4f0638..8062c8d41 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md @@ -11,2 +11,4 @@ Change | Description | Date -Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy) | Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support Amazon S3 asset subscription fulfillment using Amazon S3 access grants. | 7/15/2025 -Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions to create and manage Amazon S3 table buckets and also adding permissions to automate S3 table analytics integration flow within Amazon SageMaker Unified Studio. Also adding permissions to read templates from users' S3 buckets and permissions to validate the template using AWS Cloud Formation. Also adding permissions to get and create an S3 access grant instance in the project account to support managing subscriptions for S3 asset types. Also adding `neptune-graph:*` and `s3vectors:*` permissions to support Knowledge Base vector store management of two new vector store services in Amazon SageMaker Unified Studio: S3Vectors vector buckets and Neptune Analytics graphs. Also adding permissions to allow cross-account project access for encrypted domains. And adding support for the data onboarding in Amazon SageMaker Unified Studio. | 7/15/2025 +Policy update - [SageMakerStudioFullAccess](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioFullAccess) | Policy update - generalizing the scope for SecretsManager `create` and `tag` permissions for new domains that will have the format of `dzd-` instead of `dzd_..`. Also adding permissions to allow users to use custom blueprint templates from Amazon S3 as well as upload their own template files to Amazon S3. | 7/23/2025 +Policy update - [SageMakerStudioEMRServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy) | Policy update - removing unwanted KMS permissions for EMR cluster AtRestEncryption in the Amazon SageMaker Unified Studio EmrOnEc2 blueprint and adding permissions for EMR clsuter to encrypt customer data using customer managed KMS for logs pushed to Amazon S3 bucket in Amazon SageMaker Unified Studio when using EmrOnEc2 blueprint with customer managed encryption. | 7/23/2025 +Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy) | Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support cross-account Amazon S3 asset subscription fulfillment using Amazon S3 access grants. | 7/23/2025 +Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy \- adding permissions to create and manage Amazon S3 table buckets and also adding permissions to automate S3 table analytics integration flow within Amazon SageMaker Unified Studio. Also adding permissions to read templates from users' S3 buckets and permissions to validate the template using AWS Cloud Formation. Also adding permissions to get and create an S3 access grant instance in the project account to support managing subscriptions for S3 asset types. Also adding `neptune-graph:*` and `s3vectors:*` permissions to support Knowledge Base vector store management of two new vector store services in Amazon SageMaker Unified Studio: S3Vectors vector buckets and Neptune Analytics graphs. Also adding permissions to allow cross-account project access for encrypted domains. And adding support for the data onboarding in Amazon SageMaker Unified Studio. | 7/15/2025 @@ -22 +24 @@ Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.c -Policy update - [AmazonDataZoneBedrockModelConsumptionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy) | Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy - adding permissions to call the `ListFoundationModels` action. This permission is added to help get model metadata more programmatically when the user is selecting which models to invoke. | 5/28/2025 +Policy update - [AmazonDataZoneBedrockModelConsumptionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy) | Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy \- adding permissions to call the `ListFoundationModels` action. This permission is added to help get model metadata more programmatically when the user is selecting which models to invoke. | 5/28/2025 @@ -31 +33 @@ Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.c -Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding `lakeformation:DescribeResource` to improve deregistering of federated connections. Adding EventBridge Scheduler permissions to manage a schedule group for each project. Adding permission to manage Amazon Bedrock resources directly from the Amazon DataZone service. Add support for the Amazon SageMaker App type CodeEditor. | 4/09/2025 +Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy \- adding `lakeformation:DescribeResource` to improve deregistering of federated connections. Adding EventBridge Scheduler permissions to manage a schedule group for each project. Adding permission to manage Amazon Bedrock resources directly from the Amazon DataZone service. Add support for the Amazon SageMaker App type CodeEditor. | 4/09/2025 @@ -46 +48 @@ New policy - [SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](https://docs -Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions for batch grants in AWS LakeFormation to give grants to IDC users. Adding various `Update*` permissions to allow managing project resources. Removing `ResourceAccount` condition on resources depending on VPC to allow usage of shared VPC. Using new Amazon Bedrock managed policy name. Adding permissions to clean up Amazon EMR project level resources during project deletion. | 2/24/2025 +Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy \- adding permissions for batch grants in AWS LakeFormation to give grants to IDC users. Adding various `Update*` permissions to allow managing project resources. Removing `ResourceAccount` condition on resources depending on VPC to allow usage of shared VPC. Using new Amazon Bedrock managed policy name. Adding permissions to clean up Amazon EMR project level resources during project deletion. | 2/24/2025