AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio medium security documentation change

Service: sagemaker-unified-studio · 2025-07-25 · Security-related medium

File: sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md

Summary

Added IAM policy statements for S3 Access Grants permissions including PassRole, tagging, and cross-account resource sharing

Security assessment

The changes add explicit IAM permissions required for secure S3 access management, including PassRole with service restrictions and cross-account sharing controls. These policies enforce least privilege and proper access controls for sensitive S3 operations.

Diff

diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md b/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
index 51549f986..910810d2f 100644
--- a//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
+++ b//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
@@ -182,0 +183,33 @@ Work with your admin to complete the following steps:
+                {
+                    "Sid": "AllowPassRoleOnProjectRoles",
+                    "Effect": "Allow",
+                    "Action": [
+                        "iam:PassRole"
+                    ],
+                    "Resource": "access-role-arn",
+                    "Condition": {
+                        "StringEquals": {
+                            "iam:PassedToService": [
+                                "access-grants.s3.amazonaws.com"
+                            ],
+                            "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                        }
+                    }
+                },
+                {
+                  "Sid": "S3AGTaggingPermission",
+                  "Effect": "Allow",
+                  "Action": [
+                    "s3:TagResource",
+                    "s3:ListTagsForResource"
+                  ],
+                  "Resource": [
+                    "arn:aws:s3:*:*:access-grants/default/location/*",
+                    "arn:aws:s3:*:*:access-grants/default/grant/*"
+                  ],
+                  "Condition": {
+                    "StringEquals": {
+                      "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                    }
+                  }
+                }
@@ -189 +222 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce
-    13. Choose **Next**
+    13. Choose **Next**.
@@ -193 +226,36 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce
-    15. Optional: If the bucket is in a different account than the the access role, ensure cross-account bucket permissions are set by adding a bucket policy that grants cross-account permissions to the access role. For example:
+    15. Optional: if you want to support cross-account data sharing for S3, add the following to your policy:
+        
+                {
+            "Sid": "CrossAccountS3AGResourceSharingPermissions",
+            "Effect": "Allow",
+            "Action": [
+                "ram:CreateResourceShare"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEqualsIfExists": {
+                    "ram:RequestedResourceType": [
+                        "s3:AccessGrants"
+                    ]
+                },
+                "StringEquals": {
+                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                }
+            }
+        },
+        {
+            "Sid": "CrossAccountS3AGResourceSharingPolicyPermissions",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutAccessGrantsInstanceResourcePolicy"
+            ],
+            "Resource": "arn:aws:s3:*:*:access-grants/default",
+            "Condition": {
+                "StringEquals": {
+                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                }
+            }
+        }
+                                
+
+    16. Optional: If the bucket is in a different account than the the access role, ensure cross-account bucket permissions are set by adding a bucket policy that grants cross-account permissions to the access role. For example:
@@ -230 +298 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce
-    16. Choose **Update policy**.
+    17. Choose **Update policy**.