AWS sagemaker-unified-studio medium security documentation change
Summary
Added IAM policy statements for S3 Access Grants permissions including PassRole, tagging, and cross-account resource sharing
Security assessment
The changes add explicit IAM permissions required for secure S3 access management, including PassRole with service restrictions and cross-account sharing controls. These policies enforce least privilege and proper access controls for sensitive S3 operations.
Diff
diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md b/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md index 51549f986..910810d2f 100644 --- a//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md +++ b//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md @@ -182,0 +183,33 @@ Work with your admin to complete the following steps: + { + "Sid": "AllowPassRoleOnProjectRoles", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": "access-role-arn", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "access-grants.s3.amazonaws.com" + ], + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "S3AGTaggingPermission", + "Effect": "Allow", + "Action": [ + "s3:TagResource", + "s3:ListTagsForResource" + ], + "Resource": [ + "arn:aws:s3:*:*:access-grants/default/location/*", + "arn:aws:s3:*:*:access-grants/default/grant/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + } @@ -189 +222 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce - 13. Choose **Next** + 13. Choose **Next**. @@ -193 +226,36 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce - 15. Optional: If the bucket is in a different account than the the access role, ensure cross-account bucket permissions are set by adding a bucket policy that grants cross-account permissions to the access role. For example: + 15. Optional: if you want to support cross-account data sharing for S3, add the following to your policy: + + { + "Sid": "CrossAccountS3AGResourceSharingPermissions", + "Effect": "Allow", + "Action": [ + "ram:CreateResourceShare" + ], + "Resource": "*", + "Condition": { + "StringEqualsIfExists": { + "ram:RequestedResourceType": [ + "s3:AccessGrants" + ] + }, + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "CrossAccountS3AGResourceSharingPolicyPermissions", + "Effect": "Allow", + "Action": [ + "s3:PutAccessGrantsInstanceResourcePolicy" + ], + "Resource": "arn:aws:s3:*:*:access-grants/default", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + } + + + 16. Optional: If the bucket is in a different account than the the access role, ensure cross-account bucket permissions are set by adding a bucket policy that grants cross-account permissions to the access role. For example: @@ -230 +298 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce - 16. Choose **Update policy**. + 17. Choose **Update policy**.