AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-08-16 · Documentation medium

File: sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md

Summary

Updated IAM role creation process to use custom trust policies and granular S3 permissions instead of AmazonS3FullAccess

Security assessment

The change promotes security best practices by implementing least-privilege permissions for S3 access. While it improves security posture, there is no indication it addresses a specific existing vulnerability.

Diff

diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md b/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
index 01b1dd753..cbbb001b8 100644
--- a//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
+++ b//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
@@ -67,20 +67 @@ Work with your admin to complete the following steps:
-    3. Under **Trusted entity type** , choose **AWS service**.
-
-    4. Under **Use case** , select **S3** from the dropdown menu, then choose the **S3** button.
-
-    5. Choose **Next**.
-
-    6. Search for and select the **AmazonS3FullAccess** policy, then choose **Next**.
-
-    7. Enter a name for the role, then choose **Create role**.
-
-    8. Select the access role from the list on the **Roles** page.
-
-    9. Under **Trust relationships** choose **Edit trust policy**.
-
-    10. Edit the trust policy to include the project ID, the project ARN, and the AWS account ID.
-
-JSON
-    
-
-****
+    3. Under **Trusted entity type** , choose **Custom trust policy**.
@@ -87,0 +69 @@ JSON
+    4. Edit the policy to include the project ID, the project ARN, and the AWS account ID to grant Amazon S3 access permissions.
@@ -103 +85 @@ JSON
-                            "aws:SourceAccount": "accountId"
+                            "aws:SourceAccount": "account-id"
@@ -148,0 +131,3 @@ JSON
+    5. Choose **Next** twice.
+
+    6. Enter a name for the role, then choose **Create role**.
@@ -150 +135 @@ JSON
-    11. On the **Permissions** tab of the role, choose **Add permissions** , then **Create inline policy**.
+    7. Select the access role from the list on the **Roles** page.
@@ -152 +137 @@ JSON
-    12. Use the JSON editor to create a policy so that the project has access to an Amazon S3 location, using the Amazon S3 resource ARN that you noted previously.
+    8. On the **Permissions** tab of the role, choose **Add permissions** , then **Create inline policy**.
@@ -153,0 +139,27 @@ JSON
+    9. Use the JSON editor to create a policy that grants Amazon S3 access permissions.
+        
+                {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "S3AdditionalBucketPermissions",
+                    "Effect": "Allow",
+                    "Action": [
+                        "s3:ListBucket",
+                        "s3:GetBucketLocation"
+                    ],
+                    "Resource": [
+                        "arn:aws:s3:::bucketName"
+                    ]
+                },
+                {
+                    "Sid": "S3AdditionalObjectPermissions",
+                    "Effect": "Allow",
+                    "Action": [
+                        "s3:GetObject*",
+                        "s3:PutObject"
+                    ],
+                    "Resource": [
+                        "arn:aws:s3:::bucketName/key/*"
+                    ]
+                },
@@ -188 +200 @@ JSON
-                }
+                },
@@ -221,0 +234,2 @@ JSON
+            ]
+        }
@@ -228 +242 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce
-    13. Choose **Next**.
+    10. Choose **Next**.
@@ -230 +244 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce
-    14. Enter a name for the policy, then choose **Create policy**.
+    11. Enter a name for the policy, then choose **Create policy**.
@@ -232 +246 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce
-    15. Optional: if you want to support cross-account data sharing for S3, add the following to your policy:
+    12. Optional: if you want to support cross-account data sharing for S3, add the following to your policy:
@@ -267 +281,5 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce
-    16. Optional: If the bucket is in a different account than the the access role, ensure cross-account bucket permissions are set by adding a bucket policy that grants cross-account permissions to the access role. For example:
+    13. Choose **Next**.
+
+    14. Enter a name for the policy, then choose **Create policy**.
+
+    15. Optional: If the bucket is in a different account than the the access role, ensure cross-account bucket permissions are set by adding a bucket policy that grants cross-account permissions to the access role. For example:
@@ -311 +329 @@ JSON
-    17. Choose **Update policy**.
+    16. Choose **Update policy**.