AWS sagemaker-unified-studio documentation change
Summary
Updated IAM role creation process to use custom trust policies and granular S3 permissions instead of AmazonS3FullAccess
Security assessment
The change promotes security best practices by implementing least-privilege permissions for S3 access. While it improves security posture, there is no indication it addresses a specific existing vulnerability.
Diff
diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md b/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md index 01b1dd753..cbbb001b8 100644 --- a//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md +++ b//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md @@ -67,20 +67 @@ Work with your admin to complete the following steps: - 3. Under **Trusted entity type** , choose **AWS service**. - - 4. Under **Use case** , select **S3** from the dropdown menu, then choose the **S3** button. - - 5. Choose **Next**. - - 6. Search for and select the **AmazonS3FullAccess** policy, then choose **Next**. - - 7. Enter a name for the role, then choose **Create role**. - - 8. Select the access role from the list on the **Roles** page. - - 9. Under **Trust relationships** choose **Edit trust policy**. - - 10. Edit the trust policy to include the project ID, the project ARN, and the AWS account ID. - -JSON - - -**** + 3. Under **Trusted entity type** , choose **Custom trust policy**. @@ -87,0 +69 @@ JSON + 4. Edit the policy to include the project ID, the project ARN, and the AWS account ID to grant Amazon S3 access permissions. @@ -103 +85 @@ JSON - "aws:SourceAccount": "accountId" + "aws:SourceAccount": "account-id" @@ -148,0 +131,3 @@ JSON + 5. Choose **Next** twice. + + 6. Enter a name for the role, then choose **Create role**. @@ -150 +135 @@ JSON - 11. On the **Permissions** tab of the role, choose **Add permissions** , then **Create inline policy**. + 7. Select the access role from the list on the **Roles** page. @@ -152 +137 @@ JSON - 12. Use the JSON editor to create a policy so that the project has access to an Amazon S3 location, using the Amazon S3 resource ARN that you noted previously. + 8. On the **Permissions** tab of the role, choose **Add permissions** , then **Create inline policy**. @@ -153,0 +139,27 @@ JSON + 9. Use the JSON editor to create a policy that grants Amazon S3 access permissions. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "S3AdditionalBucketPermissions", + "Effect": "Allow", + "Action": [ + "s3:ListBucket", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::bucketName" + ] + }, + { + "Sid": "S3AdditionalObjectPermissions", + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:PutObject" + ], + "Resource": [ + "arn:aws:s3:::bucketName/key/*" + ] + }, @@ -188 +200 @@ JSON - } + }, @@ -221,0 +234,2 @@ JSON + ] + } @@ -228 +242 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce - 13. Choose **Next**. + 10. Choose **Next**. @@ -230 +244 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce - 14. Enter a name for the policy, then choose **Create policy**. + 11. Enter a name for the policy, then choose **Create policy**. @@ -232 +246 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce - 15. Optional: if you want to support cross-account data sharing for S3, add the following to your policy: + 12. Optional: if you want to support cross-account data sharing for S3, add the following to your policy: @@ -267 +281,5 @@ Amazon SageMaker Unified Studio grants access to subscribed assets using S3 Acce - 16. Optional: If the bucket is in a different account than the the access role, ensure cross-account bucket permissions are set by adding a bucket policy that grants cross-account permissions to the access role. For example: + 13. Choose **Next**. + + 14. Enter a name for the policy, then choose **Create policy**. + + 15. Optional: If the bucket is in a different account than the the access role, ensure cross-account bucket permissions are set by adding a bucket policy that grants cross-account permissions to the access role. For example: @@ -311 +329 @@ JSON - 17. Choose **Update policy**. + 16. Choose **Update policy**.