AWS Security ChangesHomeSearch

AWS sagemaker high security documentation change

Service: sagemaker · 2025-08-19 · Security-related high

File: sagemaker/latest/dg/sagemaker-projects-studio-updates.md

Summary

Added detailed instructions for granting new domain roles access to Service Catalog portfolios to use SageMaker Projects

Security assessment

The change addresses proper access control configuration by documenting required permissions for domain roles. Failure to grant these permissions could lead to unauthorized access issues, as users would be unable to create/use projects. The documentation explicitly states security consequences of missing these steps.

Diff

diff --git a/sagemaker/latest/dg/sagemaker-projects-studio-updates.md b/sagemaker/latest/dg/sagemaker-projects-studio-updates.md
index b091553a5..ba9066046 100644
--- a//sagemaker/latest/dg/sagemaker-projects-studio-updates.md
+++ b//sagemaker/latest/dg/sagemaker-projects-studio-updates.md
@@ -4,0 +5,2 @@
+Grant new domain roles access to projects
+
@@ -18,0 +21,35 @@ Since SageMaker Projects is backed by Service Catalog, you must add each role th
+## Grant new domain roles access to projects
+
+When you change your domain's execution role or add user profiles with different roles, you must grant these new roles access to the Service Catalog portfolio to use SageMaker Projects. Follow these steps to ensure all roles have the necessary permissions:
+
+###### To grant new domain roles access to projects
+
+  1. Open the [Service Catalog console](https://console.aws.amazon.com/servicecatalog/).
+
+  2. In the left navigation menu, choose **Portfolios**.
+
+  3. Select the **Imported** section.
+
+  4. Select **Amazon SageMaker Solutions and ML Ops products**.
+
+  5. Choose the **Access** tab.
+
+  6. Choose **Grant access**.
+
+  7. In the **Grant access** dialog, select **Roles**.
+
+  8. Grant access for all roles that are used by the domain's user profiles, including:
+
+     * The domain's execution role
+
+     * Any custom execution roles assigned to individual user profiles
+
+  9. Choose **Grant access** to confirm.
+
+
+
+
+###### Important
+
+You must complete this process whenever you change your domain's execution role or add user profiles with new execution roles. Without this access, users will not be able to create or use SageMaker Projects.
+