AWS sagemaker medium security documentation change
Summary
Added policy version update note indicating role scope restriction (adding 'service-role' prefix) and new EKS pod identity association permissions.
Security assessment
The 'role scope-down to include service-role prefix' change demonstrates a security improvement by limiting IAM role permissions to more specific resources, reducing potential privilege escalation risks. This qualifies as a security-related hardening measure.
Diff
diff --git a/sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md b/sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md index eacad48e0..df9b6438d 100644 --- a//sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md +++ b//sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md @@ -32,0 +33 @@ Policy | Version | Change | Date +[AmazonSageMakerHyperPodObservabilityAdminAccess](./security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.html) \- Updated policy | 2 | Updated the policy to fix the role scope-down to include the `service-role` prefix. Also added permissions for `eks:DeletePodIdentityAssociation` and `eks:UpdatePodIdentityAssociation` that are required for end-to-end administrative actions. | August 19, 2025