AWS Security ChangesHomeSearch

AWS sagemaker medium security documentation change

Service: sagemaker · 2025-08-25 · Security-related medium

File: sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md

Summary

Added policy version update note indicating role scope restriction (adding 'service-role' prefix) and new EKS pod identity association permissions.

Security assessment

The 'role scope-down to include service-role prefix' change demonstrates a security improvement by limiting IAM role permissions to more specific resources, reducing potential privilege escalation risks. This qualifies as a security-related hardening measure.

Diff

diff --git a/sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md b/sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md
index eacad48e0..df9b6438d 100644
--- a//sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md
+++ b//sagemaker/latest/dg/security-iam-awsmanpol-hyperpod.md
@@ -32,0 +33 @@ Policy | Version | Change | Date
+[AmazonSageMakerHyperPodObservabilityAdminAccess](./security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.html) \- Updated policy | 2 |  Updated the policy to fix the role scope-down to include the `service-role` prefix. Also added permissions for `eks:DeletePodIdentityAssociation` and `eks:UpdatePodIdentityAssociation` that are required for end-to-end administrative actions. | August 19, 2025