AWS sagemaker-unified-studio medium security documentation change
Summary
Removed detailed IAM policy examples for cross-VPC access and EMR cluster permissions
Security assessment
The removed JSON policies included critical security configurations like sts:AssumeRole conditions with ExternalId validation and session tagging requirements. Removing these examples could lead to insecure IAM configurations if users no longer have reference implementations for proper access control between SageMaker and EMR components. The deletion of security-sensitive policy details constitutes a security-related documentation change.
Diff
diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md b/sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md index 5466a92bf..8a320f466 100644 --- a//sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md +++ b//sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md @@ -3 +3 @@ -[Documentation](/index.html)[Amazon SageMaker Unified Studio](/sagemaker/index.html)[User Guide](what-is-sagemaker-unified-studio.html) +[Documentation](/index.html)[Amazon SageMaker Unified Studio](/next-generation-sagemaker/index.html)[User Guide](what-is-sagemaker-unified-studio.html) @@ -88,52 +87,0 @@ If the Amazon SageMaker Unified Studio project uses a different VPC than the Ama -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "project-role-arn" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "project-id" - } - } - }, - { - "Effect": "Allow", - "Principal": { - "AWS": "project-role-arn" - }, - "Action": [ - "sts:SetSourceIdentity" - ], - "Condition": { - "StringLike": { - "sts:SourceIdentity": "${aws:PrincipalTag/datazone:userId}" - } - } - }, - { - "Effect": "Allow", - "Principal": { - "AWS": "project-role-arn" - }, - "Action": "sts:TagSession", - "Condition": { - "StringEquals": { - "aws:RequestTag/AmazonDataZoneProject": "project-id", - "aws:RequestTag/AmazonDataZoneDomain": "domain-id" - } - } - } - ] - } - - @@ -167,44 +114,0 @@ You can use an asterisk instead of the Amazon EMR cluster ID if you want to gran -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "EmrAccess", - "Effect": "Allow", - "Action": [ - "elasticmapreduce:ListInstances", - "elasticmapreduce:DescribeCluster", - "elasticmapreduce:ListBootstrapActions", - "elasticmapreduce:GetClusterSessionCredentials" # Skip this for non-runtime role clusters - ], - "Resource": "arn:aws:elasticmapreduce:us-east-1:666777888999:cluster/j-AB1CDEFGHIJK" # EMR cluster ARN - }, - { - "Sid": "EMRSelfSignedCertAccess", - "Effect": "Allow", - "Action": [ - "s3:GetObject" - ], - "Resource": [ - "arn:aws:s3:::666777888999-us-east-1-sam-dev/my-certs.zip" # Cert path defined in the EMR security configuration - ] - }, - { - "Sid": "EMRSecurityConfigurationAccess", - "Effect": "Allow", - "Action": [ - "elasticmapreduce:DescribeSecurityConfiguration" - ], - "Resource": [ - "*" - ] - } - ] - } - -