AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio medium security documentation change

Service: sagemaker-unified-studio · 2025-08-28 · Security-related medium

File: sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md

Summary

Removed detailed IAM policy examples for cross-VPC access and EMR cluster permissions

Security assessment

The removed JSON policies included critical security configurations like sts:AssumeRole conditions with ExternalId validation and session tagging requirements. Removing these examples could lead to insecure IAM configurations if users no longer have reference implementations for proper access control between SageMaker and EMR components. The deletion of security-sensitive policy details constitutes a security-related documentation change.

Diff

diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md b/sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md
index 5466a92bf..8a320f466 100644
--- a//sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md
+++ b//sagemaker-unified-studio/latest/userguide/adding-existing-emr-on-ec2-clusters.md
@@ -3 +3 @@
-[Documentation](/index.html)[Amazon SageMaker Unified Studio](/sagemaker/index.html)[User Guide](what-is-sagemaker-unified-studio.html)
+[Documentation](/index.html)[Amazon SageMaker Unified Studio](/next-generation-sagemaker/index.html)[User Guide](what-is-sagemaker-unified-studio.html)
@@ -88,52 +87,0 @@ If the Amazon SageMaker Unified Studio project uses a different VPC than the Ama
-JSON
-    
-
-****
-    
-    
-        {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "project-role-arn"
-                },
-                "Action": "sts:AssumeRole",
-                "Condition": {
-                    "StringEquals": {
-                        "sts:ExternalId": "project-id"
-                    }
-                }
-            },
-            {
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "project-role-arn"
-                },
-                "Action": [
-                    "sts:SetSourceIdentity"
-                ],
-                "Condition": {
-                    "StringLike": {
-                        "sts:SourceIdentity": "${aws:PrincipalTag/datazone:userId}"
-                    }
-                }
-            },
-            {
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "project-role-arn"
-                },
-                "Action": "sts:TagSession",
-                "Condition": {
-                    "StringEquals": {
-                        "aws:RequestTag/AmazonDataZoneProject": "project-id",
-                        "aws:RequestTag/AmazonDataZoneDomain": "domain-id"
-                    }
-                }
-            }
-        ]
-    }
-    
-
@@ -167,44 +114,0 @@ You can use an asterisk instead of the Amazon EMR cluster ID if you want to gran
-JSON
-    
-
-****
-    
-    
-        {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "EmrAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "elasticmapreduce:ListInstances",
-                    "elasticmapreduce:DescribeCluster",
-                    "elasticmapreduce:ListBootstrapActions",
-                    "elasticmapreduce:GetClusterSessionCredentials" # Skip this for non-runtime role clusters
-                ],
-                "Resource": "arn:aws:elasticmapreduce:us-east-1:666777888999:cluster/j-AB1CDEFGHIJK" # EMR cluster ARN
-            },
-            {
-                "Sid": "EMRSelfSignedCertAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "s3:GetObject"
-                ],
-                "Resource": [
-                    "arn:aws:s3:::666777888999-us-east-1-sam-dev/my-certs.zip" # Cert path defined in the EMR security configuration
-                ]
-            },
-            {
-                "Sid": "EMRSecurityConfigurationAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "elasticmapreduce:DescribeSecurityConfiguration"
-                ],
-                "Resource": [
-                    "*"
-                ]
-            }
-        ]
-    }
-    
-