AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio high security documentation change

Service: sagemaker-unified-studio · 2025-10-22 · Security-related high

File: sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md

Summary

Added detailed IAM role policy JSON configuration for S3 data access grants

Security assessment

The added IAM policy defines granular permissions including sts:AssumeRole, sts:SetSourceIdentity, and session tagging with strict conditions (account ID validation, external ID requirements, and principal tagging). These controls directly address identity federation security and data access governance, preventing privilege escalation and enforcing least privilege access.

Diff

diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md b/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
index eb430294f..3fb6e883e 100644
--- a//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
+++ b//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md
@@ -70,0 +71,67 @@ Work with your admin to complete the following steps:
+JSON
+    
+
+****
+    
+        
+                {
+            "Version":"2012-10-17",		 	 	 
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "Service": "access-grants.s3.amazonaws.com"
+                    },
+                    "Action": [
+                        "sts:AssumeRole",
+                        "sts:SetSourceIdentity"
+                    ],
+                    "Condition": {
+                        "StringEquals": {
+                        "aws:SourceAccount": "111122223333"
+                        }
+                    }
+                },
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": "project-role-arn"
+                    },
+                    "Action": "sts:AssumeRole",
+                    "Condition": {
+                        "StringEquals": {
+                            "sts:ExternalId": "project-id"
+                        }
+                    }
+                },
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": "project-role-arn"
+                    },
+                    "Action": [
+                        "sts:SetSourceIdentity"
+                    ],
+                    "Condition": {
+                        "StringLike": {
+                            "sts:SourceIdentity": "${aws:PrincipalTag/datazone:userId}"
+                        }
+                    }
+                },
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": "project-role-arn"
+                    },
+                    "Action": "sts:TagSession",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:RequestTag/AmazonDataZoneProject": "project-id",
+                            "aws:RequestTag/AmazonDataZoneDomain": "domain-id"
+                        }
+                    }
+                }
+            ]
+        }        
+        
+