AWS sagemaker-unified-studio high security documentation change
Summary
Added detailed IAM role policy JSON configuration for S3 data access grants
Security assessment
The added IAM policy defines granular permissions including sts:AssumeRole, sts:SetSourceIdentity, and session tagging with strict conditions (account ID validation, external ID requirements, and principal tagging). These controls directly address identity federation security and data access governance, preventing privilege escalation and enforcing least privilege access.
Diff
diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md b/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md index eb430294f..3fb6e883e 100644 --- a//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md +++ b//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md @@ -70,0 +71,67 @@ Work with your admin to complete the following steps: +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "access-grants.s3.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole", + "sts:SetSourceIdentity" + ], + "Condition": { + "StringEquals": { + "aws:SourceAccount": "111122223333" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "project-role-arn" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "project-id" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "project-role-arn" + }, + "Action": [ + "sts:SetSourceIdentity" + ], + "Condition": { + "StringLike": { + "sts:SourceIdentity": "${aws:PrincipalTag/datazone:userId}" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "project-role-arn" + }, + "Action": "sts:TagSession", + "Condition": { + "StringEquals": { + "aws:RequestTag/AmazonDataZoneProject": "project-id", + "aws:RequestTag/AmazonDataZoneDomain": "domain-id" + } + } + } + ] + } + +