AWS whitepapers medium security documentation change
Summary
Removed multiple detailed IAM policy examples (training, ECR access, model deployment, etc.) and replaced them with placeholder JSON sections and formatting markers.
Security assessment
The removed IAM policies included overly permissive permissions (e.g., Resource: '*' in training jobs, s3:ListAllMyBuckets in bucket policies). Removing these examples reduces the risk of users copying insecure configurations, addressing potential privilege escalation or data exposure risks.
Diff
diff --git a/whitepapers/latest/build-secure-enterprise-ml-platform/permissions.md b/whitepapers/latest/build-secure-enterprise-ml-platform/permissions.md index 5e42b69c5..e67e0f855 100644 --- a//whitepapers/latest/build-secure-enterprise-ml-platform/permissions.md +++ b//whitepapers/latest/build-secure-enterprise-ml-platform/permissions.md @@ -14,0 +15,6 @@ IAM policies need to be created and attached to different roles to perform diffe +JSON + + +**** + + @@ -32,0 +40,6 @@ IAM policies need to be created and attached to different roles to perform diffe +JSON + + +**** + + @@ -55,0 +70,6 @@ The previous example uses `aws:userid` to manage fine-grained access to the Sage +JSON + + +**** + + @@ -78,0 +100,6 @@ The previous example uses `aws:userid` to manage fine-grained access to the Sage +JSON + + +**** + + @@ -83 +110 @@ The previous example uses `aws:userid` to manage fine-grained access to the Sage - "Sid": "SageMakerStudioAccessbyOwner" + "Sid": "SageMakerStudioAccessbyOwner", @@ -95,0 +123 @@ The previous example uses `aws:userid` to manage fine-grained access to the Sage + } @@ -102,29 +129,0 @@ The following sample policy allows a SageMaker AI notebook execution role to cre - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "SageMakerTraining", - "Effect": "Allow", - "Action": [ - "sagemaker:CreateTrainingJob", - "sagemaker:CreateHyperParameterTuningJob", - "sagemaker:CreateProcessingJob" - ], - "Resource": "*" - }, - { - "Sid": "SageMakerPassRoleTraining", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "<SAGEMAKER_TRAINING_EXECUTION_ROLE_ARN>", - "Condition": { - "StringEquals": { - "iam:PassedToService": "sagemaker.amazonaws.com" - } - } - } - ] - } - @@ -133,56 +131,0 @@ For quick experimentation, data scientists can build and push Docker images for - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "SagemakerCreateECR", - "Effect": "Allow", - "Action": [ - "ecr:CreateRepository" - ], - "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*", - "Condition": { - "StringEquals": { - "aws:RequestTag/CreatedBy": "SageMaker" - } - } - }, - { - "Sid": "SageMakerECRAccess", - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken" - ], - "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*" - }, - { - "Sid": "SagemakerECRRepo", - "Effect": "Allow", - "Action": [ - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:DescribeImages", - "ecr:ListImages", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:PutImage" - ], - "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/CreatedBy": "SageMaker" - } - } - }, - { - "Sid": "SagemakerECRRead", - "Effect": "Allow", - "Action": [ - "ecr:DescribeRepositories" - ], - "Resource": "arn:aws:ecr:*:*:repository/*" - } - ] - } - @@ -191,31 +133,0 @@ The following sample policy, when attached to the SageMaker AI notebook executio - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "SageMakerModel", - "Effect": "Allow", - "Action": [ - "sagemaker:CreateModel", - "sagemaker:DescribeEndpointConfig", - "sagemaker:CreateEndpointConfig", - "sagemaker:CreateEndpoint", - "sagemaker:DescribeEndpoint" - ], - "Resource": "*" - }, - { - "Sid": "SageMakerPassRoleModel", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "<SAGEMAKER_MODEL_EXECUTION_ROLE_ARN>", - "Condition": { - "StringEquals": { - "iam:PassedToService": "sagemaker.amazonaws.com" - } - } - } - ] - } - @@ -229,79 +140,0 @@ The following sample shows a policy that can be attached to a training / tuning - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "SageMakerLog", - "Effect": "Allow", - "Action": [ - "cloudwatch:PutMetricData", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:DescribeLogStreams" - ], - "Resource": "*" - }, - { - "Sid": "SageMakerEC2Management", - "Effect": "Allow", - "Action": [ - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:DeleteNetworkInterface", - "ec2:DeleteNetworkInterfacePermission", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeVpcs", - "ec2:DescribeDhcpOptions", - "ec2:DescribeSubnets", - "ec2:DescribeSecurityGroups" - ], - "Resource": "*" - }, - { - "Sid": "SageMakerKMSUsage", - "Effect": "Allow", - "Action": [ - "kms:CreateGrant", - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt" - ], - "Resource": "<DATA_KMS_CMK_ARN>" - }, - {