AWS whitepapers high security documentation change
Summary
Added JSON placeholders and corrected IAM condition operator
Security assessment
Critical fix changing StringNotLike to ArnNotLike in IAM policy prevents potential privilege escalation through ARN mismatches
Diff
diff --git a/whitepapers/latest/sagemaker-studio-admin-best-practices/permissions-management.md b/whitepapers/latest/sagemaker-studio-admin-best-practices/permissions-management.md index baf5c0154..a8496b3d1 100644 --- a//whitepapers/latest/sagemaker-studio-admin-best-practices/permissions-management.md +++ b//whitepapers/latest/sagemaker-studio-admin-best-practices/permissions-management.md @@ -139,0 +140,6 @@ This service control policy can be used to limit the instance types that data sc +JSON + + +**** + + @@ -168,0 +176,6 @@ For SageMaker AI Studio domains, the following service control policy may be use +JSON + + +**** + + @@ -194,0 +209,6 @@ The following policy prevents a user from launching an unauthorized SageMaker AI +JSON + + +**** + + @@ -206 +226 @@ The following policy prevents a user from launching an unauthorized SageMaker AI - "ForAllValues:StringNotLike": { + "ForAllValues:ArnNotLike": { @@ -220,0 +242,6 @@ In addition to VPC endpoints for the SageMaker AI control plane, SageMaker AI su +JSON + + +**** + + @@ -248,0 +277,6 @@ Corporations will often limit SageMaker AI Studio access to certain allowed corp +JSON + + +**** + + @@ -278,0 +314,6 @@ Next, attach the following policy to the role the user will assume when launchin +JSON + + +**** + + @@ -304,0 +347,6 @@ For SageMaker AI Studio apps, ensure the user profile is tagged. Tags are automa +JSON + + +**** + + @@ -326,0 +376,6 @@ For other resources, such as training jobs and processing jobs, you can make tag +JSON + + +**** + + @@ -336 +391 @@ For other resources, such as training jobs and processing jobs, you can make tag - "sagemaker:CreateProcessingJob", + "sagemaker:CreateProcessingJob"