AWS sagemaker-unified-studio high security documentation change
Summary
Removed IAM 'pass roles' permission when creating Amazon DataZone resources
Security assessment
Removing the ability to pass IAM roles during resource creation mitigates potential privilege escalation risks, a critical security concern. This directly addresses a security weakness by reducing excessive permissions.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md index 5a13b02f3..9ce56a746 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md @@ -11 +11 @@ This policy provides individual setup privileges for Amazon SageMaker Unified St - * AWS Identity and Access Management permissions are required to allow principals to list and get IAM roles, get IAM users, and pass roles when creating Amazon DataZone resources. + * AWS Identity and Access Management permissions are required to allow principals to list and get IAM roles, get IAM users.