AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio high security documentation change

Service: sagemaker-unified-studio · 2025-11-19 · Security-related high

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md

Summary

Removed IAM 'pass roles' permission when creating Amazon DataZone resources

Security assessment

Removing the ability to pass IAM roles during resource creation mitigates potential privilege escalation risks, a critical security concern. This directly addresses a security weakness by reducing excessive permissions.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md
index 5a13b02f3..9ce56a746 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md
@@ -11 +11 @@ This policy provides individual setup privileges for Amazon SageMaker Unified St
-  * AWS Identity and Access Management permissions are required to allow principals to list and get IAM roles, get IAM users, and pass roles when creating Amazon DataZone resources.
+  * AWS Identity and Access Management permissions are required to allow principals to list and get IAM roles, get IAM users.