AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2025-11-22 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy.md

Summary

Added requirements for EC2, CloudFormation, S3, and KMS permissions. Added mandatory tagging policy for EC2 resources.

Security assessment

The change documents required permissions for infrastructure management and introduces resource tagging for governance. While tagging improves resource lifecycle management (a security best practice), there's no evidence of a specific vulnerability being addressed.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy.md
index 6cfea45a7..37002442e 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy.md
@@ -14,0 +15 @@ This policy provides initial administrative and individual setup privileges for
+  * Amazon EC2 permissions are required to describe, create, modify, and delete VPC infrastructure including VPCs, subnets, security groups, internet gateways, NAT gateways, route tables, VPC endpoints, and elastic IP addresses for Amazon SageMaker Unified Studio environments.
@@ -15,0 +17 @@ This policy provides initial administrative and individual setup privileges for
+  * CloudFormation permissions are required to create and manage infrastructure stacks for Amazon SageMaker Unified Studio deployment.
@@ -16,0 +19,8 @@ This policy provides initial administrative and individual setup privileges for
+  * Amazon S3 permissions are required to allow CloudFormation to access template files from S3 buckets, including cross-account scenarios.
+
+  * AWS KMS permissions are required to manage encryption keys, perform encrypt/decrypt operations, and create grants for Amazon DataZone resources.
+
+
+
+
+All EC2 resources must be tagged with `CreatedForUseWithSageMakerUnifiedStudio: true` for creation, modification, and deletion operations to ensure proper resource governance and lifecycle management.