AWS sagemaker-unified-studio documentation change
Summary
Expanded inline IAM policy example with granular KMS permissions for multiple AWS services (CloudWatch, S3, DataZone, SageMaker, Glue, Bedrock, etc.) including encryption context constraints and service-specific conditions
Security assessment
The change provides detailed encryption policy configuration guidance rather than addressing a specific vulnerability. It enhances security documentation by specifying least-privilege permissions for KMS key usage across integrated services, but there's no evidence of fixing an existing security flaw.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/manage-data-encryption-iam-based-domains.md b/sagemaker-unified-studio/latest/adminguide/manage-data-encryption-iam-based-domains.md index f0581aa50..14fd43a71 100644 --- a//sagemaker-unified-studio/latest/adminguide/manage-data-encryption-iam-based-domains.md +++ b//sagemaker-unified-studio/latest/adminguide/manage-data-encryption-iam-based-domains.md @@ -49 +49,363 @@ Configure customer-managed encryption: - 4. Add the inline policy to your Login and Execution IAM roles to enable KMS key usage. + 4. Add the following inline policy to your Login and Execution IAM roles to enable KMS key usage. + + { + "Version": "2012-10-17", + "Id": "key-consolepolicy", + "Statement": [ + { + "Sid": "ListAndDescribe", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::<account>:root" + }, + "Action": [ + "kms:DescribeKey", + "kms:ListAliases", + "kms:ListGrants" + ], + "Resource": "*", + "Condition": { + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*", + "arn:aws:iam::<account>:role/<role_name>" + ] + } + } + }, + { + "Sid": "CloudWatchLogs", + "Effect": "Allow", + "Principal": { "Service": "logs.<region>.amazonaws.com" }, + "Action": [ + "kms:Encrypt*", + "kms:Decrypt*", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ], + "Resource": "*", + "Condition": { + "ArnLike": { + "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:*:*:log-group:/aws/mwaa-serverless/*" + } + } + }, + { + "Sid": "S3Table", + "Effect": "Allow", + "Principal": { + "Service": "maintenance.s3tables.amazonaws.com" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": "*" + }, + { + "Sid": "DataZone", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::<account>:root" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey", + "kms:Encrypt", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:ReEncryptTo", + "kms:ReEncryptFrom" + ], + "Resource": "*", + "Condition": { + "ForAnyValue:StringEquals": { + "kms:EncryptionContextKeys": "aws:datazone:domainId" + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*", + "arn:aws:iam::<account>:role/<role_name<" + ] + } + } + }, + { + "Sid": "S3Kms", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::<account>:root" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": "s3.*.amazonaws.com" + }, + "Null": { + "kms:EncryptionContext:aws:s3:arn": "false" + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*", + "arn:aws:iam::<account>:role/<role_name>" + ] + } + } + }, + { + "Sid": "SchedulerKms", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::<account>:root" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "Null": { + "kms:EncryptionContext:aws:scheduler:schedule:arn": "false" + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*", + "arn:aws:iam::<account>:role/<role_name>" + ] + } + } + }, + { + "Sid": "SecretsKms", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::<account>:root" + }, + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": "secretsmanager.*.amazonaws.com" + }, + "Null": { + "kms:EncryptionContext:SecretARN": "false" + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*", + "arn:aws:iam::<account>:role/<role_name>" + ] + } + } + }, + { + "Sid": "SageMakerKms", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::<account>:root" + }, + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:ReEncryptTo", + "kms:ReEncryptFrom" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": "sagemaker.*.amazonaws.com" + }, + "Null": { + "kms:EncryptionContextKeys": "false" + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*", + "arn:aws:iam::<account>:role/<role_name>" + ] + } + } + }, + { + "Sid": "SageMakerCreateGrant", + "Effect": "Allow", + "Principal": {