AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio medium security documentation change

Service: sagemaker-unified-studio · 2025-11-28 · Security-related medium

File: sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md

Summary

Expanded IAM role configuration details with specific inline policies for KMS usage, role assumption conditions, and service principal restrictions

Security assessment

Added granular IAM policies with service-specific conditions (aws:SourceAccount, iam:PassedToService) and KMS encryption context requirements. These changes enforce least privilege and prevent cross-service role misuse, directly impacting security posture.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md b/sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md
index 1318de45f..16b1bf0f7 100644
--- a//sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md
+++ b//sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md
@@ -19 +19,93 @@ In addition, you must choose encryption settings before you can complete setup.
-  4. Add the inline policy to your Login and Execution IAM roles to enable KMS key usage.
+  4. Do one of the following:
+
+     * Add the following inline policy to your Login IAM role if you are choosing to use a new role as the Execution IAM role:
+        
+                {
+            "Version": "2012-10-17",		 	 	 
+            "Statement": [
+                {
+                    "Sid": "CreateRoleStatement",
+                    "Effect": "Allow",
+                    "Action": [
+                        "iam:CreatePolicy",
+                        "iam:CreateRole"
+                    ],
+                    "Resource": [
+                        "arn:aws:iam::*:policy/service-role/AmazonSageMaker*",
+                        "arn:aws:iam::*:role/service-role/AmazonSageMaker*"
+                    ]
+                },
+                {
+                    "Sid": "AttachRolePolicyStatement",
+                    "Effect": "Allow",
+                    "Action": "iam:AttachRolePolicy",
+                    "Resource": "arn:aws:iam::*:role/service-role/AmazonSageMaker*",
+                    "Condition": {
+                        "ArnLike": {
+                            "iam:PolicyARN": [
+                                "arn:aws:iam::aws:policy/SageMakerStudio*",
+                                "arn:aws:iam::*:policy/service-role/AmazonSageMaker*"
+                            ]
+                        }
+                    }
+                }
+            ]
+        }
+                
+
+     * Add the following inline policy to your Login IAM role if you are choosing to use an existing role as the Execution IAM role:
+        
+                {
+            "Version": "2012-10-17",		 	 	 
+            "Statement": [
+                {
+                    "Sid": "IAMPassRoleStatement",
+                    "Effect": "Allow",
+                    "Action": "iam:PassRole",
+                    "Resource": [
+                        "arn:aws:iam::*:role/<execution_role>"
+                    ],
+                    "Condition": {
+                        "StringEquals": {
+                            "iam:PassedToService": [
+                                "datazone.amazonaws.com"
+                            ]
+                        }
+                    }
+                }
+            ]
+        }
+                    
+
+  5. Add the following inline policy to your Login and Execution IAM roles to enable KMS key usage.
+    
+        {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+              {
+                 "Sid": "KMSDescribePermissions",
+                 "Effect": "Allow",
+                 "Action": "kms:DescribeKey",
+                 "Resource": [
+                   "<KmsKeyArn>"
+                 ]
+             },
+             {
+                 "Sid": "KMSPermissions",
+                 "Effect": "Allow",
+                 "Action": [
+                     "kms:Decrypt",
+                     "kms:GenerateDataKey"
+                 ],
+                 "Resource": [
+                   "<KmsKeyArn>"
+                 ],
+                 "Condition": {
+                     "ForAnyValue:StringEquals": {
+                         "kms:EncryptionContextKeys": "aws:datazone:domainId"
+                     }
+                 }
+             }
+         ]
+     }
+    
@@ -28,5 +120,40 @@ Amazon SageMaker Unified Studio provides two methods to configure the Execution
-  * Managed policy: Data access and permission will be defined by `SageMakerStudioAdminIAMPermissiveExecutionPolicy`. It will not have the data access of the login
-
-  * Add a trust policy: Allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.
-
-  * AWS Lake Formation administrator: This role will be assigned as an administrator to enable data discovery and access management.
+  1. Managed policy: Data access and permission will be defined by `SageMakerStudioAdminIAMPermissiveExecutionPolicy`. It will not have the data access of the login
+
+  2. Add the following trust policy to allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.
+    
+        {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": [
+                        "datazone.amazonaws.com",
+                        "sagemaker.amazonaws.com",
+                        "glue.amazonaws.com",
+                        "bedrock.amazonaws.com",
+                        "scheduler.amazonaws.com",
+                        "lakeformation.amazonaws.com",
+                        "airflow-serverless.amazonaws.com",
+                        "athena.amazonaws.com",
+                        "redshift.amazonaws.com",
+                        "emr-serverless.amazonaws.com"
+                    ]
+                },
+                "Action": [
+                    "sts:AssumeRole",
+                    "sts:TagSession",
+                    "sts:SetContext",
+                    "sts:SetSourceIdentity"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:SourceAccount": "<domain_account>"
+                    }
+                }
+            }
+        ]
+    }
+    
+
+  3. AWS Lake Formation administrator: This role will be assigned as an administrator to enable data discovery and access management.
@@ -45 +172,67 @@ Alternatively, Amazon SageMaker Unified Studio can use an existing IAM role as t
-  4. Add the inline policy to allow this role to pass itself to other services.
+  4. Add the following inline policy to allow this role to pass itself to other services.
+    
+        {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "PassRoleSelf",
+                "Effect": "Allow",
+                "Action": "iam:PassRole",
+                "Resource": [
+                    "arn:aws:iam::*:role/<role_name>"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "iam:PassedToService": [
+                            "sagemaker.amazonaws.com",
+                            "glue.amazonaws.com",
+                            "lakeformation.amazonaws.com",
+                            "bedrock.amazonaws.com",
+                            "scheduler.amazonaws.com",
+                            "airflow-serverless.amazonaws.com",
+                            "athena.amazonaws.com",
+                            "redshift.amazonaws.com",
+                            "emr-serverless.amazonaws.com"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+    
+
+  5. Add the following trust policy to allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.
+    
+        {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": [
+                        "datazone.amazonaws.com",
+                        "sagemaker.amazonaws.com",
+                        "glue.amazonaws.com",
+                        "bedrock.amazonaws.com",
+                        "scheduler.amazonaws.com",
+                        "lakeformation.amazonaws.com",
+                        "airflow-serverless.amazonaws.com",
+                        "athena.amazonaws.com",
+                        "redshift.amazonaws.com",
+                        "emr-serverless.amazonaws.com"
+                    ]
+                },