AWS sagemaker-unified-studio medium security documentation change
Summary
Expanded IAM role configuration details with specific inline policies for KMS usage, role assumption conditions, and service principal restrictions
Security assessment
Added granular IAM policies with service-specific conditions (aws:SourceAccount, iam:PassedToService) and KMS encryption context requirements. These changes enforce least privilege and prevent cross-service role misuse, directly impacting security posture.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md b/sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md index 1318de45f..16b1bf0f7 100644 --- a//sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md +++ b//sagemaker-unified-studio/latest/adminguide/setup-iam-based-domains.md @@ -19 +19,93 @@ In addition, you must choose encryption settings before you can complete setup. - 4. Add the inline policy to your Login and Execution IAM roles to enable KMS key usage. + 4. Do one of the following: + + * Add the following inline policy to your Login IAM role if you are choosing to use a new role as the Execution IAM role: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CreateRoleStatement", + "Effect": "Allow", + "Action": [ + "iam:CreatePolicy", + "iam:CreateRole" + ], + "Resource": [ + "arn:aws:iam::*:policy/service-role/AmazonSageMaker*", + "arn:aws:iam::*:role/service-role/AmazonSageMaker*" + ] + }, + { + "Sid": "AttachRolePolicyStatement", + "Effect": "Allow", + "Action": "iam:AttachRolePolicy", + "Resource": "arn:aws:iam::*:role/service-role/AmazonSageMaker*", + "Condition": { + "ArnLike": { + "iam:PolicyARN": [ + "arn:aws:iam::aws:policy/SageMakerStudio*", + "arn:aws:iam::*:policy/service-role/AmazonSageMaker*" + ] + } + } + } + ] + } + + + * Add the following inline policy to your Login IAM role if you are choosing to use an existing role as the Execution IAM role: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "IAMPassRoleStatement", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": [ + "arn:aws:iam::*:role/<execution_role>" + ], + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "datazone.amazonaws.com" + ] + } + } + } + ] + } + + + 5. Add the following inline policy to your Login and Execution IAM roles to enable KMS key usage. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "KMSDescribePermissions", + "Effect": "Allow", + "Action": "kms:DescribeKey", + "Resource": [ + "<KmsKeyArn>" + ] + }, + { + "Sid": "KMSPermissions", + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": [ + "<KmsKeyArn>" + ], + "Condition": { + "ForAnyValue:StringEquals": { + "kms:EncryptionContextKeys": "aws:datazone:domainId" + } + } + } + ] + } + @@ -28,5 +120,40 @@ Amazon SageMaker Unified Studio provides two methods to configure the Execution - * Managed policy: Data access and permission will be defined by `SageMakerStudioAdminIAMPermissiveExecutionPolicy`. It will not have the data access of the login - - * Add a trust policy: Allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role. - - * AWS Lake Formation administrator: This role will be assigned as an administrator to enable data discovery and access management. + 1. Managed policy: Data access and permission will be defined by `SageMakerStudioAdminIAMPermissiveExecutionPolicy`. It will not have the data access of the login + + 2. Add the following trust policy to allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "datazone.amazonaws.com", + "sagemaker.amazonaws.com", + "glue.amazonaws.com", + "bedrock.amazonaws.com", + "scheduler.amazonaws.com", + "lakeformation.amazonaws.com", + "airflow-serverless.amazonaws.com", + "athena.amazonaws.com", + "redshift.amazonaws.com", + "emr-serverless.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole", + "sts:TagSession", + "sts:SetContext", + "sts:SetSourceIdentity" + ], + "Condition": { + "StringEquals": { + "aws:SourceAccount": "<domain_account>" + } + } + } + ] + } + + + 3. AWS Lake Formation administrator: This role will be assigned as an administrator to enable data discovery and access management. @@ -45 +172,67 @@ Alternatively, Amazon SageMaker Unified Studio can use an existing IAM role as t - 4. Add the inline policy to allow this role to pass itself to other services. + 4. Add the following inline policy to allow this role to pass itself to other services. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "PassRoleSelf", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": [ + "arn:aws:iam::*:role/<role_name>" + ], + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "sagemaker.amazonaws.com", + "glue.amazonaws.com", + "lakeformation.amazonaws.com", + "bedrock.amazonaws.com", + "scheduler.amazonaws.com", + "airflow-serverless.amazonaws.com", + "athena.amazonaws.com", + "redshift.amazonaws.com", + "emr-serverless.amazonaws.com" + ] + } + } + } + ] + } + + + 5. Add the following trust policy to allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "datazone.amazonaws.com", + "sagemaker.amazonaws.com", + "glue.amazonaws.com", + "bedrock.amazonaws.com", + "scheduler.amazonaws.com", + "lakeformation.amazonaws.com", + "airflow-serverless.amazonaws.com", + "athena.amazonaws.com", + "redshift.amazonaws.com", + "emr-serverless.amazonaws.com" + ] + },