AWS sagemaker documentation change
Summary
Added specific IAM policy requirement for 'sagemaker:DescribeAlgorithm' permission when using AlgorithmArn parameter in training jobs.
Security assessment
This change documents additional IAM permissions needed for algorithm resources, improving security documentation but not addressing a specific security incident.
Diff
diff --git a/sagemaker/latest/dg/sagemaker-roles.md b/sagemaker/latest/dg/sagemaker-roles.md index 0dfc83775..2f0112901 100644 --- a//sagemaker/latest/dg/sagemaker-roles.md +++ b//sagemaker/latest/dg/sagemaker-roles.md @@ -1279,0 +1280,11 @@ If `CreateTrainingJob.AlgorithSpecifications.TrainingImage` needs to access othe +If you specify an algorithm resource by using the `AlgorithmSpecification.AlgorithmArn` parameter, the execution role must also have the following permission: + + + { + "Effect": "Allow", + "Action": [ + "sagemaker:DescribeAlgorithm" + ], + "Resource": "arn:aws:sagemaker:*:*:algorithm/*" + } +