AWS sagemaker-unified-studio documentation change
Summary
Added documentation for five policy updates to SageMaker Unified Studio IAM policies, including new permissions for CloudWatch metrics, SageMaker Feature Store, LakeFormation data filtering, SSO, Admin UI, notebook import/export, and KMS encryption for IAM Identity Center.
Security assessment
This change documents routine IAM policy updates for new features and integrations (Feature Store, LakeFormation, SSO, Admin UI). While it adds security documentation about IAM policies, there is no evidence of addressing a specific security vulnerability, weakness, or incident. The changes appear to be standard feature expansion with appropriate permission grants.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md index e7ab7496e..2199a273f 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md +++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-updates.md @@ -10,0 +11,5 @@ Change | Description | Date +Policy update - [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding cloudwatch:GetMetricData, SageMaker Feature store, LakeFormation data filter, SSO and Admin UI permission to SageMaker Unified Studio. | 03/30/2026 +Policy update - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding cloudwatch:GetMetricData, notebook import and export functionality for permissive users SageMaker Feature store, and LakeFormation data filter for SageMaker Unified Studio. These permissions are applied to default IAM users. | 03/30/2026 +Policy update - [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy) | Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adds notebook import and export functionality for permissive users. These permissions are applied to default IAM users when using the permissive role. | 03/30/2026 +Policy update - [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy) | Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adds SSO permissions for permissive admin policies. Also adds Admin and LakeFormation data filter permissions to permissive admin roles. | 03/30/2026 +Policy update - [SageMakerStudioAdminIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy) | Policy updates to SageMakerStudioAdminIAMConsolePolicy - adding sso:DeleteApplication permission to allow deleting DataZone domain integrated with AWS IAM Identity Center. Adding KMS permissions required for IAM Identity Center instances that use customer managed keys for encryption. | 03/30/2026