AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2026-04-10 · Documentation low

File: sagemaker/latest/dg/security-iam-awsmanpol-training-plan.md

Summary

Added new AWS managed policy 'AmazonSageMakerCapacityReservationServiceRolePolicy' documentation for service-linked role

Security assessment

This change documents a new service-linked role policy that allows SageMaker to publish CloudWatch metrics. It's IAM policy documentation (security-related) but doesn't address a specific security vulnerability.

Diff

diff --git a/sagemaker/latest/dg/security-iam-awsmanpol-training-plan.md b/sagemaker/latest/dg/security-iam-awsmanpol-training-plan.md
index cdefff793..7da6f83ba 100644
--- a//sagemaker/latest/dg/security-iam-awsmanpol-training-plan.md
+++ b//sagemaker/latest/dg/security-iam-awsmanpol-training-plan.md
@@ -5 +5 @@
-AmazonSageMakerTrainingPlanCreateAccessSageMaker training plans policy updates
+AmazonSageMakerTrainingPlanCreateAccessAmazonSageMakerCapacityReservationServiceRolePolicySageMaker training plans policy updates
@@ -14,0 +15,2 @@ This AWS managed policy grants permissions needed to create and manage Amazon Sa
+  * AWS managed policy: AmazonSageMakerCapacityReservationServiceRolePolicy
+
@@ -100,0 +103,41 @@ JSON
+## AWS managed policy: AmazonSageMakerCapacityReservationServiceRolePolicy
+
+This policy is used by the service-linked role named AWSServiceRoleForSageMakerCapacityReservation to publish CloudWatch metrics for Reserved Capacity utilization into customer accounts. The service-linked role is created by the service principal capacityreservation.sagemaker.amazonaws.com.
+
+###### Note
+
+This is a service-linked role policy. You cannot attach this policy to your IAM identities. SageMaker AI creates this policy and attaches it to a service-linked role that allows SageMaker AI to perform actions on your behalf.
+
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `cloudwatch` – Allows publishing metric data to CloudWatch. This permission is scoped to the `aws/sagemaker/CapacityReservations` namespace using a condition key.
+
+
+
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "CloudwatchPutMetricDataAccess",
+                "Effect": "Allow",
+                "Action": [
+                    "cloudwatch:PutMetricData"
+                ],
+                "Resource": [
+                    "*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "cloudwatch:namespace": "aws/sagemaker/CapacityReservations"
+                    }
+                }
+            }
+        ]
+    }
+
+For more information, see [AmazonSageMakerCapacityReservationServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerCapacityReservationServiceRolePolicy.html) in the AWS Managed Policy Reference Guide.
+
@@ -106,0 +150 @@ Policy | Version | Change | Date
+AmazonSageMakerCapacityReservationServiceRolePolicy – New policy | 1 |  Initial policy | March 5, 2026