AWS sagemaker-unified-studio documentation change
Summary
Updated description of Project role permissions and tagging controls, specifying new tags for Glue workloads, Amazon Bedrock, and SageMaker ML workloads permissions.
Security assessment
Enhances documentation on granular permission control through IAM role tagging, which is a security feature for access management, but does not indicate a fix for a specific vulnerability or incident.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/security-accesss-control-patterns.md b/sagemaker-unified-studio/latest/adminguide/security-accesss-control-patterns.md index 9835b4bc7..4d76a5bc7 100644 --- a//sagemaker-unified-studio/latest/adminguide/security-accesss-control-patterns.md +++ b//sagemaker-unified-studio/latest/adminguide/security-accesss-control-patterns.md @@ -38 +38 @@ It is important that you understand the different IAM roles used in Amazon SageM -**Project role** \- Amazon SageMaker Unified Studio creates IAM roles that enable project users to perform data analytics, AI, and machine learning tasks. There are two IAM policies governing these permissions: SageMakerStudioProjectUserRolePolicy and SageMakerStudioProjectRoleMachineLearningPolicy. This role grants users read and write access to relevant AWS services including Amazon SageMaker, AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, Amazon Athena, Amazon Q, and Amazon EMR. Additionally, it provides necessary permissions for infrastructure resources such as network interfaces, AWS KMS keys, AWS CodeCommit, and AWS Secrets Manager. Administrators maintain granular control over these permissions through role tagging - for example, they can disable Glue Spark workload permissions by applying the tag 'EnableGlueSparkWorkloads=false', or restrict Generative AI Studio access using the tag 'EnableGenAIStudio=false'. +**Project role** \- Amazon SageMaker Unified Studio creates IAM roles that enable project users to perform data analytics, AI, and machine learning tasks. There are two IAM policies governing these permissions: SageMakerStudioProjectUserRolePolicy and SageMakerStudioProjectRoleMachineLearningPolicy. This role grants users read and write access to relevant AWS services including Amazon SageMaker, AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, Amazon Athena, Amazon Q, and Amazon EMR. Additionally, it provides necessary permissions for infrastructure resources such as network interfaces, AWS KMS keys, AWS CodeCommit, and AWS Secrets Manager. Administrators maintain granular control over these permissions through role tagging. The tag 'EnableGlueWorkloadsPermissions' controls AWS Glue workload permissions (Sessions, Blueprints, Jobs, Data Quality Rulesets, and Workflows), the tag 'EnableAmazonBedrockPermissions' controls Amazon Bedrock permissions, and the tag 'EnableSageMakerMLWorkloadsPermissions' controls SageMaker ML workload permissions (training jobs, processing jobs, and model deployment).