AWS Security ChangesHomeSearch

AWS sagemaker-unified-studio documentation change

Service: sagemaker-unified-studio · 2026-04-22 · Documentation low

File: sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md

Summary

Updated policy documentation to clarify permission control via tags, changing from disabling permissions with false values to enabling permissions with true values (default true). Added detailed descriptions for EnableGlueWorkloadsPermissions and EnableAmazonBedrockPermissions tags.

Security assessment

This change enhances security documentation by providing clearer guidance on permission scoping through role tags. It improves the principle of least privilege by allowing administrators to explicitly enable/disable specific permissions (Glue workloads and Bedrock access) rather than disabling them. No evidence of addressing a specific security vulnerability.

Diff

diff --git a/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md b/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
index 17d650338..8da32941d 100644
--- a//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
+++ b//sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md
@@ -13 +13,8 @@ This is the main policy for the SageMakerUnifiedStudioProjectRole role. The Sage
-An administrator can disable certain permissions in this policy by tagging the role to which the policy is attached to. The tag EnableGlueSparkWorkloads=false disables all Glue Spark workloads related permissions. The tag EnableGenAIStudio=false disables all Generative AI Studio related permissions. 
+An administrator can control certain permissions in this policy by tagging the role to which the policy is attached. The following tags control permission scoping:
+
+  * EnableGlueWorkloadsPermissions — When set to "true" (default), grants permissions for AWS Glue workloads including creating and managing Glue Sessions, Blueprints, Jobs, Data Quality Rulesets, and Workflows. When not set to "true", these Glue workload permissions are not granted. Glue Data Catalog permissions (such as GetCatalogs, GetDatabases, GetTables) are not affected by this tag and remain available regardless of this setting.
+
+  * EnableAmazonBedrockPermissions — When set to "true" (default), grants permissions for Amazon Bedrock including foundation model access and Bedrock agent operations. When not set to "true", these Bedrock permissions are not granted.
+
+
+