AWS sagemaker-unified-studio documentation change
Summary
Added a new IAM policy statement (AllowCreateGrantForProjectRoles) to the KMS key policy that allows CreateGrant action with specific conditions including domainId context and grant operations constraints.
Security assessment
This change adds documentation about a security configuration for KMS key permissions, specifically allowing CreateGrant operations under constrained conditions. While it relates to security features (encryption key management), there is no evidence in the diff that this addresses a specific security vulnerability or incident - it appears to be routine documentation of a security policy configuration.
Diff
diff --git a/sagemaker-unified-studio/latest/adminguide/sagemaker-unified-studio-provisioned-resources-key-permissions.md b/sagemaker-unified-studio/latest/adminguide/sagemaker-unified-studio-provisioned-resources-key-permissions.md index f1d31e634..550e9ebc5 100644 --- a//sagemaker-unified-studio/latest/adminguide/sagemaker-unified-studio-provisioned-resources-key-permissions.md +++ b//sagemaker-unified-studio/latest/adminguide/sagemaker-unified-studio-provisioned-resources-key-permissions.md @@ -186,0 +187,33 @@ JSON + }, + { + "Sid": "AllowCreateGrantForProjectRoles", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "kms:CreateGrant", + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:EncryptionContext:aws:datazone:domainId": "dzd_0123456789" + }, + "StringLike": { + "kms:GrantConstraintType": "EncryptionContextSubset" + }, + "Null": { + "kms:GrantOperations": "false" + }, + "ForAllValues:StringEquals": { + "kms:GrantOperations": [ + "Encrypt", + "Decrypt", + "ReEncryptFrom", + "ReEncryptTo", + "GenerateDataKey", + "GenerateDataKeyWithoutPlaintext", + "DescribeKey", + "RetireGrant", + "CreateGrant" + ] + } + }