AWS sagemaker-unified-studio documentation change
Summary
Updated documentation for adding S3 data to SageMaker Unified Studio projects. Changes include: removing CORS policy configuration steps, updating navigation instructions, adding detailed IAM policy examples for S3 Access Grants with multiple buckets, adding a 'Verify the setup' section, and providing notes about using StringEquals/StringLike for single buckets.
Security assessment
The changes primarily update procedural documentation and provide more detailed IAM policy examples for S3 Access Grants. While the changes involve security configurations (IAM policies), there is no evidence in the diff that this addresses a specific security vulnerability, weakness, or incident. The removal of CORS configuration might simplify setup but doesn't indicate a security fix. The addition of more granular IAM policy examples with conditions like 'ForAnyValue:StringEquals' and account-based conditions improves security documentation by showing best practices for least-privilege access.
Diff
diff --git a/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md b/sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md index 7d5f20370..33f1b1488 100644 --- a//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md +++ b//sagemaker-unified-studio/latest/userguide/adding-existing-s3-data.md @@ -7 +7 @@ -Prerequisite option 1 (recommended): Gain access using an access rolePrerequisite option 2: Gain access using the project roleAdd the data to your project +Prerequisite option 1 (recommended): Gain access using an access rolePrerequisite option 2: Gain access using the project roleAdd the data to your projectVerify the setup @@ -25 +25 @@ Work with your admin to complete the following steps: - 2. Navigate to the project that you want to add Amazon S3 data to. You can do this by choosing **Browse all projects** from the center menu, and then selecting the name of the project. + 2. Navigate to the project that you want to add Amazon S3 data to. You can do this by choosing a project from the project selector dropdown at the top of the page. @@ -29,35 +29 @@ Work with your admin to complete the following steps: - 2. The admin then must go to the Amazon S3 console and add a CORS policy to the bucket that you want to access in your project. - - 1. Navigate to the Amazon S3 console. - - 2. Navigate to the bucket you want to grant access to. - - 3. On the **Permissions** tab, under **Cross-origin resource sharing (CORS)** , choose **Edit**. - - 4. Enter in the new CORS policy, then choose **Save changes**. - - [ - { - "AllowedHeaders": [ - "*" - ], - "AllowedMethods": [ - "PUT", - "GET", - "POST", - "DELETE", - "HEAD" - ], - "AllowedOrigins": [ - "domainUrl" // example: https://dzd_abcdefg1234567.sagemaker.us-east-1.on.aws - ], - "ExposeHeaders": [ - "x-amz-version-id" - ] - } - ] - - - 5. Choose the name of an object to view its details. On the **Properties** tab, note the resource name ARN and the S3 URI. You will need to use these later. - - 3. The admin then must go to the IAM console and create an access role. + 2. The admin then must go to the IAM console and create an access role. @@ -148 +114,113 @@ JSON - 9. Use the JSON editor to create a policy that grants Amazon S3 access permissions. + 9. Use the JSON editor to create a policy that grants Amazon S3 access permissions. The following example shows a policy that grants access to multiple S3 buckets and folders. Replace the bucket and folder names with your own values. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "S3AdditionalBucketPermissions", + "Effect": "Allow", + "Action": [ + "s3:ListBucket", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::bucket1", + "arn:aws:s3:::bucket2", + "arn:aws:s3:::bucket3" + ] + }, + { + "Sid": "S3AdditionalObjectPermissions", + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:PutObject" + ], + "Resource": [ + "arn:aws:s3:::bucket1/*", + "arn:aws:s3:::bucket2/folderA/*", + "arn:aws:s3:::bucket3/*" + ] + }, + { + "Sid": "S3AGLocationManagement", + "Effect": "Allow", + "Action": [ + "s3:CreateAccessGrantsLocation", + "s3:DeleteAccessGrantsLocation", + "s3:GetAccessGrantsLocation" + ], + "Resource": [ + "arn:aws:s3:*:*:access-grants/default/*" + ], + "Condition": { + "ForAnyValue:StringEquals": { + "s3:accessGrantsLocationScope": [ + "s3://bucket1/", + "s3://bucket2/folderA/", + "s3://bucket3/" + ] + } + } + }, + { + "Sid": "S3AGPermissionManagement", + "Effect": "Allow", + "Action": [ + "s3:CreateAccessGrant", + "s3:DeleteAccessGrant" + ], + "Resource": [ + "arn:aws:s3:*:*:access-grants/default/location/*", + "arn:aws:s3:*:*:access-grants/default/grant/*" + ], + "Condition": { + "ForAnyValue:StringLike": { + "s3:accessGrantScope": [ + "s3://bucket1/*", + "s3://bucket2/folderA/*", + "s3://bucket3/*" + ] + } + } + }, + { + "Sid": "AllowPassRoleOnProjectRoles", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": "access-role-arn", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "access-grants.s3.amazonaws.com" + ], + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "S3AGTaggingPermission", + "Effect": "Allow", + "Action": [ + "s3:TagResource", + "s3:ListTagsForResource" + ], + "Resource": [ + "arn:aws:s3:*:*:access-grants/default/location/*", + "arn:aws:s3:*:*:access-grants/default/grant/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + } + ] + } + + +###### Note + +Replace ``access-role-arn`` with the ARN of this access role. For a single bucket, you can use `StringEquals` and `StringLike` instead of `ForAnyValue:StringEquals` and `ForAnyValue:StringLike` with a single value instead of an array. @@ -254 +332 @@ Work with your admin to complete the following steps: - 2. Navigate to the project that you want to add Amazon S3 data to. You can do this by choosing **Browse all projects** from the center menu, and then selecting the name of the project. + 2. Navigate to the project that you want to add Amazon S3 data to. You can do this by choosing a project from the project selector dropdown at the top of the page. @@ -258,35 +336 @@ Work with your admin to complete the following steps: - 2. The admin then must go to the Amazon S3 console and add a CORS policy to the bucket that you want to access in your project. - - 1. Navigate to the Amazon S3 console. - - 2. Navigate to the bucket you want to grant access to. - - 3. On the **Permissions** tab, under **Cross-origin resource sharing (CORS)** , choose **Edit**. - - 4. Enter in the new CORS policy, then choose **Save changes**. - - [ - { - "AllowedHeaders": [ - "*" - ], - "AllowedMethods": [ - "PUT", - "GET", - "POST", - "DELETE", - "HEAD" - ], - "AllowedOrigins": [ - "domainUrl" // example: https://dzd_abcdefg1234567.sagemaker.us-east-1.on.aws - ], - "ExposeHeaders": [ - "x-amz-version-id" - ] - } - ] - - - 5. Choose the name of an object to view its details. On the **Properties** tab, note the resource name ARN and the S3 URI. You will need to use these later. -