AWS Security ChangesHomeSearch

AWS sagemaker medium security documentation change

Service: sagemaker · 2026-05-13 · Security-related medium

File: sagemaker/latest/dg/sagemaker-roles.md

Summary

Added required KMS permissions for notebook instance storage encryption.

Security assessment

Explicitly documents necessary KMS permissions for volume encryption. Missing these permissions could lead to failed encryption and potential data exposure. Concrete evidence: Added kms:CreateGrant, kms:DescribeKey, etc. actions.

Diff

diff --git a/sagemaker/latest/dg/sagemaker-roles.md b/sagemaker/latest/dg/sagemaker-roles.md
index 820334189..844b3887d 100644
--- a//sagemaker/latest/dg/sagemaker-roles.md
+++ b//sagemaker/latest/dg/sagemaker-roles.md
@@ -862,0 +863,15 @@ The `cloudwatch` and `logs` actions are applicable for "*" resources. For more i
+If you specify an AWS KMS key to encrypt the storage volume of the notebook instance, add the following permissions to the execution role:
+    
+    
+    {
+        "Effect": "Allow",
+        "Action": [
+            "kms:CreateGrant",
+            "kms:DescribeKey",
+            "kms:Decrypt",
+            "kms:GenerateDataKey",
+            "kms:GenerateDataKeyWithoutPlaintext"
+        ],
+        "Resource": "arn:aws:kms:us-east-1:111122223333:key/kms-key-id"
+    }
+