AWS sagemaker medium security documentation change
Summary
Added required KMS permissions for notebook instance storage encryption.
Security assessment
Explicitly documents necessary KMS permissions for volume encryption. Missing these permissions could lead to failed encryption and potential data exposure. Concrete evidence: Added kms:CreateGrant, kms:DescribeKey, etc. actions.
Diff
diff --git a/sagemaker/latest/dg/sagemaker-roles.md b/sagemaker/latest/dg/sagemaker-roles.md index 820334189..844b3887d 100644 --- a//sagemaker/latest/dg/sagemaker-roles.md +++ b//sagemaker/latest/dg/sagemaker-roles.md @@ -862,0 +863,15 @@ The `cloudwatch` and `logs` actions are applicable for "*" resources. For more i +If you specify an AWS KMS key to encrypt the storage volume of the notebook instance, add the following permissions to the execution role: + + + { + "Effect": "Allow", + "Action": [ + "kms:CreateGrant", + "kms:DescribeKey", + "kms:Decrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "arn:aws:kms:us-east-1:111122223333:key/kms-key-id" + } +