AWS sagemaker documentation change
Summary
Removed SageMaker Python SDK v2 (Legacy) deployment examples and cross-account policy implementation code.
Security assessment
Deleted content includes legacy deployment patterns and cross-account access policies, but removal doesn't indicate security issues. No evidence of vulnerability fixes or new security guidance in the changes.
Diff
diff --git a/sagemaker/latest/dg/model-registry-deploy.md b/sagemaker/latest/dg/model-registry-deploy.md index 44cd0cf72..a63fc0f40 100644 --- a//sagemaker/latest/dg/model-registry-deploy.md +++ b//sagemaker/latest/dg/model-registry-deploy.md @@ -32,3 +31,0 @@ To deploy a model version using the [Amazon SageMaker Python SDK](https://sagema -SageMaker Python SDK v3 - - @@ -53,13 +49,0 @@ SageMaker Python SDK v3 -SageMaker Python SDK v2 (Legacy) - - - - from sagemaker import ModelPackage - from time import gmtime, strftime - - model_package_arn = 'arn:aws:sagemaker:us-east-2:12345678901:model-package/modeltest/1' - model = ModelPackage(role=role, - model_package_arn=model_package_arn, - sagemaker_session=sagemaker_session) - model.deploy(initial_instance_count=1, instance_type='ml.m5.xlarge') - @@ -74,3 +57,0 @@ Create a model object from the model version by calling the [create_model](https -SageMaker Python SDK v3 - - @@ -88,14 +68,0 @@ SageMaker Python SDK v3 -SageMaker Python SDK v2 (Legacy) - - - import time - import os - from sagemaker import get_execution_role, session - import boto3 - - region = boto3.Session().region_name - - role = get_execution_role() - - sm_client = boto3.client('sagemaker', region_name=region) - @@ -117,3 +83,0 @@ SageMaker Python SDK v2 (Legacy) -SageMaker Python SDK v3 - - @@ -128,14 +91,0 @@ SageMaker Python SDK v3 -SageMaker Python SDK v2 (Legacy) - - - import time - import os - from sagemaker import get_execution_role, session - import boto3 - - region = boto3.Session().region_name - - role = get_execution_role() - - sm_client = boto3.client('sagemaker', region_name=region) - @@ -172,3 +121,0 @@ The following example creates cross-account policies for all three of these reso -SageMaker Python SDK v3 - - @@ -280,79 +226,0 @@ SageMaker Python SDK v3 -SageMaker Python SDK v2 (Legacy) - - - - import json - - # The Model Registry account id of the Model Group - model_registry_account = "111111111111" - - # The model training account id where training happens - model_training_account = "222222222222" - - # 1. Create a policy for access to the ECR repository - # in the model training account for the Model Registry account Model Group - ecr_repository_policy = {"Version": "2012-10-17", - "Statement": [{"Sid": "AddPerm", - "Effect": "Allow", - "Principal": { - "AWS": f"arn:aws:iam::{model_registry_account}:root" - }, - "Action": [ - "ecr:BatchGetImage", - "ecr:Describe*" - ] - }] - } - - # Convert the ECR policy from JSON dict to string - ecr_repository_policy = json.dumps(ecr_repository_policy) - - # Set the new ECR policy - ecr = boto3.client('ecr') - response = ecr.set_repository_policy( - registryId = model_training_account, - repositoryName = "decision-trees-sample", - policyText = ecr_repository_policy - ) - - # 2. Create a policy in the model training account for access to the S3 bucket - # where the model is present in the Model Registry account Model Group - bucket_policy = {"Version": "2012-10-17", - "Statement": [{"Sid": "AddPerm", - "Effect": "Allow", - "Principal": {"AWS": f"arn:aws:iam::{model_registry_account}:root" - }, - "Action": [ - "s3:GetObject", - "s3:GetBucketAcl", - "s3:GetObjectAcl" - ], - "Resource": [ - "arn:aws:s3:::{bucket}/*", - "Resource: arn:aws:s3:::{bucket}" - ] - }] - } - - # Convert the S3 policy from JSON dict to string - bucket_policy = json.dumps(bucket_policy) - - # Set the new bucket policy - s3 = boto3.client("s3") - response = s3.put_bucket_policy( - Bucket = bucket, - Policy = bucket_policy) - - # 3. Create the KMS grant for the key used during training for encryption - # in the model training account to the Model Registry account Model Group - client = boto3.client("kms") - - response = client.create_grant( - GranteePrincipal=model_registry_account, - KeyId=kms_key_id - Operations=[ - "Decrypt", - "GenerateDataKey", - ], - ) -