AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2026-07-01 · Documentation low

File: sagemaker/latest/dg/model-registry-deploy.md

Summary

Removed SageMaker Python SDK v2 (Legacy) deployment examples and cross-account policy implementation code.

Security assessment

Deleted content includes legacy deployment patterns and cross-account access policies, but removal doesn't indicate security issues. No evidence of vulnerability fixes or new security guidance in the changes.

Diff

diff --git a/sagemaker/latest/dg/model-registry-deploy.md b/sagemaker/latest/dg/model-registry-deploy.md
index 44cd0cf72..a63fc0f40 100644
--- a//sagemaker/latest/dg/model-registry-deploy.md
+++ b//sagemaker/latest/dg/model-registry-deploy.md
@@ -32,3 +31,0 @@ To deploy a model version using the [Amazon SageMaker Python SDK](https://sagema
-SageMaker Python SDK v3
-    
-    
@@ -53,13 +49,0 @@ SageMaker Python SDK v3
-SageMaker Python SDK v2 (Legacy)
-    
-    
-    
-    from sagemaker import ModelPackage
-    from time import gmtime, strftime
-    
-    model_package_arn = 'arn:aws:sagemaker:us-east-2:12345678901:model-package/modeltest/1'
-    model = ModelPackage(role=role, 
-                         model_package_arn=model_package_arn, 
-                         sagemaker_session=sagemaker_session)
-    model.deploy(initial_instance_count=1, instance_type='ml.m5.xlarge')
-
@@ -74,3 +57,0 @@ Create a model object from the model version by calling the [create_model](https
-SageMaker Python SDK v3
-    
-    
@@ -88,14 +68,0 @@ SageMaker Python SDK v3
-SageMaker Python SDK v2 (Legacy)
-    
-    
-        import time
-    import os
-    from sagemaker import get_execution_role, session
-    import boto3
-    
-    region = boto3.Session().region_name
-    
-    role = get_execution_role()
-    
-    sm_client = boto3.client('sagemaker', region_name=region)
-
@@ -117,3 +83,0 @@ SageMaker Python SDK v2 (Legacy)
-SageMaker Python SDK v3
-    
-    
@@ -128,14 +91,0 @@ SageMaker Python SDK v3
-SageMaker Python SDK v2 (Legacy)
-    
-    
-        import time
-    import os
-    from sagemaker import get_execution_role, session
-    import boto3
-    
-    region = boto3.Session().region_name
-    
-    role = get_execution_role()
-    
-    sm_client = boto3.client('sagemaker', region_name=region)
-
@@ -172,3 +121,0 @@ The following example creates cross-account policies for all three of these reso
-SageMaker Python SDK v3
-    
-    
@@ -280,79 +226,0 @@ SageMaker Python SDK v3
-SageMaker Python SDK v2 (Legacy)
-    
-    
-    
-    import json
-    
-    # The Model Registry account id of the Model Group 
-    model_registry_account = "111111111111"
-    
-    # The model training account id where training happens
-    model_training_account = "222222222222"
-    
-    # 1. Create a policy for access to the ECR repository 
-    # in the model training account for the Model Registry account Model Group
-    ecr_repository_policy = {"Version": "2012-10-17",
-        "Statement": [{"Sid": "AddPerm",
-            "Effect": "Allow",
-            "Principal": {
-              "AWS": f"arn:aws:iam::{model_registry_account}:root"
-            },
-            "Action": [
-              "ecr:BatchGetImage",
-              "ecr:Describe*"
-            ]
-        }]
-    }
-    
-    # Convert the ECR policy from JSON dict to string
-    ecr_repository_policy = json.dumps(ecr_repository_policy)
-    
-    # Set the new ECR policy
-    ecr = boto3.client('ecr')
-    response = ecr.set_repository_policy(
-        registryId = model_training_account,
-        repositoryName = "decision-trees-sample",
-        policyText = ecr_repository_policy
-    )
-    
-    # 2. Create a policy in the model training account for access to the S3 bucket 
-    # where the model is present in the Model Registry account Model Group
-    bucket_policy = {"Version": "2012-10-17",
-        "Statement": [{"Sid": "AddPerm",
-            "Effect": "Allow",
-            "Principal": {"AWS": f"arn:aws:iam::{model_registry_account}:root"
-            },
-            "Action": [
-              "s3:GetObject",
-              "s3:GetBucketAcl",
-              "s3:GetObjectAcl"
-            ],
-            "Resource": [
-              "arn:aws:s3:::{bucket}/*",
-    	  "Resource: arn:aws:s3:::{bucket}"
-            ]
-        }]
-    }
-    
-    # Convert the S3 policy from JSON dict to string
-    bucket_policy = json.dumps(bucket_policy)
-    
-    # Set the new bucket policy
-    s3 = boto3.client("s3")
-    response = s3.put_bucket_policy(
-        Bucket = bucket,
-        Policy = bucket_policy)
-    
-    # 3. Create the KMS grant for the key used during training for encryption
-    # in the model training account to the Model Registry account Model Group
-    client = boto3.client("kms")
-    
-    response = client.create_grant(
-        GranteePrincipal=model_registry_account,
-        KeyId=kms_key_id
-        Operations=[
-            "Decrypt",
-            "GenerateDataKey",
-        ],
-    )
-