AWS sagemaker documentation change
Summary
Added security guidance for securing serialized pipeline data in S3
Security assessment
The change adds security best practices for protecting pipeline data storage but doesn't address a specific vulnerability
Diff
diff --git a/sagemaker/latest/dg/pipelines-step-decorator-best.md b/sagemaker/latest/dg/pipelines-step-decorator-best.md index f8916105c..10e8e1c1a 100644 --- a//sagemaker/latest/dg/pipelines-step-decorator-best.md +++ b//sagemaker/latest/dg/pipelines-step-decorator-best.md @@ -7 +7 @@ -Use warm poolsStructure your directory +Use warm poolsStructure your directorySecure your serialized data @@ -38,0 +39,20 @@ You are advised to use code modules while using the `@step` decorator. Put the ` +## Secure your serialized data + +The `@step` decorator saves function inputs and outputs to Amazon S3. By default, SageMaker AI uses the default bucket. Other projects or users in your account might share this bucket. + +To keep your pipeline data safe, set `S3RootUri` in your SageMaker AI configuration file. Use a bucket that only your pipeline uses. The following example shows how to set this value: + + + SchemaVersion: '1.0' + SageMaker: + PythonSDK: + Modules: + RemoteFunction: + S3RootUri: 's3://amzn-s3-demo-bucket/pipeline-data' + +###### Important + +Restrict write access to the `S3RootUri` path. This prevents unauthorized users from modifying your pipeline data. Apply a bucket policy so that only the SageMaker AI execution role used by your jobs can write to this path. + +For more information about the configuration file, see [Configuration file](https://docs.aws.amazon.com/sagemaker/latest/dg/train-remote-decorator-config.html). +