AWS Security ChangesHomeSearch

AWS sagemaker documentation change

Service: sagemaker · 2026-07-07 · Documentation medium

File: sagemaker/latest/dg/pipelines-step-decorator-best.md

Summary

Added security guidance for securing serialized pipeline data in S3

Security assessment

The change adds security best practices for protecting pipeline data storage but doesn't address a specific vulnerability

Diff

diff --git a/sagemaker/latest/dg/pipelines-step-decorator-best.md b/sagemaker/latest/dg/pipelines-step-decorator-best.md
index f8916105c..10e8e1c1a 100644
--- a//sagemaker/latest/dg/pipelines-step-decorator-best.md
+++ b//sagemaker/latest/dg/pipelines-step-decorator-best.md
@@ -7 +7 @@
-Use warm poolsStructure your directory
+Use warm poolsStructure your directorySecure your serialized data
@@ -38,0 +39,20 @@ You are advised to use code modules while using the `@step` decorator. Put the `
+## Secure your serialized data
+
+The `@step` decorator saves function inputs and outputs to Amazon S3. By default, SageMaker AI uses the default bucket. Other projects or users in your account might share this bucket.
+
+To keep your pipeline data safe, set `S3RootUri` in your SageMaker AI configuration file. Use a bucket that only your pipeline uses. The following example shows how to set this value:
+    
+    
+    SchemaVersion: '1.0'
+    SageMaker:
+      PythonSDK:
+        Modules:
+          RemoteFunction:
+            S3RootUri: 's3://amzn-s3-demo-bucket/pipeline-data'
+
+###### Important
+
+Restrict write access to the `S3RootUri` path. This prevents unauthorized users from modifying your pipeline data. Apply a bucket policy so that only the SageMaker AI execution role used by your jobs can write to this path.
+
+For more information about the configuration file, see [Configuration file](https://docs.aws.amazon.com/sagemaker/latest/dg/train-remote-decorator-config.html).
+