Amazon SageMaker Unified Studio updates to AWS managed policies

Policy update - SageMakerStudioFullAccess

Policy update - generalizing the scope for SecretsManager create and tag permissions for new domains that will have the format of dzd- instead of dzd_... Also adding permissions to allow users to use custom blueprint templates from Amazon S3 as well as upload their own template files to Amazon S3.

Policy update - SageMakerStudioEMRServiceRolePolicy

Policy update - removing unwanted KMS permissions for EMR cluster AtRestEncryption in the Amazon SageMaker Unified Studio EmrOnEc2 blueprint and adding permissions for EMR clsuter to encrypt customer data using customer managed KMS for logs pushed to Amazon S3 bucket in Amazon SageMaker Unified Studio when using EmrOnEc2 blueprint with customer managed encryption.

Policy update - SageMakerStudioProjectRoleMachineLearningPolicy

Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support cross-account Amazon S3 asset subscription fulfillment using Amazon S3 access grants.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions to create and manage Amazon S3 table buckets and also adding permissions to automate S3 table analytics integration flow within Amazon SageMaker Unified Studio. Also adding permissions to read templates from users' S3 buckets and permissions to validate the template using AWS Cloud Formation. Also adding permissions to get and create an S3 access grant instance in the project account to support managing subscriptions for S3 asset types. Also adding neptune-graph:* and s3vectors:* permissions to support Knowledge Base vector store management of two new vector store services in Amazon SageMaker Unified Studio: S3Vectors vector buckets and Neptune Analytics graphs. Also adding permissions to allow cross-account project access for encrypted domains. And adding support for the data onboarding in Amazon SageMaker Unified Studio.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy update - adding permissions to allow deletion of AWS Glue databases in Amazon Datalake, adding sqlworkbench service principals for the redshift-serverless:GetCredentials action, adding permissions to fetch jobs based on tags and resources, adding permissions to update Amazon CloudWatch metrics from job runs and read/write job logs, and adding permissions to support Amazon S3 access grants. Also adding permissions to allow cross-account project access for encrypted domains and adding support for ProjectRole and DescribeResource actions in order to check for the Amazon S3 tables' Lake Formation registration.

New policy - SageMakerStudioAdminProjectUserRolePolicy

New policy - This IAM policy grants an IAM role full access to the AWS Glue Data Catalog (metadata) and Amazon S3 (actual data) for the data lake operations, with access scoped by region, account, and role tags.

Policy update - SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy

Policy updates to the SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy - adding neptune-graph:* and s3vectors:* permissions to support vector read/write on vector stores for two new vector store services: S3Vectors vector buckets and Neptune Analytics graphs.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy update - adding permissions to access Amazon Athena default catalog resource.

Policy update - SageMakerStudioDomainExecutionRolePolicy

Policy updates to the SageMakerStudioDomainExecutionRolePolicy - adding support for the Amazon Q GetIdentityMetadata API action in order to obtain user's Q subscription information to set an appropriate subscription tier badge.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy updates to the SageMakerStudioProjectUserRolePolicy - bring back previously removed permission to ListBucket to fix issues in AWS Glue sessions and connections.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy updates to the SageMakerStudioProjectUserRolePolicy - adding permissions to list Amazon Bedrock foundation models. Removing permissions to terminate EMR Cluster, change security group rules, Amazon Athena default catalog permissions, and list S3 buckets permissions at bucket level.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding the untag role permission to fix project update failure. Also adding permissions to integrate with Amazon QuickSight. Also optimizing to reduce the policy size. And adding permissions to enable automatic sync of repositories.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy updates to the SageMakerStudioProjectUserRolePolicy - removing RedshiftDbUser format restriction. Adding KMS permissions required by dependent services for Federated Data Connection. Adding permissions to support Amazon QuickSight integration.

Policy update - AmazonDataZoneBedrockModelConsumptionPolicy

Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy - adding permissions to call the ListFoundationModels action. This permission is added to help get model metadata more programmatically when the user is selecting which models to invoke.

Policy update - SageMakerStudioFullAccess

Policy updates to the SageMakerStudioFullAccess - adding permissions to support attaching or updating AWS managed permissions in AWS RAM resource shares in the Amazon SageMaker console.

Policy update - AmazonDataZoneBedrockModelConsumptionPolicy

Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy - adding support for the conversation history feature powered by Amazon Bedrock session management in generative AI playgrounds.

Policy update - SageMakerStudioProjectRoleMachineLearningPolicy

Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - as CodeEditor (VS Code) is introduced into Amazon SageMaker Unified Studio, users need the ability to create/delete CodeEditor space applications in Amazon SageMaker. Currently, only Amazon SageMaker space apps are allowed to be created with the JupyterLab app type. This change extends the current capability of creating/deleting JupyterLab space applications to CodeEditor (VS Code).

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding IAM permissions for the AmazonSageMakerQueryExecution role to support query execution role creation during enabling of the Tooling blueprint. Adding the DeleteSchedule permission so that when projects are deleted, the Schedule Group can be deleted. EventBridge runs DeleteSchedule automatically on Schedule Groups when it attempts to delete them, regardless of whether the Schedule Group actually has schedules in it. This permission allows for that deleteSchedule call to be made during project deletion.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy updates to the SageMakerStudioProjectUserRolePolicy - adding permissions for integration with Amazon Bedrock Data Automation. Adding permissions to show Amazon Bedrock agent versions and their details to users. Adding permission to support Trusted Identity Propagation in QEv2. Ensuring project isolation for Amazon Bedrock Inline Agents.

Policy update - SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy

Policy updates to the SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy - adding support for structured data sources in Amazon Bedrock knowledge bases for generative AI app development projects.

Policy update - SageMakerStudioBedrockFlowServiceRolePolicy

Policy updates to the SageMakerStudioBedrockFlowServiceRolePolicy - adding support for using Amazon Bedrock agent nodes in Amazon Bedrock flows for generative AI app development projects.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy updates to the SageMakerStudioProjectUserRolePolicy - preventing sharing provisioned Amazon Redshift-Serverless across all projects. Adding EventBridge Scheduler permissions for users to create schedules in the project schedule group. Adding permissions to handle Amazon SageMaker Studio migration to Amazon SageMaker Unified Studio. Adding support for the Amazon SageMaker App type CodeEditor.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding lakeformation:DescribeResource to improve deregistering of federated connections. Adding EventBridge Scheduler permissions to manage a schedule group for each project. Adding permission to manage Amazon Bedrock resources directly from the Amazon DataZone service. Add support for the Amazon SageMaker App type CodeEditor.

Policy update - SageMakerStudioDomainExecutionRolePolicy

Policy updates to the SageMakerStudioDomainExecutionRolePolicy - adding support for the GetUpdateEligibility API required by Amazon SageMaker Unified Studio to fetch update comments and determine project's eligibility for the workflow of updating projects. Also adding support for the existing Amazon DataZone Rule APIs required by Amazon SageMaker Unified Studio to mange and enforce rules.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy updates to the SageMakerStudioProjectUserRolePolicy - preventing default AWS Glue database from being listed as it causes issues with Spark SQL. Also adding permission to use new project-wide Amazon Bedrock service role for improved scalability.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permission to describe stack event for better error reporting.

Policy update - SageMakerStudioBedrockFlowServiceRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding KMS permissions to decrypt Amazon Bedrock guardrails attached to the Amazon Bedrock flows.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permission to change trust policy during project update to address confused deputy problem. Also adding permission to attach PartnerApps policy to the user role.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding support for ProjectUpdate for EMR Serverless blueprint to proactively notify users on invalid updates on EMR Serverless application.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - renaming Amazon Bedrock tag and adding permission to remove deprecated tag on roles.

Policy update - SageMakerStudioProjectRoleMachineLearningPolicy

Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding support for the MLFlow Tracking Server for Shared VPC, applying visibility condition to Amazon SageMaker Search API.

Policy update - SageMakerStudioProjectUserRolePolicy

Policy updates to the SageMakerStudioProjectUserRolePolicy - changes to support shared VPC by removing ResourceAccount condition on actions dependent on VPC/subnets. Moving permissions from inline to this AWS managed policy for Amazon EMR, EMR-Serverless, and federated connections. Adding support for buckets with public access blocked with permission s3:GetBucketPublicAccessBlock. Adding permission to support data lineage in Amazon DataZone. Supporting Amazon LakeFormation ABAC by adding session tag the access role. Supporting users operating on private ECR. Also adding support for managing AWS Glue subscriptions by the user.

Policy update - SageMakerStudioEMRServiceRolePolicy

Policy updates to the SageMakerStudioEMRServiceRolePolicy - adding permissions to allow Amazon EMR to create network interfaces against Shared VPC.

New policy - SageMakerStudioEMRInstanceRolePolicy

Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions and uses this policy when creating these roles to define the permissions related to EMR.

New policy - SageMakerStudioBedrockFunctionExecutionRolePolicy

This policy allows AWS Lambda to access an Amazon Bedrock function component's configuration in Amazon SageMaker Unified Studio.

New policy - SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy

This policy provides access to configure vector stores and Amazon Bedrock knowledge bases in Amazon SageMaker Unified Studio.

New policy - SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy

This policy allows Amazon Bedrock Knowledge Bases to access Amazon Bedrock models and data sources in Amazon SageMaker Unified Studio.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions for batch grants in AWS LakeFormation to give grants to IDC users. Adding various Update* permissions to allow managing project resources. Removing ResourceAccount condition on resources depending on VPC to allow usage of shared VPC. Using new Amazon Bedrock managed policy name. Adding permissions to clean up Amazon EMR project level resources during project deletion.

New policy - SageMakerStudioBedrockEvaluationJobServiceRolePolicy

This policy allows Amazon Bedrock to access Amazon Bedrock models and datasets for evaluation jobs in Amazon SageMaker Unified Studio.

New policy - SageMakerStudioBedrockPromptUserRolePolicy

This policy provides access to an Amazon Bedrock prompt and its configuration in Amazon SageMaker Unified Studio.

New policy - SageMakerStudioBedrockFlowServiceRolePolicy

This policy allows Amazon Bedrock Flows to access Amazon Bedrock models and other resources attached to a flow in Amazon SageMaker Unified Studio.

New policy - SageMakerStudioBedrockChatAgentUserRolePolicy

This policy provides access to an Amazon Bedrock chat agent app's configuration and Amazon Bedrock agent in Amazon SageMaker Unified Studio.

New policy - SageMakerStudioBedrockAgentServiceRolePolicy

This policy allows Amazon Bedrock Agents to access Amazon Bedrock models and other resources attached to an agent in Amazon SageMaker Unified Studio.

Policy update - SageMakerStudioProjectRoleMachineLearningPolicy

Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permission for DescribeAutoMLJobV2, moving multiple Amazon SageMaker List operations to tag based authorization, adding CMK permissions for JupyterLab, add Amazon SageMaker ListModelPackages and CreateModel permissions for cross-account use case.

New Policy - SageMakerStudioEMRServiceRolePolicy

New policy SageMakerStudioEMRServiceRolePolicy - Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions and uses this policy when creating these roles to define the permissions related to Amazon EMR.

New Policy - SageMakerStudioQueryExecutionRolePolicy

New policy SageMakerStudioQueryExecutionRolePolicy - this is the default policy for the SageMakerQueryExecutionRole role. This policy provides permissions to run query executions on federated connections.

Policy update - SageMakerStudioProjectProvisioningRolePolicy

Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to manage IAM roles with only AWS managed policies attached to them and no permissions boundary. Also adding permissions to update the AWS Lambda function for Amazon Athena federated connections.

Policy update - SageMakerStudioFullAccess

Policy updates to SageMakerStudioFullAccess - updating the CodeConnections tagging permissions to support tagging for CodeConnections host resources in the Amazon SageMaker console.

Policy update - SageMakerStudioDomainExecutionRolePolicy

Policy updates to SageMakerStudioDomainExecutionRolePolicy - adding support for the AWS CodeConnections APIs in order to make the Copy button available for self-managed Git providers.

Policy updates to SageMakerStudioProjectProvisioningRolePolicy

Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to support CMK in CodeCommit, AWS Glue Catalog, and Amazon Redshift Serverless.

Policy updates to SageMakerStudioProjectUserRolePolicy.

Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to support CMK in CodeCommit, and AWS Glue Catalog.

Policy updates to SageMakerStudioProjectUserRolePermissionsBoundary

Policy updates to SageMakerStudioProjectUserRolePermissionsBoundary - adding permissions to support CMK in CodeCommit, AWS Glue Catalog, Amazon Redshift Serverless, and EMR on EC2.

New policy - SageMakerStudioFullAccess

Adding a new managed policy - this policy provides full access to Amazon SageMaker Unified Studio via the Amazon SageMaker management console.

New policy - SageMakerStudioProjectUserRolePermissionsBoundary

Adding a new managed policy - SageMakerStudioProjectUserRolePermissionsBoundary. Amazon SageMaker Unified Studio creates IAM roles for Projects users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the boundary of their permissions.

New policy - SageMakerStudioProjectProvisioningRolePolicy

Adding a new managed policy - SageMakerStudioProjectProvisioningRolePolicy. Amazon SageMaker Unified Studio uses this policy to provision and manage resources in your account.

New policy - SageMakerStudioDomainExecutionRolePolicy

Adding a new managed policy - SageMakerStudioDomainExecutionRolePolicy - Default policy for the SageMakerUnifiedStudioDomainExecutionRole service role. This role is used by Amazon SageMaker Unified Studio to catalog, discover, govern, share, and analyze data in the Amazon SageMaker Unified Studio domain.

New policy - SageMakerStudioDomainServiceRolePolicy

Adding a new managed policy - SageMakerStudioDomainServiceRolePolic. This is the default policy for the SageMakerUnifiedStudioDomainServiceRole service role. This policy is used by Amazon SageMaker Unified Studio to access the SSM parameters in the user’s account. Those parameters are set by the administrator in the Amazon SageMaker Unified Studio project profiles. This policy also has permissions to AWS KMS for encrypted SSM parameters. The KMS key must be tagged with EnableKeyForAmazonDataZone to allow decrypting the SSM parameters.

New policy - SageMakerStudioProjectUserRolePolicy

Adding a new managed policy - SageMakerStudioProjectUserRolePolicy. Amazon SageMaker Unified Studio creates IAM roles for projects users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions.

New policy - SageMakerStudioProjectRoleMachineLearningPolicy

Adding a new managed policy - SageMakerStudioProjectRoleMachineLearningPolicy. Amazon SageMaker Unified Studio creates IAM roles for projects users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions.

New policy - AmazonDataZoneBedrockModelManagementPolicy

Adding a new managed policy - AmazonDataZoneBedrockModelManagementPolicy - that provides permissions to manage Amazon Bedrock model access, including creating, tagging and deleting application inference profiles.

New policy - AmazonDataZoneBedrockModelConsumptionPolicy

Adding a new managed policy - AmazonDataZoneBedrockModelConsumptionPolicy - that provides permissions to consume Amazon Bedrock models, including invoking Amazon Bedrock application inference profile created for particular Amazon DataZone domain.

Amazon SageMaker Unified Studio started tracking changes

Amazon SageMaker Unified Studio started tracking changes for its AWS managed policies.