# Document history for the Amazon SageMaker Unified Studio Administrator Guide The following table describes the documentation releases for Amazon SageMaker Unified Studio. | Change | Description | Date | | --- |--- |--- | | [Policy update - SageMakerStudioUserIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding permissions to support Amazon EMR on EC2 Spark Connect sessions and AWS Glue session endpoints. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 4, 2026 | | [Policy update - SageMakerStudioUserIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding permissions to support Amazon EMR on EC2 Spark Connect sessions and AWS Glue session endpoints. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 4, 2026 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to support Amazon EMR on EC2 Spark Connect sessions. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 4, 2026 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to support Amazon EMR on EC2 Spark Connect sessions. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 4, 2026 | | [Policy update - SageMakerStudioAdminIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding permissions to support Amazon EMR on EC2 Spark Connect sessions and AWS Glue session endpoints. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 4, 2026 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions to support Amazon EMR on EC2 Spark Connect sessions and AWS Glue session endpoints. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 4, 2026 | | [Policy update - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to SageMakerStudioProjectRoleMachineLearningPolicy - adding `datazone:CreateAsset*` permissions to the DataZoneUserPermissions statement to support scheduling notebook runs using the Data Agent. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 21, 2026 | | [Policy update - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to SageMakerStudioProjectRoleMachineLearningPolicy - updating the DataZoneUserPermissions statement to support the Business Data Catalog within Data Agent. Adding `datazone:List*` and `datazone:Search*` permissions for catalog discovery, and replacing `datazone:SendMessage` with `datazone:*Message*` to support conversation management. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 13, 2026 | | [Policy update - SageMakerStudioUserIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding permissions to support integration with Amazon EMR Serverless Spark Connect in DataZone Data Notebook. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 11, 2026 | | [Policy update - SageMakerStudioUserIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless Spark Connect in DataZone Data Notebook, Amazon Managed Workflows for Apache Airflow (MWAA) environments, and AWS Glue Data Quality. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 11, 2026 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to support integration with AWS Glue Data Quality. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 11, 2026 | | [Policy update - SageMakerStudioAdminIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless Spark Connect in DataZone Data Notebook, Amazon Managed Workflows for Apache Airflow (MWAA) environments, and AWS Resource Access Manager. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 11, 2026 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless Spark Connect in DataZone Data Notebook, Amazon Managed Workflows for Apache Airflow (MWAA) environments, AWS Glue Data Quality, and AWS Resource Access Manager. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 11, 2026 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to support integration of CloudFormation LanguageExtensions transform and admin project IAM policy attachment. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 6, 2026 | | [Policy update - SageMakerStudioUserIAMConsolePolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMConsolePolicy - adding permissions for `datazone:GetConnection` and `datazone:ListConnections` to support IAM role federation in Local IDE. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 31, 2026 | | [Policy update - SageMakerStudioUserIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adds notebook import and export functionality for permissive users. These permissions are applied to default IAM users when using the permissive role. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 30, 2026 | | [Policy update - SageMakerStudioUserIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding cloudwatch:GetMetricData, notebook import and export functionality for permissive users, SageMaker Feature store, and LakeFormation data filter for SageMaker Unified Studio. These permissions are applied to default IAM users. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 30, 2026 | | [Policy update - SageMakerStudioAdminIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adds SSO permissions for permissive admin policies. Also adds Admin and LakeFormation data filter permissions to permissive admin roles. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 30, 2026 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding cloudwatch:GetMetricData, SageMaker Feature store, LakeFormation data filter, SSO and Admin UI permissions to SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 30, 2026 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding cloudwatch:GetMetricData, SageMaker Feature store, LakeFormation data filter, SSO and Admin UI permissions to SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 30, 2026 | | [Policy update - SageMakerStudioAdminIAMConsolePolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMConsolePolicy - adding sso:DeleteApplication permission to allow deleting DataZone domain integrated with AWS IAM Identity Center. Adding KMS permissions required for IAM Identity Center instances that use customer managed keys for encryption. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 30, 2026 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - adding AWS Glue permissions scoped to S3 Tables catalog resource to support querying S3 Tables from SageMaker Unified Studio IdC domains. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 24, 2026 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding iam:CreateServiceLinkedRole permission to allow creating the Amazon Athena service-linked role for Athena Spark workgroup provisioning. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 9, 2026 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to support Airflow Serverless. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 2, 2026 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to pass roles to Amazon Athena for Athena Spark workgroup support. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 2, 2026 | | [Policy update - SageMakerStudioUserIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding Amazon S3 Tables permissions to support integration with S3 table buckets IAM mode. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 27, 2026 | | [Policy update - SageMakerStudioAdminIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding Amazon S3 Tables permissions to support integration with S3 table buckets IAM mode. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 27, 2026 | | [Policy update - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support SageMaker Notebooks, Data Agent, and Airflow Serverless workflows. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 26, 2026 | | [Policy update - SageMakerStudioDomainExecutionRolePolicy](#doc-history) | Policy updates to SageMakerStudioDomainExecutionRolePolicy - adding permissions to support graph-based entity search capabilities. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 25, 2026 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to support integration with encrypted Identity Center instances. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 5, 2026 | | [Policy update - SageMakerStudioUserIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding permissions to support integration with MLflow App to track runs and experiments. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 27, 2026 | | [Policy update - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support integration with MLflow App to track runs and experiments. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 27, 2026 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to support integration with MLflow App to track runs and experiments. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 27, 2026 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions to support integration with MLflow App to track runs and experiments. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 27, 2026 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to support integration with SageMaker Unified Studio MCP. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 21, 2025 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - fix KMS permissions for integration with Scheduler. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 20, 2025 | | [Policy update - SageMakerStudioUserIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - fix KMS permissions for integration with Workflows, Scheduler, and DataZone Data Notebook. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 18, 2025 | | [Policy update - SageMakerStudioUserIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - fix KMS permissions for integration with Workflows, Scheduler, and DataZone Data Notebook. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 18, 2025 | | [Policy update - SageMakerStudioAdminIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - fix KMS permissions for integration with Workflows, Scheduler, and DataZone Data Notebook. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 18, 2025 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - fix KMS permissions for integration with Workflows, Scheduler, and DataZone Data Notebook. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 18, 2025 | | [Policy update - SageMakerStudioUserIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding permissions for new APIs for SageMaker Unified Studio MCP, Airflow Serverless, and Athena sessions. Improve isolation for Glue and Athena sessions by making sure users can only access their own sessions. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 14, 2025 | | [Policy update - SageMakerStudioUserIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding permissions for new APIs for SageMaker Unified Studio MCP, Airflow Serverless, and Athena sessions. Improve isolation for Glue and Athena sessions by making sure users can only access their own sessions. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 14, 2025 | | [Policy update - SageMakerStudioAdminIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding permissions for new APIs for SageMaker Unified Studio MCP, Airflow Serverless, and Athena sessions. Improve isolation for Glue and Athena sessions by making sure users can only access their own sessions. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 14, 2025 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions for new APIs for SageMaker Unified Studio MCP, Airflow Serverless, and Athena sessions. Improve isolation for Glue and Athena sessions by making sure users can only access their own sessions. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 14, 2025 | | [Policy update - SageMakerStudioUserIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless, Amazon Redshift, AWS Secrets Manager, AWS Lake Formation, Amazon SageMaker AI, Amazon S3, AWS CodeConnections, and AWS Glue. Adding KMS permissions to manage resources encrypted with CMK. Adding IAM CreateRole permission to allow creating new execution roles.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 10, 2025 | | [Policy update - SageMakerStudioUserIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless, Amazon Redshift, AWS Secrets Manager, AWS Lake Formation, Amazon SageMaker AI, Amazon S3, AWS CodeConnections, and AWS Glue. Adding KMS permissions to manage resources encrypted with CMK. Adding IAM CreateRole permission to allow creating new execution roles.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 10, 2025 | | [Policy update - SageMakerStudioAdminIAMPermissiveExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless, Amazon Redshift, AWS Secrets Manager, AWS Lake Formation, Amazon SageMaker AI, Amazon S3, AWS CodeConnections, and AWS Glue. Adding KMS permissions to manage resources encrypted with CMK. Adding IAM CreateRole permission to allow creating new execution roles.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 10, 2025 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless, Amazon Redshift, AWS Secrets Manager, AWS Lake Formation, Amazon SageMaker AI, Amazon S3, AWS CodeConnections, and AWS Glue. Adding KMS permissions to manage resources encrypted with CMK. Adding IAM CreateRole permission to allow creating new execution roles.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | November 10, 2025 | | [Policy update - SageMakerStudioEMRContainersSystemNamespaceRolePolicy](#doc-history) | Policy updates to SageMakerStudioEMRContainersSystemNamespaceRolePolicy - this revision refactors the scope of STS actions required for the EMR Containers service. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | October 31, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - permissions updates for the following features: EMR on EKS compute capabilities, trusted identity propagation with user background sessions, AWS resource custom tags support, support default AWS Glue catalog encryption, Amazon SageMaker Unified Studio per project S3 bucket. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | October 30, 2025 | | [New policy - SageMakerStudioEMRContainersSystemNamespaceRolePolicy](#doc-history) | New policy - SageMakerStudioEMRContainersSystemNamespaceRolePolicy - Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to Amazon EMR. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | October 24, 2025 | | [Policy updates](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding `sagemaker:StartSession` to allow users to connect to a space from the local IDE. Also adding `glue:UntagResource` permission. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | October 10, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding support for customers who opt-in to the Trusted Identity Propagation (TIP) feature, additional resources and configurations are required which require additional permissions, including LakeFormation IdentityCenterConfiguration resource permissions, AWS Glue IdentityCenterConfiguration resource permissions, EMR SecurityConfiguration `Describe` permission SSO resource permissions. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | September 26, 2025 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - restoring table tag visibility in the asset page of Amazon SageMaker Unified Studio for Amazon SageMaker unified domains. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | September 18, 2025 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - adding AWS Glue permissions to enable users to delete AWS Glue databases in their Amazon SageMaker Unified Studio projects. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | September 12, 2025 | | [Policy update - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to SageMakerStudioProjectRoleMachineLearningPolicy - adding support for the SageMaker:StartSession permission to enable remote connections to Amazon SageMaker spaces. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | September 8, 2025 | | [Policy updates](#doc-history) | Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy, SageMakerStudioAdminIAMPermissiveExecutionPolicy, and SageMakerStudioUserIAMPermissiveExecutionPolicy - adding additional permissions required to create service linked roles. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 29, 2025 | | [Policy update - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions iam:CreateServiceLinkedRole and s3:DeleteBucketPolicy for resource management. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 29, 2025 | | [Support for account pools in Amazon SageMaker Unified Studio](#doc-history) | You can configure your domain to create and manage account pools for your custom project profile. For more information, see [Account pools in Amazon SageMaker Unified Studio](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/account-pools.html) and [Custom project profile](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/custom.html). | August 21, 2025 | | [Policy update - SageMakerStudioDomainExecutionRolePolicy](#doc-history) | Policy updates to SageMakerStudioDomainExecutionRolePolicy - adding support for the new API actions - AssociateGovernedTerms and DisassociateGovernedTerms for the asset classification using restricted glossary terms feature in the catalog where users can associate or disassociate restricted glossary terms to an asset. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 20, 2025 | | [New policy - SageMakerStudioUserIAMPermissiveExecutionPolicy](#doc-history) | New policy - This is an execution policy for using IAM roles with Amazon SageMaker Unified Studio. This policy grants access to users to access resources, including broad access to data resources. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 20, 2025 | | [New policy - SageMakerStudioUserIAMDefaultExecutionPolicy](#doc-history) | New policy - This is the execution policy for using IAM roles with Amazon SageMaker Unified Studio. This policy grants access to users to resources. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 20, 2025 | | [New policy - SageMakerStudioUserIAMConsolePolicy](#doc-history) | New policy - This policy provides individual setup privileges for Amazon SageMaker Unified Studio using the AWS Management Console and SDK. It grants permissions for launching Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 20, 2025 | | [New policy - SageMakerStudioAdminIAMPermissiveExecutionPolicy](#doc-history) | New policy - This is an administrative execution policy for using IAM roles with Amazon SageMaker Unified Studio. This policy grants administrative access to provision, manage, and access resources, including broad access to data resources. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 20, 2025 | | [New policy - SageMakerStudioAdminIAMDefaultExecutionPolicy](#doc-history) | New policy - This is the administrative execution policy for using IAM roles with Amazon SageMaker Unified Studio. This policy grants administrative access to provision, manage, and access resources (excluding data resources) in your account. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 20, 2025 | | [New policy - SageMakerStudioAdminIAMConsolePolicy](#doc-history) | New policy - This policy provides administrative and individual setup privileges for Amazon SageMaker Unified Studio using the AWS Management Console and SDK. It grants permissions for launching Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 20, 2025 | | [Policy updates - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions to untag Amazon Athena, AWS CodeCommit, logs, scheduler, and Amazon EC2 resources. Also adding permissions to update Amazon Athena workgroups and delete the IAM role policy for Amazon SageMaker Unified Studio projects. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 15, 2025 | | [Policy updates - SageMakerStudioDomainExecutionRolePolicy](#doc-history) | Policy updates to the SageMakerStudioDomainExecutionRolePolicy - adding support for the following APIs: `GetAccountPool`, `ListAccountPools`, `ListAccountsInAccountPool`. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | August 11, 2025 | | [Policy updates - SageMakerStudioProjectUserRolePolicy](#doc-history) | Adding permissions to support Amazon SageMaker Unified Studio seamlessly for customers with Data Catalog Encryption. Also adding `STS:SetContext` permission to support trusted identity propagation for external computes. Also updaing CloudWatch log groups to be more specific. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | July 30, 2025 | | [Policy updates - SageMakerStudioFullAccess](#doc-history) | Policy updates to the SageMakerStudioFullAccess - generalizing the scope for SecretsManager `create` and `tag` permissions for new domains that will have the format of `dzd-` instead of `dzd_..`. Also adding permissions to allow users to use custom blueprint templates from Amazon S3 as well as upload their own template files to Amazon S3. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | July 23, 2025 | | [Policy updates - SageMakerStudioEMRServiceRolePolicy](#doc-history) | Policy updates to SageMakerStudioEMRServiceRolePolicy - removing unwanted KMS permissions for EMR cluster AtRestEncryption in the Amazon SageMaker Unified Studio EmrOnEc2 blueprint and adding permissions for EMR clsuter to encrypt customer data using customer managed KMS for logs pushed to Amazon S3 bucket in Amazon SageMaker Unified Studio when using EmrOnEc2 blueprint with customer managed encryption. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | July 23, 2025 | | [Policy updates - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy update - adding permissions to allow deletion of AWS Glue databases in Amazon Datalake, adding `sqlworkbench` service principals for the `redshift-serverless:GetCredentials` action, adding permissions to fetch jobs based on tags and resources, adding permissions to update Amazon CloudWatch metrics from job runs and read/write job logs, and adding permissions to support Amazon S3 access grants. Also adding permissions to allow cross-account project access for encrypted domains and adding support for `ProjectRole` and `DescribeResource` actions in order to check for the Amazon S3 tables' Lake Formation registration. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | July 15, 2025 | | [Policy updates - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support cross-account Amazon S3 asset subscription fulfillment using Amazon S3 access grants. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | July 15, 2025 | | [Policy updates - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions to create and manage Amazon S3 table buckets and also adding permissions to automate S3 table analytics integration flow within Amazon SageMaker Unified Studio. Also adding permissions to read templates from users' S3 buckets and permissions to validate the template using AWS Cloud Formation. Also adding permissions to get and create an S3 access grant instance in the project account to support managing subscriptions for S3 asset types. Also adding `neptune-graph:*` and `s3vectors:*` permissions to support Knowledge Base vector store management of two new vector store services in Amazon SageMaker Unified Studio: S3Vectors vector buckets and Neptune Analytics graphs. Also adding permissions to allow cross-account project access for encrypted domains. And adding support for the data onboarding in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | July 15, 2025 | | [Policy updates - SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](#doc-history) | Policy updates to the SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy - adding `neptune-graph:*` and `s3vectors:*` permissions to support vector read/write on vector stores for two new vector store services: S3Vectors vector buckets and Neptune Analytics graphs. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | July 15, 2025 | | [New policy - SageMakerStudioAdminProjectUserRolePolicy](#doc-history) | New policy - this IAM policy grants an IAM role full access to the AWS Glue Data Catalog (metadata) and Amazon S3 (actual data) for the data lake operations, with access scoped by region, account, and role tags. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | July 15, 2025 | | [Automated onboarding of Amazon SageMaker Lakehouse](#doc-history) | Adding support for automated onboarding of Amazon SageMaker Lakehouse. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/data-onboarding.html). | July 15, 2025 | | [Amazon QuickSight integration](#doc-history) | Enabling Amazon QuickSight integration in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/amazon-quicksight.html). | July 15, 2025 | | [Policy updates - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to access Amazon Athena default catalog resource. [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 25, 2025 | | [Policy updates - SageMakerStudioDomainExecutionRolePolicy](#doc-history) | Policy updates to the SageMakerStudioDomainExecutionRolePolicy - adding support for the Amazon Q `GetIdentityMetadata` API action in order to obtain user's Q subscription information to set an appropriate subscription tier badge. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 18, 2025 | | [Policy updates - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectUserRolePolicy - adding permissions to list Amazon Bedrock foundation models. Removing permissions to terminate EMR Cluster, change security group rules, Amazon Athena default catalog permissions, and list S3 buckets permissions at bucket level. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 13, 2025 | | [Policy updates - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectUserRolePolicy - bring back previously removed permission to `ListBucket` to fix issues in AWS Glue sessions and connections. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 13, 2025 | | [Policy updates - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding the untag role permission to fix project update failure. Also adding permissions to integrate with Amazon QuickSight. Also optimizing to reduce the policy size. And adding permissions to enable automatic sync of repositories. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 4, 2025 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectUserRolePolicy - removing RedshiftDbUser format restriction. Adding KMS permissions required by dependent services for Federated Data Connection. Adding permissions to support Amazon QuickSight integration.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | June 4, 2025 | | [Policy updates - AmazonDataZoneBedrockModelConsumptionPolicy](#doc-history) | Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy - adding permissions to call the `ListFoundationModels` action. This permission is added to help get model metadata more programmatically when the user is selecting which models to invoke.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 28, 2025 | | [Policy update - SageMakerStudioFullAccess](#doc-history) | Policy updates to the SageMakerStudioFullAccess - adding permissions to support attaching or updating AWS managed permissions in AWS RAM resource shares in the Amazon SageMaker console. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 22, 2025 | | [Policy update - AmazonDataZoneBedrockModelConsumptionPolicy](#doc-history) | Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy - adding support for the conversation history feature powered by Amazon Bedrock session management in generative AI playgrounds. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 13, 2025 | | [Policy update - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - as CodeEditor (VS Code) is introduced into Amazon SageMaker Unified Studio, users need the ability to create/delete CodeEditor space applications in Amazon SageMaker. Currently, only Amazon SageMaker space apps are allowed to be created with the JupyterLab app type. This change extends the current capability of creating/deleting JupyterLab space applications to CodeEditor (VS Code). For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | May 1, 2025 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectUserRolePolicy - adding permissions for integration with Amazon Bedrock Data Automation. Adding permissions to show Amazon Bedrock agent versions and their details to users. Adding permission to support Trusted Identity Propagation in QEv2. Ensuring project isolation for Amazon Bedrock Inline Agents. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | April 28, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding IAM permissions for the AmazonSageMakerQueryExecution role to support query execution role creation during enabling of the Tooling blueprint. Adding the DeleteSchedule permission so that when projects are deleted, the Schedule Group can be deleted. EventBridge runs DeleteSchedule automatically on Schedule Groups when it attempts to delete them, regardless of whether the Schedule Group actually has schedules in it. This permission allows for that deleteSchedule call to be made during project deletion. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | April 28, 2025 | | [Policy update - SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](#doc-history) | Policy updates to the SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy - adding support for structured data sources in Amazon Bedrock knowledge bases for generative AI app development projects. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | April 16, 2025 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectUserRolePolicy - preventing sharing provisioned Amazon Redshift-Serverless across all projects. Adding EventBridge Scheduler permissions for users to create schedules in the project schedule group. Adding permissions to handle Amazon SageMaker Studio migration to Amazon SageMaker Unified Studio. Adding support for the Amazon SageMaker App type CodeEditor. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | April 9, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding `lakeformation:DescribeResource` to improve deregistering of federated connections. Adding EventBridge Scheduler permissions to manage a schedule group for each project. Adding permission to manage Amazon Bedrock resources directly from the Amazon DataZone service. Add support for the Amazon SageMaker App type CodeEditor. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | April 9, 2025 | | [Policy update - SageMakerStudioBedrockFlowServiceRolePolicy](#doc-history) | Policy updates to the SageMakerStudioBedrockFlowServiceRolePolicy - adding support for using Amazon Bedrock agent nodes in Amazon Bedrock flows for generative AI app development projects. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | April 9, 2025 | | [Policy update - SageMakerStudioDomainExecutionRolePolicy](#doc-history) | Policy updates to the SageMakerStudioDomainExecutionRolePolicy - adding support for the GetUpdateEligibility API required by Amazon SageMaker Unified Studio to fetch update comments and determine project's eligibility for the workflow of updating projects. Also adding support for the existing Amazon DataZone Rule APIs required by Amazon SageMaker Unified Studio to mange and enforce rules. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 25, 2025 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectUserRolePolicy - preventing default AWS Glue database from being listed as it causes issues with Spark SQL. Also adding permission to use new project-wide Amazon Bedrock service role for improved scalability.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 21, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permission to describe stack event for better error reporting. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 21, 2025 | | [Policy update - SageMakerStudioBedrockFlowServiceRolePolicy](#doc-history) | Policy updates to the SageMakerStudioBedrockFlowServiceRolePolicy - adding KMS permissions to decrypt Amazon Bedrock guardrails attached to the Amazon Bedrock flows. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 10, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permission to change trust policy during project update to address confused deputy problem. Also adding permission to attach PartnerApps policy to the user role. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 5, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the - renaming Amazon Bedrock tag and adding permission to removeSageMakerStudioProjectProvisioningRolePolicy deprecated tag on roles. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | March 4, 2025 | | [Policy update - SageMakerStudioProjectUserRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectUserRolePolicy - changes to support shared VPC by removing ResourceAccount condition on actions dependent on VPC/subnets. Moving permissions from inline to this AWS managed policy for Amazon EMR, EMR-Serverless, and federated connections. Adding support for buckets with public access blocked with permission `s3:GetBucketPublicAccessBlock`. Adding permission to support data lineage in Amazon DataZone. Supporting Amazon LakeFormation ABAC by adding session tag the access role. Supporting users operating on private ECR. Also adding support for managing AWS Glue subscriptions by the user. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 28, 2025 | | [Policy update - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding support for the MLFlow Tracking Server for Shared VPC, applying visibility condition to Amazon SageMaker Search API. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 28, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the - renaming Amazon Bedrock tag and adding permission to removeSageMakerStudioProjectProvisioningRolePolicy deprecated tag on roles. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 28, 2025 | | [Policy update - SageMakerStudioEMRServiceRolePolicy](#doc-history) | Policy updates to the SageMakerStudioEMRServiceRolePolicy - adding permissions to allow Amazon EMR to create network interfaces against Shared VPC.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 28, 2025 | | [New policies - SageMakerStudioEMRInstanceRolePolicy](#doc-history) | Amazon SageMaker Unified Studio creates IAM roles for projects users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to EMR. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 28, 2025 | | [New policy - SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](#doc-history) | This policy allows Amazon Bedrock Knowledge Bases to access Amazon Bedrock models and data sources in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 25, 2025 | | [New policy - SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy](#doc-history) | This policy provides access to configure vector stores and Amazon Bedrock knowledge bases in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 25, 2025 | | [New policy - SageMakerStudioBedrockFunctionExecutionRolePolicy](#doc-history) | This policy allows AWS Lambda to access an Amazon Bedrock function component's configuration in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 25, 2025 | | [Policy update - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions for batch grants in AWS LakeFormation to give grants to IDC users. Adding various `Update*` permissions to allow managing project resources. Removing `ResourceAccount` condition on resources depending on VPC to allow usage of shared VPC. Using new Amazon Bedrock managed policy name. Adding permissions to clean up Amazon EMR project level resources during project deletion. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 24, 2025 | | [Policy update - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permission for `DescribeAutoMLJobV2`, moving multiple Amazon SageMaker `List` operations to tag based authorization, adding CMK permissions for JupyterLab, add Amazon SageMaker `ListModelPackages` and `CreateModel` permissions for cross-account use case. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 14, 2025 | | [New policy - SageMakerStudioBedrockPromptUserRolePolicy](#doc-history) | This policy provides access to an Amazon Bedrock prompt and its configuration in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 14, 2025 | | [New policy - SageMakerStudioBedrockFlowServiceRolePolicy](#doc-history) | This policy allows Amazon Bedrock Flows to access Amazon Bedrock models and other resources attached to a flow in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 14, 2025 | | [New policy - SageMakerStudioBedrockEvaluationJobServiceRolePolicy](#doc-history) | This policy allows Amazon Bedrock to access Amazon Bedrock models and datasets for evaluation jobs in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 14, 2025 | | [New policy - SageMakerStudioBedrockChatAgentUserRolePolicy](#doc-history) | This policy provides access to an Amazon Bedrock chat agent app's configuration and Amazon Bedrock agent in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 14, 2025 | | [New policy - SageMakerStudioBedrockAgentServiceRolePolicy](#doc-history) | This policy allows Amazon Bedrock Agents to access Amazon Bedrock models and other resources attached to an agent in Amazon SageMaker Unified Studio. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | February 14, 2025 | | [Policy updates to SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to manage IAM roles with only AWS managed policies attached to them and no permissions boundary. Also adding permissions to update the AWS Lambda function for Amazon Athena federated connections.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 31, 2025 | | [New policy SageMakerStudioQueryExecutionRolePolicy](#doc-history) | New policy SageMakerStudioQueryExecutionRolePolicy - this is the default policy for the SageMakerQueryExecutionRole role. This policy provides permissions to run query executions on federated connections. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 31, 2025 | | [New policy SageMakerStudioEMRServiceRolePolicy](#doc-history) | New policy SageMakerStudioEMRServiceRolePolicy - Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions and uses this policy when creating these roles to define the permissions related to Amazon EMR. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 31, 2025 | | [Policy update to SageMakerStudioFullAccess](#doc-history) | Policy updates to SageMakerStudioFullAccess - updating the CodeConnections tagging permissions to support tagging for CodeConnections host resources in the Amazon SageMaker console. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 24, 2025 | | [Policy update to SageMakerStudioDomainExecutionRolePolicy](#doc-history) | Policy updates to SageMakerStudioDomainExecutionRolePolicy - adding support for the AWS CodeConnections APIs in order to make the Copy button available for self-managed Git providers. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | January 24, 2025 | | [Policy updates to SageMakerStudioProjectProvisioningRolePolicy, SageMakerStudioProjectUserRolePolicy, and SageMakerStudioProjectUserRolePermissionsBoundary](#doc-history) | Policy updates to SageMakerStudioProjectProvisioningRolePolicy (adding permissions to support CMK in CodeCommit, AWS Glue Catalog, and Amazon Redshift Serverless), SageMakerStudioProjectUserRolePolicy (adding permissions to support CMK in CodeCommit, and AWS Glue Catalog), and SageMakerStudioProjectUserRolePermissionsBoundary (adding permissions to support CMK in CodeCommit, AWS Glue Catalog, Amazon Redshift Serverless, and EMR on EC2.) For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 18, 2024 | | [New policy - SageMakerStudioProjectUserRolePolicy](#doc-history) | Adding a new managed policy - SageMakerStudioProjectUserRolePolicy. Amazon SageMaker Unified Studio creates IAM roles for projects users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions. This is the main policy for the SageMakerUnifiedStudioProjectRole role. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [New policy - SageMakerStudioProjectUserRolePermissionsBoundary](#doc-history) | Adding a new managed policy - SageMakerStudioProjectUserRolePermissionsBoundary. Amazon SageMaker Unified Studio creates IAM roles for Projects users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the boundary of their permissions. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [New policy - SageMakerStudioProjectRoleMachineLearningPolicy](#doc-history) | Adding a new managed policy - SageMakerStudioProjectRoleMachineLearningPolicy. Amazon SageMaker Unified Studio creates IAM roles for projects users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to Amazon SageMaker. This is the SageMaker policy for the SageMakerUnifiedStudioProjectRole role. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [New policy - SageMakerStudioProjectProvisioningRolePolicy](#doc-history) | Adding a new managed policy - SageMakerStudioProjectProvisioningRolePolicy. Amazon SageMaker Unified Studio uses this policy to provision and manage resources in your account.For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [New policy - SageMakerStudioFullAccess](#doc-history) | Adding a new managed policy - SageMakerStudioFullAccess. This policy provides full access to Amazon SageMaker Unified Studio via the Amazon SageMaker management console. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [New policy - SageMakerStudioDomainServiceRolePolicy](#doc-history) | Adding a new managed policy - SageMakerStudioDomainServiceRolePolicy. This is the default policy for the SageMakerUnifiedStudioDomainServiceRole service role. This policy is used by Amazon SageMaker Unified Studio to access the SSM parameters in the user’s account. Those parameters are set by the administrator in the Amazon SageMaker Unified Studio project profiles. This policy also has permissions to AWS KMS for encrypted SSM parameters. The KMS key must be tagged with EnableKeyForAmazonDataZone to allow decrypting the SSM parameters. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [New policy - SageMakerStudioDomainExecutionRolePolicy](#doc-history) | Adding a new managed policy - SageMakerStudioDomainExecutionRolePolicy - default policy for the SageMakerUnifiedStudioDomainExecutionRole service role. This role is used by Amazon SageMaker Unified Studio to catalog, discover, govern, share, and analyze data in the Amazon SageMaker Unified Studio domain. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [New policy - AmazonDataZoneBedrockModelManagementPolicy](#doc-history) | Adding a new managed policy - AmazonDataZoneBedrockModelManagementPolicy - that provides permissions to manage Amazon Bedrock model access, including creating, tagging and deleting application inference profiles. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [New policy - AmazonDataZoneBedrockModelConsumptionPolicy](#doc-history) | Adding a new managed policy - AmazonDataZoneBedrockModelConsumptionPolicy - that provides permissions to consume Amazon Bedrock models, including invoking Amazon Bedrock application inference profile created for particular Amazon DataZone domain. For more information, see [Amazon SageMaker Unified Studio updates to AWS managed policies](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol.html). | December 2, 2024 | | [Initial release](#doc-history) | Initial release of the Amazon SageMaker Unified Studio Administrator Guide | December 2, 2024 |