

# AWS managed policies for Amazon SageMaker Unified Studio
<a name="security-iam-awsmanpol"></a>

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

**Topics**
+ [AWS policy: SageMakerStudioFullAccess](security-iam-awsmanpol-SageMakerStudioFullAccess.md)
+ [AWS policy: SageMakerStudioProjectUserRolePermissionsBoundary](security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.md)
+ [AWS policy: SageMakerStudioDomainExecutionRolePolicy](security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy.md)
+ [AWS policy: SageMakerStudioProjectUserRolePolicy](security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy.md)
+ [AWS policy: SageMakerStudioProjectRoleMachineLearningPolicy](security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy.md)
+ [AWS policy: SageMakerStudioDomainServiceRolePolicy](security-iam-awsmanpol-SageMakerStudioDomainServiceRolePolicy.md)
+ [AWS policy: SageMakerStudioProjectProvisioningRolePolicy](security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md)
+ [AWS policy: AmazonDataZoneBedrockModelManagementPolicy](security-iam-awsmanpol-AmazonDataZoneBedrockModelManagementPolicy.md)
+ [AWS policy: SageMakerStudioQueryExecutionRolePolicy](security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md)
+ [AWS policy: SageMakerStudioEMRServiceRolePolicy](security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy.md)
+ [AWS policy: AmazonDataZoneBedrockModelConsumptionPolicy](security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy.md)
+ [AWS policy: SageMakerStudioEMRInstanceRolePolicy](security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.md)
+ [AWS policy: SageMakerStudioBedrockAgentServiceRolePolicy](security-iam-awsmanpol-SageMakerStudioBedrockAgentServiceRolePolicy.md)
+ [AWS policy: SageMakerStudioBedrockChatAgentUserRolePolicy](security-iam-awsmanpol-SageMakerStudioBedrockChatAgentUserRolePolicy.md)
+ [AWS policy: SageMakerStudioBedrockPromptUserRolePolicy](security-iam-awsmanpol-SageMakerStudioBedrockPromptUserRolePolicy.md)
+ [AWS policy: SageMakerStudioBedrockFlowServiceRolePolicy](security-iam-awsmanpol-SageMakerStudioBedrockFlowServiceRolePolicy.md)
+ [AWS policy: SageMakerStudioBedrockEvaluationJobServiceRolePolicy](security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy.md)
+ [AWS policy: SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy](security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy.md)
+ [AWS policy: SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy.md)
+ [AWS policy: SageMakerStudioBedrockFunctionExecutionRolePolicy](security-iam-awsmanpol-SageMakerStudioBedrockFunctionExecutionRolePolicy.md)
+ [AWS policy: SageMakerStudioUserIAMConsolePolicy](security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.md)
+ [AWS policy: SageMakerStudioUserIAMDefaultExecutionPolicy](security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy.md)
+ [AWS policy: SageMakerStudioUserIAMPermissiveExecutionPolicy](security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy.md)
+ [AWS policy: SageMakerStudioAdminIAMConsolePolicy](security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy.md)
+ [AWS policy: SageMakerStudioAdminIAMDefaultExecutionPolicy](security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy.md)
+ [AWS policy: SageMakerStudioAdminIAMPermissiveExecutionPolicy](security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy.md)
+ [AWS policy: SageMakerStudioAdminProjectUserRolePolicy](security-iam-awsmanpol-SageMakerStudioAdminProjectUserRolePolicy.md)
+ [Amazon SageMaker Unified Studio updates to AWS managed policies](security-iam-awsmanpol-updates.md)

# AWS policy: SageMakerStudioFullAccess
<a name="security-iam-awsmanpol-SageMakerStudioFullAccess"></a>

This policy provides full access to Amazon SageMaker Unified Studio via the Amazon SageMaker management console.

To view the permissions for this policy, see [SageMakerStudioFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioFullAccess.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioProjectUserRolePermissionsBoundary
<a name="security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary"></a>

Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the boundary of their permissions.

This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Do not attach Amazon SageMaker Unified Studio permissions boundary policies to roles on your own. Amazon SageMaker Unified Studio permissions boundary policies should be attached only to roles that Amazon SageMaker Unified Studio manages.

When you create a project in Amazon SageMaker Unified Studio, it applies this permissions boundary to the IAM roles that are provisioned during project creation. The permissions boundary limits the scope of the roles that Amazon SageMaker Unified Studio creates and of any roles that you add.

Amazon SageMaker Unified Studio uses the SageMakerStudioProjectUserRolePermissionsBoundary managed policy to limit the provisioned IAM principal to which it is attached. These principals might be the user roles that Amazon SageMaker Unified Studio assumes on behalf of interactive enterprise users or analytic services (AWS Glue, for example) in order to process data, such as reading from and writing to Amazon S3 or running an AWS Glue crawler.

The SageMakerStudioProjectUserRolePermissionsBoundary policy grants Amazon SageMaker Unified Studio read and write access to services such as Amazon SageMaker, AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, Amazon Athena, Amazon Q, and Amazon EMR. The policy also gives read and write permissions to some infrastructure resources that are required to use these services, such as network interfaces, AWS KMS keys, AWS CodeCommit, and AWS Secrets Manager.
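Because the boundary is what caps every project role, including roles you add yourself, a useful administrative check is to confirm that each role carries exactly this boundary. The following Python script is an added example, not code from the AWS documentation: it inspects `iam:GetRole` descriptions and reports roles with no boundary or with a different one. The role names and the embedded role descriptions are constructed samples; the live lookup assumes boto3 is installed and AWS credentials are configured.

```python
"""Check that IAM project roles carry the Studio permissions boundary.

Added example; not AWS documentation code. The sample role descriptions
below are constructed to mirror the shape of an iam:GetRole response.
"""
from __future__ import annotations

from typing import Optional

# ARN of the AWS managed policy that Studio applies as a permissions boundary.
EXPECTED_BOUNDARY_ARN = (
    "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePermissionsBoundary"
)


def boundary_arn(role: dict) -> Optional[str]:
    """Return the permissions boundary ARN from a GetRole 'Role' object, or None."""
    boundary = role.get("PermissionsBoundary") or {}
    return boundary.get("PermissionsBoundaryArn") or None


def check_boundary(role: dict, expected: str = EXPECTED_BOUNDARY_ARN) -> tuple[bool, str]:
    """Classify one role as (ok, human-readable finding)."""
    name = role.get("RoleName", "<unknown>")
    arn = boundary_arn(role)
    if arn is None:
        return False, f"{name}: no permissions boundary set"
    if arn != expected:
        return False, f"{name}: unexpected permissions boundary {arn}"
    return True, f"{name}: boundary OK"


def findings(roles: list[dict]) -> list[str]:
    """Return one finding per role that is NOT bounded by the expected policy."""
    return [msg for ok, msg in map(check_boundary, roles) if not ok]


# Constructed sample roles (shape of GetRole 'Role' objects) so the check runs offline.
SAMPLE_ROLES = [
    {
        "RoleName": "example-project-user-role",  # constructed name
        "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            "PermissionsBoundaryArn": EXPECTED_BOUNDARY_ARN,
        },
    },
    {
        "RoleName": "example-custom-role-no-boundary",  # constructed name
    },
    {
        "RoleName": "example-custom-role-wrong-boundary",  # constructed name
        "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            # 123456789012 is a placeholder account ID
            "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/SomeOtherBoundary",
        },
    },
]


def fetch_roles(role_names: list[str]) -> list[dict]:
    """Fetch live role descriptions (assumes boto3 and configured credentials)."""
    import boto3  # imported lazily so the offline sample runs without boto3

    iam = boto3.client("iam")
    return [iam.get_role(RoleName=name)["Role"] for name in role_names]


if __name__ == "__main__":
    import sys

    # Pass role names on the command line for a live check; otherwise use the sample.
    roles = fetch_roles(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_ROLES
    for line in findings(roles) or ["all roles carry the expected boundary"]:
        print(line)
```

Run it with no arguments to see the two sample findings; pass role names to check real roles. A role that passes this check can never exceed the boundary regardless of what identity policy is attached to it, which is the property the boundary is meant to guarantee.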

**Note**  
You can't create new projects with AWS CodeCommit. Existing projects that were created using CodeCommit will continue to work.
+ Amazon SageMaker permissions are required for users to use the Amazon SageMaker Domain and Spaces provisioned by default by the Tooling blueprint.
+ AWS Glue permissions are required for users to use the default AWS Glue Connection and create AWS Glue Sessions.
+ Amazon S3 permissions are required for users to access the project's Amazon S3 bucket.
+ AWS Lake Formation permissions are required for users to access underlying data in Amazon S3.
+ Amazon Redshift permissions are required for users to perform SQL queries against Amazon Redshift, and to allow access to the project's Amazon Redshift clusters.
+ Amazon Athena permissions are required for users to use the provisioned Amazon Athena workgroup and to perform SQL queries.
+ Amazon Q permissions are required for users to interact with Amazon Q within Amazon SageMaker Unified Studio.
+ Amazon EMR permissions are required for users to create and access Amazon EMR clusters. AWS KMS permissions are required to use customer managed keys (CMKs) in the various services integrated with Amazon SageMaker Unified Studio.
+ AWS CodeCommit permissions are required for users to use the default Git repository, and perform operations such as committing changes.
+ AWS Secrets Manager permissions are required for accessing the secret for various services, such as Amazon Redshift, AWS Glue federated data connections, and Amazon Bedrock.
+ Amazon Bedrock permissions are required to allow users access to Amazon Bedrock IDE, a development experience in Amazon SageMaker Unified Studio that lets you easily discover Amazon Bedrock models and build generative AI apps that use Amazon Bedrock models and features.

To view the permissions for this policy, see [SageMakerStudioProjectUserRolePermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioProjectUserRolePermissionsBoundary.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioDomainExecutionRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy"></a>

This is the default policy for the SageMakerUnifiedStudioDomainExecutionRole service role. Amazon SageMaker Unified Studio uses this role to catalog, discover, govern, share, and analyze data in the Amazon SageMaker Unified Studio domain.

This role provides access to all Amazon SageMaker Unified Studio APIs that are required for Amazon SageMaker Unified Studio use, as well as AWS RAM permissions to support associated accounts in an Amazon SageMaker Unified Studio domain. It also provides access to services used outside of a project scope, including AWS CodeConnections, Amazon Q, AWS Systems Manager, and Amazon Bedrock.

To view the permissions for this policy, see [SageMakerStudioDomainExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioDomainExecutionRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioProjectUserRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy"></a>

Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define their permissions.

This is the main policy for the SageMakerUnifiedStudioProjectRole role. The SageMakerStudioProjectUserRolePolicy policy is created as part of the Tooling environment blueprint. This policy grants Amazon SageMaker Unified Studio users read and write access to services such as Amazon SageMaker, AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, Amazon Athena, Amazon Q, and Amazon EMR. The policy also gives read and write permissions to some infrastructure resources that are required to use these services, such as network interfaces, AWS KMS keys, AWS CodeCommit, and AWS Secrets Manager.

An administrator can disable certain permissions in this policy by tagging the role to which the policy is attached. The tag EnableGlueSparkWorkloads=false disables all permissions related to AWS Glue Spark workloads. The tag EnableGenAIStudio=false disables all permissions related to Generative AI Studio.

**Note**  
You can't create new projects with AWS CodeCommit. Existing projects that were created using CodeCommit will continue to work.
+ Amazon SageMaker permissions are required for users to use the Amazon SageMaker Domain and Spaces provisioned by default by the Tooling blueprint.
+ AWS Glue permissions are required for users to use the default AWS Glue Connection and create AWS Glue Sessions.
+ Amazon S3 permissions are required for users to access the project's Amazon S3 bucket.
+ AWS Lake Formation permissions are required for users to access underlying data in Amazon S3.
+ Amazon Redshift permissions are required for users to perform SQL queries against Amazon Redshift, and to allow access to the project's Amazon Redshift clusters.
+ Amazon Athena permissions are required for users to use the provisioned Amazon Athena workgroup and to perform SQL queries.
+ Amazon Q permissions are required for users to interact with Amazon Q within Amazon SageMaker Unified Studio.
+ Amazon EMR permissions are required for users to create and access Amazon EMR clusters.
+ AWS CodeCommit permissions are required for users to use the default Git repository, and perform operations such as committing changes.
+ AWS Secrets Manager permissions are required for accessing the secret for various services, such as Amazon Redshift, AWS Glue federated data connections, and Amazon Bedrock.
+ Amazon Bedrock permissions are required to allow users access to Amazon Bedrock IDE, a development experience in Amazon SageMaker Unified Studio that lets you easily discover Amazon Bedrock models and build generative AI apps that use Amazon Bedrock models and features.
+ AWS KMS permissions are required to support customer managed keys. Resources provisioned by Amazon SageMaker Unified Studio can be encrypted with your customer managed key.

To view the permissions for this policy, see [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioProjectUserRolePolicy.html) in the *AWS Managed Policy Reference*.

**Note**  
Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, AI, and ML actions. You can attach the SageMakerStudioProjectUserRolePolicy managed policy as your user role policy or you can create and attach your own user role policy. Using your own policy provides more granular control over permissions but requires knowledge of IAM policy configuration. The IAM policy must include all necessary permissions required for the service to function properly.

# AWS policy: SageMakerStudioProjectRoleMachineLearningPolicy
<a name="security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy"></a>

Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to Amazon SageMaker.

This is the SageMaker policy for the SageMakerUnifiedStudioProjectRole role. This policy grants Amazon SageMaker Unified Studio users read and write access to services such as Amazon SageMaker, Amazon CloudWatch, and AWS Resource Groups. The policy also gives read and write permissions to some infrastructure resources that are required to use these services, such as network interfaces and AWS KMS keys.

An administrator can disable certain permissions in this policy by tagging the role to which the policy is attached. The tag EnableSageMakerMLWorkloads=false disables all permissions related to SageMaker ML workloads.
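The tag switches described here and in the SageMakerStudioProjectUserRolePolicy section above (EnableGlueSparkWorkloads, EnableGenAIStudio, EnableSageMakerMLWorkloads) are applied with `iam:TagRole`, and the effect is best confirmed with the IAM policy simulator rather than assumed. The Python below is an added example, not code from the AWS documentation: it builds the tag set, applies it, and asks `iam:SimulatePrincipalPolicy` whether representative actions are still allowed. The role name, the action list and the embedded simulator response are constructed samples; the live calls assume boto3 and credentials, and the condition key the managed policy evaluates is assumed to be `aws:PrincipalTag/<flag>`, which is why the tags are also passed as `ContextEntries`.

```python
"""Disable feature permissions on a Studio project role via tags, then verify.

Added example; not AWS documentation code. Role names, actions and the
sample API response are constructed. The live calls assume boto3 and
configured credentials; the policy condition is assumed to key on
aws:PrincipalTag/<flag>.
"""
from __future__ import annotations

# Tag keys documented for the project role policies. A value of "false"
# switches the corresponding permissions off.
FEATURE_FLAGS = {
    "EnableGlueSparkWorkloads": "SageMakerStudioProjectUserRolePolicy",
    "EnableGenAIStudio": "SageMakerStudioProjectUserRolePolicy",
    "EnableSageMakerMLWorkloads": "SageMakerStudioProjectRoleMachineLearningPolicy",
}


def feature_flag_tags(disable: list[str]) -> list[dict]:
    """Build the iam:TagRole 'Tags' list that disables the named features."""
    unknown = sorted(set(disable) - set(FEATURE_FLAGS))
    if unknown:
        raise ValueError(f"unknown feature flag(s): {unknown}")
    return [{"Key": key, "Value": "false"} for key in disable]


def disabled_features(tags: list[dict]) -> list[str]:
    """Read an iam:ListRoleTags 'Tags' list and return the features turned off."""
    return sorted(
        t["Key"] for t in tags
        if t["Key"] in FEATURE_FLAGS and t["Value"].lower() == "false"
    )


def context_entries(tags: list[dict]) -> list[dict]:
    """Express role tags as simulator ContextEntries (aws:PrincipalTag/<Key>)."""
    return [
        {
            "ContextKeyName": f"aws:PrincipalTag/{t['Key']}",
            "ContextKeyValues": [t["Value"]],
            "ContextKeyType": "string",
        }
        for t in tags
    ]


def summarize_simulation(response: dict) -> dict[str, str]:
    """Map action name -> decision from an iam:SimulatePrincipalPolicy response."""
    return {r["EvalActionName"]: r["EvalDecision"] for r in response["EvaluationResults"]}


def apply_and_verify(role_name: str, disable: list[str], actions: list[str]) -> dict[str, str]:
    """Tag the role, then simulate the given actions against it (live calls)."""
    import boto3  # lazy import: the offline helpers work without it

    iam = boto3.client("iam")
    tags = feature_flag_tags(disable)
    iam.tag_role(RoleName=role_name, Tags=tags)
    role_arn = iam.get_role(RoleName=role_name)["Role"]["Arn"]
    sim = iam.simulate_principal_policy(
        PolicySourceArn=role_arn,
        ActionNames=actions,
        ContextEntries=context_entries(tags),
    )
    return summarize_simulation(sim)


# Constructed sample of a SimulatePrincipalPolicy response after tagging
# EnableGlueSparkWorkloads=false: Glue session creation drops out, S3 stays.
SAMPLE_SIMULATION = {
    "EvaluationResults": [
        {"EvalActionName": "glue:CreateSession", "EvalDecision": "implicitDeny"},
        {"EvalActionName": "s3:GetObject", "EvalDecision": "allowed"},
    ]
}

if __name__ == "__main__":
    print(feature_flag_tags(["EnableGlueSparkWorkloads"]))
    print(summarize_simulation(SAMPLE_SIMULATION))
```

`EvalDecision` is one of `allowed`, `explicitDeny` or `implicitDeny`; an action you expected to disappear but that still reports `allowed` after tagging means the tag is not reaching the policy condition and should be investigated before relying on the switch.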

To view the permissions for this policy, see [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioProjectRoleMachineLearningPolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioDomainServiceRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioDomainServiceRolePolicy"></a>

This is the default policy for the SageMakerUnifiedStudioDomainServiceRole service role. This policy is used by Amazon SageMaker Unified Studio to access the SSM parameters in the user’s account. Those parameters are set by the administrator in the Amazon SageMaker Unified Studio project profiles. This policy also has permissions to AWS KMS for encrypted SSM parameters. The KMS key must be tagged with EnableKeyForAmazonDataZone to allow decrypting the SSM parameters.
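A missing EnableKeyForAmazonDataZone tag on the key behind a SecureString parameter shows up as a decrypt failure at project-profile time, so it is worth auditing ahead of that. The Python below is an added example, not code from the AWS documentation: it lists the KMS keys used by SecureString parameters under a path and reports which keys lack the tag. The parameter names, key identifiers and API responses embedded in it are constructed; the page states only the tag key, so the check tests for the key's presence and reports whatever value is set (the sample value `true` is constructed). The live walk assumes boto3 and credentials.

```python
"""Audit the KMS keys behind Studio SSM parameters for the required tag.

Added example; not AWS documentation code. Parameter names, key IDs and
API responses below are constructed samples.
"""
from __future__ import annotations

REQUIRED_TAG_KEY = "EnableKeyForAmazonDataZone"


def secure_string_key_ids(parameters: list[dict]) -> set[str]:
    """Collect the KMS KeyId of every SecureString in ssm:DescribeParameters output."""
    return {
        p["KeyId"] for p in parameters
        if p.get("Type") == "SecureString" and p.get("KeyId")
    }


def key_tag_status(key_id: str, tags: list[dict]) -> str:
    """Classify one key from its kms:ListResourceTags 'Tags' list."""
    if key_id.startswith("alias/aws/"):
        # AWS managed keys cannot be tagged by the customer, so the requirement
        # cannot be met with one; such parameters need a customer managed key.
        return "aws-managed-key (cannot be tagged; use a customer managed key)"
    for t in tags:
        if t["TagKey"] == REQUIRED_TAG_KEY:
            return f"tagged ({REQUIRED_TAG_KEY}={t['TagValue']})"
    return f"MISSING tag {REQUIRED_TAG_KEY}"


def audit(parameters: list[dict], tags_by_key: dict[str, list[dict]]) -> dict[str, str]:
    """Return key id -> status for every key referenced by a SecureString."""
    return {
        key_id: key_tag_status(key_id, tags_by_key.get(key_id, []))
        for key_id in sorted(secure_string_key_ids(parameters))
    }


# Constructed samples: DescribeParameters metadata and ListResourceTags output.
SAMPLE_PARAMETERS = [
    {"Name": "/example/profile/db-password", "Type": "SecureString", "KeyId": "alias/example-studio-key"},
    {"Name": "/example/profile/legacy-secret", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/example/profile/region", "Type": "String"},
]
SAMPLE_TAGS = {
    "alias/example-studio-key": [{"TagKey": REQUIRED_TAG_KEY, "TagValue": "true"}],
}


def audit_live(path_prefix: str) -> dict[str, str]:
    """Walk parameters under path_prefix and check their keys (assumes boto3/credentials)."""
    import boto3  # lazy import so the offline sample runs without boto3

    ssm = boto3.client("ssm")
    kms = boto3.client("kms")
    parameters: list[dict] = []
    for page in ssm.get_paginator("describe_parameters").paginate(
        ParameterFilters=[{"Key": "Path", "Option": "Recursive", "Values": [path_prefix]}]
    ):
        parameters.extend(page["Parameters"])

    tags_by_key: dict[str, list[dict]] = {}
    for key_id in secure_string_key_ids(parameters):
        if key_id.startswith("alias/aws/"):
            continue  # reported by key_tag_status without a lookup
        # ListResourceTags wants a key ID or ARN, so resolve aliases via DescribeKey first.
        resolved = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyId"]
        tags_by_key[key_id] = kms.list_resource_tags(KeyId=resolved)["Tags"]
    return audit(parameters, tags_by_key)


if __name__ == "__main__":
    for key_id, status in audit(SAMPLE_PARAMETERS, SAMPLE_TAGS).items():
        print(f"{key_id}: {status}")
```

Run without arguments it audits the constructed sample; call `audit_live("/your/profile/path")` against a real account. Note that the KMS tag check only tells you the tag exists; the key policy must still allow the domain service role to decrypt, which this script does not inspect.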

To view the permissions for this policy, see [SageMakerStudioDomainServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioDomainServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioProjectProvisioningRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy"></a>

Amazon SageMaker Unified Studio uses this policy to provision and manage resources in your account.

This is the default policy for the AmazonSageMakerProvisioning-<domainAccountId> service role. Amazon SageMaker Unified Studio uses this role to manage resources in your account that are created as part of the project lifecycle. This role provides access to manage resources for all services used in Amazon SageMaker Unified Studio, including Amazon SageMaker, AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, Amazon Athena, Amazon Q, Amazon EMR, Amazon Bedrock, AWS CodeCommit, and AWS IAM.

**Note**  
You can't create new projects with AWS CodeCommit. Existing projects that were created using CodeCommit will continue to work.
+ Amazon SageMaker permissions are required to manage the SageMaker Domain and Spaces provisioned by default by the Tooling blueprint.
+ AWS Glue permissions are required to manage AWS Glue Connections, AWS Glue Catalog, and AWS Glue Databases.
+ Amazon S3 permissions are required to access S3 objects to provision Amazon Bedrock resources and federated AWS Glue connections, and to create the staging bucket for Amazon Redshift.
+ AWS Lake Formation permissions are required to manage grants on the AWS Glue Data Catalog.
+ Amazon Redshift permissions are required to provision an Amazon Redshift Serverless workgroup and namespace.
+ Amazon Athena permissions are required to provision an Amazon Athena workgroup and an Amazon Athena data catalog for federated connections.
+ Amazon EMR permissions are required to provision Amazon EMR on EC2 clusters.
+ AWS KMS permissions are required to use customer managed keys (CMKs) in the various services integrated with Amazon SageMaker Unified Studio.
+ AWS CodeCommit permissions are required to provision the default Git repository.
+ AWS Secrets Manager permissions are required to provision the secret for various services, such as Amazon Redshift, AWS Glue federated data connections, and Amazon Bedrock.
+ AWS IAM permissions are required to provision the roles that will be used by users of Amazon SageMaker Unified Studio.
+ Amazon Bedrock permissions are required to provision Amazon Bedrock IDE related resources to enable discovery of Amazon Bedrock models and build generative AI apps that use Amazon Bedrock models and features.

To view the permissions for this policy, see [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioProjectProvisioningRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: AmazonDataZoneBedrockModelManagementPolicy
<a name="security-iam-awsmanpol-AmazonDataZoneBedrockModelManagementPolicy"></a>

Provides permissions to manage Amazon Bedrock model access, including creating, tagging, and deleting application inference profiles.

To view the permissions for this policy, see [AmazonDataZoneBedrockModelManagementPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneBedrockModelManagementPolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioQueryExecutionRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy"></a>

This is the default policy for the SageMakerQueryExecutionRole role. This policy provides permissions to run query executions on federated connections.

To view the permissions for this policy, see [SageMakerStudioQueryExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioQueryExecutionRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioEMRServiceRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy"></a>

Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to EMR.

To view the permissions for this policy, see [SageMakerStudioEMRServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioEMRServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: AmazonDataZoneBedrockModelConsumptionPolicy
<a name="security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy"></a>

Provides permissions to consume Amazon Bedrock models, including invoking the Amazon Bedrock application inference profile created for a particular Amazon DataZone domain.

To view the permissions for this policy, see [AmazonDataZoneBedrockModelConsumptionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneBedrockModelConsumptionPolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioEMRInstanceRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy"></a>

Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to Amazon EMR.

To view the permissions for this policy, see [SageMakerStudioEMRInstanceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioEMRInstanceRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioBedrockAgentServiceRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioBedrockAgentServiceRolePolicy"></a>

This policy allows Amazon Bedrock Agents to access Amazon Bedrock models and other resources attached to an agent in Amazon SageMaker Unified Studio.

This is the main policy for the Amazon Bedrock IDE agent service role. This role is part of the AmazonBedrockChatAgent environment blueprint.

This policy grants the Amazon Bedrock service access to resources attached to an Amazon Bedrock IDE chat agent app, including Amazon Bedrock models, guardrails, and knowledge bases; AWS Lambda functions; Amazon S3 objects; and an AWS KMS key.
+ Amazon Bedrock permissions are required for Amazon Bedrock agents to invoke Amazon Bedrock models enabled at the project level. This policy also grants access to Amazon Bedrock resources managed within Amazon SageMaker Unified Studio.
+ AWS Lambda permissions are required for Amazon Bedrock agents to run functions attached to an Amazon Bedrock IDE chat agent app.
+ Amazon S3 permissions are required for Amazon Bedrock agents to access the project's Amazon S3 bucket.
+ AWS KMS permissions are required to access Amazon Bedrock and Amazon S3 data encrypted with a customer managed key.

This policy allows the Amazon Bedrock service to access specific resources tagged with the same project ID as the service role. This tag restriction effectively only permits access to resources in the same project. By default, project users are not allowed to change service role tags.

To view the permissions for this policy, see [SageMakerStudioBedrockAgentServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockAgentServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioBedrockChatAgentUserRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioBedrockChatAgentUserRolePolicy"></a>

This policy provides access to an Amazon Bedrock chat agent app's configuration and Amazon Bedrock agent in Amazon SageMaker Unified Studio.

This is the main policy for the Amazon Bedrock IDE chat agent user role. This role is part of the AmazonBedrockChatAgent environment blueprint.

This policy grants users access to a shared Amazon Bedrock IDE chat agent app, including the permission to invoke an Amazon Bedrock agent, get its configuration from Amazon S3, and use an AWS KMS key.
+ Amazon Bedrock permissions are required for app users to read and invoke an Amazon Bedrock agent.
+ Amazon S3 permissions are required for app users to read an object in the project's Amazon S3 bucket.
+ AWS KMS permissions are required to access Amazon Bedrock and Amazon S3 data encrypted with a customer managed key.

This policy allows users to access individually shared Amazon Bedrock IDE chat agent apps. By default, domain users and project users are not allowed to change user role tags.

To view the permissions for this policy, see [SageMakerStudioBedrockChatAgentUserRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockChatAgentUserRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioBedrockPromptUserRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioBedrockPromptUserRolePolicy"></a>

This policy provides access to an Amazon Bedrock prompt and its configuration in Amazon SageMaker Unified Studio.

This is the main policy for the Amazon Bedrock IDE prompt user role. This role is part of the AmazonBedrockPrompt environment blueprint.

This policy grants users access to a shared Amazon Bedrock IDE prompt, including the Amazon Bedrock prompt, its configuration in Amazon S3, and an AWS KMS key.
+ Amazon Bedrock permissions are required for prompt users to read Amazon Bedrock prompts.
+ Amazon S3 permissions are required for prompt users to read an object in the project's Amazon S3 bucket.
+ AWS KMS permissions are required to access Amazon Bedrock and Amazon S3 data encrypted with a customer managed key.

This policy allows users to access individually shared Amazon Bedrock IDE prompts. By default, domain users and project users are not allowed to change user role tags.

To view the permissions for this policy, see [SageMakerStudioBedrockPromptUserRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockPromptUserRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioBedrockFlowServiceRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioBedrockFlowServiceRolePolicy"></a>

This policy allows Amazon Bedrock Flows to access Amazon Bedrock models and other resources attached to a flow in Amazon SageMaker Unified Studio.

This is the main policy for the Amazon Bedrock IDE prompt flow service role. This role is part of the AmazonBedrockFlow environment blueprint.

This policy grants the Amazon Bedrock service access to resources attached to an Amazon Bedrock IDE flow app, including Amazon Bedrock models, guardrails, knowledge bases, and prompts; AWS Lambda functions; and an AWS KMS key.
+ Amazon Bedrock permissions are required for Amazon Bedrock prompt flows to invoke Amazon Bedrock models enabled at the project level. This policy also grants access to Amazon Bedrock resources managed within Amazon SageMaker Unified Studio.
+ AWS Lambda permissions are required for Amazon Bedrock prompt flows to run functions attached to an Amazon Bedrock IDE flow app.
+ AWS KMS permissions are required to access Amazon Bedrock and Amazon S3 data encrypted with a customer managed key.

This policy allows the Amazon Bedrock service to access specific resources tagged with the same project ID as the service role. This tag restriction effectively only permits access to resources in the same project. By default, project users are not allowed to change service role tags.

To view the permissions for this policy, see [SageMakerStudioBedrockFlowServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockFlowServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioBedrockEvaluationJobServiceRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy"></a>

This policy allows Amazon Bedrock to access Amazon Bedrock models and datasets for evaluation jobs in Amazon SageMaker Unified Studio.

This is the main policy for the Amazon Bedrock IDE evaluation job service role. This role is part of the AmazonBedrockEvaluation environment blueprint.

This policy grants the Amazon Bedrock service access to resources for an Amazon Bedrock model evaluation job, including Amazon Bedrock models, Amazon S3 objects, and an AWS KMS key.
+ Amazon Bedrock permissions are required for Amazon Bedrock evaluation jobs to invoke Amazon Bedrock models enabled at the project level. This policy also grants access to Amazon Bedrock resources managed within Amazon SageMaker Unified Studio.
+ Amazon S3 permissions are required for Amazon Bedrock evaluation jobs to access the project's Amazon S3 bucket.
+ AWS KMS permissions are required to access Amazon S3 data encrypted with a customer managed key.

This policy allows the Amazon Bedrock service to access specific resources tagged with the same project ID as the service role. This tag restriction effectively only permits access to resources in the same project. By default, project users are not allowed to change service role tags.

To view the permissions for this policy, see [SageMakerStudioBedrockEvaluationJobServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockEvaluationJobServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy
<a name="security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy"></a>

This policy provides access to configure vector stores and Amazon Bedrock knowledge bases in Amazon SageMaker Unified Studio.

This is the main policy for the Amazon Bedrock IDE knowledge base custom resource service role. This role is part of the AmazonBedrockKnowledgeBase environment blueprint.

This policy grants AWS Lambda-backed CloudFormation custom resources access to Amazon Bedrock IDE knowledge bases and their Amazon OpenSearch Serverless collections.
+ Amazon Bedrock permissions are required for the custom resource to start and query Amazon Bedrock knowledge base ingestion jobs.
+ Amazon OpenSearch Serverless permissions are required for the custom resource to prepare Amazon OpenSearch Serverless collections for use with Amazon Bedrock knowledge bases.

This policy allows the Amazon Bedrock service to access specific resources tagged with the same project ID as the service role. This tag restriction effectively only permits access to resources in the same project. By default, project users are not allowed to change service role tags.

To view the permissions for this policy, see [SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy"></a>

This policy allows Amazon Bedrock Knowledge Bases to access Amazon Bedrock models and data sources in Amazon SageMaker Unified Studio.

This is the main policy for the Amazon Bedrock IDE knowledge base service role. This role is part of the AmazonBedrockKnowledgeBase environment blueprint.

This policy grants the Amazon Bedrock service access to resources attached to Amazon Bedrock IDE knowledge bases, including Amazon Bedrock models, Amazon OpenSearch Serverless collections, Amazon S3 objects, and an AWS KMS key.
+ Amazon Bedrock permissions are required for Amazon Bedrock knowledge bases to invoke Amazon Bedrock models enabled at the project level and generate queries.
+ AWS SQL Workbench permissions are required to generate SQL recommendations for querying structured data sources.
+ Amazon OpenSearch Serverless permissions are required for Amazon Bedrock knowledge bases to access the vector search collections that store knowledge base embeddings.
+ Amazon S3 permissions are required for Amazon Bedrock agents to access the project's Amazon S3 bucket.
+ AWS KMS permissions are required to access Amazon Bedrock and Amazon S3 data encrypted with a customer managed key.

This policy allows the Amazon Bedrock service to access specific resources tagged with the same project ID as the service role. This tag restriction effectively only permits access to resources in the same project. By default, project users are not allowed to change service role tags.

To view the permissions for this policy, see [SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioBedrockFunctionExecutionRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioBedrockFunctionExecutionRolePolicy"></a>

This policy allows AWS Lambda to access an Amazon Bedrock function component's configuration in Amazon SageMaker Unified Studio.

This is the main policy for the Amazon Bedrock IDE function execution role. This role is part of the AmazonBedrockFunction environment blueprint.

This policy grants the AWS Lambda service access to an Amazon Bedrock IDE function’s configuration, including AWS Secrets Manager secrets and an AWS KMS key.
+ AWS Secrets Manager permissions are required for AWS Lambda to access the Amazon Bedrock IDE function’s API keys while fulfilling API requests.
+ AWS KMS permissions are required to access AWS Secrets Manager secrets encrypted with a customer managed key.

This policy allows the AWS Lambda service to access specific resources tagged with the same project ID as the service role. This tag restriction effectively only permits access to resources in the same project. By default, project users are not allowed to change service role tags.

To view the permissions for this policy, see [SageMakerStudioBedrockFunctionExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioBedrockFunctionExecutionRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioUserIAMConsolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy"></a>

This policy provides individual setup privileges for Amazon SageMaker Unified Studio using the AWS Management Console and SDK. It grants permissions for launching Amazon SageMaker Unified Studio.
+ Amazon DataZone permissions are required to allow principals access to Amazon DataZone actions to create a project, and to log in to Amazon SageMaker Unified Studio.
+ AWS Identity and Access Management permissions are required to allow principals to list and get IAM roles, and to get IAM users.

To view the permissions for this policy, see [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioUserIAMConsolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioUserIAMDefaultExecutionPolicy
<a name="security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy"></a>

This is the default execution policy for using IAM roles with Amazon SageMaker Unified Studio. This policy grants users access to resources. It does not grant access to data resources.
+ Amazon DataZone permissions are required to access DataZone resources such as Project and Asset.
+ AWS Identity and Access Management permissions are required to list IAM roles, create service-linked roles, and pass roles when provisioning resources.
+ AWS STS permissions are required to assume other roles for accessing cross-account resources.
+ Amazon S3 permissions are required to list S3 buckets and allow cross-account object read.
+ AWS Lake Formation permissions are required to describe AWS Lake Formation resources.
+ Amazon Redshift Query Editor permissions are required to interact with the query editor in Amazon SageMaker Unified Studio.
+ Amazon Redshift Data API permissions are required to run SQL statements using the Data API.
+ Amazon Redshift Serverless permissions are required for discovery of Redshift Serverless.
+ Amazon Redshift permissions are required for discovery of Redshift clusters.
+ Amazon Bedrock permissions are required to interact with Bedrock APIs in Amazon SageMaker Unified Studio.
+ Amazon EventBridge Scheduler permissions are required to interact with one-click scheduling in Amazon SageMaker Unified Studio.
+ Amazon DynamoDB permissions are required to enable federated connections to external data.
+ Amazon Athena permissions are required to interact with Query Editor in Amazon SageMaker Unified Studio.
+ AWS Secrets Manager permissions are required to access secrets for connections.
+ Amazon CodeWhisperer permissions are required to generate code recommendations.
+ Amazon ECR permissions are required to run SageMaker training jobs.
+ Amazon MWAA permissions are required to manage and schedule workflows.
+ AWS KMS permissions are required to support customer managed keys. Resources provisioned by Amazon SageMaker Unified Studio can be encrypted with your customer managed key.

To view the permissions for this policy, see [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioUserIAMDefaultExecutionPolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioUserIAMPermissiveExecutionPolicy
<a name="security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy"></a>

This is an execution policy for using IAM roles with Amazon SageMaker Unified Studio. This policy grants users access to resources in your account, including broad access to data resources.

This policy provides full access to all APIs and resources for services used in Amazon SageMaker Unified Studio, such as Amazon CloudWatch Logs, AWS Glue, Amazon Redshift, Amazon Redshift Data API, Amazon Redshift Serverless, Amazon S3, Amazon Athena, Amazon Bedrock, Amazon CodeWhisperer, Amazon DataZone, Amazon Q, Amazon SageMaker AI, AWS SQL Workbench, Amazon EventBridge Scheduler, and CloudFormation.

Additional access is provided for the following services:
+ Amazon DataZone permissions are required to access Amazon DataZone resources such as Project and Asset.
+ AWS Identity and Access Management permissions are required to list IAM roles, create service-linked roles, and pass roles when provisioning resources.
+ AWS Security Token Service permissions are required to assume other roles for accessing cross-account resources.
+ AWS Systems Manager permissions are required to access parameters for Amazon Q and Amazon SageMaker AI distribution.
+ AWS Lake Formation permissions are required to describe AWS Lake Formation Resources.
+ Amazon DynamoDB permissions are required to enable federated connections to external data.
+ AWS Secrets Manager permissions are required to access secrets for connections.
+ Amazon ECR permissions are required to run Amazon SageMaker AI training jobs.
+ Amazon MWAA permissions are required to manage and schedule workflows.
+ AWS KMS permissions are required to support customer managed keys. Resources provisioned by Amazon SageMaker Unified Studio can be encrypted with your customer managed key.

To view the permissions for this policy, see [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioUserIAMPermissiveExecutionPolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioAdminIAMConsolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy"></a>

This policy provides initial administrative and individual setup privileges for Amazon SageMaker Unified Studio via the AWS Management Console and SDK. It grants permissions for launching Amazon SageMaker Unified Studio.
+ Amazon DataZone permissions are required to allow principals full access to all Amazon DataZone actions.
+ AWS Identity and Access Management permissions are required to allow principals to list and get IAM roles, get IAM users, and pass roles when creating Amazon DataZone resources.
+ AWS Systems Manager permissions are required to manage parameters to enable Amazon Q.
+ Amazon EC2 permissions are required to describe, create, modify, and delete VPC infrastructure including VPCs, subnets, security groups, internet gateways, NAT gateways, route tables, VPC endpoints, and elastic IP addresses for Amazon SageMaker Unified Studio environments.
+ CloudFormation permissions are required to create and manage infrastructure stacks for Amazon SageMaker Unified Studio deployment.
+ Amazon S3 permissions are required to allow CloudFormation to access template files from S3 buckets, including cross-account scenarios.
+ AWS KMS permissions are required to manage encryption keys, perform encrypt/decrypt operations, and create grants for Amazon DataZone resources.

All EC2 resources must be tagged with `CreatedForUseWithSageMakerUnifiedStudio: true` for creation, modification, and deletion operations to ensure proper resource governance and lifecycle management.
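The following simplified policy evaluator is an added example (not AWS code) that models the two tag conditions this page describes: the same-project restriction in the Bedrock service-role policies above, and the `CreatedForUseWithSageMakerUnifiedStudio: true` requirement on EC2 resources here. The project-ID tag key `ProjectId` and the sample policy document are assumptions, since the page gives neither the real tag key nor the policy text; the evaluator covers only `StringEquals` and the `${aws:PrincipalTag/...}` policy variable.

```python
from fnmatch import fnmatchcase

# Added example, not AWS code. PROJECT_TAG_KEY is a HYPOTHETICAL placeholder:
# the page does not name the project-ID tag key the service-role policies use.
PROJECT_TAG_KEY = "ProjectId"
EC2_GOVERNANCE_TAG = "CreatedForUseWithSageMakerUnifiedStudio"  # tag key from the page

# Constructed policy modelled on the page's description, not the real managed policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Service-role style: the resource's project tag must equal the
            # calling role's project tag (ABAC through a policy variable).
            "Sid": "SameProjectOnly",
            "Effect": "Allow",
            "Action": ["bedrock:StartIngestionJob", "bedrock:GetIngestionJob"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                f"aws:ResourceTag/{PROJECT_TAG_KEY}": f"${{aws:PrincipalTag/{PROJECT_TAG_KEY}}}"
            }},
        },
        {
            # Admin-console style: mutating EC2 calls only on resources that
            # carry the governance tag with the exact value "true".
            "Sid": "GovernedEc2Only",
            "Effect": "Allow",
            "Action": ["ec2:DeleteVpc", "ec2:DeleteSubnet", "ec2:Modify*"],
            "Resource": "*",
            "Condition": {"StringEquals": {f"aws:ResourceTag/{EC2_GOVERNANCE_TAG}": "true"}},
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _resolve(value, ctx):
    """Expand a ${...} policy variable from the request context; plain strings pass through."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition, ctx):
    """StringEquals only, case-sensitive as in IAM. A missing context key never matches."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual, wanted = ctx.get(key), _resolve(expected, ctx)
            if actual is None or wanted is None or actual != wanted:
                return False
    return True


def is_allowed(policy, action, ctx):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny."""
    decision = False
    for stmt in policy["Statement"]:
        # IAM action names are case-insensitive and support '*' wildcards.
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def ec2_statements_without_tag_guard(policy, tag_key=EC2_GOVERNANCE_TAG):
    """Audit helper: Sids of Allow statements granting ec2:* actions with no
    aws:ResourceTag/<tag_key> condition. An empty list means every EC2 grant is guarded."""
    guard = f"aws:ResourceTag/{tag_key}"
    missing = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(a.lower().startswith("ec2:") for a in _as_list(stmt["Action"])):
            continue
        keys = {k for pairs in stmt.get("Condition", {}).values() for k in pairs}
        if guard not in keys:
            missing.append(stmt.get("Sid", "<no Sid>"))
    return missing


def request_ctx(principal_project=None, resource_project=None, ec2_tag=None):
    """Build a constructed request context from tag values (None means the tag is absent)."""
    ctx = {}
    if principal_project is not None:
        ctx[f"aws:PrincipalTag/{PROJECT_TAG_KEY}"] = principal_project
    if resource_project is not None:
        ctx[f"aws:ResourceTag/{PROJECT_TAG_KEY}"] = resource_project
    if ec2_tag is not None:
        ctx[f"aws:ResourceTag/{EC2_GOVERNANCE_TAG}"] = ec2_tag
    return ctx


if __name__ == "__main__":
    print(is_allowed(SAMPLE_POLICY, "bedrock:StartIngestionJob", request_ctx("proj-a", "proj-a")))  # True
    print(is_allowed(SAMPLE_POLICY, "bedrock:StartIngestionJob", request_ctx("proj-a", "proj-b")))  # False
    print(is_allowed(SAMPLE_POLICY, "ec2:DeleteVpc", request_ctx(ec2_tag="True")))  # False: value is case-sensitive
    print(ec2_statements_without_tag_guard(SAMPLE_POLICY))  # []
```

Note that `StringEquals` is case-sensitive, so an EC2 resource tagged `True` instead of `true` is denied, and a resource with no project tag at all never matches the same-project condition.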

To view the permissions for this policy, see [SageMakerStudioAdminIAMConsolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioAdminIAMConsolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioAdminIAMDefaultExecutionPolicy
<a name="security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy"></a>

This is the administrative execution policy for using IAM roles with Amazon SageMaker Unified Studio. This policy grants administrative access to provision, manage, and access resources in your account. It does not grant access to data resources.
+ Amazon DataZone permissions are required to manage Amazon DataZone resources such as Domain and Project.
+ AWS Identity and Access Management permissions are required to list IAM roles, create service-linked roles, and pass roles when provisioning resources.
+ AWS STS permissions are required to assume other roles for accessing cross-account resources.
+ Amazon Q permissions are required to interact with Amazon Q within Amazon SageMaker Unified Studio.
+ AWS Glue permissions are required to access data in Glue and allow usage of Glue Sessions.
+ AWS Systems Manager permissions are required to manage parameters to enable Amazon Q and access the SageMaker distribution.
+ Amazon SageMaker AI permissions are required to manage SageMaker Space and allow SageMaker ML workloads.
+ Amazon S3 permissions are required to create S3 buckets, access service CloudFormation templates in S3, and delete S3 bucket policies.
+ CloudFormation permissions are required to manage CloudFormation stacks that manage resources of other services.
+ Amazon CloudWatch Logs permissions are required to access logs from workloads in Amazon SageMaker Unified Studio.
+ AWS Lake Formation permissions are required to manage Lake Formation grants to access data.
+ Amazon Redshift Query Editor permissions are required to interact with Query Editor in Amazon SageMaker Unified Studio.
+ Amazon Redshift Data API permissions are required to run SQL statements using the Data API.
+ Amazon Redshift Serverless permissions are required for discovery of Redshift Serverless.
+ Amazon Redshift permissions are required for discovery of Redshift clusters.
+ Amazon Bedrock permissions are required to interact with Bedrock APIs in Amazon SageMaker Unified Studio.
+ Amazon DynamoDB permissions are required to enable federated connections to external data.
+ AWS Secrets Manager permissions are required to manage secrets for connections.
+ Amazon Athena permissions are required to interact with Query Editor in Amazon SageMaker Unified Studio.
+ Amazon CodeWhisperer permissions are required to generate code recommendations.
+ Amazon EventBridge Scheduler permissions are required to interact with one-click scheduling in Amazon SageMaker Unified Studio.
+ Amazon ECR permissions are required to run SageMaker training jobs.
+ Amazon MWAA permissions are required to manage and schedule workflows.
+ AWS KMS permissions are required to support customer managed keys. Resources provisioned by Amazon SageMaker Unified Studio can be encrypted with your customer managed key.

To view the permissions for this policy, see [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioAdminIAMDefaultExecutionPolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioAdminIAMPermissiveExecutionPolicy
<a name="security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy"></a>

This is an administrative execution policy for using IAM roles with Amazon SageMaker Unified Studio. This policy grants administrative access to provision, manage, and access resources in your account. This includes broad access to data resources.

This policy provides full access to all APIs and resources for services used in Amazon SageMaker Unified Studio, such as Amazon CloudWatch Logs, AWS Glue, Amazon Redshift, Amazon Redshift Data API, Amazon Redshift Serverless, Amazon S3, Amazon Athena, Amazon Bedrock, Amazon CodeWhisperer, Amazon DataZone, Amazon Q, Amazon SageMaker AI, AWS SQL Workbench, Amazon EventBridge Scheduler, and CloudFormation.

Additional access is provided for the following services:
+ AWS Identity and Access Management permissions are required to list IAM roles, create service-linked roles, and pass roles when provisioning resources.
+ AWS Security Token Service permissions are required to assume other roles for accessing cross-account resources.
+ AWS Systems Manager permissions are required to manage parameters to enable Amazon Q and access the SageMaker distribution.
+ AWS Lake Formation permissions are required to manage AWS Lake Formation grants to access data.
+ Amazon DynamoDB permissions are required to enable federated connections to external data.
+ AWS Secrets Manager permissions are required to manage secrets for connections.
+ Amazon ECR permissions are required to run SageMaker training jobs.
+ Amazon MWAA permissions are required to manage and schedule workflows.
+ AWS KMS permissions are required to support customer managed keys. Resources provisioned by Amazon SageMaker Unified Studio can be encrypted with your customer managed key.

To view the permissions for this policy, see [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioAdminIAMPermissiveExecutionPolicy.html) in the *AWS Managed Policy Reference*.

# AWS policy: SageMakerStudioAdminProjectUserRolePolicy
<a name="security-iam-awsmanpol-SageMakerStudioAdminProjectUserRolePolicy"></a>

This IAM policy grants an IAM role full access to the AWS Glue Data Catalog (metadata) and Amazon S3 (actual data) for data lake operations, with access scoped by account and role tags. You can attach SageMakerStudioAdminProjectUserRolePolicy to your users, groups, and roles.

To view the permissions for this policy, see [SageMakerStudioAdminProjectUserRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SageMakerStudioAdminProjectUserRolePolicy.html) in the *AWS Managed Policy Reference*.

# Amazon SageMaker Unified Studio updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Amazon SageMaker Unified Studio since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon SageMaker Unified Studio Document history page.

| Change | Description | Date | 
| --- | --- | --- | 
|  Policy update - [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy)  |  Policy updates to SageMakerStudioUserIAMConsolePolicy - adding permissions for `datazone:GetConnection` and `datazone:ListConnections` to support IAM role federation in Local IDE.  | 03/31/2026 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to SageMakerStudioProjectUserRolePolicy - adding AWS Glue permissions scoped to S3 Tables catalog resource to support querying S3 Tables from SageMaker Unified Studio IdC domains.  | 03/24/2026 | 
|  Policy update - [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding `cloudwatch:GetMetricData`, SageMaker Feature Store, Lake Formation data filter, SSO, and Admin UI permissions to SageMaker Unified Studio.  | 03/30/2026 | 
|  Policy update - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding `cloudwatch:GetMetricData`, notebook import and export functionality for permissive users, SageMaker Feature Store, and Lake Formation data filter for SageMaker Unified Studio. These permissions are applied to default IAM users.  | 03/30/2026 | 
|  Policy update - [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adds notebook import and export functionality for permissive users. These permissions are applied to default IAM users when using the permissive role.  | 03/30/2026 | 
|  Policy update - [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adds SSO permissions for permissive admin policies. Also adds Admin and LakeFormation data filter permissions to permissive admin roles.  | 03/30/2026 | 
|  Policy update - [SageMakerStudioAdminIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy)  |  Policy updates to SageMakerStudioAdminIAMConsolePolicy - adding sso:DeleteApplication permission to allow deleting DataZone domain integrated with AWS IAM Identity Center. Adding KMS permissions required for IAM Identity Center instances that use customer managed keys for encryption.  | 03/30/2026 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding iam:CreateServiceLinkedRole permission to allow creating the Amazon Athena service-linked role for Athena Spark workgroup provisioning.  | 03/09/2026 | 
|  Policy update - [SageMakerStudioDomainExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy)  |  Policy updates to SageMakerStudioDomainExecutionRolePolicy - adding support for the new API action - `QueryGraph` to enable graph-based entity search capabilities.  | 02/25/2026 | 
|  Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy)  |  Policy updates to SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support SageMaker Notebooks, Data Agent, and Airflow Serverless workflows.  | 02/26/2026 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to pass roles to Amazon Athena for Athena Spark workgroup support.  | 03/02/2026 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to support Airflow Serverless.  | 03/02/2026 | 
|  Policy update - [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding Amazon S3 Tables permissions to support integration with S3 table buckets IAM mode.  | 02/27/2026 | 
|  Policy update - [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding Amazon S3 Tables permissions to support integration with S3 table buckets IAM mode.  | 02/27/2026 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to support integration with encrypted Identity Center instances.  | 02/05/2026 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to support integration with MLflow App to track runs and experiments.  | 01/27/2026 | 
|  Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy)  |  Policy updates to SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support integration with MLflow App to track runs and experiments.  | 01/27/2026 | 
|  Policy update - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding permissions to support integration with MLflow App to track runs and experiments.  | 01/27/2026 | 
|  Policy update - [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions to support integration with MLflow App to track runs and experiments.  | 01/27/2026 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to support integration with SageMaker Unified Studio MCP.  | 11/21/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to SageMakerStudioProjectUserRolePolicy - fix KMS permissions for integration with Scheduler.  | 11/20/2025 | 
|  Policy update - [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - fix KMS permissions for integration with Workflows, Scheduler, and DataZone Data Notebook.  | 11/18/2025 | 
|  Policy update - [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - fix KMS permissions for integration with Workflows, Scheduler, and DataZone Data Notebook.  | 11/18/2025 | 
|  Policy update - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - fix KMS permissions for integration with Workflows, Scheduler, and DataZone Data Notebook.  | 11/18/2025 | 
|  Policy update - [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - fix KMS permissions for integration with Workflows, Scheduler, and DataZone Data Notebook.  | 11/18/2025 | 
|  Policy update - [SageMakerStudioAdminIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy)  |  Policy updates to SageMakerStudioAdminIAMConsolePolicy - adding KMS, CloudFormation and EC2 permissions for Amazon SageMaker Unified Studio.  | 11/14/2025 | 
|  Policy update - [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy)  |  Policy updates to SageMakerStudioUserIAMConsolePolicy - removing pass role permissions.  | 11/14/2025 | 
|  Policy update - [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions for new APIs for SageMaker Unified Studio MCP, Airflow Serverless, and Athena sessions. Improve isolation for Glue and Athena sessions by making sure users can only access their own sessions.  | 11/14/2025 | 
|  Policy update - [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding permissions for new APIs for SageMaker Unified Studio MCP, Airflow Serverless, and Athena sessions. Improve isolation for Glue and Athena sessions by making sure users can only access their own sessions.  | 11/14/2025 | 
|  Policy update - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding permissions for new APIs for SageMaker Unified Studio MCP, Airflow Serverless, and Athena sessions. Improve isolation for Glue and Athena sessions by making sure users can only access their own sessions.  | 11/14/2025 | 
|  Policy update - [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding permissions for new APIs for SageMaker Unified Studio MCP, Airflow Serverless, and Athena sessions. Improve isolation for Glue and Athena sessions by making sure users can only access their own sessions.  | 11/14/2025 | 
|  Policy update - [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless, Amazon Redshift, AWS Secrets Manager, AWS Lake Formation, Amazon SageMaker AI, Amazon S3, AWS CodeConnections, and AWS Glue. Adding KMS permissions to manage resources encrypted with CMK. Adding IAM CreateRole permission to allow creating new execution roles.  | 11/11/2025 | 
|  Policy update - [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless, Amazon Redshift, AWS Secrets Manager, AWS Lake Formation, Amazon SageMaker AI, Amazon S3, AWS CodeConnections, and AWS Glue. Adding KMS permissions to manage resources encrypted with CMK. Adding IAM CreateRole permission to allow creating new execution roles.  | 11/10/2025 | 
|  Policy update - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless, Amazon Redshift, AWS Secrets Manager, AWS Lake Formation, Amazon SageMaker AI, Amazon S3, AWS CodeConnections, and AWS Glue. Adding KMS permissions to manage resources encrypted with CMK. Adding IAM CreateRole permission to allow creating new execution roles.  | 11/10/2025 | 
|  Policy update - [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding permissions to support integration with multiple services including Amazon EMR Serverless, Amazon Redshift, AWS Secrets Manager, AWS Lake Formation, Amazon SageMaker AI, Amazon S3, AWS CodeConnections, and AWS Glue. Adding KMS permissions to manage resources encrypted with CMK. Adding IAM CreateRole permission to allow creating new execution roles.  | 11/10/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to SageMakerStudioProjectProvisioningRolePolicy - permissions updates for the following features: EMR on EKS compute capabilities, trusted identity propagation with user background sessions, AWS resource custom tags support, support default AWS Glue catalog encryption, Amazon SageMaker Unified Studio per project S3 bucket.  | 10/31/2025 | 
|  Policy update - [SageMakerStudioEMRContainersSystemNamespaceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRContainersSystemNamespaceRolePolicy)  |  Policy updates to SageMakerStudioEMRContainersSystemNamespaceRolePolicy - this revision refactors the scope of the STS actions required for the EMR Containers service.  | 10/31/2025 | 
|  New policy - [SageMakerStudioEMRContainersSystemNamespaceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRContainersSystemNamespaceRolePolicy)  |  New policy - SageMakerStudioEMRContainersSystemNamespaceRolePolicy - Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the permissions related to Amazon EMR.   | 10/24/2025 | 
|  Policy update - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding `sagemaker:StartSession` to allow users to connect to a space from the local IDE. Also adding `glue:UntagResource` permission.   | 10/10/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding support for customers who opt in to the Trusted Identity Propagation (TIP) feature. TIP requires additional resources and configurations, which in turn require additional permissions, including LakeFormation IdentityCenterConfiguration resource permissions, AWS Glue IdentityCenterConfiguration resource permissions, the EMR SecurityConfiguration `Describe` permission, and SSO resource permissions.   | 9/26/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to SageMakerStudioProjectUserRolePolicy - restoring table tag visibility in the asset page of Amazon SageMaker Unified Studio for Amazon SageMaker unified domains.  | 9/18/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to SageMakerStudioProjectUserRolePolicy - adding AWS Glue permissions to enable users to delete AWS Glue databases in their Amazon SageMaker Unified Studio projects.  | 9/12/2025 | 
|  Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy)  |  Policy updates to SageMakerStudioProjectRoleMachineLearningPolicy - adding support for the `sagemaker:StartSession` permission to enable remote connections to Amazon SageMaker spaces.  | 9/08/2025 | 
|  Policy update - [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMPermissiveExecutionPolicy - adding `iam:CreateServiceLinkedRole` permissions for resource management.  | 8/29/2025 | 
|  Policy update - [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMPermissiveExecutionPolicy - adding `iam:CreateServiceLinkedRole` permissions for resource management.  | 8/29/2025 | 
|  Policy update - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioUserIAMDefaultExecutionPolicy - adding `iam:CreateServiceLinkedRole` permissions for resource management.  | 8/29/2025 | 
|  Policy update - [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy)  |  Policy updates to SageMakerStudioAdminIAMDefaultExecutionPolicy - adding the `iam:CreateServiceLinkedRole` and `s3:DeleteBucketPolicy` permissions for resource management.  | 8/29/2025 | 
|  Policy update - [SageMakerStudioDomainExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy)  |  Policy updates to SageMakerStudioDomainExecutionRolePolicy - adding support for the new API actions - AssociateGovernedTerms and DisassociateGovernedTerms for the asset classification using restricted glossary terms feature in the catalog where users can associate or disassociate restricted glossary terms to an asset.  | 8/20/2025 | 
|  New policy - [SageMakerStudioUserIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMPermissiveExecutionPolicy)  |  This is an execution policy for using IAM roles with Amazon SageMaker Unified Studio. It grants users access to resources, including broad access to data resources.  | 8/20/2025 | 
|  New policy - [SageMakerStudioAdminIAMPermissiveExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMPermissiveExecutionPolicy)  |  This is an administrative execution policy for using IAM roles with Amazon SageMaker Unified Studio. It grants administrative access to provision, manage, and access resources, including broad access to data resources.  | 8/20/2025 | 
|  New policy - [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy)  |  This is an execution policy for using IAM roles with Amazon SageMaker Unified Studio. It grants users access to resources, excluding access to data resources.  | 8/20/2025 | 
|  New policy - [SageMakerStudioAdminIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMDefaultExecutionPolicy)  |  This is an administrative execution policy for using IAM roles with Amazon SageMaker Unified Studio. It grants administrative access to provision, manage, and access resources in your account, excluding access to data resources.  | 8/20/2025 | 
|  New policy - [SageMakerStudioAdminIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminIAMConsolePolicy)  |  This policy provides administrative and individual setup privileges for Amazon SageMaker Unified Studio using the AWS Management Console and SDK. It grants permissions for launching Amazon SageMaker Unified Studio.  | 8/20/2025 | 
|  New policy - [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy)  |  This policy provides individual setup privileges for Amazon SageMaker Unified Studio using the AWS Management Console and SDK. It grants permissions for launching Amazon SageMaker Unified Studio.  | 8/20/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions to untag Amazon Athena, AWS CodeCommit, logs, scheduler, and Amazon EC2 resources. Also adding permissions to update Amazon Athena workgroups and delete the IAM role policy for Amazon SageMaker Unified Studio projects.  | 8/15/2025 | 
|  Policy update - [SageMakerStudioDomainExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy)  |  Policy updates to SageMakerStudioDomainExecutionRolePolicy - adding support for the new API actions - AssociateGovernedTerms and DisassociateGovernedTerms for the asset classification via restricted glossary terms feature in the catalog where users can associate or disassociate restricted glossary terms to an asset.  | 8/11/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to the SageMakerStudioProjectUserRolePolicy - adding permissions to support Amazon SageMaker Unified Studio seamlessly for customers with Data Catalog encryption. Also adding the `STS:SetContext` permission to support trusted identity propagation for external computes. Also updating the CloudWatch log group resources to be more specific.  | 7/30/2025 | 
|  Policy update - [SageMakerStudioFullAccess](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioFullAccess)  |  Policy update - generalizing the scope for SecretsManager `create` and `tag` permissions for new domains that will have the format of `dzd-` instead of `dzd_..`. Also adding permissions to allow users to use custom blueprint templates from Amazon S3 as well as upload their own template files to Amazon S3.  | 7/23/2025 | 
|  Policy update - [SageMakerStudioEMRServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy)  |  Policy update - removing unwanted KMS permissions for EMR cluster AtRestEncryption in the Amazon SageMaker Unified Studio EmrOnEc2 blueprint, and adding permissions for the EMR cluster to encrypt customer data with a customer managed KMS key for logs pushed to the Amazon S3 bucket in Amazon SageMaker Unified Studio when using the EmrOnEc2 blueprint with customer managed encryption.  | 7/23/2025 | 
|  Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy)  |  Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permissions to support cross-account Amazon S3 asset subscription fulfillment using Amazon S3 access grants.  | 7/23/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions to create and manage Amazon S3 table buckets and to automate the S3 table analytics integration flow within Amazon SageMaker Unified Studio. Also adding permissions to read templates from users' S3 buckets and to validate the template using AWS CloudFormation. Also adding permissions to get and create an S3 access grant instance in the project account to support managing subscriptions for S3 asset types. Also adding `neptune-graph:*` and `s3vectors:*` permissions to support Knowledge Base vector store management for two new vector store services in Amazon SageMaker Unified Studio: S3Vectors vector buckets and Neptune Analytics graphs. Also adding permissions to allow cross-account project access for encrypted domains. And adding support for data onboarding in Amazon SageMaker Unified Studio.  | 7/15/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy update - adding permissions to allow deletion of AWS Glue databases in Amazon Datalake, adding `sqlworkbench` service principals for the `redshift-serverless:GetCredentials` action, adding permissions to fetch jobs based on tags and resources, adding permissions to update Amazon CloudWatch metrics from job runs and read/write job logs, and adding permissions to support Amazon S3 access grants. Also adding permissions to allow cross-account project access for encrypted domains and adding support for `ProjectRole` and `DescribeResource` actions in order to check for the Amazon S3 tables' Lake Formation registration.  | 7/15/2025 | 
|  New policy - [SageMakerStudioAdminProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioAdminProjectUserRolePolicy)  |  New policy - This IAM policy grants an IAM role full access to the AWS Glue Data Catalog (metadata) and Amazon S3 (actual data) for the data lake operations, with access scoped by region, account, and role tags.  | 7/15/2025 | 
|  Policy update - [SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy)  |  Policy updates to the SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy - adding `neptune-graph:*` and `s3vectors:*` permissions to support vector read/write on vector stores for two new vector store services: S3Vectors vector buckets and Neptune Analytics graphs.   | 7/15/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy update - adding permissions to access Amazon Athena default catalog resource.  | 6/25/2025 | 
|  Policy update - [SageMakerStudioDomainExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy)  |  Policy updates to the SageMakerStudioDomainExecutionRolePolicy - adding support for the Amazon Q `GetIdentityMetadata` API action in order to obtain user's Q subscription information to set an appropriate subscription tier badge.   | 6/18/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to the SageMakerStudioProjectUserRolePolicy - restoring the previously removed `ListBucket` permission to fix issues in AWS Glue sessions and connections.   | 6/13/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to the SageMakerStudioProjectUserRolePolicy - adding permissions to list Amazon Bedrock foundation models. Removing permissions to terminate EMR clusters, change security group rules, access the Amazon Athena default catalog, and list S3 buckets at the bucket level.  | 6/13/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding the untag role permission to fix project update failure. Also adding permissions to integrate with Amazon QuickSight. Also optimizing to reduce the policy size. And adding permissions to enable automatic sync of repositories.  | 6/04/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to the SageMakerStudioProjectUserRolePolicy - removing RedshiftDbUser format restriction. Adding KMS permissions required by dependent services for Federated Data Connection. Adding permissions to support Amazon QuickSight integration.  | 6/04/2025 | 
|  Policy update - [AmazonDataZoneBedrockModelConsumptionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy)  |  Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy - adding permissions to call the `ListFoundationModels` action. This permission is added to help get model metadata more programmatically when the user is selecting which models to invoke.  | 5/28/2025 | 
|  Policy update - [SageMakerStudioFullAccess](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioFullAccess)  |  Policy updates to the SageMakerStudioFullAccess - adding permissions to support attaching or updating AWS managed permissions in AWS RAM resource shares in the Amazon SageMaker console.  | 5/22/2025 | 
|  Policy update - [AmazonDataZoneBedrockModelConsumptionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy)  |  Policy updates to the AmazonDataZoneBedrockModelConsumptionPolicy - adding support for the conversation history feature powered by Amazon Bedrock session management in generative AI playgrounds.  | 5/13/2025 | 
|  Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy)  |  Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - as CodeEditor (VS Code) is introduced into Amazon SageMaker Unified Studio, users need the ability to create/delete CodeEditor space applications in Amazon SageMaker. Currently, only Amazon SageMaker space apps are allowed to be created with the JupyterLab app type. This change extends the current capability of creating/deleting JupyterLab space applications to CodeEditor (VS Code).  | 5/01/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding IAM permissions for the AmazonSageMakerQueryExecution role to support query execution role creation while enabling the Tooling blueprint. Adding the DeleteSchedule permission so that the Schedule Group can be deleted when a project is deleted. EventBridge runs DeleteSchedule automatically on Schedule Groups when it attempts to delete them, regardless of whether the Schedule Group actually contains schedules. This permission allows that DeleteSchedule call to be made during project deletion.  | 4/28/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to the SageMakerStudioProjectUserRolePolicy - adding permissions for integration with Amazon Bedrock Data Automation. Adding permissions to show Amazon Bedrock agent versions and their details to users. Adding permission to support Trusted Identity Propagation in QEv2. Ensuring project isolation for Amazon Bedrock Inline Agents.  | 4/28/2025 | 
|  Policy update - [SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy)  |  Policy updates to the SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy - adding support for structured data sources in Amazon Bedrock knowledge bases for generative AI app development projects.  | 4/16/2025 | 
|  Policy update - [SageMakerStudioBedrockFlowServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFlowServiceRolePolicy)  |  Policy updates to the SageMakerStudioBedrockFlowServiceRolePolicy - adding support for using Amazon Bedrock agent nodes in Amazon Bedrock flows for generative AI app development projects.  | 4/09/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to the SageMakerStudioProjectUserRolePolicy - preventing sharing provisioned Amazon Redshift-Serverless across all projects. Adding EventBridge Scheduler permissions for users to create schedules in the project schedule group. Adding permissions to handle Amazon SageMaker Studio migration to Amazon SageMaker Unified Studio. Adding support for the Amazon SageMaker App type CodeEditor.  | 4/09/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding `lakeformation:DescribeResource` to improve deregistering of federated connections. Adding EventBridge Scheduler permissions to manage a schedule group for each project. Adding permission to manage Amazon Bedrock resources directly from the Amazon DataZone service. Adding support for the Amazon SageMaker App type CodeEditor.  | 4/09/2025 | 
|  Policy update - [SageMakerStudioDomainExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy)  |  Policy updates to the SageMakerStudioDomainExecutionRolePolicy - adding support for the GetUpdateEligibility API, which Amazon SageMaker Unified Studio requires to fetch update comments and determine a project's eligibility for the project update workflow. Also adding support for the existing Amazon DataZone Rule APIs, which Amazon SageMaker Unified Studio requires to manage and enforce rules.   | 3/25/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to the SageMakerStudioProjectUserRolePolicy - preventing default AWS Glue database from being listed as it causes issues with Spark SQL. Also adding permission to use new project-wide Amazon Bedrock service role for improved scalability.  | 3/21/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permission to describe stack event for better error reporting.  | 3/21/2025 | 
|  Policy update - [SageMakerStudioBedrockFlowServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFlowServiceRolePolicy)  |  Policy updates to the SageMakerStudioBedrockFlowServiceRolePolicy - adding KMS permissions to decrypt Amazon Bedrock guardrails attached to Amazon Bedrock flows.  | 3/10/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permission to change trust policy during project update to address confused deputy problem. Also adding permission to attach PartnerApps policy to the user role.  | 3/05/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding support for ProjectUpdate for EMR Serverless blueprint to proactively notify users on invalid updates on EMR Serverless application.  | 3/04/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - renaming Amazon Bedrock tag and adding permission to remove deprecated tag on roles.  | 2/28/2025 | 
|  Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy)  |  Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding support for the MLFlow Tracking Server in a shared VPC, and applying a visibility condition to the Amazon SageMaker Search API.  | 2/28/2025 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePolicy)  |  Policy updates to the SageMakerStudioProjectUserRolePolicy - changes to support a shared VPC by removing the ResourceAccount condition on actions that depend on VPCs/subnets. Moving permissions from inline policies into this AWS managed policy for Amazon EMR, EMR Serverless, and federated connections. Adding support for buckets with public access blocked via the `s3:GetBucketPublicAccessBlock` permission. Adding permission to support data lineage in Amazon DataZone. Supporting Amazon LakeFormation ABAC by adding a session tag to the access role. Supporting users operating on private Amazon ECR. Also adding support for managing AWS Glue subscriptions by the user.  | 2/28/2025 | 
|  Policy update - [SageMakerStudioEMRServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy)  |  Policy updates to the SageMakerStudioEMRServiceRolePolicy - adding permissions to allow Amazon EMR to create network interfaces against Shared VPC.  | 2/28/2025 | 
|  New policy - [SageMakerStudioEMRInstanceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRInstanceRolePolicy.html)  |  Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions and uses this policy when creating these roles to define the permissions related to EMR.  | 2/28/2025 | 
|  New policy - [SageMakerStudioBedrockFunctionExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFunctionExecutionRolePolicy)  |  This policy allows AWS Lambda to access an Amazon Bedrock function component's configuration in Amazon SageMaker Unified Studio.  | 2/25/2025 | 
|  New policy - [SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy)  |  This policy provides access to configure vector stores and Amazon Bedrock knowledge bases in Amazon SageMaker Unified Studio.  | 2/25/2025 | 
|  New policy - [SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy)  |  This policy allows Amazon Bedrock Knowledge Bases to access Amazon Bedrock models and data sources in Amazon SageMaker Unified Studio.  | 2/25/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to the SageMakerStudioProjectProvisioningRolePolicy - adding permissions for batch grants in AWS LakeFormation to give grants to IDC users. Adding various `Update*` permissions to allow managing project resources. Removing `ResourceAccount` condition on resources depending on VPC to allow usage of shared VPC. Using new Amazon Bedrock managed policy name. Adding permissions to clean up Amazon EMR project level resources during project deletion.  | 2/24/2025 | 
|  New policy - [SageMakerStudioBedrockEvaluationJobServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockEvaluationJobServiceRolePolicy)  |  This policy allows Amazon Bedrock to access Amazon Bedrock models and datasets for evaluation jobs in Amazon SageMaker Unified Studio.  | 2/14/2025 | 
|  New policy - [SageMakerStudioBedrockPromptUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockPromptUserRolePolicy)  |  This policy provides access to an Amazon Bedrock prompt and its configuration in Amazon SageMaker Unified Studio.  | 2/14/2025 | 
|  New policy - [SageMakerStudioBedrockFlowServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockFlowServiceRolePolicy)  |  This policy allows Amazon Bedrock Flows to access Amazon Bedrock models and other resources attached to a flow in Amazon SageMaker Unified Studio.  | 2/14/2025 | 
|  New policy - [SageMakerStudioBedrockChatAgentUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockChatAgentUserRolePolicy)  |  This policy provides access to an Amazon Bedrock chat agent app's configuration and Amazon Bedrock agent in Amazon SageMaker Unified Studio.  | 2/14/2025 | 
|  New policy - [SageMakerStudioBedrockAgentServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioBedrockAgentServiceRolePolicy)  |  This policy allows Amazon Bedrock Agents to access Amazon Bedrock models and other resources attached to an agent in Amazon SageMaker Unified Studio.  | 2/14/2025 | 
|  Policy update - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectRoleMachineLearningPolicy)  |  Policy updates to the SageMakerStudioProjectRoleMachineLearningPolicy - adding permission for `DescribeAutoMLJobV2`, moving multiple Amazon SageMaker `List` operations to tag-based authorization, adding CMK permissions for JupyterLab, and adding the Amazon SageMaker `ListModelPackages` and `CreateModel` permissions for the cross-account use case.  | 2/14/2025 | 
|  New policy - [SageMakerStudioEMRServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioEMRServiceRolePolicy)  |  New policy SageMakerStudioEMRServiceRolePolicy - Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions and uses this policy when creating these roles to define the permissions related to Amazon EMR.  | 1/31/2025 | 
|  New policy - [SageMakerStudioQueryExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy)  |  New policy SageMakerStudioQueryExecutionRolePolicy - this is the default policy for the SageMakerQueryExecutionRole role. This policy provides permissions to run query executions on federated connections.   | 1/31/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy)  |  Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to manage IAM roles with only AWS managed policies attached to them and no permissions boundary. Also adding permissions to update the AWS Lambda function for Amazon Athena federated connections.  | 1/31/2025 | 
|  Policy update - [SageMakerStudioFullAccess](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioFullAccess)  |  Policy updates to SageMakerStudioFullAccess - updating the CodeConnections tagging permissions to support tagging for CodeConnections host resources in the Amazon SageMaker console.   | 1/24/2025 | 
|  Policy update - [SageMakerStudioDomainExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy.html)  |  Policy updates to SageMakerStudioDomainExecutionRolePolicy - adding support for the AWS CodeConnections APIs in order to make the Copy button available for self-managed Git providers.  | 1/24/2025 | 
|  Policy update - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.html)  |  Policy updates to SageMakerStudioProjectProvisioningRolePolicy - adding permissions to support CMK in CodeCommit, AWS Glue Catalog, and Amazon Redshift Serverless.  | 12/18/2024 | 
|  Policy update - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneProjectRolePolicy.html)  |  Policy updates to SageMakerStudioProjectUserRolePolicy - adding permissions to support CMK in CodeCommit and AWS Glue Catalog.  | 12/18/2024 | 
|  Policy update - [SageMakerStudioProjectUserRolePermissionsBoundary](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.html)  |  Policy updates to SageMakerStudioProjectUserRolePermissionsBoundary - adding permissions to support CMK in CodeCommit, AWS Glue Catalog, Amazon Redshift Serverless, and EMR on EC2.  | 12/18/2024 | 
|  New policy - [SageMakerStudioFullAccess](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioFullAccess.html)  |  Adding a new managed policy - this policy provides full access to Amazon SageMaker Unified Studio via the Amazon SageMaker management console.  | 12/02/2024 | 
|  New policy - [SageMakerStudioProjectUserRolePermissionsBoundary](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectUserRolePermissionsBoundary.html)  |  Adding a new managed policy - SageMakerStudioProjectUserRolePermissionsBoundary. Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define the boundary of their permissions.  | 12/02/2024 | 
|  New policy - [SageMakerStudioProjectProvisioningRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.html)  |  Adding a new managed policy - SageMakerStudioProjectProvisioningRolePolicy. Amazon SageMaker Unified Studio uses this policy to provision and manage resources in your account.  | 12/02/2024 | 
|  New policy - [SageMakerStudioDomainExecutionRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy.html)  |  Adding a new managed policy - SageMakerStudioDomainExecutionRolePolicy - Default policy for the SageMakerUnifiedStudioDomainExecutionRole service role. This role is used by Amazon SageMaker Unified Studio to catalog, discover, govern, share, and analyze data in the Amazon SageMaker Unified Studio domain.  | 12/02/2024 | 
|  New policy - [SageMakerStudioDomainServiceRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioDomainServiceRolePolicy.html)  |  Adding a new managed policy - SageMakerStudioDomainServiceRolePolicy. This is the default policy for the SageMakerUnifiedStudioDomainServiceRole service role. This policy is used by Amazon SageMaker Unified Studio to access the SSM parameters in the user's account. Those parameters are set by the administrator in the Amazon SageMaker Unified Studio project profiles. This policy also has permissions to AWS KMS for encrypted SSM parameters. The KMS key must be tagged with EnableKeyForAmazonDataZone to allow decrypting the SSM parameters.  | 12/02/2024 | 
|  New policy - [SageMakerStudioProjectUserRolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneProjectRolePolicy.html)  |  Adding a new managed policy - SageMakerStudioProjectUserRolePolicy. Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define their permissions.  | 12/02/2024 | 
|  New policy - [SageMakerStudioProjectRoleMachineLearningPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneSageMakerProjectRolePolicy.html)  |  Adding a new managed policy - SageMakerStudioProjectRoleMachineLearningPolicy. Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, artificial intelligence, and machine learning actions, and uses this policy when creating these roles to define their permissions.  | 12/02/2024 | 
|  New policy - [AmazonDataZoneBedrockModelManagementPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelManagementPolicy.html)  |  Adding a new managed policy - AmazonDataZoneBedrockModelManagementPolicy - that provides permissions to manage Amazon Bedrock model access, including creating, tagging and deleting application inference profiles.  | 12/02/2024 | 
|  New policy - [AmazonDataZoneBedrockModelConsumptionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy.html)  |  Adding a new managed policy - AmazonDataZoneBedrockModelConsumptionPolicy - that provides permissions to consume Amazon Bedrock models, including invoking the Amazon Bedrock application inference profile created for a particular Amazon DataZone domain.  | 12/02/2024 | 
|  Amazon SageMaker Unified Studio started tracking changes  |  Amazon SageMaker Unified Studio started tracking changes for its AWS managed policies.  | 12/02/2024 | 
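Because AWS adds permissions to these managed policies over time, it helps to be able to see exactly what a new policy version changed. The following is an added example, not code from the AWS documentation: it diffs two versions of a policy document and reports which `Allow` actions were added, removed, or moved under a `Condition` (the kinds of changes the table above records). The two policy documents and the `ExampleProject` tag key are constructed samples.

```python
import json
from typing import Dict, Set, Tuple

# Constructed sample: an "old" and a "new" version of a policy document.
# Not a real AWS managed policy; the tag key is a placeholder.
OLD_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sagemaker:ListModels", "sagemaker:DescribeModel"],
         "Resource": "*"},
    ],
}
NEW_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sagemaker:DescribeModel", "sagemaker:DescribeAutoMLJobV2"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "sagemaker:ListModels", "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/ExampleProject": "${aws:PrincipalTag/ExampleProject}"}}},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_actions(doc: dict) -> Dict[str, str]:
    """Map each Allow action to a canonical JSON string of its Condition ("{}" if none)."""
    actions: Dict[str, str] = {}
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in _as_list(stmt.get("Action")):
            # An unconditional grant is the effective one if both forms exist.
            if action not in actions or cond == "{}":
                actions[action] = cond
    return actions


def diff_policy_actions(old_doc: dict, new_doc: dict) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, condition_changed) sets of Allow action names."""
    old, new = allow_actions(old_doc), allow_actions(new_doc)
    added = set(new) - set(old)
    removed = set(old) - set(new)
    changed = {a for a in set(old) & set(new) if old[a] != new[a]}
    return added, removed, changed
```

Run it against the real documents by fetching the policy's previous and current default versions with the IAM `GetPolicyVersion` API and passing the two decoded documents to `diff_policy_actions`.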