Amazon SageMaker adds permissions boundaries for SCP compliance

Amazon Web Services has enhanced SageMaker Unified Studio with support for custom IAM permissions boundaries, enabling organizations with strict Service Control Policy (SCP) requirements to adopt the platform without compromising their security frameworks. The update addresses a compliance gap that previously prevented enterprises from using SageMaker Unified Studio when their SCPs mandated permissions boundaries on all IAM roles.

When users create projects in SageMaker Unified Studio, the platform automatically provisions three IAM roles: a project user role, an Amazon Bedrock service role, and a Bedrock Lambda execution role. Administrators can now specify a permissions boundary in the Tooling blueprint configuration, which is automatically applied to all three roles during creation. This ensures SCP compliance from the outset while allowing project provisioning to proceed without manual administrator intervention.

The permissions boundaries also provide ongoing security control by limiting what the provisioned roles can execute, maintaining administrative oversight even as new projects are created across the organization. The feature is configured at the blueprint level, meaning the permissions boundary policy applies automatically to every new project, streamlining compliance across large-scale deployments. The capability is now available in all AWS regions where SageMaker Unified Studio operates.
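The compliance gap described above can be modeled in a few lines. This is an added example, not AWS's code or part of the original release: the SCP, the boundary ARN and the three role names are constructed placeholders, and the evaluator is a simplified model that handles only Deny statements with a `StringNotEquals` condition.

```python
import json

# Constructed placeholder ARN; substitute your organization's boundary policy.
BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/ExampleProjectBoundary"

# SCP of the kind the article describes: deny role creation unless the
# request attaches the mandated permissions boundary.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCreateRoleWithoutBoundary",
        "Effect": "Deny",
        "Action": "iam:CreateRole",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
    }],
}

# Hypothetical names for the three roles provisioned per project.
PROJECT_ROLES = ["project-user-role", "bedrock-service-role", "bedrock-lambda-exec-role"]


def scp_denies(scp, action, context):
    """Simplified model: evaluates only Deny + StringNotEquals statements.

    For a negated operator, a key missing from the request context counts
    as a match, so a CreateRole call with no boundary is denied.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if all(context.get(key) != want for key, want in cond.items()):
            return True
    return False


def provisioning_result(boundary_arn=None):
    """Map each project role to the SCP outcome of its CreateRole call."""
    context = {"iam:PermissionsBoundary": boundary_arn} if boundary_arn else {}
    denied = scp_denies(SCP, "iam:CreateRole", context)
    return {name: "denied" if denied else "not denied" for name in PROJECT_ROLES}


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    print("no boundary:  ", provisioning_result())
    print("with boundary:", provisioning_result(BOUNDARY_ARN))
```

"Not denied" means only that the SCP does not block the call; the caller's identity policies must still allow `iam:CreateRole`.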

Why It Matters

This update removes a significant adoption barrier for enterprise customers operating under strict cloud governance frameworks. Many large organizations use SCPs to enforce permissions boundaries as a security control, and this requirement previously made SageMaker Unified Studio incompatible with their compliance policies. By automating permissions boundary attachment during role creation, AWS has eliminated the need for custom workarounds or security policy modifications, potentially accelerating enterprise adoption of its AI/ML platform while maintaining zero-trust security principles.

Note

This summary is generated using AI analysis of the original press release. Always refer to the original source for complete details.