Posted On: Sep 8, 2022
Amazon SageMaker Studio is a fully integrated development environment (IDE) for machine learning that enables data scientists and developers to perform every step of the machine learning workflow, from preparing data to building, training, tuning, and deploying models. SageMaker Studio is integrated with AWS CloudTrail to enable administrators to monitor and audit user activity and API calls from Studio notebooks, SageMaker Data Wrangler and SageMaker Canvas. Starting today, you can configure SageMaker Studio to also record the user identity (specifically, user profile name) in CloudTrail events thereby enabling administrators to attribute those events to specific users, thus improving their organization's security and governance posture.
Administrators can audit user activity and API calls from Studio notebooks, SageMaker Data Wrangler and SageMaker Canvas through events logged in AWS CloudTrail. However, until today, those log records only identified events by the IAM role used by the user. This level of logging is sufficient to associate a CloudTrail event with a user when each user is assigned a unique IAM role. For data science teams where several users require similar data and resource access permissions, administrators frequently configure a single IAM role to be shared among those users. In such cases, administrators didn’t have the ability to attribute CloudTrail events to a specific user thus creating a gap in their auditing of user activity. Starting today, you can configure SageMaker Studio to automatically record the Studio user profile name as the Source Identity in CloudTrail events generated as a result of user activity and API calls from Studio notebooks, Data Wrangler and SageMaker Canvas. With this feature, administrators now have the ability to attribute Studio user actions to specific users even when users share the same IAM role.
This feature is generally available in the following AWS Regions: US East (Ohio), US East (N. Virginia), US West (N.California), US West (Oregon), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (Stockholm), Europe (Milan), Europe (Paris) and Europe (London), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Hong Kong), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Osaka), South America (São Paulo), Middle East (Bahrain) and Africa (Cape Town). To learn more, see Monitoring user resource access from Amazon SageMaker Studio in the SageMaker developer guide.