feat(aws): add iam_user_access_not_stale_to_sagemaker security check #11000

Draft
HugoPBrito wants to merge 1 commit into master from feat/iam-user-access-not-stale-to-sagemaker

Conversation

@HugoPBrito
Member

Context

Stale SageMaker permissions widen the blast radius of a credential compromise. An attacker who gains access to an IAM user with unused SageMaker permissions can access ML training data, models, endpoints, and notebooks — all without triggering expected usage patterns. This check helps enforce least privilege by detecting IAM users that hold SageMaker permissions but have not actually used the service recently.

Description

This check evaluates each IAM user that has SageMaker service permissions by inspecting IAM Access Advisor (service last accessed) data for the sagemaker namespace. A user passes if they have accessed SageMaker within the configured threshold (default 90 days). A user fails if their last SageMaker access exceeds the threshold or if they have never accessed the service. The recommended remediation is to review the Access Advisor tab and remove or scope down any SageMaker policies that are no longer actively used.

Steps to review

  1. Review the check implementation at prowler/providers/aws/services/iam/iam_user_access_not_stale_to_sagemaker/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Review compliance framework mappings in prowler/compliance/aws/ to ensure the check is correctly mapped to relevant requirements
  4. Run the check tests: poetry run pytest tests/providers/aws/services/iam/iam_user_access_not_stale_to_sagemaker/ -v
  5. Run the check against a real environment (if possible):
    prowler aws --check iam_user_access_not_stale_to_sagemaker

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me? If not, request it via the issue/feature here or in the Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
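As an added illustration of the pass/fail logic the description above lays out (this is not Prowler's check code; user names, timestamps and the `evaluate_user`/`run_check` names are constructed for the example):

```python
"""Stale-SageMaker-access evaluation modelled on the PR description.

Added example, not Prowler's own check code. Entries are shaped like the
ServicesLastAccessed list returned by boto3's iam.get_service_last_accessed_details()
({"ServiceNamespace": ..., "LastAuthenticated": datetime}). An entry without
LastAuthenticated means Access Advisor recorded no use in its tracking window
(roughly 400 days), so "never accessed" here means "no recorded use".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAGEMAKER_NAMESPACE = "sagemaker"
DEFAULT_MAX_UNUSED_DAYS = 90  # threshold named in the PR description

@dataclass
class Finding:
    user: str
    status: str  # "PASS" or "FAIL"
    status_extended: str

def evaluate_user(user_name, services_last_accessed, now, max_unused_days=DEFAULT_MAX_UNUSED_DAYS):
    """Return PASS/FAIL for one IAM user that holds SageMaker permissions."""
    entry = next((s for s in services_last_accessed
                  if s.get("ServiceNamespace") == SAGEMAKER_NAMESPACE), {})
    last = entry.get("LastAuthenticated")
    if last is None:  # no sagemaker entry, or an entry without a timestamp
        return Finding(user_name, "FAIL",
                       f"IAM user {user_name} has SageMaker permissions but has never accessed the service.")
    days = (now - last).days
    if days > max_unused_days:  # "exceeds the threshold": exactly 90 days still passes
        return Finding(user_name, "FAIL",
                       f"IAM user {user_name} last accessed SageMaker {days} days ago (threshold {max_unused_days}).")
    return Finding(user_name, "PASS",
                   f"IAM user {user_name} accessed SageMaker {days} days ago, within {max_unused_days} days.")

# Constructed sample Access Advisor data, not real account data.
NOW = datetime(2026, 5, 5, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "ml-engineer": [{"ServiceNamespace": "sagemaker", "LastAuthenticated": NOW - timedelta(days=12)}],
    "boundary-90": [{"ServiceNamespace": "sagemaker", "LastAuthenticated": NOW - timedelta(days=90)}],
    "boundary-91": [{"ServiceNamespace": "sagemaker", "LastAuthenticated": NOW - timedelta(days=91)}],
    "former-analyst": [{"ServiceNamespace": "sagemaker", "LastAuthenticated": NOW - timedelta(days=200)}],
    "deploy-bot": [{"ServiceNamespace": "sagemaker"},  # permission granted, never used
                   {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=1)}],
}

def run_check(users=SAMPLE_USERS, now=NOW, max_unused_days=DEFAULT_MAX_UNUSED_DAYS):
    """Evaluate every user and return the findings keyed by user name."""
    return {u: evaluate_user(u, svcs, now, max_unused_days) for u, svcs in users.items()}
```

Raising `max_unused_days` (the configurable threshold the description mentions) turns the 200-day user into a PASS, which is the knob to tune when a team legitimately trains models only a few times a year.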

Add new security check iam_user_access_not_stale_to_sagemaker for aws provider.
Includes check implementation, metadata, and unit tests.
@github-actions github-actions Bot added provider/aws Issues/PRs related with the AWS provider compliance Issues/PRs related with the Compliance Frameworks metadata-review labels May 5, 2026
@HugoPBrito HugoPBrito force-pushed the feat/iam-user-access-not-stale-to-sagemaker branch from cc1b667 to 376710d Compare May 5, 2026 09:57
@github-actions
Contributor

github-actions Bot commented May 5, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions
Contributor

github-actions Bot commented May 5, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions Bot commented May 5, 2026

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • iam_user_access_not_stale_to_sagemaker (aws): c5_aws, csa_ccm_4.0_aws, ens_rd2022_aws, fedramp_20x_ksi_low_aws, fedramp_low_revision_4_aws, fedramp_moderate_revision_4_aws, iso27001_2013_aws, iso27001_2022_aws, mitre_attack_aws, nis2_aws, nist_800_171_revision_2_aws, nist_800_53_revision_4_aws, nist_800_53_revision_5_aws, nist_csf_1.1_aws, nist_csf_2.0_aws, pci_3.2.1_aws, secnumcloud_3.2_aws

Use the no-compliance-check label to skip this check.

@codecov

codecov Bot commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 20.44%. Comparing base (7c6d658) to head (376710d).
⚠️ Report is 2 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (7c6d658) and HEAD (376710d).

HEAD has 3 uploads less than BASE
Flag BASE (7c6d658) HEAD (376710d)
prowler-py3.11-kubernetes 1 0
prowler-py3.12-kubernetes 1 0
prowler-py3.10-kubernetes 1 0
@@             Coverage Diff             @@
##           master   #11000       +/-   ##
===========================================
- Coverage   59.14%   20.44%   -38.71%     
===========================================
  Files           8      852      +844     
  Lines         399    24723    +24324     
===========================================
+ Hits          236     5054     +4818     
- Misses        163    19669    +19506     
Flag Coverage Δ
prowler-py3.10-aws 20.44% <100.00%> (?)
prowler-py3.10-kubernetes ?
prowler-py3.11-aws 20.44% <100.00%> (?)
prowler-py3.11-kubernetes ?
prowler-py3.12-aws 20.44% <100.00%> (?)
prowler-py3.12-kubernetes ?

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 20.44% <100.00%> (-38.71%) ⬇️
api ∅ <ø> (∅)

@github-actions
Contributor

github-actions Bot commented May 5, 2026

🔒 Container Security Scan

Image: prowler:388023c
Last scan: 2026-05-05 10:09:38 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 5
Total 5

5 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable
