Amazon managed policies for SageMaker notebooks - Amazon SageMaker

Amazon managed policies for SageMaker notebooks

These Amazon managed policies add the permissions required to use SageMaker notebooks. The policies are available in your Amazon account and are used by execution roles created from the SageMaker console.

Amazon managed policy: AmazonSageMakerNotebooksServiceRolePolicy

This Amazon managed policy grants the permissions commonly required to use Amazon SageMaker notebooks. The policy is added to the AmazonSageMaker-ExecutionRole that is created when you sign in to Amazon SageMaker Studio. For more information about service-linked roles, see Service-linked roles.

Permissions details

This policy includes the following permissions.

  • elasticfilesystem - Allows principals to create and delete Amazon Elastic File System (EFS) file systems, access points, and mount targets. These are limited to objects tagged with the ManagedByAmazonSageMakerResource key. Allows principals to describe all EFS file systems, access points, and mount targets. Allows principals to create or overwrite tags on EFS access points and mount targets.

  • ec2 - Allows principals to create network interfaces and security groups for Amazon Elastic Compute Cloud (EC2) instances. Also allows principals to create and overwrite tags on these resources.

  • sso - Allows principals to add managed application instances to, and remove them from, Amazon IAM Identity Center.

  • sagemaker - Allows principals to create and read SageMaker user profiles.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateAccessPoint",
      "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
          "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DeleteAccessPoint"
      ],
      "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateFileSystem",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:TagResource",
      "Resource": [
        "arn:aws:elasticfilesystem:*:*:access-point/*",
        "arn:aws:elasticfilesystem:*:*:file-system/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:CreateManagedApplicationInstance",
        "sso:DeleteManagedApplicationInstance",
        "sso:GetManagedApplicationInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateUserProfile",
        "sagemaker:DescribeUserProfile"
      ],
      "Resource": "*"
    }
  ]
}
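To see what the tag conditions in this policy actually gate, here is an added example in Python (not from the AWS documentation): a deliberately simplified IAM evaluator that models only Allow statements and the StringLike operator, run against four statements copied from the policy above. It shows that the delete actions are refused on EFS and EC2 resources lacking the ManagedByAmazonSageMakerResource tag, that elasticfilesystem:CreateFileSystem requires the tag to be supplied in the request, and that the Describe actions are unconditional; the file-system and security-group ARNs used in the checks are constructed placeholders.

```python
import fnmatch
import json

# Four statements copied from the AmazonSageMakerNotebooksServiceRolePolicy
# document above; the remaining statements follow the same three patterns.
POLICY = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*",
   "Condition": {"StringLike": {"aws:RequestTag/ManagedByAmazonSageMakerResource": "*"}}},
  {"Effect": "Allow", "Action": ["elasticfilesystem:DeleteFileSystem",
   "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteMountTarget"], "Resource": "*",
   "Condition": {"StringLike": {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"}}},
  {"Effect": "Allow", "Action": ["elasticfilesystem:DescribeAccessPoints",
   "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets"],
   "Resource": "*"},
  {"Effect": "Allow", "Action": ["ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress"],
   "Resource": "*", "Condition": {"StringLike": {"ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"}}}
 ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the StringLike operator this policy uses (simplified evaluator, constructed
    here). A context key that is absent fails the condition, as IAM does for a missing tag."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource ARN and request context.
    Simplified: no Deny, no SCPs, no resource policies; False means this policy alone grants nothing."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

A real authorization decision also evaluates explicit Deny statements, SCPs and resource policies; this evaluator only answers whether this one policy grants the call.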

Amazon SageMaker updates to SageMaker notebook managed policies

View details about updates to Amazon managed policies for Amazon SageMaker since this service began tracking these changes.

Policy | Version | Change | Date
--- | --- | --- | ---
AmazonSageMakerNotebooksServiceRolePolicy | 7 | Added the elasticfilesystem:TagResource permission. | March 9, 2023
AmazonSageMakerNotebooksServiceRolePolicy | 6 | Added permissions for elasticfilesystem:CreateAccessPoint, elasticfilesystem:DeleteAccessPoint, and elasticfilesystem:DescribeAccessPoints. | January 12, 2023
 | | SageMaker started tracking changes to its Amazon managed policies. | June 1, 2021