# Complete Amazon SageMaker AI prerequisites
<a name="gs-set-up"></a>

Before you can set up Amazon SageMaker AI, you must complete the following prerequisites. 
+ **Required**: You will need to create an Amazon Web Services (Amazon) account to get access to all of the Amazon services and resources for the account.
+ **Highly recommended**: We highly recommend that you create an administrative user to manage Amazon resources for the account, to adhere to the [Security best practices in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html). It is assumed that you have an administrative user for many of the administrative tasks throughout the SageMaker AI developer guide.
+ **Optional**: Configure the Amazon Command Line Interface (Amazon CLI) if you intend to manage your Amazon services and resources for the account using the Amazon CLI.

**Topics**
+ [Sign up for an Amazon Web Services account](#sign-up-for-aws)
+ [Secure IAM users](#secure-an-admin)
+ [(Optional) Configure the Amazon CLI](#gs-cli-prereq)

## Sign up for an Amazon Web Services account
<a name="sign-up-for-aws"></a>

If you do not have an Amazon Web Services account, use the following procedure to create one.

**To sign up for Amazon Web Services**

1. Open [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choose **Sign Up**.

1. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choosing **My Account**.

## Secure IAM users
<a name="secure-an-admin"></a>

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see [Enable a virtual MFA device for an IAM user (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user) in the *IAM User Guide*.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the *IAM User Guide*: 
+ [Creating an IAM user in your Amazon Web Services account](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_create.html)
+ [Access management for Amazon resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/access.html)
+ [Example IAM identity-based policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_examples.html)

When you create an administrative user to set up SageMaker AI, the administrative user should include specific permissions to create SageMaker AI resources. To view the permissions, expand the following administrator permissions section.

## Administrator permissions
<a name="gs-admin-permissions"></a>

When you create your administrative user using the preceding instructions, your administrative user should already include the permissions contained in the [AmazonSageMakerFullAccess](https://console.amazonaws.cn/iam/home?#/policies/arn:aws:iam::aws:policy/AmazonSageMakerFullAccess) policy, as well as the following permissions. These policies are needed to create a SageMaker AI domain among other tasks.

If you intend to create your own custom policy, these permissions are required to create a domain and get set up with SageMaker AI. For information about adding policies, see [Adding and removing IAM identity permissions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *Amazon Identity and Access Management User Guide*.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:*"
            ],
            "Resource": [
                "arn:aws-cn:sagemaker:*:*:domain/*",
                "arn:aws-cn:sagemaker:*:*:user-profile/*",
                "arn:aws-cn:sagemaker:*:*:app/*",
                "arn:aws-cn:sagemaker:*:*:flow-definition/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "servicecatalog:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

------

**Optional**: If you intend to manage your Amazon services and resources for the account using the Amazon CLI, proceed to the following instructions ([(Optional) Configure the Amazon CLI](#gs-cli-prereq)).

**After you have completed your prerequisites**, continue on to the setup instructions. You can continue on to your setup instructions by choosing one of the following options.
+ **[Use quick setup](onboard-quick-start.md)**: Fastest setup for individual users with default settings.
+ **[Use custom setup](onboard-custom.md)**: Advanced setup for enterprise Machine Learning (ML) administrators. Ideal option for ML administrators setting up SageMaker AI for many users or an organization.

## (Optional) Configure the Amazon CLI
<a name="gs-cli-prereq"></a>

To manage your domain and other Amazon services and resources using the Amazon CLI, complete the setup in [Set up the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/cli-chap-getting-started.html) in the *Amazon Command Line Interface User Guide for Version 2*.

**After you have completed your prerequisites**, continue on to the setup instructions. You can continue on to your setup instructions by choosing one of the following options.
+ **[Use quick setup](onboard-quick-start.md)**: Fastest setup for individual users with default settings.
+ **[Use custom setup](onboard-custom.md)**: Advanced setup for enterprise Machine Learning (ML) administrators. Ideal option for ML administrators setting up SageMaker AI for many users or an organization.