Multi-Model Endpoint Security
Models and data in a multi-model endpoint are co-located on the instance storage volume and in
container memory. All instances for Amazon SageMaker endpoints run on a single-tenant container that
you own. Only your models can run on your multi-model endpoint. It's your responsibility to
manage the mapping of requests to models and to provide access for users to the correct target
models. SageMaker uses IAM roles
By default, an IAM principal with InvokeEndpoint permissions on a multi-model endpoint can invoke any model at the address of the S3 prefix defined in the CreateModel operation, provided that the IAM execution role defined in that operation has permissions to download the model. If you need to restrict InvokeEndpoint access to a limited set of models in S3, you can do one of the following:
- Restrict InvokeEndpoint calls to specific models hosted at the endpoint by using the sagemaker:TargetModel IAM condition key. For example, the following policy allows InvokeEndpoint requests only when the value of the TargetModel field matches one of the specified regular expressions (the TargetModel provided must be from this set of values):

  ```json
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "sagemaker:InvokeEndpoint"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sagemaker:region:account-id:endpoint/endpoint_name",
              "Condition": {
                  "StringLike": {
                      "sagemaker:TargetModel": ["company_a/*", "common/*"]
                  }
              }
          }
      ]
  }
  ```

  For information about SageMaker condition keys, see Condition Keys for Amazon SageMaker in the Amazon Identity and Access Management User Guide.
- Create multi-model endpoints with more restrictive S3 prefixes.
For more information about how SageMaker uses roles to manage access to endpoints and perform operations on your behalf, see SageMaker Roles. Your customers might also have certain data isolation requirements dictated by their own compliance requirements that can be satisfied using IAM identities.
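The following Python is an added example, not code from the AWS documentation: it checks candidate TargetModel values against the StringLike patterns of the policy above before deployment, and shows an application-side mapping from a tenant's request to a TargetModel value. `resolve_target`, the tenant prefix and the model names are hypothetical, and `policy_allows` is a simplified emulation of IAM evaluation that looks only at Allow statements and this one condition key.

```python
import re

# Constructed policy mirroring the one above; the ARN parts are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sagemaker:InvokeEndpoint"],
        "Resource": "arn:aws:sagemaker:region:account-id:endpoint/endpoint_name",
        "Condition": {"StringLike": {
            "sagemaker:TargetModel": ["company_a/*", "common/*"]}},
    }],
}

def string_like(pattern, value):
    """Emulate IAM StringLike: case-sensitive, '*' = any run, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def policy_allows(policy, target_model):
    """Simplified check: does any Allow statement's TargetModel condition match?
    Ignores Deny statements, Resource matching and other condition operators."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        patterns = cond.get("sagemaker:TargetModel")
        if patterns is None:
            return True  # no TargetModel condition: every model is invocable
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(string_like(p, target_model) for p in patterns):
            return True
    return False

def resolve_target(tenant_prefix, model_name):
    """Hypothetical application-side mapping from a caller's request to a
    TargetModel value. Rejects names that are not plain relative paths."""
    parts = model_name.split("/")
    if not model_name or any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"rejected model name: {model_name!r}")
    return f"{tenant_prefix}/{model_name}"

if __name__ == "__main__":
    own = resolve_target("company_a", "model1.tar.gz")  # constructed names
    for target in (own, "common/base.tar.gz", "company_b/model1.tar.gz"):
        print(target, policy_allows(POLICY, target))
```

Running the same candidate list against every tenant's policy in CI catches a pattern that is broader than intended before the policy is attached.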