Amazon managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess

This policy provides administrative privileges required for setting up Amazon SageMaker HyperPod observability. It enables access to Amazon Managed Prometheus, Amazon Managed Grafana and Amazon Elastic Kubernetes Service add-ons. The policy also includes broad access to Grafana HTTP APIs through ServiceAccountTokens across all Amazon Managed Grafana workspaces in your account.

The following is the policy JSON.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PrometheusCreateAccess",
			"Effect": "Allow",
			"Action": [
				"aps:CreateWorkspace"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:RequestTag/SageMaker": "true"
				}
			}
		},
		{
			"Sid": "PrometheusTagsAccess",
			"Effect": "Allow",
			"Action": "aps:TagResource",
			"Resource": [
				"arn:aws:aps:*:*:/workspaces",
				"arn:aws:aps:*:*:rulegroupsnamespace/*/HyperPodObservabilityNamespace"
			],
			"Condition": {
				"ForAllValues:StringEquals": {
					"aws:TagKeys": [
						"SageMaker"
					]
				},
				"StringEquals": {
					"aws:RequestTag/SageMaker": "true",
					"aws:ResourceTag/SageMaker": "true"
				}
			}
		},
		{
			"Sid": "PrometheusDescribeAccess",
			"Effect": "Allow",
			"Action": [
				"aps:DescribeWorkspace"
			],
			"Resource": "arn:aws:aps:*:*:workspace/*"
		},
		{
			"Sid": "PrometheusListAccess",
			"Effect": "Allow",
			"Action": [
				"aps:ListWorkspaces"
			],
			"Resource": "*"
		},
		{
			"Sid": "PrometheusAlertsRuleGroupAccess",
			"Effect": "Allow",
			"Action": [
				"aps:CreateAlertManagerDefinition",
				"aps:DescribeAlertManagerDefinition",
				"aps:DescribeRuleGroupsNamespace",
				"aps:ListRuleGroupsNamespaces"
			],
			"Resource": [
				"arn:aws:aps:*:*:workspace/*",
				"arn:aws:aps:*:*:rulegroupsnamespace/*/HyperPodObservabilityNamespace"
			]
		},
		{
			"Sid": "PrometheusCreateRuleGroupAccess",
			"Effect": "Allow",
			"Action": "aps:CreateRuleGroupsNamespace",
			"Resource": "arn:aws:aps:*:*:rulegroupsnamespace/*/HyperPodObservabilityNamespace",
			"Condition": {
				"StringEquals": {
					"aws:RequestTag/SageMaker": "true",
					"aws:ResourceTag/SageMaker": "true"
				}
			}
		},
		{
			"Sid": "GrafanaCreateWorkspaceAccess",
			"Effect": "Allow",
			"Action": [
				"grafana:CreateWorkspace"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:RequestTag/SageMaker": "true"
				}
			}
		},
		{
			"Sid": "GrafanaTagsAccess",
			"Effect": "Allow",
			"Action": "grafana:TagResource",
			"Resource": "arn:aws:grafana:*:*:/workspaces",
			"Condition": {
				"ForAllValues:StringEquals": {
					"aws:TagKeys": [
						"SageMaker"
					]
				},
				"StringEquals": {
					"aws:RequestTag/SageMaker": "true",
					"aws:ResourceTag/SageMaker": "true"
				}
			}
		},
		{
			"Sid": "GrafanaListAccess",
			"Effect": "Allow",
			"Action": [
				"grafana:ListWorkspaces"
			],
			"Resource": "*"
		},
		{
			"Sid": "GrafanaServiceAccountAccess",
			"Effect": "Allow",
			"Action": [
				"grafana:DescribeWorkspace",
				"grafana:CreateWorkspaceApiKey",
				"grafana:CreateWorkspaceServiceAccount",
				"grafana:CreateWorkspaceServiceAccountToken",
				"grafana:ListWorkspaceServiceAccounts",
				"grafana:ListWorkspaceServiceAccountTokens",
				"grafana:DeleteWorkspaceServiceAccountToken"
			],
			"Resource": "arn:aws:grafana:*:*:/workspaces/*"
		},
		{
			"Sid": "IAMGrafanaPassRoleAccess",
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": "arn:aws:iam::*:role/AmazonSageMakerHyperPodObservabilityGrafanaAccess-*",
			"Condition": {
				"StringLike": {
					"iam:PassedToService": [
						"grafana.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "IAMEKSPassRoleAccess",
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": "arn:aws:iam::*:role/AmazonSageMakerHyperPodObservabilityAddonAccess-*",
			"Condition": {
				"StringLike": {
					"iam:PassedToService": [
						"pods.eks.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "IAMGetRoleAccess",
			"Effect": "Allow",
			"Action": "iam:GetRole",
			"Resource": [
				"arn:aws:iam::*:role/AmazonSageMakerHyperPodObservabilityAddonAccess-*"
			]
		},
		{
			"Sid": "HyperPodClusterAccess",
			"Effect": "Allow",
			"Action": [
				"sagemaker:ListClusters",
				"sagemaker:DescribeCluster"
			],
			"Resource": "*"
		},
		{
			"Sid": "EKSAddonAccess",
			"Effect": "Allow",
			"Action": [
				"eks:DeleteAddon",
				"eks:UpdateAddon",
				"eks:DescribeAddon"
			],
			"Resource": "arn:aws:eks:*:*:addon/*/amazon-sagemaker-hyperpod-observability/*"
		},
		{
			"Sid": "EKSAddonDescribeAccess",
			"Effect": "Allow",
			"Action": [
				"eks:DescribeAddonConfiguration",
				"eks:DescribeAddonVersions"
			],
			"Resource": "*"
		},
		{
			"Sid": "EKSAddonDescribePodIdentityAccess",
			"Effect": "Allow",
			"Action": "eks:DescribePodIdentityAssociation",
			"Resource": "arn:aws:eks:*:*:podidentityassociation/*/*"
		},
		{
			"Sid": "EKSListDescribeAccess",
			"Effect": "Allow",
			"Action": [
				"eks:ListAddons",
				"eks:DescribeCluster"
			],
			"Resource": "arn:aws:eks:*:*:cluster/*"
		},
		{
			"Sid": "EKSCreateAccess",
			"Effect": "Allow",
			"Action": [
				"eks:CreateAddon",
				"eks:CreatePodIdentityAssociation"
			],
			"Resource": "arn:aws:eks:*:*:cluster/*",
			"Condition": {
				"StringEquals": {
					"aws:RequestTag/SageMaker": "true"
				}
			}
		},
		{
			"Sid": "EKSTagsAccess",
			"Effect": "Allow",
			"Action": "eks:TagResource",
			"Resource": [
				"arn:aws:eks:*:*:cluster/*",
				"arn:aws:eks:*:*:addon/*/*/*",
				"arn:aws:eks:*:*:podidentityassociation/*/*"
			],
			"Condition": {
				"ForAllValues:StringEquals": {
					"aws:TagKeys": [
						"SageMaker"
					]
				},
				"StringEquals": {
					"aws:RequestTag/SageMaker": "true",
					"aws:ResourceTag/SageMaker": "true"
				}
			}
		},
		{
			"Sid": "SSOAccess",
			"Effect": "Allow",
			"Action": [
				"sso:DescribeRegisteredRegions",
				"sso:CreateManagedApplicationInstance"
			],
			"Resource": "*"
		}
	]
}