Amazon Managed Policies for SageMaker Notebooks
These Amazon managed policies add permissions required to use SageMaker Notebooks. The policies are available in your Amazon account and are used by execution roles created from the SageMaker console.
Topics
Amazon managed policy: AmazonSageMakerNotebooksServiceRolePolicy
This Amazon managed policy grants permissions commonly needed to use Amazon SageMaker Notebooks.
The policy is added to the AmazonSageMaker-ExecutionRole that is created when
you onboard to Amazon SageMaker Studio Classic. For more information on service-linked roles, see
Service-Linked Roles.
Permissions details
This policy includes the following permissions.
-
elasticfilesystem– Allows principals to create and delete Amazon Elastic File System (EFS) file systems, access points, and mount targets. These are limited to those tagged with the key ManagedByAmazonSageMakerResource. Allows principals to describe all EFS file systems, access points, and mount targets. Allows principals to create or overwrite tags for EFS access points and mount targets. -
ec2– Allows principals to create network interfaces and security groups for Amazon Elastic Compute Cloud (EC2) instances. Also allows principals to create and overwrite tags for these resources. -
sso– Allows principals to add and delete managed application instances to Amazon IAM Identity Center. -
sagemaker– Allows principals to create and read SageMaker user profiles. Also allows principals to create, read and delete SageMaker spaces. Allows principals to add and list tags.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowEFSAccessPointCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateAccessPoint", "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*", "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSAccessPointDeletion", "Effect": "Allow", "Action": [ "elasticfilesystem:DeleteAccessPoint" ], "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSMountWithDeletion", "Effect": "Allow", "Action": [ "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget" ], "Resource": "*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSDescribe", "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" }, { "Sid": "AllowEFSTagging", "Effect": "Allow", "Action": "elasticfilesystem:TagResource", "Resource": [ "arn:aws:elasticfilesystem:*:*:access-point/*", "arn:aws:elasticfilesystem:*:*:file-system/*" ], "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEC2Tagging", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid": "AllowEC2Operations", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:DeleteNetworkInterface", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute" ], "Resource": "*" }, { "Sid": "AllowEC2AuthZ", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowIdcOperations", "Effect": "Allow", "Action": [ "sso:CreateManagedApplicationInstance", "sso:DeleteManagedApplicationInstance", "sso:GetManagedApplicationInstance" ], "Resource": "*" }, { "Sid": "AllowSagemakerProfileCreation", "Effect": "Allow", "Action": [ "sagemaker:CreateUserProfile", "sagemaker:DescribeUserProfile" ], "Resource": "*" }, { "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:DescribeSpace", "sagemaker:DeleteSpace", "sagemaker:ListTags" ], "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*" }, { "Sid": "AllowSagemakerAddTagsForAppManagedSpaces", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*", "Condition": { "StringEquals": { "sagemaker:TaggingAction": "CreateSpace" } } } ] }
Amazon SageMaker updates to SageMaker Notebooks managed policies
View details about updates to Amazon managed policies for Amazon SageMaker since this service began tracking these changes.
| Policy | Version | Change | Date |
|---|---|---|---|
|
AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy |
8 |
Add |
May 22, 2024 |
AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy |
7 |
Add |
March 9, 2023 |
AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy |
6 |
Add |
January 12, 2023 |
|
SageMaker started tracking changes for its Amazon managed policies. |
June 1, 2021 |