

# Amazon Managed Policies for SageMaker Pipelines
<a name="security-iam-awsmanpol-pipelines"></a>

These Amazon managed policies add permissions required to use SageMaker Pipelines. The policies are available in your Amazon account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [Amazon managed policy: AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations)
+ [Amazon SageMaker AI updates to SageMaker AI Pipelines managed policies](#security-iam-awsmanpol-pipelines-updates)

## Amazon managed policy: AmazonSageMakerPipelinesIntegrations
<a name="security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations"></a>

This Amazon managed policy grants permissions commonly needed to use Callback steps and Lambda steps in SageMaker Pipelines. The policy is added to the `AmazonSageMaker-ExecutionRole` that is created when you onboard to Amazon SageMaker Studio Classic. The policy can be attached to any role used for authoring or executing a pipeline.

This policy grants appropriate Amazon Lambda, Amazon Simple Queue Service (Amazon SQS), Amazon EventBridge, and IAM permissions needed when building pipelines that invoke Lambda functions or include callback steps, which can be used for manual approval steps or running custom workloads.

The Amazon SQS permissions allow you to create the Amazon SQS queue needed for receiving callback messages, and also to send messages to that queue.

The Lambda permissions allow you to create, read, update, and delete the Lambda functions used in the pipeline steps, and also to invoke those Lambda functions.

This policy also grants the Amazon EMR permissions needed to run an Amazon EMR step in a pipeline.

**Permissions details**

This policy includes the following permissions.
+ `elasticmapreduce` – Read, add, and cancel steps in a running Amazon EMR cluster. Read, create, and terminate a new Amazon EMR cluster.
+ `events` – Read, create, update, and add targets to the EventBridge rules named `SageMakerPipelineExecutionEMRStepStatusUpdateRule` and `SageMakerPipelineExecutionEMRClusterStatusUpdateRule`.
+ `iam` – Pass an IAM role to the Amazon Lambda service, Amazon EMR and Amazon EC2.
+ `lambda` – Create, read, update, delete, and invoke Lambda functions. These permissions are limited to functions whose name includes "sagemaker".
+ `sqs` – Create an Amazon SQS queue; send an Amazon SQS message. These permissions are limited to queues whose name includes "sagemaker".

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "arn:aws-cn:lambda:*:*:function:*sagemaker*",
                "arn:aws-cn:lambda:*:*:function:*sageMaker*",
                "arn:aws-cn:lambda:*:*:function:*SageMaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:SendMessage"
            ],
            "Resource": [
                "arn:aws-cn:sqs:*:*:*sagemaker*",
                "arn:aws-cn:sqs:*:*:*sageMaker*",
                "arn:aws-cn:sqs:*:*:*SageMaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws-cn:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "elasticmapreduce.amazonaws.com",
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:PutRule",
                "events:PutTargets"
            ],
            "Resource": [
                "arn:aws-cn:events:*:*:rule/SageMakerPipelineExecutionEMRStepStatusUpdateRule",
                "arn:aws-cn:events:*:*:rule/SageMakerPipelineExecutionEMRClusterStatusUpdateRule"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:AddJobFlowSteps",
                "elasticmapreduce:CancelSteps",
                "elasticmapreduce:DescribeStep",
                "elasticmapreduce:RunJobFlow",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:TerminateJobFlows",
                "elasticmapreduce:ListSteps"
            ],
            "Resource": [
                "arn:aws-cn:elasticmapreduce:*:*:cluster/*"
            ]
        }
    ]
}
```
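
The name-based scoping in the Lambda and Amazon SQS statements can be checked against your own resource names before you rely on this policy. The following Python sketch is an added example, not part of the policy or of the service's own code; it models IAM wildcard matching as case-sensitive and field by field (an assumption), and the account ID, Region, and resource names are constructed.

```python
import re

# Resource patterns copied from the Lambda and SQS statements of the policy above.
LAMBDA_PATTERNS = [
    "arn:aws-cn:lambda:*:*:function:*sagemaker*",
    "arn:aws-cn:lambda:*:*:function:*sageMaker*",
    "arn:aws-cn:lambda:*:*:function:*SageMaker*",
]
SQS_PATTERNS = [
    "arn:aws-cn:sqs:*:*:*sagemaker*",
    "arn:aws-cn:sqs:*:*:*sageMaker*",
    "arn:aws-cn:sqs:*:*:*SageMaker*",
]

def segment_regex(segment):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one character.
    # Everything else is literal and compared case-sensitively.
    return re.compile(re.escape(segment).replace(r"\*", ".*").replace(r"\?", "."))

def arn_matches(pattern, arn):
    # Assumption: compare the six colon-delimited ARN fields one by one; the last
    # field (the resource) keeps any further colons, e.g. "function:name".
    p_fields, a_fields = pattern.split(":", 5), arn.split(":", 5)
    if len(p_fields) != 6 or len(a_fields) != 6:
        return False
    return all(segment_regex(p).fullmatch(a) for p, a in zip(p_fields, a_fields))

def uncovered(patterns, arns):
    """Return the ARNs that none of the policy's Resource patterns match."""
    return [a for a in arns if not any(arn_matches(p, a) for p in patterns)]

# Constructed sample resources (placeholder account ID and names).
PREFIX = "arn:aws-cn:lambda:cn-north-1:111122223333:function:"
SAMPLE_FUNCTIONS = [
    PREFIX + "sagemaker-callback-handler",   # matches *sagemaker*
    PREFIX + "MySageMakerApprover",          # matches *SageMaker*
    PREFIX + "billing-export-sagemaker",     # matches: any name containing the substring
    PREFIX + "Sagemaker-step",               # no match: casing not in the policy
    PREFIX + "SAGEMAKER-approver",           # no match: casing not in the policy
    PREFIX + "pipeline-approver",            # no match: substring absent
]

if __name__ == "__main__":
    for arn in uncovered(LAMBDA_PATTERNS, SAMPLE_FUNCTIONS):
        print("not covered by AmazonSageMakerPipelinesIntegrations:", arn)
```

A name only has to contain one of the three spellings anywhere, so the restriction works as a naming convention rather than an ownership boundary between teams or workloads.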


## Amazon SageMaker AI updates to SageMaker AI Pipelines managed policies
<a name="security-iam-awsmanpol-pipelines-updates"></a>

View details about updates to Amazon managed policies for Amazon SageMaker AI since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) - Update to an existing policy  | 3 |   Added permissions for `elasticmapreduce:RunJobFlow`, `elasticmapreduce:TerminateJobFlows`, `elasticmapreduce:ListSteps`, and `elasticmapreduce:DescribeCluster`.  | February 17, 2023 | 
|  [AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) - Update to an existing policy  | 2 |  Added permissions for `lambda:GetFunction`, `events:DescribeRule`, `events:PutRule`, `events:PutTargets`, `elasticmapreduce:AddJobFlowSteps`, `elasticmapreduce:CancelSteps`, and `elasticmapreduce:DescribeStep`.  | April 20, 2022 | 
| AmazonSageMakerPipelinesIntegrations - New policy | 1 |  Initial policy  | July 30, 2021 | 