Amazon managed policies for Amazon SageMaker Canvas - Amazon SageMaker
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon SageMaker Canvas

These Amazon managed policies add the permissions required to use Amazon SageMaker Canvas. The policies are available in your Amazon account and are used by the execution roles created from the SageMaker console.

Amazon managed policy: AmazonSageMakerCanvasFullAccess

This policy grants permissions that allow full access to Amazon SageMaker Canvas through the Amazon Web Services Management Console and the SDK. The policy also provides selected access to related services, for example Amazon Simple Storage Service (Amazon S3), Amazon Identity and Access Management (IAM), Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Container Registry (Amazon ECR), Amazon CloudWatch Logs, Amazon Redshift, Amazon Secrets Manager, Amazon SageMaker Autopilot, the SageMaker Model Registry, and Amazon Forecast.

This policy is intended to help customers try out and get started with all SageMaker Canvas features. For more granular control, we recommend that customers build their own scoped-down version of the policy when moving to production workloads. For more information, see IAM policy types: How and when to use them.
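As an added illustration of what such a scoped-down version looks like for one part of the policy (example only, not an Amazon managed policy): the S3Operations statement in the policy document below grants s3:GetObject, s3:PutObject, s3:DeleteObject, s3:CreateBucket and the bucket read actions on every S3 ARN that contains "SageMaker", "Sagemaker" or "sagemaker", and S3ListOperations grants listing on Resource "*". The two statements here replace them with access to a single bucket, separating object-level actions (which apply to bucket/key ARNs) from bucket-level actions (which apply to the bucket ARN). The bucket name amzn-s3-demo-bucket and the canvas/ prefix are placeholders to substitute for your own; s3:CreateBucket and s3:ListAllMyBuckets are omitted, and because s3:ListAllMyBuckets only accepts Resource "*", grant it in its own statement if your workflow needs it rather than widening these two.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CanvasObjectAccessOneBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/canvas/*"
    },
    {
      "Sid": "CanvasBucketAccessOneBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketCors"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
    }
  ]
}
```

Attach this in place of the S3Operations and S3ListOperations statements and keep the remaining statements you still need; verify the result with the IAM policy simulator before removing AmazonSageMakerCanvasFullAccess from the execution role.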

Permissions details

This Amazon managed policy includes the following permissions.

  • sagemaker - Allows principals to create and host SageMaker models on resources whose ARN contains "Canvas", "canvas", or "model-compilation-". Principals can also register their SageMaker Canvas models with the SageMaker Model Registry in the same Amazon account.

  • ec2 - Allows principals to create Amazon VPC endpoints and to describe VPCs, subnets, security groups, VPC endpoints, and VPC endpoint services.

  • ecr - Allows principals to pull container images (obtain an authorization token, image manifests, and layer download URLs).

  • glue - Allows principals to search for tables in the Data Catalog.

  • iam - Allows principals to read IAM roles and to pass IAM roles to Amazon SageMaker and Amazon Forecast. The iam:PassRole permission is restricted by the iam:PassedToService condition key to sagemaker.amazonaws.com and forecast.amazonaws.com, so this policy cannot be used to pass a role to any other service.

  • logs - Allows principals to publish logs from training jobs and endpoints to log groups under /aws/sagemaker/.

  • s3 - Allows principals to add, retrieve, and delete objects in Amazon S3, and to create buckets, on resources whose ARN contains "SageMaker", "Sagemaker", or "sagemaker". Because the * wildcard in an ARN also matches /, this covers any object whose bucket name or object key contains one of those strings, not only buckets named after SageMaker. Also allows principals to retrieve objects from the Amazon S3 buckets whose names begin with "jumpstart-cache-prod-" in specific Regions, and to list all buckets and their contents.

  • secretsmanager - Allows principals to store customer credentials for connecting to a Snowflake database using Secrets Manager. Access is limited to secrets whose names begin with "AmazonSageMaker-" (create, read, and attach a resource policy) or that carry the tag SageMaker=true (read only).

  • redshift - Allows principals to get credentials for the "sagemaker_access*" dbuser on any Amazon Redshift cluster (if that user exists).

  • redshift-data - Allows principals to run queries on Amazon Redshift using the Amazon Redshift Data API. This only grants access to the Redshift Data API itself and does not directly grant access to your Amazon Redshift cluster. For more information, see Using the Amazon Redshift Data API.

  • forecast - Allows principals to use Amazon Forecast on resources whose ARN contains "Canvas".

  • application-autoscaling - Allows principals to register SageMaker inference endpoint variants as scalable targets and attach scaling policies to them. The service-namespace and scalable-dimension condition keys pin this to the sagemaker:variant:DesiredInstanceCount dimension.

  • rds - Allows principals to return information about provisioned Amazon RDS instances.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SageMakerUserDetailsAndPackageOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListTags",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelPackageGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SageMakerPackageGroupOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelPackage"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*"
      ]
    },
    {
      "Sid": "SageMakerTrainingOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateModel",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateAutoMLJobV2",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeAutoMLJobV2",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:AddTags",
        "sagemaker:DeleteApp"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*",
        "arn:aws:sagemaker:*:*:*model-compilation-*"
      ]
    },
    {
      "Sid": "SageMakerHostingOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteModel",
        "sagemaker:InvokeEndpoint"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*"
      ]
    },
    {
      "Sid": "EC2VPCOperation",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcEndpointServices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECROperations",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMGetOperations",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Sid": "IAMPassOperation",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "LoggingOperation",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
    },
    {
      "Sid": "S3Operations",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:CreateBucket",
        "s3:GetBucketCors",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "ReadSageMakerJumpstartArtifacts",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*"
      ]
    },
    {
      "Sid": "S3ListOperations",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GlueOperations",
      "Effect": "Allow",
      "Action": "glue:SearchTables",
      "Resource": [
        "arn:aws:glue:*:*:table/*/*",
        "arn:aws:glue:*:*:database/*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid": "SecretsManagerARNBasedOperation",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:PutResourcePolicy"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "SecretManagerTagBasedOperation",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "RedshiftOperations",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables",
        "redshift-data:DescribeTable"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RedshiftGetCredentialsOperation",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "ForecastOperations",
      "Effect": "Allow",
      "Action": [
        "forecast:CreateExplainabilityExport",
        "forecast:CreateExplainability",
        "forecast:CreateForecastEndpoint",
        "forecast:CreateAutoPredictor",
        "forecast:CreateDatasetImportJob",
        "forecast:CreateDatasetGroup",
        "forecast:CreateDataset",
        "forecast:CreateForecast",
        "forecast:CreateForecastExportJob",
        "forecast:CreatePredictorBacktestExportJob",
        "forecast:CreatePredictor",
        "forecast:DescribeExplainabilityExport",
        "forecast:DescribeExplainability",
        "forecast:DescribeAutoPredictor",
        "forecast:DescribeForecastEndpoint",
        "forecast:DescribeDatasetImportJob",
        "forecast:DescribeDataset",
        "forecast:DescribeForecast",
        "forecast:DescribeForecastExportJob",
        "forecast:DescribePredictorBacktestExportJob",
        "forecast:GetAccuracyMetrics",
        "forecast:InvokeForecastEndpoint",
        "forecast:GetRecentForecastContext",
        "forecast:DescribePredictor",
        "forecast:TagResource",
        "forecast:DeleteResourceTree"
      ],
      "Resource": [
        "arn:aws:forecast:*:*:*Canvas*"
      ]
    },
    {
      "Sid": "RDSOperation",
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    },
    {
      "Sid": "IAMPassOperationForForecast",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "forecast.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AutoscalingOperations",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:RegisterScalableTarget"
      ],
      "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*",
      "Condition": {
        "StringEquals": {
          "application-autoscaling:service-namespace": "sagemaker",
          "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount"
        }
      }
    }
  ]
}
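The following script is an added example, not code from the Amazon documentation or from the policy itself. It evaluates sample requests against an excerpt of the statements above (copied from the policy, with the JumpStart bucket list shortened to two Regions) using the IAM wildcard and StringEquals semantics, to make two points from the permissions list concrete: because * in a resource ARN also matches /, the arn:aws:s3:::*sagemaker* patterns cover any object whose bucket name or key contains that string, not only buckets named after SageMaker; and the two iam:PassRole statements apply only when the passed-to service is exactly sagemaker.amazonaws.com or forecast.amazonaws.com. The ARNs, the account ID 111122223333, and the bucket and role names in the checks are constructed inputs. The evaluator is deliberately minimal (Allow statements, wildcards, and StringEquals only) and is not a replacement for the IAM policy simulator.

```python
"""Evaluate sample requests against an excerpt of AmazonSageMakerCanvasFullAccess.

Added example; not code from the Amazon documentation. The statements below are
copied from the policy (JumpStart bucket list shortened to two Regions). Only the
IAM behaviour needed to show how the Resource patterns and PassRole conditions
work is implemented: '*' matches any run of characters (including '/'), '?' one
character, ARNs compare case-sensitively, action names case-insensitively, and
the StringEquals condition operator is honoured. Deny, NotAction/NotResource,
other condition operators, permissions boundaries and SCPs are out of scope.
"""
import re

POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IAMPassOperation", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
        {"Sid": "S3Operations", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket",
                    "s3:GetBucketCors", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*"]},
        {"Sid": "ReadSageMakerJumpstartArtifacts", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
                      "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*"]},
        {"Sid": "S3ListOperations", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow",
         "Action": ["redshift:GetClusterCredentials"],
         "Resource": ["arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
                      "arn:aws:redshift:*:*:dbname:*"]},
        {"Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances",
         "Resource": "*"},
        {"Sid": "IAMPassOperationForForecast", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": "forecast.amazonaws.com"}}},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource/condition values as a string or a list; normalise."""
    return [value] if isinstance(value, str) else list(value)


def _glob_to_regex(pattern, ignore_case=False):
    """Translate an IAM wildcard pattern to a regex; '*' spans '/' as well."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.DOTALL | (re.IGNORECASE if ignore_case else 0))


def _matches_any(patterns, value, ignore_case=False):
    return any(_glob_to_regex(p, ignore_case).fullmatch(value) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """StringEquals only; any other operator makes the statement not apply (fail closed)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def allowing_sid(policy, action, resource, context=None):
    """Return the Sid of the first Allow statement covering the request, or None."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches_any(stmt["Action"], action, ignore_case=True):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return stmt.get("Sid", "<no Sid>")
    return None


def unconditioned_wildcard_sids(policy):
    """Sids allowing actions on Resource '*' with no Condition: first scope-down candidates."""
    return sorted(s["Sid"] for s in policy["Statement"]
                  if s.get("Effect") == "Allow" and "*" in _as_list(s["Resource"])
                  and "Condition" not in s)


if __name__ == "__main__":
    # Constructed request samples; 111122223333 is a placeholder account ID.
    checks = [
        ("s3:GetObject", "arn:aws:s3:::sagemaker-us-east-1-111122223333/canvas/data.csv", {}),
        # No 'sagemaker' in the bucket name, but the key contains it: still matched.
        ("s3:GetObject", "arn:aws:s3:::finance-data-lake/sagemaker/export.csv", {}),
        ("s3:DeleteObject", "arn:aws:s3:::finance-data-lake/reports/export.csv", {}),
        ("s3:PutObject", "arn:aws:s3:::jumpstart-cache-prod-us-east-1/models/x.tar.gz", {}),
        ("iam:PassRole", "arn:aws:iam::111122223333:role/CanvasRole",
         {"iam:PassedToService": "lambda.amazonaws.com"}),
    ]
    for action, arn, ctx in checks:
        print(f"{action:16} {arn:70} -> {allowing_sid(POLICY_EXCERPT, action, arn, ctx)}")
    print("Resource '*' with no Condition:", unconditioned_wildcard_sids(POLICY_EXCERPT))
```

Run it as a script to see which Sid grants each sample request; the second S3 check is the one to note, since a key under a sagemaker/ prefix in an unrelated bucket is readable, writable and deletable under this policy. unconditioned_wildcard_sids lists the statements to look at first when building the scoped-down version the page recommends.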

Amazon managed policy: AmazonSageMakerCanvasDirectDeployAccess

This policy grants the permissions that Amazon SageMaker Canvas needs to create and manage Amazon SageMaker endpoints.

Permissions details

This Amazon managed policy includes the following permissions.

  • sagemaker - Allows principals to create, update, describe, invoke, and delete SageMaker endpoints and endpoint configurations on resources whose ARN resource name begins with "Canvas" or "canvas".

  • cloudwatch - Allows principals to retrieve Amazon CloudWatch metric data (cloudwatch:GetMetricData).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SageMakerEndpointPerms",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:InvokeEndpoint",
        "sagemaker:UpdateEndpoint"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:Canvas*",
        "arn:aws:sagemaker:*:*:canvas*"
      ]
    },
    {
      "Sid": "ReadCWInvocationMetrics",
      "Effect": "Allow",
      "Action": "cloudwatch:GetMetricData",
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AmazonSageMakerCanvasForecastAccess

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Forecast.

Permissions details

This Amazon managed policy includes the following permissions.

  • s3 - Allows principals to add and retrieve the "Canvas" and "canvas" objects in, and to list the contents of, Amazon S3 buckets whose names begin with "sagemaker-".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/Canvas",
        "arn:aws:s3:::sagemaker-*/canvas"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*"
      ]
    }
  ]
}

Amazon managed policy: AmazonSageMakerCanvasAIServicesAccess

This policy grants Amazon SageMaker Canvas permission to use Amazon Textract, Amazon Rekognition, Amazon Comprehend, and Amazon Bedrock.

Permissions details

This Amazon managed policy includes the following permissions.

  • textract - Allows principals to use Amazon Textract to analyze documents, expense documents, and identity documents in images.

  • rekognition - Allows principals to use Amazon Rekognition to detect labels and text in images.

  • comprehend - Allows principals to use Amazon Comprehend to detect sentiment and dominant language in text documents, as well as entities and personally identifiable information (PII) entities.

  • bedrock - Allows principals to list and invoke foundation models in Amazon Bedrock.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "textract:AnalyzeDocument",
        "textract:AnalyzeExpense",
        "textract:AnalyzeID",
        "textract:StartDocumentAnalysis",
        "textract:StartExpenseAnalysis",
        "textract:GetDocumentAnalysis",
        "textract:GetExpenseAnalysis"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rekognition:DetectLabels",
        "rekognition:DetectText"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "comprehend:BatchDetectDominantLanguage",
        "comprehend:BatchDetectEntities",
        "comprehend:BatchDetectSentiment",
        "comprehend:DetectPiiEntities",
        "comprehend:DetectEntities",
        "comprehend:DetectSentiment",
        "comprehend:DetectDominantLanguage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:ListFoundationModels"
      ],
      "Resource": "*"
    }
  ]
}

Amazon SageMaker updates to Amazon SageMaker Canvas managed policies

View details about updates to Amazon managed policies for SageMaker Canvas since this service began tracking these changes.

Policy | Version | Change | Date
AmazonSageMakerCanvasDirectDeployAccess – New policy | 1 | Initial policy | October 6, 2023
AmazonSageMakerCanvasFullAccess – Update to an existing policy | 7 | Added the sagemaker:DeleteEndpointConfig, sagemaker:DeleteModel, and sagemaker:InvokeEndpoint permissions. Also added the s3:GetObject permission for SageMaker JumpStart resources in specific Regions. | September 29, 2023
AmazonSageMakerCanvasAIServicesAccess – Update to an existing policy | 2 | Added the bedrock:InvokeModel and bedrock:ListFoundationModels permissions. | September 29, 2023
AmazonSageMakerCanvasFullAccess – Update to an existing policy | 6 | Added the rds:DescribeDBInstances permission. | August 29, 2023
AmazonSageMakerCanvasFullAccess – Update to an existing policy | 5 | Added the application-autoscaling:PutScalingPolicy and application-autoscaling:RegisterScalableTarget permissions. | July 24, 2023
AmazonSageMakerCanvasFullAccess – Update to an existing policy | 4 | Added the sagemaker:CreateModelPackage, sagemaker:CreateModelPackageGroup, sagemaker:DescribeModelPackage, sagemaker:DescribeModelPackageGroup, sagemaker:ListModelPackages, and sagemaker:ListModelPackageGroups permissions. | May 4, 2023
AmazonSageMakerCanvasFullAccess – Update to an existing policy | 3 | Added the sagemaker:CreateAutoMLJobV2, sagemaker:DescribeAutoMLJobV2, and glue:SearchTables permissions. | March 24, 2023
AmazonSageMakerCanvasAIServicesAccess – New policy | 1 | Initial policy | March 23, 2023
AmazonSageMakerCanvasFullAccess – Update to an existing policy | 2 | Added the forecast:DeleteResourceTree permission. | December 6, 2022
AmazonSageMakerCanvasFullAccess – New policy | 1 | Initial policy | September 8, 2022
AmazonSageMakerCanvasForecastAccess – New policy | 1 | Initial policy | August 24, 2022