Amazon 亚马逊 C SageMaker anvas 的托管政策 - Amazon SageMaker
AmazonSageMakerCanvasFullAccessAmazonSageMakerCanvasDataPrepFullAccessAmazonSageMakerCanvasDirectDeployAccessAmazonSageMakerCanvasAI ServicesAccessAmazonSageMakerCanvasBedrockAccessAmazonSageMakerCanvasForecastAccessSageMaker 画布政策更新
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon 亚马逊 C SageMaker anvas 的托管政策

这些 Amazon 托管策略增加了使用 Amazon SageMaker Canvas 所需的权限。这些策略可在您的 Amazon 账户中使用,并由从 SageMaker控制台创建的执行角色使用。

Amazon 托管策略: AmazonSageMakerCanvasFullAccess

此政策授予的权限允许通过 Amazon Web Services Management Console 和软件开发工具包完全访问 Amazon SageMaker Canvas。该政策还提供对相关服务的精选访问权限 [例如,亚马逊简单存储服务 (Amazon S3)、(IAM)、亚马逊虚拟私有云 (亚马逊 VPC) Amazon Identity and Access Management 、亚马逊弹性容器注册表 (Amazon ECR) Container Registry、亚马逊日志、亚马逊 Redshift、 CloudWatch Amazon Autop SageMaker ilo Amazon Secrets Manager t SageMaker 、模型注册表和亚马逊预测]。

本政策旨在帮助客户尝试并开始使用 SageMaker Canvas 的所有功能。为了实现更精细的控制,我们建议客户在转向生产工作负载时构建自己的范围缩小版本。有关更多信息,请参阅 IAM 策略类型:如何以及何时使用它们

权限详细信息

此 Amazon 托管策略包括以下权限。

  • sagemaker— 允许委托人在 ARN 包含 “画布”、“画布” 或 “ SageMaker模型编译-” 的资源上创建和托管模型。此外,用户可以在同一个 Amazon 账户中将他们的 SageMaker Canvas SageMaker 模型注册到 Model Registry。还允许校长创建和管理 SageMaker 训练、转换和 AutoML 作业。

  • application-autoscaling— 允许委托人自动缩放 SageMaker 推理端点。

  • athena— 允许委托人查询来自 Amazon Athena 的数据目录、数据库和表元数据的列表,并访问目录中的表。

  • cloudwatch— 允许委托人创建和管理 Amazon CloudWatch 警报。

  • ec2 - 允许主体创建 Amazon VPC 端点。

  • ecr - 允许主体获取有关容器映像的信息。

  • emr-serverless— 允许委托人创建和管理 Amazon EMR 无服务器应用程序和任务运行。还允许委托人标记 SageMaker Canvas 资源。

  • forecast - 允许主体使用 Amazon Forecast。

  • glue— 允许委托人检索 Amazon Glue 目录中的表、数据库和分区。

  • iam— 允许委托人将 IAM 角色传递给亚马逊 SageMaker、Amazon Forecast 和 Amazon EMR Serverless。还允许委托人创建服务相关角色。

  • kms— 允许委托人读取标有标签的 Amazon KMS Source:SageMakerCanvas密钥。

  • logs - 允许主体发布来自训练作业和端点的日志。

  • quicksight— 允许委托人列出 Amazon 账户中的命名空间。 QuickSight

  • rds - 允许主体返回有关预置 Amazon RDS 实例的信息。

  • redshift - 允许主体获取任何 Amazon Redshift 集群上的“sagemaker_access*”dbuser 的凭证(如果该用户存在)。

  • redshift-data - 允许主体使用 Amazon Redshift 数据 API 在 Amazon Redshift 上运行查询。这仅提供对 Redshift 数据 API 本身的访问权限,并不直接提供对您的 Amazon Redshift 集群的访问权限。有关更多信息,请参阅使用 Amazon Redshift 数据 API

  • s3 - 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称包含 “”、SageMaker “Sagemaker” 或 “sagemaker” 的对象。还允许委托人从特定区域的 ARN 以 “jumpstart-cache-prod-” 开头的 Amazon S3 存储桶中检索对象。

  • secretsmanager - 允许主体存储客户凭证,以便使用 Secrets Manager 连接到 Snowflake 数据库。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerUserDetailsAndPackageOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeDomain",
                "sagemaker:DescribeUserProfile",
                "sagemaker:ListTags",
                "sagemaker:ListModelPackages",
                "sagemaker:ListModelPackageGroups",
                "sagemaker:ListEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SageMakerPackageGroupOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateModelPackageGroup",
                "sagemaker:CreateModelPackage",
                "sagemaker:DescribeModelPackageGroup",
                "sagemaker:DescribeModelPackage"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:model-package-group/*"
            ]
        },
        {
            "Sid": "SageMakerTrainingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateCompilationJob",
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateModel",
                "sagemaker:CreateProcessingJob",
                "sagemaker:CreateAutoMLJob",
                "sagemaker:CreateAutoMLJobV2",
                "sagemaker:CreateTrainingJob",
                "sagemaker:CreateTransformJob",
                "sagemaker:DeleteEndpoint",
                "sagemaker:DescribeCompilationJob",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:DescribeModel",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:DescribeAutoMLJob",
                "sagemaker:DescribeAutoMLJobV2",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:DescribeTransformJob",
                "sagemaker:ListCandidatesForAutoMLJob",
                "sagemaker:StopAutoMLJob",
                "sagemaker:StopTrainingJob",
                "sagemaker:StopTransformJob",
                "sagemaker:AddTags",
                "sagemaker:DeleteApp"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:*Canvas*",
                "arn:aws:sagemaker:*:*:*canvas*",
                "arn:aws:sagemaker:*:*:*model-compilation-*"
            ]
        },
        {
            "Sid": "SageMakerHostingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DeleteEndpointConfig",
                "sagemaker:DeleteModel",
                "sagemaker:InvokeEndpoint",
                "sagemaker:UpdateEndpointWeightsAndCapacities",
                "sagemaker:InvokeEndpointAsync"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:*Canvas*",
                "arn:aws:sagemaker:*:*:*canvas*"
            ]
        },
        {
            "Sid": "EC2VPCOperation",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ECROperations",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMGetOperations",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Sid": "IAMPassOperation",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "sagemaker.amazonaws.com"
                }
            }
        },
        {
            "Sid": "LoggingOperation",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
        },
        {
            "Sid": "S3Operations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:CreateBucket",
                "s3:GetBucketCors",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Sid": "ReadSageMakerJumpstartArtifacts",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*"
            ]
        },
        {
            "Sid": "S3ListOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GlueOperations",
            "Effect": "Allow",
            "Action": "glue:SearchTables",
            "Resource": [
                "arn:aws:glue:*:*:table/*/*",
                "arn:aws:glue:*:*:database/*",
                "arn:aws:glue:*:*:catalog"
            ]
        },
        {
            "Sid": "SecretsManagerARNBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutResourcePolicy"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
            ]
        },
        {
            "Sid": "SecretManagerTagBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "secretsmanager:ResourceTag/SageMaker": "true"
                }
            }
        },
        {
            "Sid": "RedshiftOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:ExecuteStatement",
                "redshift-data:DescribeStatement",
                "redshift-data:CancelStatement",
                "redshift-data:GetStatementResult",
                "redshift-data:ListSchemas",
                "redshift-data:ListTables",
                "redshift-data:DescribeTable"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RedshiftGetCredentialsOperation",
            "Effect": "Allow",
            "Action": [
                "redshift:GetClusterCredentials"
            ],
            "Resource": [
                "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
                "arn:aws:redshift:*:*:dbname:*"
            ]
        },
        {
            "Sid": "ForecastOperations",
            "Effect": "Allow",
            "Action": [
                "forecast:CreateExplainabilityExport",
                "forecast:CreateExplainability",
                "forecast:CreateForecastEndpoint",
                "forecast:CreateAutoPredictor",
                "forecast:CreateDatasetImportJob",
                "forecast:CreateDatasetGroup",
                "forecast:CreateDataset",
                "forecast:CreateForecast",
                "forecast:CreateForecastExportJob",
                "forecast:CreatePredictorBacktestExportJob",
                "forecast:CreatePredictor",
                "forecast:DescribeExplainabilityExport",
                "forecast:DescribeExplainability",
                "forecast:DescribeAutoPredictor",
                "forecast:DescribeForecastEndpoint",
                "forecast:DescribeDatasetImportJob",
                "forecast:DescribeDataset",
                "forecast:DescribeForecast",
                "forecast:DescribeForecastExportJob",
                "forecast:DescribePredictorBacktestExportJob",
                "forecast:GetAccuracyMetrics",
                "forecast:InvokeForecastEndpoint",
                "forecast:GetRecentForecastContext",
                "forecast:DescribePredictor",
                "forecast:TagResource",
                "forecast:DeleteResourceTree"
            ],
            "Resource": [
                "arn:aws:forecast:*:*:*Canvas*"
            ]
        },
        {
            "Sid": "RDSOperation",
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassOperationForForecast",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "forecast.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AutoscalingOperations",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget"
            ],
            "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*",
            "Condition": {
                "StringEquals": {
                    "application-autoscaling:service-namespace": "sagemaker",
                    "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount"
                }
            }
        },
        {
            "Sid": "AsyncEndpointOperations",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarms",
                "sagemaker:DescribeEndpointConfig"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DescribeScalingOperations",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerCloudWatchUpdate",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:*:alarm:TargetTracking*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "application-autoscaling.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AutoscalingSageMakerEndpointOperation",
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
                }
            }
        }
        {
            "Sid": "AthenaOperation",
            "Action": [
                "athena:ListTableMetadata",
                "athena:ListDataCatalogs",
                "athena:ListDatabases"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            },
        },
        {
            "Sid": "GlueOperation",
            "Action": [
                "glue:GetDatabases",
                "glue:GetPartitions",
                "glue:GetTables"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:glue:*:*:table/*",
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "QuicksightOperation",
            "Action": [
                "quicksight:ListNamespaces"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AllowUseOfKeyInAccount",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Source": "SageMakerCanvas",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessCreateApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:CreateApplication",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListApplications",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessApplicationOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:UpdateApplication",
                "emr-serverless:StopApplication",
                "emr-serverless:GetApplication",
                "emr-serverless:StartApplication"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessStartJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:StartJobRun",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListJobRuns",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessJobRunOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:GetJobRun",
                "emr-serverless:CancelJobRun"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessTagResourceOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:TagResource",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "IAMPassOperationForEMRServerless",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "emr-serverless.amazonaws.com",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
显示更多显示更少

Amazon 托管策略: AmazonSageMakerCanvasDataPrepFullAccess

该政策授予的权限允许完全访问 Amazon SageMaker Canvas 的数据准备功能。该政策还为与数据准备功能集成的服务(例如,亚马逊简单存储服务 (Amazon S3)、(IAM)、亚马逊 EMR、 EventBridge亚马逊 Amazon Identity and Access Management 、Amazon Redshift、() 和] 提供了最低权限权限。 Amazon Key Management Service Amazon KMS Amazon Secrets Manager

权限详细信息

此 Amazon 托管策略包括以下权限。

  • sagemaker— 允许委托人访问处理作业、训练作业、推理管道、AutoML 作业和功能组。

  • athena— 允许委托人查询来自 Amazon Athena 的数据目录、数据库和表元数据的列表。

  • elasticmapreduce— 允许委托人读取和列出 Amazon EMR 集群。

  • events— 允许委托人为计划任务创建、读取、更新和向 Amazon EventBridge 规则添加目标。

  • glue— 允许委托人从 Amazon Glue 目录中的数据库中获取和搜索表。

  • iam— 允许委托人将 IAM 角色传递给 Amazon SageMaker 和。 EventBridge

  • kms— 允许委托人检索存储在作业和终端节点中的 Amazon KMS 别名,并访问关联的 KMS 密钥。

  • logs - 允许主体发布来自训练作业和端点的日志。

  • redshift— 允许委托人获得访问亚马逊 Redshift 数据库的证书。

  • redshift-data— 允许委托人运行、取消、描述、列出和获取 Amazon Redshift 查询的结果。还允许委托人列出 Amazon Redshift 架构和表。

  • s3 - 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称包含 “”、SageMaker “Sagemaker” 或 “sagemaker” 的对象;或者标有 “”、不区分大小写的对象。SageMaker

  • secretsmanager— 允许委托人使用 Secrets Manager 存储和检索客户数据库凭证。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerListFeatureGroupOperation",
            "Effect": "Allow",
            "Action": "sagemaker:ListFeatureGroups",
            "Resource": "*"
        },
        {
            "Sid": "SageMakerFeatureGroupOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateFeatureGroup",
                "sagemaker:DescribeFeatureGroup"
            ],
            "Resource": "arn:aws:sagemaker:*:*:feature-group/*"
        },
        {
            "Sid": "SageMakerProcessingJobOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateProcessingJob",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:AddTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
        },
        {
            "Sid": "SageMakerProcessingJobListOperation",
            "Effect": "Allow",
            "Action": "sagemaker:ListProcessingJobs",
            "Resource": "*"
        },
        {
            "Sid": "SageMakerPipelineOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribePipeline",
                "sagemaker:CreatePipeline",
                "sagemaker:UpdatePipeline",
                "sagemaker:DeletePipeline",
                "sagemaker:StartPipelineExecution",
                "sagemaker:ListPipelineExecutionSteps",
                "sagemaker:DescribePipelineExecution"
            ],
            "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
        },
        {
            "Sid": "KMSListOperations",
            "Effect": "Allow",
            "Action": "kms:ListAliases",
            "Resource": "*"
        },
        {
            "Sid": "KMSOperations",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "arn:aws:kms:*:*:key/*"
        },
        {
            "Sid": "S3Operations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketCors",
                "s3:GetBucketLocation",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3GetObjectOperation",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                },
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3ListOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListOperations",
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        },
        {
            "Sid": "IAMGetOperations",
            "Effect": "Allow",
            "Action": "iam:GetRole",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Sid": "IAMPassOperation",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "sagemaker.amazonaws.com",
                        "events.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "EventBridgePutOperation",
            "Effect": "Allow",
            "Action": [
                "events:PutRule"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeOperations",
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:PutTargets"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeTagBasedOperations",
            "Effect": "Allow",
            "Action": [
                "events:TagResource"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true",
                    "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeListTagOperation",
            "Effect": "Allow",
            "Action": "events:ListTagsForResource",
            "Resource": "*"
        },
        {
            "Sid": "GlueOperations",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "glue:SearchTables"
            ],
            "Resource": [
                "arn:aws:glue:*:*:table/*",
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*"
            ]
        },
        {
            "Sid": "EMROperations",
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:ListInstanceGroups"
            ],
            "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*"
        },
        {
            "Sid": "EMRListOperation",
            "Effect": "Allow",
            "Action": "elasticmapreduce:ListClusters",
            "Resource": "*"
        },
        {
            "Sid": "AthenaListDataCatalogOperation",
            "Effect": "Allow",
            "Action": "athena:ListDataCatalogs",
            "Resource": "*"
        },
        {
            "Sid": "AthenaQueryExecutionOperations",
            "Effect": "Allow",
            "Action": [
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution"
            ],
            "Resource": "arn:aws:athena:*:*:workgroup/*"
        },
        {
            "Sid": "AthenaDataCatalogOperations",
            "Effect": "Allow",
            "Action": [
                "athena:ListDatabases",
                "athena:ListTableMetadata"
            ],
            "Resource": "arn:aws:athena:*:*:datacatalog/*"
        },
        {
            "Sid": "RedshiftOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:DescribeStatement",
                "redshift-data:CancelStatement",
                "redshift-data:GetStatementResult"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RedshiftArnBasedOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:ExecuteStatement",
                "redshift-data:ListSchemas",
                "redshift-data:ListTables"
            ],
            "Resource": "arn:aws:redshift:*:*:cluster:*"
        },
        {
            "Sid": "RedshiftGetCredentialsOperation",
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [
                "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
                "arn:aws:redshift:*:*:dbname:*"
            ]
        },
        {
            "Sid": "SecretsManagerARNBasedOperation",
            "Effect": "Allow",
            "Action": "secretsmanager:CreateSecret",
            "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
        },
        {
            "Sid": "SecretManagerTagBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "RDSOperation",
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "*"
        },
        {
            "Sid": "LoggingOperation",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
        }
    ]
}
显示更多显示更少

Amazon 托管策略: AmazonSageMakerCanvasDirectDeployAccess

该政策授予 Amazon SageMaker Canvas 创建和管理亚马逊 SageMaker终端节点所需的权限。

权限详细信息

此 Amazon 托管策略包括以下权限。

  • sagemaker— 允许委托人使用以 “画布” 或 “画布” 开头的 ARN 资源名称创建和管理 SageMaker端点。

  • cloudwatch— 允许委托人检索 Amazon CloudWatch 指标数据。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerEndpointPerms",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:DeleteEndpoint",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:InvokeEndpoint",
                "sagemaker:UpdateEndpoint"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:Canvas*",
                "arn:aws:sagemaker:*:*:canvas*"
            ]
        },
        {
            "Sid": "ReadCWInvocationMetrics",
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        }
    ]
}

Amazon 托管策略: AmazonSageMakerCanvasAI ServicesAccess

该政策授予亚马逊 SageMaker Canvas 使用亚马逊 Textract、Amazon Rekognition、Amazon Comprehend 和亚马逊 Bedrock 的权限。

权限详细信息

此 Amazon 托管策略包括以下权限。

  • textract - 允许主体使用 Amazon Textract 检测图像中的文档、费用和身份。

  • rekognition - 允许主体使用 Amazon Rekognition 检测图像中的标签和文本。

  • comprehend - 允许主体使用 Amazon Comprehend 检测文本文档中的情绪和主要语言,以及姓名和个人身份信息 (PII) 实体。

  • bedrock - 允许主体使用 Amazon Bedrock 列出和调用基础模型。

  • iam— 允许委托人将 IAM 角色传递给 Amazon Bedrock。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Textract",
            "Effect": "Allow",
            "Action": [
                "textract:AnalyzeDocument",
                "textract:AnalyzeExpense",
                "textract:AnalyzeID",
                "textract:StartDocumentAnalysis",
                "textract:StartExpenseAnalysis",
                "textract:GetDocumentAnalysis",
                "textract:GetExpenseAnalysis"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Rekognition",
            "Effect": "Allow",
            "Action": [
                "rekognition:DetectLabels",
                "rekognition:DetectText"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Comprehend",
            "Effect": "Allow",
            "Action": [
                "comprehend:BatchDetectDominantLanguage",
                "comprehend:BatchDetectEntities",
                "comprehend:BatchDetectSentiment",
                "comprehend:DetectPiiEntities",
                "comprehend:DetectEntities",
                "comprehend:DetectSentiment",
                "comprehend:DetectDominantLanguage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Bedrock",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:ListFoundationModels",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateBedrockResourcesPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelCustomizationJob",
                "bedrock:CreateProvisionedModelThroughput",
                "bedrock:TagResource"
            ],
            "Resource": [
                "arn:aws:bedrock:*:*:model-customization-job/*",
                "arn:aws:bedrock:*:*:custom-model/*",
                "arn:aws:bedrock:*:*:provisioned-model/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "SageMaker",
                        "Canvas"
                    ]
                },
                "StringEquals": {
                    "aws:RequestTag/SageMaker": "true",
                    "aws:RequestTag/Canvas": "true",
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceTag/Canvas": "true"
                }
            }
        },
        {
            "Sid": "GetStopAndDeleteBedrockResourcesPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:GetModelCustomizationJob",
                "bedrock:GetCustomModel",
                "bedrock:GetProvisionedModelThroughput",
                "bedrock:StopModelCustomizationJob",
                "bedrock:DeleteProvisionedModelThroughput"
            ],
            "Resource": [
                "arn:aws:bedrock:*:*:model-customization-job/*",
                "arn:aws:bedrock:*:*:custom-model/*",
                "arn:aws:bedrock:*:*:provisioned-model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceTag/Canvas": "true"
                }
            }
        },
        {
            "Sid": "FoundationModelPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelCustomizationJob"
            ],
            "Resource": [
                "arn:aws:bedrock:*::foundation-model/*"
            ]
        },
        {
            "Sid": "BedrockFineTuningPassRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "bedrock.amazonaws.com"
                }
            }
        }
    ]
}

Amazon 托管策略: AmazonSageMakerCanvasBedrockAccess

该政策授予将 Amazon C SageMaker anvas 与 Amazon Bedrock 配合使用通常所需的权限。

权限详细信息

此 Amazon 托管策略包括以下权限。

  • s3— 允许委托人从 “Sagemaker-*/Canvas” 目录中的 Amazon S3 存储桶中添加和检索对象。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3CanvasAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*/Canvas",
                "arn:aws:s3:::sagemaker-*/Canvas/*"
            ]
        },
        {
            "Sid": "S3BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*"
            ]
        }
    ]
}

Amazon 托管策略: AmazonSageMakerCanvasForecastAccess

该政策授予将亚马逊 Canvas 与 Amazon For SageMaker ecast 配合使用通常所需的权限。

权限详细信息

此 Amazon 托管策略包括以下权限。

  • s3 - 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称以“sagemaker-”开头的对象。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*/Canvas",
                "arn:aws:s3:::sagemaker-*/canvas"
            ]
        }
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*"
            ]
        }
    ]
}

亚马逊 SageMaker 更新了亚马逊 SageMaker Canvas 托管政策

查看自该服务开始跟踪这些更改以来对 SageMaker Canvas Amazon 托管策略的更新的详细信息。

Policy 版本 更改 Date

AmazonSageMakerCanvasFullAccess – 对现有策略的更新

10

添加application-autoscaling:DescribeScalingActivitiesiam:PassRolekms:DescribeKey、和quicksight:ListNamespaces权限。

添加sagemaker:CreateTrainingJobsagemaker:CreateTransformJobsagemaker:DescribeTrainingJobsagemaker:DescribeTransformJobsagemaker:StopAutoMLJobsagemaker:StopTrainingJob、和sagemaker:StopTransformJob权限。

添加 athena:ListTableMetadataathena:ListDataCatalogsathena:ListDatabases 权限。

添加 glue:GetDatabasesglue:GetPartitionsglue:GetTables 权限。

添加emr-serverless:CreateApplicationemr-serverless:ListApplicationsemr-serverless:UpdateApplicationemr-serverless:StopApplicationemr-serverless:GetApplicationemr-serverless:StartApplication、、emr-serverless:StartJobRunemr-serverless:ListJobRunsemr-serverless:GetJobRunemr-serverless:CancelJobRun、和emr-serverless:TagResource权限。

 2024 年 7 月 9 日

AmazonSageMakerCanvasBedrockAccess:新策略

1

初始策略

 2024 年 2 月 2 日

AmazonSageMakerCanvasFullAccess -更新现有政策

9

添加 sagemaker:ListEndpoints 权限

 2024 年 1 月 24 日

AmazonSageMakerCanvasFullAccess -更新现有政策

8

添加sagemaker:UpdateEndpointWeightsAndCapacitiessagemaker:DescribeEndpointConfigsagemaker:InvokeEndpointAsyncathena:ListDataCatalogsathena:GetQueryExecutionathena:GetQueryResultsathena:StartQueryExecution、、athena:StopQueryExecutionathena:ListDatabasescloudwatch:DescribeAlarmscloudwatch:PutMetricAlarmcloudwatch:DeleteAlarms、和iam:CreateServiceLinkedRole权限。

 2023 年 12 月 8 日

AmazonSageMakerCanvasDataPrepFullAccess – 对现有策略的更新

2

小更新,用于强制执行先前策略(版本 1)的意图;未添加或删除任何权限。

 2023 年 12 月 7 日

AmazonSageMakerCanvasAI ServicesAccess – 对现有策略的更新

3

添加bedrock:InvokeModelWithResponseStreambedrock:GetModelCustomizationJobbedrock:StopModelCustomizationJobbedrock:GetCustomModelbedrock:GetProvisionedModelThroughput、、bedrock:DeleteProvisionedModelThroughputbedrock:TagResourcebedrock:CreateModelCustomizationJobbedrock:CreateProvisionedModelThroughput、和iam:PassRole权限。

 2023 年 11 月 29 日

AmazonSageMakerCanvasDataPrepFullAccess -新政策

1

初始策略

 2023 年 10 月 26 日

AmazonSageMakerCanvasDirectDeployAccess:新策略

1

初始策略

 2023 年 10 月 6 日

AmazonSageMakerCanvasFullAccess -更新现有政策

7

添加 sagemaker:DeleteEndpointConfigsagemaker:DeleteModelsagemaker:InvokeEndpoint 权限。还要为特定区域的 JumpStart资源添加s3:GetObject权限。

 2023 年 9 月 29 日

AmazonSageMakerCanvasAI ServicesAccess -更新现有政策

2

添加 bedrock:InvokeModelbedrock:ListFoundationModels 权限。

 2023 年 9 月 29 日

AmazonSageMakerCanvasFullAccess -更新现有政策

6

添加 rds:DescribeDBInstances 权限

 2023 年 8 月 29 日

AmazonSageMakerCanvasFullAccess -更新现有政策

5

添加 application-autoscaling:PutScalingPolicyapplication-autoscaling:RegisterScalableTarget 权限。

 2023 年 7 月 24 日

AmazonSageMakerCanvasFullAccess -更新现有政策

4

添加 sagemaker:CreateModelPackagesagemaker:CreateModelPackageGroupsagemaker:DescribeModelPackagesagemaker:DescribeModelPackageGroupsagemaker:ListModelPackagessagemaker:ListModelPackageGroups 权限。

 2023 年 5 月 4 日

AmazonSageMakerCanvasFullAccess -更新现有政策

3

添加 sagemaker:CreateAutoMLJobV2sagemaker:DescribeAutoMLJobV2glue:SearchTables 权限。

 2023 年 3 月 24 日

AmazonSageMakerCanvasAI ServicesAccess -新政策

1

初始策略

 2023 年 3 月 23 日

AmazonSageMakerCanvasFullAccess -更新现有政策

2

添加 forecast:DeleteResourceTree 权限

 2022 年 12 月 6 日

AmazonSageMakerCanvasFullAccess -新政策

1

初始策略

 2022 年 9 月 8 日

AmazonSageMakerCanvasForecastAccess:新策略

1

初始策略

 2022 年 8 月 24 日