本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon 亚马逊 C SageMaker anvas 的托管政策
这些 Amazon 托管策略增加了使用 Amazon SageMaker Canvas 所需的权限。这些策略可在您的 Amazon 账户中使用,并由从 SageMaker控制台创建的执行角色使用。
主题
- Amazon 托管策略: AmazonSageMakerCanvasFullAccess
- Amazon 托管策略: AmazonSageMakerCanvasDataPrepFullAccess
- Amazon 托管策略: AmazonSageMakerCanvasDirectDeployAccess
- Amazon 托管策略: AmazonSageMakerCanvasAI ServicesAccess
- Amazon 托管策略: AmazonSageMakerCanvasBedrockAccess
- Amazon 托管策略: AmazonSageMakerCanvasForecastAccess
- 亚马逊 SageMaker 更新了亚马逊 SageMaker Canvas 托管政策
Amazon 托管策略: AmazonSageMakerCanvasFullAccess
此政策授予的权限允许通过 Amazon Web Services Management Console 和软件开发工具包对 Amazon SageMaker Canvas 进行完全访问。该政策还提供对相关服务的精选访问权限 [例如,亚马逊简单存储服务 (Amazon S3)、(IAM)、亚马逊虚拟私有云 (亚马逊 VPC) Amazon Identity and Access Management 、亚马逊弹性容器注册表 (Amazon ECR) Container Registry、亚马逊日志、亚马逊 Redshift、 CloudWatch Amazon Autop SageMaker ilo Amazon Secrets Manager t SageMaker 、模型注册表和亚马逊预测]。
本政策旨在帮助客户尝试并开始使用 SageMaker Canvas 的所有功能。为了实现更精细的控制,我们建议客户在转向生产工作负载时构建自己的范围缩小版本。有关更多信息,请参阅 IAM 策略类型:如何以及何时使用它们
权限详细信息
此 Amazon 托管策略包括以下权限。
-
sagemaker— 允许委托人在 ARN 包含 “画布”、“画布” 或 “ SageMaker模型编译-” 的资源上创建和托管模型。此外,用户可以在同一个 Amazon 账户中将他们的 SageMaker Canvas SageMaker 模型注册到 Model Registry。 -
ec2- 允许主体创建 Amazon VPC 端点。 -
ecr- 允许主体获取有关容器映像的信息。 -
glue- 允许主体检索目录中的表。 -
iam— 允许委托人将 IAM 角色传递给亚马逊 SageMaker和 Amazon Forecast。还允许委托人创建服务相关角色。 -
logs- 允许主体发布来自训练作业和端点的日志。 -
s3- 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称包含 “”、SageMaker “Sagemaker” 或 “sagemaker” 的对象。还允许主体从特定区域内的 ARN 以“jumpstart-cache-prod-”开头的 Amazon S3 存储桶中检索对象。 -
secretsmanager- 允许主体存储客户凭证,以便使用 Secrets Manager 连接到 Snowflake 数据库。 -
redshift- 允许主体获取任何 Amazon Redshift 集群上的“sagemaker_access*”dbuser 的凭证(如果该用户存在)。 -
redshift-data- 允许主体使用 Amazon Redshift 数据 API 在 Amazon Redshift 上运行查询。这仅提供对 Redshift 数据 API 本身的访问权限,并不直接提供对您的 Amazon Redshift 集群的访问权限。有关更多信息,请参阅使用 Amazon Redshift 数据 API。 -
forecast- 允许主体使用 Amazon Forecast。 -
application-autoscaling— 允许委托人自动缩放 SageMaker 推理端点。 -
rds- 允许主体返回有关预置 Amazon RDS 实例的信息。 -
cloudwatch— 允许委托人创建和管理 Amazon CloudWatch 警报。 -
athena— 允许委托人创建、读取和管理 Amazon Athena 查询、目录和执行。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerUserDetailsAndPackageOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribeDomain", "sagemaker:DescribeUserProfile", "sagemaker:ListTags", "sagemaker:ListModelPackages", "sagemaker:ListModelPackageGroups", "sagemaker:ListEndpoints" ], "Resource": "*" }, { "Sid": "SageMakerPackageGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelPackage" ], "Resource": [ "arn:aws:sagemaker:*:*:model-package/*", "arn:aws:sagemaker:*:*:model-package-group/*" ] }, { "Sid": "SageMakerTrainingOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateCompilationJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateModel", "sagemaker:CreateProcessingJob", "sagemaker:CreateAutoMLJob", "sagemaker:CreateAutoMLJobV2", "sagemaker:DeleteEndpoint", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeAutoMLJobV2", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:AddTags", "sagemaker:DeleteApp" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*", "arn:aws:sagemaker:*:*:*model-compilation-*" ] }, { "Sid": "SageMakerHostingOperations", "Effect": "Allow", "Action": [ "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteModel", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:InvokeEndpointAsync" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*" ] }, { "Sid": "EC2VPCOperation", "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices" ], "Resource": "*" }, { "Sid": "ECROperations", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "ReadSageMakerJumpstartArtifacts", "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*", "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*", "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*" ] }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": "glue:SearchTables", "Resource": [ "arn:aws:glue:*:*:table/*/*", "arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:catalog" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:PutResourcePolicy" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables", "redshift-data:DescribeTable" ], "Resource": "*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "ForecastOperations", "Effect": "Allow", "Action": [ "forecast:CreateExplainabilityExport", "forecast:CreateExplainability", "forecast:CreateForecastEndpoint", "forecast:CreateAutoPredictor", "forecast:CreateDatasetImportJob", "forecast:CreateDatasetGroup", "forecast:CreateDataset", "forecast:CreateForecast", "forecast:CreateForecastExportJob", "forecast:CreatePredictorBacktestExportJob", "forecast:CreatePredictor", "forecast:DescribeExplainabilityExport", "forecast:DescribeExplainability", "forecast:DescribeAutoPredictor", "forecast:DescribeForecastEndpoint", "forecast:DescribeDatasetImportJob", "forecast:DescribeDataset", "forecast:DescribeForecast", "forecast:DescribeForecastExportJob", "forecast:DescribePredictorBacktestExportJob", "forecast:GetAccuracyMetrics", "forecast:InvokeForecastEndpoint", "forecast:GetRecentForecastContext", "forecast:DescribePredictor", "forecast:TagResource", "forecast:DeleteResourceTree" ], "Resource": [ "arn:aws:forecast:*:*:*Canvas*" ] }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "IAMPassOperationForForecast", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "forecast.amazonaws.com" } } }, { "Sid": "AutoscalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ], "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*", "Condition": { "StringEquals": { "application-autoscaling:service-namespace": "sagemaker", "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount" } } }, { "Sid": "AsyncEndpointOperations", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "sagemaker:DescribeEndpointConfig" ], "Resource": "*" }, { "Sid": "SageMakerCloudWatchUpdate", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:TargetTracking*" ], "Condition": { "StringEquals": { "aws:CalledViaLast": "application-autoscaling.amazonaws.com" } } }, { "Sid": "AutoscalingSageMakerEndpointOperation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } } ] }
Amazon 托管策略: AmazonSageMakerCanvasDataPrepFullAccess
该政策授予的权限允许完全访问 Amazon SageMaker Canvas 的数据准备功能。该政策还为与数据准备功能集成的服务(例如,亚马逊简单存储服务 (Amazon S3)、(IAM)、亚马逊 EMR、 EventBridge亚马逊 Amazon Identity and Access Management 、Amazon Redshift、() 和] 提供了最低权限权限。 Amazon Key Management Service Amazon KMS Amazon Secrets Manager
权限详细信息
此 Amazon 托管策略包括以下权限。
-
sagemaker— 允许委托人访问处理作业、训练作业、推理管道、AutoML 作业和功能组。 -
athena— 允许委托人查询来自 Amazon Athena 的数据目录、数据库和表元数据的列表。 -
elasticmapreduce— 允许委托人读取和列出 Amazon EMR 集群。 -
events— 允许委托人为计划任务创建、读取、更新和向 Amazon EventBridge 规则添加目标。 -
glue— 允许委托人从 Amazon Glue 目录中的数据库中获取和搜索表。 -
iam— 允许委托人将 IAM 角色传递给 Amazon SageMaker 和。 EventBridge -
kms— 允许委托人检索存储在作业和终端节点中的 Amazon KMS 别名,并访问关联的 KMS 密钥。 -
logs- 允许主体发布来自训练作业和端点的日志。 -
redshift— 允许委托人获得访问亚马逊 Redshift 数据库的证书。 -
redshift-data— 允许委托人运行、取消、描述、列出和获取 Amazon Redshift 查询的结果。还允许委托人列出 Amazon Redshift 架构和表。 -
s3- 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称包含 “”、SageMaker “Sagemaker” 或 “sagemaker” 的对象;或者标有 “”、不区分大小写的对象。SageMaker -
secretsmanager— 允许委托人使用 Secrets Manager 存储和检索客户数据库凭证。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerListFeatureGroupOperation", "Effect": "Allow", "Action": "sagemaker:ListFeatureGroups", "Resource": "*" }, { "Sid": "SageMakerFeatureGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateFeatureGroup", "sagemaker:DescribeFeatureGroup" ], "Resource": "arn:aws:sagemaker:*:*:feature-group/*" }, { "Sid": "SageMakerProcessingJobOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateProcessingJob", "sagemaker:DescribeProcessingJob", "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*" }, { "Sid": "SageMakerProcessingJobListOperation", "Effect": "Allow", "Action": "sagemaker:ListProcessingJobs", "Resource": "*" }, { "Sid": "SageMakerPipelineOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribePipeline", "sagemaker:CreatePipeline", "sagemaker:UpdatePipeline", "sagemaker:DeletePipeline", "sagemaker:StartPipelineExecution", "sagemaker:ListPipelineExecutionSteps", "sagemaker:DescribePipelineExecution" ], "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*" }, { "Sid": "KMSListOperations", "Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*" }, { "Sid": "KMSOperations", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "IAMListOperations", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "sagemaker.amazonaws.com", "events.amazonaws.com" ] } } }, { "Sid": "EventBridgePutOperation", "Effect": "Allow", "Action": [ "events:PutRule" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeOperations", "Effect": "Allow", "Action": [ "events:DescribeRule", "events:PutTargets" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeTagBasedOperations", "Effect": "Allow", "Action": [ "events:TagResource" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true", "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeListTagOperation", "Effect": "Allow", "Action": "events:ListTagsForResource", "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:SearchTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "EMROperations", "Effect": "Allow", "Action": [ "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups" ], "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*" }, { "Sid": "EMRListOperation", "Effect": "Allow", "Action": "elasticmapreduce:ListClusters", "Resource": "*" }, { "Sid": "AthenaListDataCatalogOperation", "Effect": "Allow", "Action": "athena:ListDataCatalogs", "Resource": "*" }, { "Sid": "AthenaQueryExecutionOperations", "Effect": "Allow", "Action": [ "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": "arn:aws:athena:*:*:workgroup/*" }, { "Sid": "AthenaDataCatalogOperations", "Effect": "Allow", "Action": [ "athena:ListDatabases", "athena:ListTableMetadata" ], "Resource": "arn:aws:athena:*:*:datacatalog/*" }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult" ], "Resource": "*" }, { "Sid": "RedshiftArnBasedOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": "arn:aws:redshift:*:*:cluster:*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": "redshift:GetClusterCredentials", "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": "secretsmanager:CreateSecret", "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*", "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*" } ] }
Amazon 托管策略: AmazonSageMakerCanvasDirectDeployAccess
该政策授予 Amazon SageMaker Canvas 创建和管理亚马逊 SageMaker终端节点所需的权限。
权限详细信息
此 Amazon 托管策略包括以下权限。
-
sagemaker— 允许委托人使用以 “画布” 或 “画布” 开头的 ARN 资源名称创建和管理 SageMaker端点。 -
cloudwatch— 允许委托人检索 Amazon CloudWatch 指标数据。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerEndpointPerms", "Effect": "Allow", "Action": [ "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:DeleteEndpoint", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpoint" ], "Resource": [ "arn:aws:sagemaker:*:*:Canvas*", "arn:aws:sagemaker:*:*:canvas*" ] }, { "Sid": "ReadCWInvocationMetrics", "Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*" } ] }
Amazon 托管策略: AmazonSageMakerCanvasAI ServicesAccess
该政策授予亚马逊 SageMaker Canvas 使用亚马逊 Textract、Amazon Rekognition、Amazon Comprehend 和亚马逊 Bedrock 的权限。
权限详细信息
此 Amazon 托管策略包括以下权限。
-
textract- 允许主体使用 Amazon Textract 检测图像中的文档、费用和身份。 -
rekognition- 允许主体使用 Amazon Rekognition 检测图像中的标签和文本。 -
comprehend- 允许主体使用 Amazon Comprehend 检测文本文档中的情绪和主要语言,以及姓名和个人身份信息 (PII) 实体。 -
bedrock- 允许主体使用 Amazon Bedrock 列出和调用基础模型。 -
iam— 允许委托人将 IAM 角色传递给 Amazon Bedrock。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Textract", "Effect": "Allow", "Action": [ "textract:AnalyzeDocument", "textract:AnalyzeExpense", "textract:AnalyzeID", "textract:StartDocumentAnalysis", "textract:StartExpenseAnalysis", "textract:GetDocumentAnalysis", "textract:GetExpenseAnalysis" ], "Resource": "*" }, { "Sid": "Rekognition", "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectText" ], "Resource": "*" }, { "Sid": "Comprehend", "Effect": "Allow", "Action": [ "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectEntities", "comprehend:BatchDetectSentiment", "comprehend:DetectPiiEntities", "comprehend:DetectEntities", "comprehend:DetectSentiment", "comprehend:DetectDominantLanguage" ], "Resource": "*" }, { "Sid": "Bedrock", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:ListFoundationModels", "bedrock:InvokeModelWithResponseStream" ], "Resource": "*" }, { "Sid": "CreateBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob", "bedrock:CreateProvisionedModelThroughput", "bedrock:TagResource" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": [ "SageMaker", "Canvas" ] }, "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:RequestTag/Canvas": "true", "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "GetStopAndDeleteBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:GetModelCustomizationJob", "bedrock:GetCustomModel", "bedrock:GetProvisionedModelThroughput", "bedrock:StopModelCustomizationJob", "bedrock:DeleteProvisionedModelThroughput" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "FoundationModelPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:*::foundation-model/*" ] }, { "Sid": "BedrockFineTuningPassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } } ] }
Amazon 托管策略: AmazonSageMakerCanvasBedrockAccess
该政策授予将 Amazon C SageMaker anvas 与 Amazon Bedrock 配合使用通常所需的权限。
权限详细信息
此 Amazon 托管策略包括以下权限。
-
s3— 允许委托人从 “Sagemaker-*/Canvas” 目录中的 Amazon S3 存储桶中添加和检索对象。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "S3CanvasAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/Canvas/*" ] }, { "Sid": "S3BucketAccess", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] }
Amazon 托管策略: AmazonSageMakerCanvasForecastAccess
该政策授予将亚马逊 Canvas 与 Amazon For SageMaker ecast 配合使用通常所需的权限。
权限详细信息
此 Amazon 托管策略包括以下权限。
-
s3- 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称以“sagemaker-”开头的对象。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/canvas" ] } { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] }
亚马逊 SageMaker 更新了亚马逊 SageMaker Canvas 托管政策
查看自该服务开始跟踪这些更改以来对 SageMaker Canvas Amazon 托管策略的更新的详细信息。
| Policy | 版本 | 更改 | Date |
|---|---|---|---|
1 |
初始策略 |
2024 年 2 月 2 日 | |
|
AmazonSageMakerCanvasFullAccess – 对现有策略的更新 |
9 |
添加 |
2024 年 1 月 24 日 |
AmazonSageMakerCanvasFullAccess -更新现有政策 |
8 |
添加 |
2023 年 12 月 8 日 |
|
AmazonSageMakerCanvasDataPrepFullAccess – 对现有策略的更新 |
2 |
小更新,用于强制执行先前策略(版本 1)的意图;未添加或删除任何权限。 |
2023 年 12 月 7 日 |
|
AmazonSageMakerCanvasAI ServicesAccess – 对现有策略的更新 |
3 |
添加 |
2023 年 11 月 29 日 |
|
AmazonSageMakerCanvasDataPrepFullAccess -新政策 |
1 |
初始策略 |
2023 年 10 月 26 日 |
1 |
初始策略 |
2023 年 10 月 6 日 | |
AmazonSageMakerCanvasFullAccess -更新现有政策 |
7 |
添加 |
2023 年 9 月 29 日 |
|
AmazonSageMakerCanvasAI ServicesAccess -更新现有政策 |
2 |
添加 |
2023 年 9 月 29 日 |
AmazonSageMakerCanvasFullAccess -更新现有政策 |
6 |
添加 |
2023 年 8 月 29 日 |
AmazonSageMakerCanvasFullAccess -更新现有政策 |
5 |
添加 |
2023 年 7 月 24 日 |
AmazonSageMakerCanvasFullAccess -更新现有政策 |
4 |
添加 |
2023 年 5 月 4 日 |
AmazonSageMakerCanvasFullAccess -更新现有政策 |
3 |
添加 |
2023 年 3 月 24 日 |
|
AmazonSageMakerCanvasAI ServicesAccess -新政策 |
1 |
初始策略 |
2023 年 3 月 23 日 |
AmazonSageMakerCanvasFullAccess -更新现有政策 |
2 |
添加 |
2022 年 12 月 6 日 |
AmazonSageMakerCanvasFullAccess -新政策 |
1 |
初始策略 |
2022 年 9 月 8 日 |
1 |
初始策略 |
2022 年 8 月 24 日 |