Amazon managed policies for Amazon SageMaker Canvas - Amazon SageMaker
Amazon Web Services services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If this translation and the English original differ, the English original prevails.

Amazon managed policies for Amazon SageMaker Canvas

These Amazon managed policies add the permissions required to use Amazon SageMaker Canvas. The policies are available in your Amazon account and are used by the execution roles created from the SageMaker console.

Amazon managed policy: AmazonSageMakerCanvasFullAccess

This policy grants permissions that allow full access to Amazon SageMaker Canvas through the Amazon Web Services Management Console and the SDK. The policy also provides selected access to related services (for example, Amazon Simple Storage Service (Amazon S3), Amazon Identity and Access Management (IAM), Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Container Registry (Amazon ECR), Amazon CloudWatch Logs, Amazon Redshift, Amazon SageMaker Autopilot, Amazon Secrets Manager, SageMaker Model Registry, and Amazon Forecast).

This policy is intended to help customers try out and get started with all the features of SageMaker Canvas. For more granular control, we recommend that customers build their own scoped-down version of the policy as they move to production workloads. For more information, see IAM policy types: How and when to use them.

Permissions details

This Amazon managed policy includes the following permissions.

  • sagemaker – Allows principals to create and host models on resources whose ARN contains "Canvas", "canvas", or "model-compilation-". Users can also register their SageMaker Canvas models in the SageMaker Model Registry in the same Amazon account. Also allows principals to create and manage SageMaker training, transform, and AutoML jobs.

  • application-autoscaling – Allows principals to automatically scale SageMaker inference endpoints.

  • athena – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena, and to access tables in the catalog.

  • cloudwatch – Allows principals to create and manage Amazon CloudWatch alarms.

  • ec2 – Allows principals to create Amazon VPC endpoints.

  • ecr – Allows principals to get information about container images.

  • emr-serverless – Allows principals to create and manage Amazon EMR Serverless applications and job runs. Also allows principals to tag SageMaker Canvas resources.

  • forecast – Allows principals to use Amazon Forecast.

  • glue – Allows principals to retrieve tables, databases, and partitions from the Amazon Glue catalog.

  • iam – Allows principals to pass IAM roles to Amazon SageMaker, Amazon Forecast, and Amazon EMR Serverless. Also allows principals to create service-linked roles.

  • kms – Allows principals to read Amazon KMS keys tagged with Source:SageMakerCanvas.

  • logs – Allows principals to publish logs from training jobs and endpoints.

  • quicksight – Allows principals to list the Amazon QuickSight namespaces in the Amazon account.

  • rds – Allows principals to return information about provisioned Amazon RDS instances.

  • redshift – Allows principals to get credentials for the "sagemaker_access*" dbuser on any Amazon Redshift cluster, if that user exists.

  • redshift-data – Allows principals to run queries on Amazon Redshift using the Amazon Redshift Data API. This only provides access to the Redshift Data APIs themselves; it does not directly provide access to your Amazon Redshift clusters. For more information, see Using the Amazon Redshift Data API.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These are limited to objects whose name contains "SageMaker", "Sagemaker", or "sagemaker". Also allows principals to retrieve objects from Amazon S3 buckets in specific Regions whose name begins with "jumpstart-cache-prod-".

  • secretsmanager – Allows principals to store customer credentials for connecting to Snowflake databases using Secrets Manager.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SageMakerUserDetailsAndPackageOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeDomain", "sagemaker:DescribeUserProfile", "sagemaker:ListTags",
        "sagemaker:ListModelPackages", "sagemaker:ListModelPackageGroups", "sagemaker:ListEndpoints"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SageMakerPackageGroupOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelPackage",
        "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelPackage"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*"
      ]
    },
    {
      "Sid": "SageMakerTrainingOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateCompilationJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateModel", "sagemaker:CreateProcessingJob", "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateAutoMLJobV2", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob",
        "sagemaker:DeleteEndpoint", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeAutoMLJobV2", "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:StopAutoMLJob",
        "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:AddTags", "sagemaker:DeleteApp"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*",
        "arn:aws:sagemaker:*:*:*model-compilation-*"
      ]
    },
    {
      "Sid": "SageMakerHostingOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteModel", "sagemaker:InvokeEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:InvokeEndpointAsync"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*"
      ]
    },
    {
      "Sid": "EC2VPCOperation",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
        "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECROperations",
      "Effect": "Allow",
      "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken"],
      "Resource": "*"
    },
    {
      "Sid": "IAMGetOperations",
      "Effect": "Allow",
      "Action": ["iam:GetRole"],
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Sid": "IAMPassOperation",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}
      }
    },
    {
      "Sid": "LoggingOperation",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
    },
    {
      "Sid": "S3Operations",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
        "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "ReadSageMakerJumpstartArtifacts",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*"
      ]
    },
    {
      "Sid": "S3ListOperations",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Sid": "GlueOperations",
      "Effect": "Allow",
      "Action": "glue:SearchTables",
      "Resource": [
        "arn:aws:glue:*:*:table/*/*",
        "arn:aws:glue:*:*:database/*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid": "SecretsManagerARNBasedOperation",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret", "secretsmanager:PutResourcePolicy"
      ],
      "Resource": ["arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"]
    },
    {
      "Sid": "SecretManagerTagBasedOperation",
      "Effect": "Allow",
      "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"secretsmanager:ResourceTag/SageMaker": "true"}
      }
    },
    {
      "Sid": "RedshiftOperations",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables",
        "redshift-data:DescribeTable"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RedshiftGetCredentialsOperation",
      "Effect": "Allow",
      "Action": ["redshift:GetClusterCredentials"],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "ForecastOperations",
      "Effect": "Allow",
      "Action": [
        "forecast:CreateExplainabilityExport", "forecast:CreateExplainability", "forecast:CreateForecastEndpoint",
        "forecast:CreateAutoPredictor", "forecast:CreateDatasetImportJob", "forecast:CreateDatasetGroup",
        "forecast:CreateDataset", "forecast:CreateForecast", "forecast:CreateForecastExportJob",
        "forecast:CreatePredictorBacktestExportJob", "forecast:CreatePredictor", "forecast:DescribeExplainabilityExport",
        "forecast:DescribeExplainability", "forecast:DescribeAutoPredictor", "forecast:DescribeForecastEndpoint",
        "forecast:DescribeDatasetImportJob", "forecast:DescribeDataset", "forecast:DescribeForecast",
        "forecast:DescribeForecastExportJob", "forecast:DescribePredictorBacktestExportJob", "forecast:GetAccuracyMetrics",
        "forecast:InvokeForecastEndpoint", "forecast:GetRecentForecastContext", "forecast:DescribePredictor",
        "forecast:TagResource", "forecast:DeleteResourceTree"
      ],
      "Resource": ["arn:aws:forecast:*:*:*Canvas*"]
    },
    {
      "Sid": "RDSOperation",
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    },
    {
      "Sid": "IAMPassOperationForForecast",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {"iam:PassedToService": "forecast.amazonaws.com"}
      }
    },
    {
      "Sid": "AutoscalingOperations",
      "Effect": "Allow",
      "Action": ["application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget"],
      "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*",
      "Condition": {
        "StringEquals": {
          "application-autoscaling:service-namespace": "sagemaker",
          "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount"
        }
      }
    },
    {
      "Sid": "AsyncEndpointOperations",
      "Effect": "Allow",
      "Action": ["cloudwatch:DescribeAlarms", "sagemaker:DescribeEndpointConfig"],
      "Resource": "*"
    },
    {
      "Sid": "DescribeScalingOperations",
      "Effect": "Allow",
      "Action": ["application-autoscaling:DescribeScalingActivities"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "SageMakerCloudWatchUpdate",
      "Effect": "Allow",
      "Action": ["cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms"],
      "Resource": ["arn:aws:cloudwatch:*:*:alarm:TargetTracking*"],
      "Condition": {
        "StringEquals": {"aws:CalledViaLast": "application-autoscaling.amazonaws.com"}
      }
    },
    {
      "Sid": "AutoscalingSageMakerEndpointOperation",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {"iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"}
      }
    },
    {
      "Sid": "AthenaOperation",
      "Action": ["athena:ListTableMetadata", "athena:ListDataCatalogs", "athena:ListDatabases"],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "GlueOperation",
      "Action": ["glue:GetDatabases", "glue:GetPartitions", "glue:GetTables"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "QuicksightOperation",
      "Action": ["quicksight:ListNamespaces"],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "AllowUseOfKeyInAccount",
      "Effect": "Allow",
      "Action": ["kms:DescribeKey"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Source": "SageMakerCanvas",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessCreateApplicationOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:CreateApplication",
      "Resource": "arn:aws:emr-serverless:*:*:/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessListApplicationOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:ListApplications",
      "Resource": "arn:aws:emr-serverless:*:*:/*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "EMRServerlessApplicationOperations",
      "Effect": "Allow",
      "Action": [
        "emr-serverless:UpdateApplication", "emr-serverless:StopApplication",
        "emr-serverless:GetApplication", "emr-serverless:StartApplication"
      ],
      "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessStartJobRunOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:StartJobRun",
      "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessListJobRunOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:ListJobRuns",
      "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessJobRunOperations",
      "Effect": "Allow",
      "Action": ["emr-serverless:GetJobRun", "emr-serverless:CancelJobRun"],
      "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessTagResourceOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:TagResource",
      "Resource": "arn:aws:emr-serverless:*:*:/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "IAMPassOperationForEMRServerless",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
        "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "emr-serverless.amazonaws.com",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
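The guidance above recommends building a scoped-down version of AmazonSageMakerCanvasFullAccess before moving to production. The following Python script is an added editorial example, not part of the AWS documentation or of any AWS tool; it shows one way to start that work offline. It inventories the actions a policy grants per service, flags Allow statements that pair Resource "*" with no Condition, and rewrites the name-pattern S3 statement to specific buckets. The embedded policy is a constructed excerpt of seven statements copied from the AmazonSageMakerCanvasFullAccess document on this page; the bucket name canvas-data-111122223333 is a placeholder.

```python
import copy
import json

# Constructed excerpt: seven statements copied from the AmazonSageMakerCanvasFullAccess
# policy document on this page (the full policy has many more).
FULL_ACCESS_EXCERPT = json.loads(r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SageMakerUserDetailsAndPackageOperations", "Effect": "Allow",
     "Action": ["sagemaker:DescribeDomain", "sagemaker:DescribeUserProfile", "sagemaker:ListTags",
                "sagemaker:ListModelPackages", "sagemaker:ListModelPackageGroups", "sagemaker:ListEndpoints"],
     "Resource": "*"},
    {"Sid": "ECROperations", "Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken"],
     "Resource": "*"},
    {"Sid": "S3Operations", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*"]},
    {"Sid": "S3ListOperations", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"], "Resource": "*"},
    {"Sid": "RedshiftOperations", "Effect": "Allow",
     "Action": ["redshift-data:ExecuteStatement", "redshift-data:DescribeStatement",
                "redshift-data:CancelStatement", "redshift-data:GetStatementResult",
                "redshift-data:ListSchemas", "redshift-data:ListTables", "redshift-data:DescribeTable"],
     "Resource": "*"},
    {"Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
    {"Sid": "QuicksightOperation", "Action": ["quicksight:ListNamespaces"], "Effect": "Allow",
     "Resource": "*", "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}}
  ]
}''')


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def actions_by_service(policy):
    """Inventory: every granted action, grouped by its service prefix (the part before ':')."""
    grouped = {}
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            grouped.setdefault(action.split(":", 1)[0], set()).add(action)
    return {svc: sorted(acts) for svc, acts in sorted(grouped.items())}


def unconditioned_wildcard_statements(policy):
    """Sids of Allow statements that pair Resource "*" with no Condition at all.
    Nothing in such a statement limits where its actions apply, so they are the first
    candidates to narrow (some actions, e.g. s3:ListAllMyBuckets, only support "*")."""
    return [stmt["Sid"] for stmt in policy["Statement"]
            if stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt["Resource"])
            and "Condition" not in stmt]


def scope_s3_to_buckets(policy, bucket_names):
    """Return a copy of the policy in which every S3 statement scoped only by the
    '*sagemaker*' name patterns is rewritten to the named buckets and their objects.
    s3:CreateBucket is dropped from those statements: a scoped workload should read
    and write its known buckets, not create new ones. The input policy is left unchanged."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        resources = _as_list(stmt["Resource"])
        if not all(r.startswith("arn:aws:s3:::*") and "sagemaker" in r.lower() for r in resources):
            continue
        stmt["Resource"] = [arn for name in bucket_names
                            for arn in (f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*")]
        stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a != "s3:CreateBucket"]
    return scoped


if __name__ == "__main__":
    for service, actions in actions_by_service(FULL_ACCESS_EXCERPT).items():
        print(f"{service}: {len(actions)} actions")
    print("unconditioned Resource '*' statements:", unconditioned_wildcard_statements(FULL_ACCESS_EXCERPT))
    # Placeholder bucket name; substitute the Canvas bucket(s) actually used in your account.
    narrowed = scope_s3_to_buckets(FULL_ACCESS_EXCERPT, ["canvas-data-111122223333"])
    print(json.dumps(next(s for s in narrowed["Statement"] if s["Sid"] == "S3Operations"), indent=2))
```

Run it against the full policy document (json.load of the text above) to get the complete inventory. The wildcard-statement list is a starting point for review, not a verdict: a statement such as S3ListOperations keeps Resource "*" because s3:ListAllMyBuckets cannot be scoped to a resource, whereas statements over describe/list actions that do support resource ARNs can be narrowed.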

Amazon managed policy: AmazonSageMakerCanvasDataPrepFullAccess

This policy grants permissions that allow full access to the data preparation features of Amazon SageMaker Canvas. The policy also provides least-privilege permissions to the services integrated with the data preparation features (for example, Amazon Simple Storage Service (Amazon S3), Amazon Identity and Access Management (IAM), Amazon Redshift, Amazon EMR, Amazon EventBridge, Amazon Key Management Service (Amazon KMS), and Amazon Secrets Manager).

Permissions details

This Amazon managed policy includes the following permissions.

  • sagemaker – Allows principals to access processing jobs, training jobs, inference pipelines, AutoML jobs, and feature groups.

  • athena – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.

  • elasticmapreduce – Allows principals to read and list Amazon EMR clusters.

  • emr-serverless – Allows principals to create and manage Amazon EMR Serverless applications and job runs. Also allows principals to tag SageMaker Canvas resources.

  • events – Allows principals to create, read, update, and add targets to Amazon EventBridge rules for scheduled jobs.

  • glue – Allows principals to get and search tables from databases in the Amazon Glue catalog.

  • iam – Allows principals to pass IAM roles to Amazon SageMaker, Amazon EventBridge, and Amazon EMR Serverless. Also allows principals to create service-linked roles.

  • kms – Allows principals to retrieve the Amazon KMS aliases stored in jobs and endpoints, and to access the associated KMS keys.

  • logs – Allows principals to publish logs from training jobs and endpoints.

  • redshift – Allows principals to get credentials for accessing Amazon Redshift databases.

  • redshift-data – Allows principals to run, cancel, describe, list, and get the results of Amazon Redshift queries. Also allows principals to list Amazon Redshift schemas and tables.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These are limited to objects whose name contains "SageMaker", "Sagemaker", or "sagemaker", or objects tagged with "SageMaker" (case-insensitive).

  • secretsmanager – Allows principals to store and retrieve customer database credentials using Secrets Manager.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SageMakerListFeatureGroupOperation",
      "Effect": "Allow",
      "Action": "sagemaker:ListFeatureGroups",
      "Resource": "*"
    },
    {
      "Sid": "SageMakerFeatureGroupOperations",
      "Effect": "Allow",
      "Action": ["sagemaker:CreateFeatureGroup", "sagemaker:DescribeFeatureGroup"],
      "Resource": "arn:aws:sagemaker:*:*:feature-group/*"
    },
    {
      "Sid": "SageMakerProcessingJobOperations",
      "Effect": "Allow",
      "Action": ["sagemaker:CreateProcessingJob", "sagemaker:DescribeProcessingJob", "sagemaker:AddTags"],
      "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
    },
    {
      "Sid": "SageMakerProcessingJobListOperation",
      "Effect": "Allow",
      "Action": "sagemaker:ListProcessingJobs",
      "Resource": "*"
    },
    {
      "Sid": "SageMakerPipelineOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribePipeline", "sagemaker:CreatePipeline", "sagemaker:UpdatePipeline",
        "sagemaker:DeletePipeline", "sagemaker:StartPipelineExecution",
        "sagemaker:ListPipelineExecutionSteps", "sagemaker:DescribePipelineExecution"
      ],
      "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
    },
    {
      "Sid": "KMSListOperations",
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*"
    },
    {
      "Sid": "KMSOperations",
      "Effect": "Allow",
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:*:*:key/*"
    },
    {
      "Sid": "S3Operations",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
        "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "S3GetObjectOperation",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"},
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "S3ListOperations",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Sid": "IAMListOperations",
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "*"
    },
    {
      "Sid": "IAMGetOperations",
      "Effect": "Allow",
      "Action": "iam:GetRole",
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Sid": "IAMPassOperation",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["sagemaker.amazonaws.com", "events.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "EventBridgePutOperation",
      "Effect": "Allow",
      "Action": ["events:PutRule"],
      "Resource": "arn:aws:events:*:*:rule/*",
      "Condition": {
        "StringEquals": {"aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true"}
      }
    },
    {
      "Sid": "EventBridgeOperations",
      "Effect": "Allow",
      "Action": ["events:DescribeRule", "events:PutTargets"],
      "Resource": "arn:aws:events:*:*:rule/*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"}
      }
    },
    {
      "Sid": "EventBridgeTagBasedOperations",
      "Effect": "Allow",
      "Action": ["events:TagResource"],
      "Resource": "arn:aws:events:*:*:rule/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true",
          "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
        }
      }
    },
    {
      "Sid": "EventBridgeListTagOperation",
      "Effect": "Allow",
      "Action": "events:ListTagsForResource",
      "Resource": "*"
    },
    {
      "Sid": "GlueOperations",
      "Effect": "Allow",
      "Action": ["glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:SearchTables"],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "EMROperations",
      "Effect": "Allow",
      "Action": ["elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups"],
      "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*"
    },
    {
      "Sid": "EMRListOperation",
      "Effect": "Allow",
      "Action": "elasticmapreduce:ListClusters",
      "Resource": "*"
    },
    {
      "Sid": "AthenaListDataCatalogOperation",
      "Effect": "Allow",
      "Action": "athena:ListDataCatalogs",
      "Resource": "*"
    },
    {
      "Sid": "AthenaQueryExecutionOperations",
      "Effect": "Allow",
      "Action": [
        "athena:GetQueryExecution", "athena:GetQueryResults",
        "athena:StartQueryExecution", "athena:StopQueryExecution"
      ],
      "Resource": "arn:aws:athena:*:*:workgroup/*"
    },
    {
      "Sid": "AthenaDataCatalogOperations",
      "Effect": "Allow",
      "Action": ["athena:ListDatabases", "athena:ListTableMetadata"],
      "Resource": "arn:aws:athena:*:*:datacatalog/*"
    },
    {
      "Sid": "RedshiftOperations",
      "Effect": "Allow",
      "Action": ["redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult"],
      "Resource": "*"
    },
    {
      "Sid": "RedshiftArnBasedOperations",
      "Effect": "Allow",
      "Action": ["redshift-data:ExecuteStatement", "redshift-data:ListSchemas", "redshift-data:ListTables"],
      "Resource": "arn:aws:redshift:*:*:cluster:*"
    },
    {
      "Sid": "RedshiftGetCredentialsOperation",
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "SecretsManagerARNBasedOperation",
      "Effect": "Allow",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
    },
    {
      "Sid": "SecretManagerTagBasedOperation",
      "Effect": "Allow",
      "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
      "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SageMaker": "true",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "RDSOperation",
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    },
    {
      "Sid": "LoggingOperation",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
    },
    {
      "Sid": "EMRServerlessCreateApplicationOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:CreateApplication",
      "Resource": "arn:aws:emr-serverless:*:*:/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessListApplicationOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:ListApplications",
      "Resource": "arn:aws:emr-serverless:*:*:/*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "EMRServerlessApplicationOperations",
      "Effect": "Allow",
      "Action": ["emr-serverless:UpdateApplication", "emr-serverless:GetApplication"],
      "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessStartJobRunOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:StartJobRun",
      "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessListJobRunOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:ListJobRuns",
      "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessJobRunOperations",
      "Effect": "Allow",
      "Action": ["emr-serverless:GetJobRun", "emr-serverless:CancelJobRun"],
      "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "EMRServerlessTagResourceOperation",
      "Effect": "Allow",
      "Action": "emr-serverless:TagResource",
      "Resource": "arn:aws:emr-serverless:*:*:/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-resource": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "IAMPassOperationForEMRServerless",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
        "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "emr-serverless.amazonaws.com",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
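Several statements in AmazonSageMakerCanvasFullAccess and AmazonSageMakerCanvasDataPrepFullAccess rely on wildcard resource patterns and condition keys rather than fixed ARNs: S3Operations matches any bucket whose name contains "sagemaker" (in three capitalisations) in the caller's own account, S3GetObjectOperation opens any object in the account that carries a SageMaker=true tag (the value compare is case-insensitive), and IAMPassOperation limits iam:PassRole to the SageMaker service principal. The Python evaluator below is an added editorial example, not part of the AWS documentation and not the IAM policy simulator; it models just enough of IAM evaluation (wildcards, StringEquals, StringEqualsIgnoreCase, StringLike, ${aws:PrincipalAccount} substitution, explicit-deny precedence) to show which of those statements decides a request. The embedded policy is a constructed three-statement excerpt of the two policies on this page; the account ID, bucket names, and role name are placeholders. NotAction, NotResource, and other condition operators are not modelled.

```python
import json
import re

# Constructed excerpt: three statements copied from the AmazonSageMakerCanvasFullAccess
# (IAMPassOperation) and AmazonSageMakerCanvasDataPrepFullAccess (S3Operations,
# S3GetObjectOperation) policy documents on this page.
POLICY = json.loads(r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "S3Operations", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "S3GetObjectOperation", "Effect": "Allow",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*",
     "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"},
                   "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "IAMPassOperation", "Effect": "Allow",
     "Action": ["iam:PassRole"], "Resource": "arn:aws:iam::*:role/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}}
  ]
}''')

ACCOUNT = "111122223333"  # placeholder account ID


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _expand(expected, ctx):
    """Substitute policy variables such as ${aws:PrincipalAccount} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), expected)


def _condition_holds(condition, ctx):
    """All operator blocks and all keys within them must pass (logical AND); a key
    absent from the request context never satisfies these string operators."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            candidates = [_expand(e, ctx) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in candidates
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [c.lower() for c in candidates]
            elif operator == "StringLike":
                ok = any(_wild(c, actual) for c in candidates)
            else:
                raise ValueError(f"condition operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return ('Allow', sid) or ('Deny', sid_or_None). A matching explicit Deny wins
    over any Allow; with no matching statement the result is an implicit deny.
    Action names compare case-insensitively and ARNs case-sensitively, as in IAM."""
    allow_sid = None
    for stmt in policy["Statement"]:
        if not any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt.get("Sid")
        if allow_sid is None:
            allow_sid = stmt.get("Sid", "<no Sid>")
    return ("Allow", allow_sid) if allow_sid else ("Deny", None)


def sample_checks():
    """Requests a Canvas user in ACCOUNT might make; bucket and role names are placeholders."""
    own = {"aws:PrincipalAccount": ACCOUNT, "aws:ResourceAccount": ACCOUNT}
    role = f"arn:aws:iam::{ACCOUNT}:role/CanvasExecutionRole"
    return {
        # bucket name contains "sagemaker": the name-pattern statement matches
        "own_sagemaker_bucket": evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::team-sagemaker-data/train.csv", own),
        # no "sagemaker" in the name and no object tag: implicit deny
        "untagged_other_bucket": evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv", own),
        # the object tag opens any bucket in the account; the tag value compare ignores case
        "tagged_other_bucket": evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv",
                                        {**own, "s3:ExistingObjectTag/SageMaker": "TRUE"}),
        # name pattern matches but the bucket belongs to another account: condition fails
        "cross_account_bucket": evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::partner-sagemaker-share/x.csv",
                                         {**own, "aws:ResourceAccount": "999999999999"}),
        # iam:PassRole is allowed only towards the SageMaker service principal
        "passrole_to_sagemaker": evaluate(POLICY, "iam:PassRole", role,
                                          {**own, "iam:PassedToService": "sagemaker.amazonaws.com"}),
        "passrole_to_lambda": evaluate(POLICY, "iam:PassRole", role,
                                       {**own, "iam:PassedToService": "lambda.amazonaws.com"}),
    }


if __name__ == "__main__":
    for name, (effect, sid) in sample_checks().items():
        print(f"{name:24s} {effect:5s} {sid or '(implicit deny)'}")
```

The two S3 results worth noting for a reviewer are "tagged_other_bucket" and "cross_account_bucket": an object tag of SageMaker=true on any bucket in the account is enough to satisfy S3GetObjectOperation, so whoever can tag objects effectively extends the policy's read scope, while the aws:ResourceAccount condition stops the "*sagemaker*" name pattern from reaching buckets owned by other accounts.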

Amazon managed policy: AmazonSageMakerCanvasDirectDeployAccess

This policy grants Amazon SageMaker Canvas the permissions required to create and manage Amazon SageMaker endpoints.

Permissions details

This Amazon managed policy includes the following permissions.

  • sagemaker – Allows principals to create and manage SageMaker endpoints whose ARN resource name begins with "Canvas" or "canvas".

  • cloudwatch – Allows principals to retrieve Amazon CloudWatch metric data.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SageMakerEndpointPerms",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:DeleteEndpoint",
        "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig",
        "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpoint"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:Canvas*",
        "arn:aws:sagemaker:*:*:canvas*"
      ]
    },
    {
      "Sid": "ReadCWInvocationMetrics",
      "Effect": "Allow",
      "Action": "cloudwatch:GetMetricData",
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AmazonSageMakerCanvasAIServicesAccess

This policy grants Amazon SageMaker Canvas permissions to use Amazon Textract, Amazon Rekognition, Amazon Comprehend, and Amazon Bedrock.

Permissions details

This Amazon managed policy includes the following permissions.

  • textract – Allows principals to use Amazon Textract to detect documents, expenses, and identity documents in images.

  • rekognition – Allows principals to use Amazon Rekognition to detect labels and text in images.

  • comprehend – Allows principals to use Amazon Comprehend to detect sentiment and dominant language in text documents, as well as name and personally identifiable information (PII) entities.

  • bedrock – Allows principals to list and invoke foundation models using Amazon Bedrock.

  • iam – Allows principals to pass IAM roles to Amazon Bedrock.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Textract",
      "Effect": "Allow",
      "Action": [
        "textract:AnalyzeDocument", "textract:AnalyzeExpense", "textract:AnalyzeID",
        "textract:StartDocumentAnalysis", "textract:StartExpenseAnalysis",
        "textract:GetDocumentAnalysis", "textract:GetExpenseAnalysis"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Rekognition",
      "Effect": "Allow",
      "Action": ["rekognition:DetectLabels", "rekognition:DetectText"],
      "Resource": "*"
    },
    {
      "Sid": "Comprehend",
      "Effect": "Allow",
      "Action": [
        "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectEntities", "comprehend:BatchDetectSentiment",
        "comprehend:DetectPiiEntities", "comprehend:DetectEntities", "comprehend:DetectSentiment",
        "comprehend:DetectDominantLanguage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Bedrock",
      "Effect": "Allow",
      "Action": ["bedrock:InvokeModel", "bedrock:ListFoundationModels", "bedrock:InvokeModelWithResponseStream"],
      "Resource": "*"
    },
    {
      "Sid": "CreateBedrockResourcesPermission",
      "Effect": "Allow",
      "Action": ["bedrock:CreateModelCustomizationJob", "bedrock:CreateProvisionedModelThroughput", "bedrock:TagResource"],
      "Resource": [
        "arn:aws:bedrock:*:*:model-customization-job/*",
        "arn:aws:bedrock:*:*:custom-model/*",
        "arn:aws:bedrock:*:*:provisioned-model/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {"aws:TagKeys": ["SageMaker", "Canvas"]},
        "StringEquals": {
          "aws:RequestTag/SageMaker": "true",
          "aws:RequestTag/Canvas": "true",
          "aws:ResourceTag/SageMaker": "true",
          "aws:ResourceTag/Canvas": "true"
        }
      }
    },
    {
      "Sid": "GetStopAndDeleteBedrockResourcesPermission",
      "Effect": "Allow",
      "Action": [
        "bedrock:GetModelCustomizationJob", "bedrock:GetCustomModel", "bedrock:GetProvisionedModelThroughput",
        "bedrock:StopModelCustomizationJob", "bedrock:DeleteProvisionedModelThroughput"
      ],
      "Resource": [
        "arn:aws:bedrock:*:*:model-customization-job/*",
        "arn:aws:bedrock:*:*:custom-model/*",
        "arn:aws:bedrock:*:*:provisioned-model/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SageMaker": "true",
          "aws:ResourceTag/Canvas": "true"
        }
      }
    },
    {
      "Sid": "FoundationModelPermission",
      "Effect": "Allow",
      "Action": ["bedrock:CreateModelCustomizationJob"],
      "Resource": ["arn:aws:bedrock:*::foundation-model/*"]
    },
    {
      "Sid": "BedrockFineTuningPassRole",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::*:role/*"],
      "Condition": {
        "StringEquals": {"iam:PassedToService": "bedrock.amazonaws.com"}
      }
    }
  ]
}

Amazon managed policy: AmazonSageMakerCanvasBedrockAccess

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Bedrock.

Permissions details

This Amazon managed policy includes the following permissions.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets in the "Sagemaker-*/Canvas" directory.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3CanvasAccess",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/Canvas",
        "arn:aws:s3:::sagemaker-*/Canvas/*"
      ]
    },
    {
      "Sid": "S3BucketAccess",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::sagemaker-*"]
    }
  ]
}

Amazon managed policy: AmazonSageMakerCanvasForecastAccess

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Forecast.

Permissions details

This Amazon managed policy includes the following permissions.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These are limited to objects whose name begins with "sagemaker-".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/Canvas",
        "arn:aws:s3:::sagemaker-*/canvas"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::sagemaker-*"]
    }
  ]
}

Amazon managed policy: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy

This policy grants Amazon EMR Serverless permissions to access the Amazon services, such as Amazon S3, that Amazon SageMaker Canvas uses for processing large data.

Permissions details

This Amazon managed policy includes the following permissions.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These are limited to objects whose name contains "SageMaker" or "sagemaker", or objects tagged with "SageMaker" (case-insensitive).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Operations",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
        "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "S3GetObjectOperation",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"},
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "S3ListOperations",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    }
  ]
}

Amazon SageMaker updates to Amazon SageMaker Canvas managed policies

View details about updates to the SageMaker Canvas Amazon managed policies since this service began tracking these changes.

| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy | 4 | Added resources to the IAMPassOperationForEMRServerless permission. | August 16, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 11 | Added resources to the IAMPassOperationForEMRServerless permission. | August 15, 2024 |
| AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy – New policy | 1 | Initial policy | July 26, 2024 |
| AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy | 3 | Added emr-serverless:CreateApplication, emr-serverless:ListApplications, emr-serverless:UpdateApplication, emr-serverless:GetApplication, emr-serverless:StartJobRun, emr-serverless:ListJobRuns, emr-serverless:GetJobRun, emr-serverless:CancelJobRun, and emr-serverless:TagResource permissions. | July 18, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 10 | Added application-autoscaling:DescribeScalingActivities, iam:PassRole, kms:DescribeKey, and quicksight:ListNamespaces permissions. Added sagemaker:CreateTrainingJob, sagemaker:CreateTransformJob, sagemaker:DescribeTrainingJob, sagemaker:DescribeTransformJob, sagemaker:StopAutoMLJob, sagemaker:StopTrainingJob, and sagemaker:StopTransformJob permissions. Added athena:ListTableMetadata, athena:ListDataCatalogs, and athena:ListDatabases permissions. Added glue:GetDatabases, glue:GetPartitions, and glue:GetTables permissions. Added emr-serverless:CreateApplication, emr-serverless:ListApplications, emr-serverless:UpdateApplication, emr-serverless:StopApplication, emr-serverless:GetApplication, emr-serverless:StartApplication, emr-serverless:StartJobRun, emr-serverless:ListJobRuns, emr-serverless:GetJobRun, emr-serverless:CancelJobRun, and emr-serverless:TagResource permissions. | July 9, 2024 |
| AmazonSageMakerCanvasBedrockAccess – New policy | 1 | Initial policy | February 2, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 9 | Added sagemaker:ListEndpoints permission. | January 24, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 8 | Added sagemaker:UpdateEndpointWeightsAndCapacities, sagemaker:DescribeEndpointConfig, sagemaker:InvokeEndpointAsync, athena:ListDataCatalogs, athena:GetQueryExecution, athena:GetQueryResults, athena:StartQueryExecution, athena:StopQueryExecution, athena:ListDatabases, cloudwatch:DescribeAlarms, cloudwatch:PutMetricAlarm, cloudwatch:DeleteAlarms, and iam:CreateServiceLinkedRole permissions. | December 8, 2023 |
| AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy | 2 | Minor update to enforce the intent of the previous policy (version 1); no permissions added or removed. | December 7, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – Update to an existing policy | 3 | Added bedrock:InvokeModelWithResponseStream, bedrock:GetModelCustomizationJob, bedrock:StopModelCustomizationJob, bedrock:GetCustomModel, bedrock:GetProvisionedModelThroughput, bedrock:DeleteProvisionedModelThroughput, bedrock:TagResource, bedrock:CreateModelCustomizationJob, bedrock:CreateProvisionedModelThroughput, and iam:PassRole permissions. | November 29, 2023 |
| AmazonSageMakerCanvasDataPrepFullAccess – New policy | 1 | Initial policy | October 26, 2023 |
| AmazonSageMakerCanvasDirectDeployAccess – New policy | 1 | Initial policy | October 6, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 7 | Added sagemaker:DeleteEndpointConfig, sagemaker:DeleteModel, and sagemaker:InvokeEndpoint permissions. Also added s3:GetObject permission for JumpStart resources in specific Regions. | September 29, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – Update to an existing policy | 2 | Added bedrock:InvokeModel and bedrock:ListFoundationModels permissions. | September 29, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 6 | Added rds:DescribeDBInstances permission. | August 29, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 5 | Added application-autoscaling:PutScalingPolicy and application-autoscaling:RegisterScalableTarget permissions. | July 24, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 4 | Added sagemaker:CreateModelPackage, sagemaker:CreateModelPackageGroup, sagemaker:DescribeModelPackage, sagemaker:DescribeModelPackageGroup, sagemaker:ListModelPackages, and sagemaker:ListModelPackageGroups permissions. | May 4, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 3 | Added sagemaker:CreateAutoMLJobV2, sagemaker:DescribeAutoMLJobV2, and glue:SearchTables permissions. | March 24, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – New policy | 1 | Initial policy | March 23, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 2 | Added forecast:DeleteResourceTree permission. | December 6, 2022 |
| AmazonSageMakerCanvasFullAccess – New policy | 1 | Initial policy | September 8, 2022 |
| AmazonSageMakerCanvasForecastAccess – New policy | 1 | Initial policy | August 24, 2022 |