本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。 # Amazon 亚马逊 C SageMaker anvas 的托管政策 SageMaker 帆布 这些 Amazon 托管策略增加了使用 Amazon SageMaker Canvas 所需的权限。这些策略可在您的 Amazon 账户中使用,并由从 SageMaker AI 控制台创建的执行角色使用。 **Topics** + [ ## Amazon 托管策略: AmazonSageMakerCanvasFullAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess) + [ ## Amazon 托管策略: AmazonSageMakerCanvasDataPrepFullAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess) + [ ## Amazon 托管策略: AmazonSageMakerCanvasDirectDeployAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess) + [ ## Amazon 托管策略: AmazonSageMakerCanvasAIServices访问权限 ](#security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess) + [ ## Amazon 托管策略: AmazonSageMakerCanvasBedrockAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess) + [ ## Amazon 托管策略: AmazonSageMakerCanvasForecastAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) + [ ## Amazon 托管策略: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy) + [ ## Amazon 托管策略: AmazonSageMakerCanvasSMDataScienceAssistantAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) + [ ## 亚马逊 SageMaker AI 更新了亚马逊 SageMaker Canvas 托管政策 ](#security-iam-awsmanpol-canvas-updates) ## Amazon 托管策略: AmazonSageMakerCanvasFullAccess AmazonSageMakerCanvasFullAccess 此政策授予的权限允许通过 Amazon Web Services 管理控制台 和软件开发工具包对 Amazon SageMaker Canvas 进行完全访问。该政策还提供对相关服务的精选访问权限 [例如,亚马逊简单存储服务 (Amazon S3)、(IAM)、亚马逊虚拟私有云 (亚马逊 VPC) Amazon Identity and Access Management 、亚马逊弹性容器注册表 (Amazon ECR) Container Registry、亚马逊日志、亚马逊 Redshift、 CloudWatch Amazon Autop SageMaker ilo Amazon Secrets Manager t SageMaker 、模型注册表和亚马逊预测]。 本政策旨在帮助客户尝试并开始使用 SageMaker Canvas 的所有功能。为了实现更精细的控制,我们建议客户在转向生产工作负载时构建自己的范围缩小版本。有关更多信息,请参阅 [IAM 策略类型:如何以及何时使用它们](https://www.amazonaws.cn/blogs/security/iam-policy-types-how-and-when-to-use-them/)。 **权限详细信息** 此 Amazon 托管策略包括以下权限。 + `sagemaker`— 允许委托人在 ARN 包含 “画布”、“画布” 或 “模型编译-” 的资源上创建和托管 A SageMaker I 模型。此外,用户可以在同一个 Amazon 账户中将他们的 SageMaker Canvas 模型注册到 SageMaker AI 模型注册中心。还允许校长创建和管理 SageMaker 训练、转换和 AutoML 作业。 + `application-autoscaling`— 允许委托人自动扩展 A SageMaker I 推理端点。 + `athena`:允许主体从 Amazon Athena 查询数据目录、数据库和表元数据列表,并访问目录中的表。 + `cloudwatch`— 允许委托人创建和管理 Amazon CloudWatch 警报。 + `ec2` - 允许主体创建 Amazon VPC 端点。 + `ecr` - 允许主体获取有关容器映像的信息。 + `emr-serverless`:允许主体创建和管理 Amazon EMR Serverless 应用程序和作业运行。还允许委托人标记 SageMaker Canvas 资源。 + `forecast` - 允许主体使用 Amazon Forecast。 + `glue`— 允许委托人检索 Amazon Glue 目录中的表、数据库和分区。 + `iam`— 允许委托人将 IAM 角色传递给 Amazon A SageMaker I、Amazon Forecast 和 Amazon EMR Serverless。还允许主体创建与服务相关联的角色。 + `kms`— 允许委托人读取标有标签的 Amazon KMS `Source:SageMakerCanvas`密钥。 + `logs` - 允许主体发布来自训练作业和端点的日志。 + `quicksight`— 允许委托人列出 Quick 账户中的命名空间。 + `rds` - 允许主体返回有关预置 Amazon RDS 实例的信息。 + `redshift` - 允许主体获取任何 Amazon Redshift 集群上的“sagemaker\$1access\$1”dbuser 的凭证(如果该用户存在)。 + `redshift-data` - 允许主体使用 Amazon Redshift Data API 在 Amazon Redshift 上运行查询。这仅提供对 Redshift 数据 APIs 本身的访问权限,并不直接提供对您的 Amazon Redshift 集群的访问权限。有关更多信息,请参阅[使用 Amazon Redshift Data API](https://docs.amazonaws.cn/redshift/latest/mgmt/data-api.html)。 + `s3` - 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称包含 “”、SageMaker “Sagemaker” 或 “sagemaker” 的对象。还允许委托人从特定区域的 ARN 以 “jumpstart-cache-prod-” 开头的 Amazon S3 存储桶中检索对象。 + `secretsmanager` - 允许主体存储客户凭证,以便使用 Secrets Manager 连接到 Snowflake 数据库。 **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "SageMakerUserDetailsAndPackageOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribeDomain", "sagemaker:DescribeUserProfile", "sagemaker:ListTags", "sagemaker:ListModelPackages", "sagemaker:ListModelPackageGroups", "sagemaker:ListEndpoints" ], "Resource": "*" }, { "Sid": "SageMakerPackageGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelPackage" ], "Resource": [ "arn:aws:sagemaker:*:*:model-package/*", "arn:aws:sagemaker:*:*:model-package-group/*" ] }, { "Sid": "SageMakerTrainingOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateCompilationJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateModel", "sagemaker:CreateProcessingJob", "sagemaker:CreateAutoMLJob", "sagemaker:CreateAutoMLJobV2", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob", "sagemaker:DeleteEndpoint", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeAutoMLJobV2", "sagemaker:DescribeTrainingJob", "sagemaker:DescribeTransformJob", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:StopAutoMLJob", "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:AddTags", "sagemaker:DeleteApp" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*", "arn:aws:sagemaker:*:*:*model-compilation-*" ] }, { "Sid": "SageMakerHostingOperations", "Effect": "Allow", "Action": [ "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteModel", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:InvokeEndpointAsync" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*" ] }, { "Sid": "EC2VPCOperation", "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices" ], "Resource": "*" }, { "Sid": "ECROperations", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "ReadSageMakerJumpstartArtifacts", "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*", "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*", "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*" ] }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": "glue:SearchTables", "Resource": [ "arn:aws:glue:*:*:table/*/*", "arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:catalog" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:PutResourcePolicy" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables", "redshift-data:DescribeTable" ], "Resource": "*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "ForecastOperations", "Effect": "Allow", "Action": [ "forecast:CreateExplainabilityExport", "forecast:CreateExplainability", "forecast:CreateForecastEndpoint", "forecast:CreateAutoPredictor", "forecast:CreateDatasetImportJob", "forecast:CreateDatasetGroup", "forecast:CreateDataset", "forecast:CreateForecast", "forecast:CreateForecastExportJob", "forecast:CreatePredictorBacktestExportJob", "forecast:CreatePredictor", "forecast:DescribeExplainabilityExport", "forecast:DescribeExplainability", "forecast:DescribeAutoPredictor", "forecast:DescribeForecastEndpoint", "forecast:DescribeDatasetImportJob", "forecast:DescribeDataset", "forecast:DescribeForecast", "forecast:DescribeForecastExportJob", "forecast:DescribePredictorBacktestExportJob", "forecast:GetAccuracyMetrics", "forecast:InvokeForecastEndpoint", "forecast:GetRecentForecastContext", "forecast:DescribePredictor", "forecast:TagResource", "forecast:DeleteResourceTree" ], "Resource": [ "arn:aws:forecast:*:*:*Canvas*" ] }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "IAMPassOperationForForecast", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "forecast.amazonaws.com" } } }, { "Sid": "AutoscalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ], "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*", "Condition": { "StringEquals": { "application-autoscaling:service-namespace": "sagemaker", "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount" } } }, { "Sid": "AsyncEndpointOperations", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "sagemaker:DescribeEndpointConfig" ], "Resource": "*" }, { "Sid": "DescribeScalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalingActivities" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "SageMakerCloudWatchUpdate", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:TargetTracking*" ], "Condition": { "StringEquals": { "aws:CalledViaLast": "application-autoscaling.amazonaws.com" } } }, { "Sid": "AutoscalingSageMakerEndpointOperation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } }, { "Sid": "AthenaOperation", "Action": [ "athena:ListTableMetadata", "athena:ListDataCatalogs", "athena:ListDatabases" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "GlueOperation", "Action": [ "glue:GetDatabases", "glue:GetPartitions", "glue:GetTables" ], "Effect": "Allow", "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "QuicksightOperation", "Action": [ "quicksight:ListNamespaces" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowUseOfKeyInAccount", "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Source": "SageMakerCanvas", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessCreateApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:CreateApplication", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:ListApplications", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessApplicationOperations", "Effect": "Allow", "Action": [ "emr-serverless:UpdateApplication", "emr-serverless:StopApplication", "emr-serverless:GetApplication", "emr-serverless:StartApplication" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessStartJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:StartJobRun", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:ListJobRuns", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessJobRunOperations", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessTagResourceOperation", "Effect": "Allow", "Action": "emr-serverless:TagResource", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "IAMPassOperationForEMRServerless", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ## Amazon 托管策略: AmazonSageMakerCanvasDataPrepFullAccess AmazonSageMakerCanvasDataPrepFullAccess 该政策授予的权限允许完全访问 Amazon SageMaker Canvas 的数据准备功能。该政策还为与数据准备功能集成的服务(例如,亚马逊简单存储服务 (Amazon S3)、(IAM)、亚马逊 EMR、 EventBridge亚马逊 Amazon Identity and Access Management 、Amazon Redshift、() 和] 提供了最低权限权限。 Amazon Key Management Service Amazon KMS Amazon Secrets Manager **权限详细信息** 此 Amazon 托管策略包括以下权限。 + `sagemaker`:允许主体访问处理作业、训练作业、推理管道、AutoML 作业和特征组。 + `athena`:允许主体从 Amazon Athena 查询数据目录、数据库和表元数据列表。 + `elasticmapreduce`:允许主体读取和列出 Amazon EMR 集群。 + `emr-serverless`:允许主体创建和管理 Amazon EMR Serverless 应用程序和作业运行。还允许委托人标记 SageMaker Canvas 资源。 + `events`— 允许委托人为计划任务创建、读取、更新和向 Amazon EventBridge 规则添加目标。 + `glue`— 允许委托人从 Amazon Glue 目录中的数据库中获取和搜索表。 + `iam`— 允许委托人将 IAM 角色传递给 Amazon A SageMaker I 和 Amazon EMR Serverless。 EventBridge还允许主体创建与服务相关联的角色。 + `kms`— 允许委托人检索存储在作业和终端节点中的 Amazon KMS 别名,并访问关联的 KMS 密钥。 + `logs` - 允许主体发布来自训练作业和端点的日志。 + `redshift`:允许主体获取访问 Amazon Redshift 数据库的凭证。 + `redshift-data`:允许主体运行、取消、描述、列出并获取 Amazon Redshift 查询的结果。还允许主体列出 Amazon Redshift 模式和表。 + `s3` - 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称包含 “”、SageMaker “Sagemaker” 或 “sagemaker” 的对象;或者标有 “”,不区分大小写的对象。SageMaker + `secretsmanager`:允许主体使用保密管理器存储和检索客户数据库凭证。 **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "SageMakerListFeatureGroupOperation", "Effect": "Allow", "Action": "sagemaker:ListFeatureGroups", "Resource": "*" }, { "Sid": "SageMakerFeatureGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateFeatureGroup", "sagemaker:DescribeFeatureGroup" ], "Resource": "arn:aws:sagemaker:*:*:feature-group/*" }, { "Sid": "SageMakerProcessingJobOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateProcessingJob", "sagemaker:DescribeProcessingJob", "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*" }, { "Sid": "SageMakerProcessingJobListOperation", "Effect": "Allow", "Action": "sagemaker:ListProcessingJobs", "Resource": "*" }, { "Sid": "SageMakerPipelineOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribePipeline", "sagemaker:CreatePipeline", "sagemaker:UpdatePipeline", "sagemaker:DeletePipeline", "sagemaker:StartPipelineExecution", "sagemaker:ListPipelineExecutionSteps", "sagemaker:DescribePipelineExecution" ], "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*" }, { "Sid": "KMSListOperations", "Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*" }, { "Sid": "KMSOperations", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "IAMListOperations", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "sagemaker.amazonaws.com", "events.amazonaws.com" ] } } }, { "Sid": "EventBridgePutOperation", "Effect": "Allow", "Action": [ "events:PutRule" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeOperations", "Effect": "Allow", "Action": [ "events:DescribeRule", "events:PutTargets" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeTagBasedOperations", "Effect": "Allow", "Action": [ "events:TagResource" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true", "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeListTagOperation", "Effect": "Allow", "Action": "events:ListTagsForResource", "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:SearchTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "EMROperations", "Effect": "Allow", "Action": [ "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups" ], "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*" }, { "Sid": "EMRListOperation", "Effect": "Allow", "Action": "elasticmapreduce:ListClusters", "Resource": "*" }, { "Sid": "AthenaListDataCatalogOperation", "Effect": "Allow", "Action": "athena:ListDataCatalogs", "Resource": "*" }, { "Sid": "AthenaQueryExecutionOperations", "Effect": "Allow", "Action": [ "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": "arn:aws:athena:*:*:workgroup/*" }, { "Sid": "AthenaDataCatalogOperations", "Effect": "Allow", "Action": [ "athena:ListDatabases", "athena:ListTableMetadata" ], "Resource": "arn:aws:athena:*:*:datacatalog/*" }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult" ], "Resource": "*" }, { "Sid": "RedshiftArnBasedOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": "arn:aws:redshift:*:*:cluster:*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": "redshift:GetClusterCredentials", "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": "secretsmanager:CreateSecret", "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*", "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*" }, { "Sid": "EMRServerlessCreateApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:CreateApplication", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:ListApplications", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessApplicationOperations", "Effect": "Allow", "Action": [ "emr-serverless:UpdateApplication", "emr-serverless:GetApplication" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessStartJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:StartJobRun", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:ListJobRuns", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessJobRunOperations", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessTagResourceOperation", "Effect": "Allow", "Action": "emr-serverless:TagResource", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "IAMPassOperationForEMRServerless", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ## Amazon 托管策略: AmazonSageMakerCanvasDirectDeployAccess AmazonSageMakerCanvasDirectDeployAccess 该政策授予 Amazon SageMaker Canvas 创建和管理亚马逊 A SageMaker I 终端节点所需的权限。 **权限详细信息** 此 Amazon 托管策略包括以下权限。 + `sagemaker`— 允许委托人使用以 “Canv SageMaker as” 或 “画布” 开头的 ARN 资源名称创建和管理 AI 端点。 + `cloudwatch`— 允许委托人检索 Amazon CloudWatch 指标数据。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "SageMakerEndpointPerms", "Effect": "Allow", "Action": [ "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:DeleteEndpoint", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpoint" ], "Resource": [ "arn:aws:sagemaker:*:*:Canvas*", "arn:aws:sagemaker:*:*:canvas*" ] }, { "Sid": "ReadCWInvocationMetrics", "Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*" } ] } ``` ------ ## Amazon 托管策略: AmazonSageMakerCanvasAIServices访问权限 AmazonSageMakerCanvasAIServices访问权限 该政策授予亚马逊 SageMaker Canvas 使用亚马逊 Textract、Amazon Rekognition、Amazon Comprehend 和亚马逊 Bedrock 的权限。 **权限详细信息** 此 Amazon 托管策略包括以下权限。 + `textract` - 允许主体使用 Amazon Textract 检测图像中的文档、费用和身份。 + `rekognition` - 允许主体使用 Amazon Rekognition 检测图像中的标签和文本。 + `comprehend` - 允许主体使用 Amazon Comprehend 检测文本文档中的情绪和主要语言,以及姓名和个人身份信息 (PII) 实体。 + `bedrock` - 允许主体使用 Amazon Bedrock 列出和调用基础模型。 + `iam`:允许主体将 IAM 角色传递给 Amazon Bedrock。 **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "Textract", "Effect": "Allow", "Action": [ "textract:AnalyzeDocument", "textract:AnalyzeExpense", "textract:AnalyzeID", "textract:StartDocumentAnalysis", "textract:StartExpenseAnalysis", "textract:GetDocumentAnalysis", "textract:GetExpenseAnalysis" ], "Resource": "*" }, { "Sid": "Rekognition", "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectText" ], "Resource": "*" }, { "Sid": "Comprehend", "Effect": "Allow", "Action": [ "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectEntities", "comprehend:BatchDetectSentiment", "comprehend:DetectPiiEntities", "comprehend:DetectEntities", "comprehend:DetectSentiment", "comprehend:DetectDominantLanguage" ], "Resource": "*" }, { "Sid": "Bedrock", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:ListFoundationModels", "bedrock:InvokeModelWithResponseStream" ], "Resource": "*" }, { "Sid": "CreateBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob", "bedrock:CreateProvisionedModelThroughput", "bedrock:TagResource" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": [ "SageMaker", "Canvas" ] }, "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:RequestTag/Canvas": "true", "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "GetStopAndDeleteBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:GetModelCustomizationJob", "bedrock:GetCustomModel", "bedrock:GetProvisionedModelThroughput", "bedrock:StopModelCustomizationJob", "bedrock:DeleteProvisionedModelThroughput" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "FoundationModelPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:*::foundation-model/*" ] }, { "Sid": "BedrockFineTuningPassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } } ] } ``` ## Amazon 托管策略: AmazonSageMakerCanvasBedrockAccess AmazonSageMakerCanvasBedrockAccess 该政策授予将 Amazon C SageMaker anvas 与 Amazon Bedrock 配合使用通常所需的权限。 **权限详细信息** 此 Amazon 托管策略包括以下权限。 + `s3`:允许主体从“sagemaker-\$1/Canvas”目录下的 Amazon S3 存储桶中添加和获取对象。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "S3CanvasAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/Canvas/*" ] }, { "Sid": "S3BucketAccess", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] } ``` ------ ## Amazon 托管策略: AmazonSageMakerCanvasForecastAccess AmazonSageMakerCanvasForecastAccess 该政策授予将亚马逊 Canvas 与 Amazon For SageMaker ecast 配合使用通常所需的权限。 **权限详细信息** 此 Amazon 托管策略包括以下权限。 + `s3` - 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称以“sagemaker-”开头的对象。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/canvas" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] } ``` ------ ## Amazon 托管策略: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy 该政策向亚马逊 EMR Serverless 授予权限,允许其使用诸如 Amazon S3 之类的 Amazon 服务,这些服务由 Amazon SageMaker Canvas 用于处理大型数据。 **权限详细信息** 此 Amazon 托管策略包括以下权限。 + `s3` - 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于名称包含 “” SageMaker 或 “sagemaker” 的对象;或者标有 SageMaker “”,不区分大小写的对象。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ------ ## Amazon 托管策略: AmazonSageMakerCanvasSMDataScienceAssistantAccess AmazonSageMakerCanvasSMDataScienceAssistantAccess 此政策授予 Amazon SageMaker Canvas 中的用户开始与 Amazon Q 开发者对话的权限。此功能需要 Amazon Q Developer 和 SageMaker AI 数据科学助手服务的权限。 **权限详细信息** 此 Amazon 托管策略包括以下权限。 + `q` – 允许主体向 Amazon Q 开发者版发送提示。 + `sagemaker-data-science-assistant`— 允许校长向 SageMaker Canvas 数据科学助手服务发送提示。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "SageMakerDataScienceAssistantAccess", "Effect": "Allow", "Action": [ "sagemaker-data-science-assistant:SendConversation" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AmazonQDeveloperAccess", "Effect": "Allow", "Action": [ "q:SendMessage", "q:StartConversation" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ------ ## 亚马逊 SageMaker AI 更新了亚马逊 SageMaker Canvas 托管政策 SageMaker 画布政策更新 查看自该服务开始跟踪这些更改以来对 SageMaker Canvas Amazon 托管策略的更新的详细信息。 | Policy | 版本 | 更改 | 日期 | | --- | --- | --- | --- | | [AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) – 对现有策略的更新 | 2 | 添加 `q:StartConversation` 权限 | 2025 年 1 月 14 日 | | [AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess):新策略 | 1 | 初始策略 | 2024 年 12 月 4 日 | | [AmazonSageMakerCanvasDataPrepFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess) – 对现有策略的更新 | 4 | 为 `IAMPassOperationForEMRServerless` 权限添加资源。 | 2024 年 8 月 16 日 | | [AmazonSageMakerCanvasFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess) – 对现有策略的更新 | 11 | 为 `IAMPassOperationForEMRServerless` 权限添加资源。 | 2024 年 8 月 15 日 | | [AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy](#security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy):新策略 | 1 | 初始策略 | 2024 年 7 月 26 日 | | AmazonSageMakerCanvasDataPrepFullAccess – 对现有策略的更新 | 3 | 添加 `emr-serverless:CreateApplication`、`emr-serverless:ListApplications`、`emr-serverless:UpdateApplication`、`emr-serverless:GetApplication`、`emr-serverless:StartJobRun`、`emr-serverless:ListJobRuns`、`emr-serverless:GetJobRun`、`emr-serverless:CancelJobRun` 和 `emr-serverless:TagResource` 权限。 | 2024 年 7 月 18 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 10 | 添加 `application-autoscaling:DescribeScalingActivities` `iam:PassRole`、`kms:DescribeKey` 和 `quicksight:ListNamespaces` 权限。 添加 `sagemaker:CreateTrainingJob`、`sagemaker:CreateTransformJob`、`sagemaker:DescribeTrainingJob`、`sagemaker:DescribeTransformJob`、`sagemaker:StopAutoMLJob`、`sagemaker:StopTrainingJob` 和 `sagemaker:StopTransformJob` 权限。 添加 `athena:ListTableMetadata`、`athena:ListDataCatalogs` 和 `athena:ListDatabases` 权限。 添加 `glue:GetDatabases`、`glue:GetPartitions` 和 `glue:GetTables` 权限。 添加 `emr-serverless:CreateApplication`、`emr-serverless:ListApplications`、`emr-serverless:UpdateApplication`、`emr-serverless:StopApplication`、`emr-serverless:GetApplication`、`emr-serverless:StartApplication`、`emr-serverless:StartJobRun`、`emr-serverless:ListJobRuns`、`emr-serverless:GetJobRun`、`emr-serverless:CancelJobRun` 和 `emr-serverless:TagResource` 权限。 | 2024 年 7 月 9 日 | | [AmazonSageMakerCanvasBedrockAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess):新策略 | 1 | 初始策略 | 2024 年 2 月 2 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 9 | 添加 `sagemaker:ListEndpoints` 权限 | 2024 年 1 月 24 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 8 | 添加 `sagemaker:UpdateEndpointWeightsAndCapacities`、`sagemaker:DescribeEndpointConfig`、`sagemaker:InvokeEndpointAsync`、`athena:ListDataCatalogs`、`athena:GetQueryExecution`、`athena:GetQueryResults`、`athena:StartQueryExecution`、`athena:StopQueryExecution`、`athena:ListDatabases`、`cloudwatch:DescribeAlarms`、`cloudwatch:PutMetricAlarm`、`cloudwatch:DeleteAlarms` 和 `iam:CreateServiceLinkedRole` 权限。 | 2023 年 12 月 8 日 | | AmazonSageMakerCanvasDataPrepFullAccess – 对现有策略的更新 | 2 | 小幅更新,以执行先前策略第 1 版的意图;未添加或删除任何权限。 | 2023 年 12 月 7 日 | | [AmazonSageMakerCanvasAIServices访问权限](#security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess) – 对现有策略的更新 | 3 | 添加 `bedrock:InvokeModelWithResponseStream`、`bedrock:GetModelCustomizationJob`、`bedrock:StopModelCustomizationJob`、`bedrock:GetCustomModel`、`bedrock:GetProvisionedModelThroughput`、`bedrock:DeleteProvisionedModelThroughput`、`bedrock:TagResource`、`bedrock:CreateModelCustomizationJob`、`bedrock:CreateProvisionedModelThroughput` 和 `iam:PassRole` 权限。 | 2023 年 11 月 29 日 | | AmazonSageMakerCanvasDataPrepFullAccess -新政策 | 1 | 初始策略 | 2023 年 10 月 26 日 | | [AmazonSageMakerCanvasDirectDeployAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess):新策略 | 1 | 初始策略 | 2023 年 10 月 6 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 7 | 添加 `sagemaker:DeleteEndpointConfig`、`sagemaker:DeleteModel` 和 `sagemaker:InvokeEndpoint` 权限。还要为特定区域的 JumpStart资源添加`s3:GetObject`权限。 | 2023 年 9 月 29 日 | | AmazonSageMakerCanvasAIServices访问权限-更新现有策略 | 2 | 添加 `bedrock:InvokeModel` 和 `bedrock:ListFoundationModels` 权限。 | 2023 年 9 月 29 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 6 | 添加 `rds:DescribeDBInstances` 权限 | 2023 年 8 月 29 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 5 | 添加 `application-autoscaling:PutScalingPolicy` 和 `application-autoscaling:RegisterScalableTarget` 权限。 | 2023 年 7 月 24 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 4 | 添加 `sagemaker:CreateModelPackage`、`sagemaker:CreateModelPackageGroup`、`sagemaker:DescribeModelPackage`、`sagemaker:DescribeModelPackageGroup`、`sagemaker:ListModelPackages` 和 `sagemaker:ListModelPackageGroups` 权限。 | 2023 年 5 月 4 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 3 | 添加 `sagemaker:CreateAutoMLJobV2`、`sagemaker:DescribeAutoMLJobV2` 和 `glue:SearchTables` 权限。 | 2023 年 3 月 24 日 | | AmazonSageMakerCanvasAIServices访问权限-新政策 | 1 | 初始策略 | 2023 年 3 月 23 日 | | AmazonSageMakerCanvasFullAccess -更新现有政策 | 2 | 添加 `forecast:DeleteResourceTree` 权限 | 2022 年 12 月 6 日 | | AmazonSageMakerCanvasFullAccess -新政策 | 1 | 初始策略 | 2022 年 9 月 8 日 | | [AmazonSageMakerCanvasForecastAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess):新策略 | 1 | 初始策略 | 2022 年 8 月 24 日 |