Amazon managed policies for Amazon SageMaker Cluster - Amazon SageMaker
AmazonSageMakerClusterInstanceRolePolicySageMaker Cluster policy updates
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon SageMaker Cluster

These Amazon managed policies add permissions required to use SageMaker Cluster. The policies are available in your Amazon account and are used by execution roles created from the SageMaker console.

Amazon managed policy: AmazonSageMakerClusterInstanceRolePolicy

This policy grants permissions commonly needed to use Amazon SageMaker Cluster.

Permissions details

This Amazon managed policy includes the following permissions.

  • cloudwatch – Allows principals to post Amazon CloudWatch metrics.

  • logs – Allows principals to publish CloudWatch log streams.

  • s3 – Allows principals to list and retrieve lifecycle script files from an Amazon S3 bucket in your account. These buckets are limited to those whose name starts with "sagemaker-".

  • ssmmessages – Allows principals to open a connection to Amazon Systems Manager.

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "CloudwatchLogStreamPublishPermissions",
      "Effect" : "Allow",
      "Action" : [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*"
      ]
    },
    {
      "Sid" : "CloudwatchLogGroupCreationPermissions",
      "Effect" : "Allow",
      "Action" : [
        "logs:CreateLogGroup"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*"
      ]
    },
    {
      "Sid" : "CloudwatchPutMetricDataAccess",
      "Effect" : "Allow",
      "Action" : [
        "cloudwatch:PutMetricData"
      ],
      "Resource" : [
        "*"
      ],
      "Condition" : {
        "StringEquals" : {
          "cloudwatch:namespace" : "/aws/sagemaker/Clusters"
        }
      }
    },
    {
      "Sid" : "DataRetrievalFromS3BucketPermissions",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource" : [
        "arn:aws:s3:::sagemaker-*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SSMConnectivityPermissions",
      "Effect" : "Allow",
      "Action" : [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource" : "*"
    }
  ]
}

Amazon SageMaker updates to Amazon SageMaker Cluster managed policies

View details about updates to Amazon managed policies for SageMaker Cluster since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker Document history page.

Policy Version Change Date

AmazonSageMakerClusterInstanceRolePolicy - New policy

1

Initial policy

 November 29, 2023