适用于 Amazon SageMaker Ground Truth 的 Amazon 托管式策略 - Amazon SageMaker
AmazonSageMakerGroundTruthExecutionGroundTruthSyntheticConsoleFullAccessGroundTruthSyntheticConsoleReadOnlyAccessSageMaker Ground Truth 策略更新
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

适用于 Amazon SageMaker Ground Truth 的 Amazon 托管式策略

这些 Amazon 托管式策略添加了使用 SageMaker Ground Truth 所需的权限。这些策略可在您的 Amazon 账户中提供,并由从 SageMaker 控制台创建的执行角色使用。

Amazon 托管式策略:AmazonSageMakerGroundTruthExecution

此 Amazon 托管式策略授予使用 SageMaker Ground Truth 时通常所需的权限。

权限详细信息

此策略包含以下权限。

  • lambda - 允许主体调用名称包含“sagemaker”(不区分大小写)、“GtRecipe”或“LabelingFunction”的 Lambda 函数。

  • s3 - 允许主体从 Amazon S3 存储桶中添加和检索对象。这些对象仅限于那些名称(不区分大小写)包含“groundtruth”或“sagemaker”或标有“SageMaker”的对象。

  • cloudwatch - 允许主体发布 CloudWatch 指标。

  • logs - 允许主体创建和访问日志流,并发布日志事件。

  • sqs - 允许主体创建 Amazon SQS 队列以及发送和接收 Amazon SQS 消息。这些权限仅限于名称包含“GroundTruth”的队列。

  • sns 允许主体订阅名称包含“groundtruth”或“sagemaker”的 Amazon SNS 主题(不区分大小写)并向其发布消息。

  • ec2 - 允许主体创建、描述和删除 VPC 端点服务名称包含“sagemaker-task-resources”或“labeling”的 Amazon VPC 端点。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CustomLabelingJobs",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*GtRecipe*",
                "arn:aws:lambda:*:*:function:*LabelingFunction*",
                "arn:aws:lambda:*:*:function:*SageMaker*",
                "arn:aws:lambda:*:*:function:*sagemaker*",
                "arn:aws:lambda:*:*:function:*Sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*GroundTruth*",
                "arn:aws:s3:::*Groundtruth*",
                "arn:aws:s3:::*groundtruth*",
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Sid": "StreamingQueue",
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "arn:aws:sqs:*:*:*GroundTruth*"
        },
        {
            "Sid": "StreamingTopicSubscribe",
            "Effect": "Allow",
            "Action": "sns:Subscribe",
            "Resource": [
                "arn:aws:sns:*:*:*GroundTruth*",
                "arn:aws:sns:*:*:*Groundtruth*",
                "arn:aws:sns:*:*:*groundTruth*",
                "arn:aws:sns:*:*:*groundtruth*",
                "arn:aws:sns:*:*:*SageMaker*",
                "arn:aws:sns:*:*:*Sagemaker*",
                "arn:aws:sns:*:*:*sageMaker*",
                "arn:aws:sns:*:*:*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "sns:Protocol": "sqs"
                },
                "StringLike": {
                    "sns:Endpoint": "arn:aws:sqs:*:*:*GroundTruth*"
                }
            }
        },
        {
            "Sid": "StreamingTopic",
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": [
                "arn:aws:sns:*:*:*GroundTruth*",
                "arn:aws:sns:*:*:*Groundtruth*",
                "arn:aws:sns:*:*:*groundTruth*",
                "arn:aws:sns:*:*:*groundtruth*",
                "arn:aws:sns:*:*:*SageMaker*",
                "arn:aws:sns:*:*:*Sagemaker*",
                "arn:aws:sns:*:*:*sageMaker*",
                "arn:aws:sns:*:*:*sagemaker*"
            ]
        },
        {
            "Sid": "StreamingTopicUnsubscribe",
            "Effect": "Allow",
            "Action": [
                "sns:Unsubscribe"
            ],
            "Resource": "*"
        },
        {
            "Sid": "WorkforceVPC",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "ec2:VpceServiceName": [
                        "*sagemaker-task-resources*",
                        "aws.sagemaker*labeling*"
                    ]
                }
            }
        }
    ]
}

Amazon 托管式策略:GroundTruthSyntheticConsoleFullAccess

此 Amazon 托管式策略授予使用 SageMaker Ground Truth 合成数据控制台大多数特征所需的权限。此策略可在您的 Amazon 账户中提供。要使用控制台的所有特征,用户必须添加“s3:GetObject”权限,以允许 SageMaker Ground Truth 合成数据控制台显示来自其 S3 存储桶的数据。为此,可以将 AmazonS3ReadOnlyAccess 托管式策略附加到他们的角色中,或者将特定 S3 资源的“s3:GetObject”添加到他们的角色中。

权限详细信息

此策略包含以下权限。

  • s3 - 允许从 Amazon S3 存储桶中检索对象以在控制台中显示数据。

  • sagemaker-groundtruth-synthetic - 允许控制台调用 SageMaker Ground Truth 合成数据 API。


           {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker-groundtruth-synthetic:*",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}

Amazon 托管式策略:GroundTruthSyntheticConsoleReadOnlyAccess

此 Amazon 托管式策略授予通过 Amazon Web Services Management Console 访问 SageMaker Ground Truth 合成数据的只读权限。要使用控制台的所有特征,用户必须添加“s3:GetObject”权限,以允许 SageMaker Ground Truth 合成数据控制台显示来自其 S3 存储桶的数据。为此,可以将 AmazonS3ReadOnlyAccess 托管式策略附加到他们的角色中,或者将特定 S3 资源的“s3:GetObject”添加到他们的角色中。

权限详细信息

此策略包含以下权限。

  • s3 - 允许从 Amazon S3 存储桶中检索对象以在控制台中显示数据。

  • sagemaker-groundtruth-synthetic - 允许控制台调用 SageMaker Ground Truth 合成数据 ReadOnly API。


           {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker-groundtruth-synthetic:List*",
                "sagemaker-groundtruth-synthetic:Get*",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}

Amazon SageMaker 对 SageMaker Ground Truth 托管式策略的更新

查看有关适用于 Amazon SageMaker Ground Truth 的 Amazon 托管式策略的更新的详细信息(从该服务开始跟踪这些更改开始)。

策略 版本 更改 日期

GroundTruthSyntheticConsoleFullAccess – 新策略

1

初始策略

 2022 年 8 月 25 日

GroundTruthSyntheticConsoleReadOnlyAccess – 新策略

1

初始策略

 2022 年 8 月 25 日

AmazonSageMakerGroundTruthExecution – 对现有策略的更新

3

添加 ec2:CreateVpcEndpointec2:DescribeVpcEndpointsec2:DeleteVpcEndpoints 权限。

 2022 年 4 月 29 日

AmazonSageMakerGroundTruthExecution - 对现有策略的更新

2

删除 sqs:SendMessageBatch 权限。

 2022 年 4 月 11 日

AmazonSageMakerGroundTruthExecution - 新策略

1

初始策略

 2020 年 7 月 20 日