

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# Amazon managed policies for SageMaker Ground Truth
<a name="security-iam-awsmanpol-ground-truth"></a>

These Amazon managed policies add the permissions required to use SageMaker AI Ground Truth. The policies are available in your Amazon account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [Amazon managed policy: AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution)
+ [Amazon SageMaker AI updates to SageMaker AI Ground Truth managed policies](#security-iam-awsmanpol-groundtruth-updates)

## Amazon managed policy: AmazonSageMakerGroundTruthExecution
<a name="security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution"></a>

This Amazon managed policy grants the permissions commonly needed to use SageMaker AI Ground Truth.

**Permissions details**

This policy includes the following permissions.
+ `lambda` – Allows principals to invoke Lambda functions whose names contain "sagemaker" (case-insensitive), "GtRecipe", or "LabelingFunction".
+ `s3` – Allows principals to add and retrieve objects in Amazon S3 buckets. These objects are limited to those whose names contain "groundtruth" or "sagemaker" (case-insensitive), or that are tagged with "SageMaker".
+ `cloudwatch` – Allows principals to publish CloudWatch metrics.
+ `logs` – Allows principals to create and access log streams and to publish log events.
+ `sqs` – Allows principals to create Amazon SQS queues and to send and receive Amazon SQS messages. These permissions are limited to queues whose names contain "GroundTruth".
+ `sns` – Allows principals to subscribe to, and publish messages to, Amazon SNS topics whose names contain "groundtruth" or "sagemaker" (case-insensitive).
+ `ec2` – Allows principals to create, describe, and delete Amazon VPC endpoints whose VPC endpoint service name contains "sagemaker-task-resources" or "labeling".

------
#### [ JSON ]


```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CustomLabelingJobs",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*GtRecipe*",
                "arn:aws:lambda:*:*:function:*LabelingFunction*",
                "arn:aws:lambda:*:*:function:*SageMaker*",
                "arn:aws:lambda:*:*:function:*sagemaker*",
                "arn:aws:lambda:*:*:function:*Sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*GroundTruth*",
                "arn:aws:s3:::*Groundtruth*",
                "arn:aws:s3:::*groundtruth*",
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Sid": "StreamingQueue",
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "arn:aws:sqs:*:*:*GroundTruth*"
        },
        {
            "Sid": "StreamingTopicSubscribe",
            "Effect": "Allow",
            "Action": "sns:Subscribe",
            "Resource": [
                "arn:aws:sns:*:*:*GroundTruth*",
                "arn:aws:sns:*:*:*Groundtruth*",
                "arn:aws:sns:*:*:*groundTruth*",
                "arn:aws:sns:*:*:*groundtruth*",
                "arn:aws:sns:*:*:*SageMaker*",
                "arn:aws:sns:*:*:*Sagemaker*",
                "arn:aws:sns:*:*:*sageMaker*",
                "arn:aws:sns:*:*:*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "sns:Protocol": "sqs"
                },
                "StringLike": {
                    "sns:Endpoint": "arn:aws:sqs:*:*:*GroundTruth*"
                }
            }
        },
        {
            "Sid": "StreamingTopic",
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": [
                "arn:aws:sns:*:*:*GroundTruth*",
                "arn:aws:sns:*:*:*Groundtruth*",
                "arn:aws:sns:*:*:*groundTruth*",
                "arn:aws:sns:*:*:*groundtruth*",
                "arn:aws:sns:*:*:*SageMaker*",
                "arn:aws:sns:*:*:*Sagemaker*",
                "arn:aws:sns:*:*:*sageMaker*",
                "arn:aws:sns:*:*:*sagemaker*"
            ]
        },
        {
            "Sid": "StreamingTopicUnsubscribe",
            "Effect": "Allow",
            "Action": [
                "sns:Unsubscribe"
            ],
            "Resource": "*"
        },
        {
            "Sid": "WorkforceVPC",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "ec2:VpceServiceName": [
                        "*sagemaker-task-resources*",
                        "aws.sagemaker*labeling*"
                    ]
                }
            }
        }
    ]
}
```

------
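To see how the resource patterns and condition operators above actually scope access, here is an added example (not AWS code and not part of this page) that evaluates a request against a constructed subset of the statements with a small IAM-style matcher. It assumes IAM's documented `StringLike` semantics (case-sensitive, with `*` and `?` wildcards) and that a condition key missing from the request fails every operator except the `...IfExists` variants; `SAMPLE_POLICY`, `is_allowed` and the helper names are this example's own.

```python
import re
# Constructed subset of the AmazonSageMakerGroundTruthExecution statements shown on this page;
# the policy has no Deny statements, so an Allow-only evaluator is enough for it.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": ["arn:aws:lambda:*:*:function:*GtRecipe*",
                  "arn:aws:lambda:*:*:function:*sagemaker*"]},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
     "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}},
    {"Effect": "Allow", "Action": "sns:Subscribe", "Resource": "arn:aws:sns:*:*:*GroundTruth*",
     "Condition": {"StringEquals": {"sns:Protocol": "sqs"},
                   "StringLike": {"sns:Endpoint": "arn:aws:sqs:*:*:*GroundTruth*"}}},
]}

def _like(pattern, value):
    """IAM pattern match: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

# Condition operators used by this policy: (policy value, request value) -> bool
_OPS = {"StringEquals": lambda w, h: w == h,
        "StringEqualsIgnoreCase": lambda w, h: w.lower() == h.lower(),
        "StringLike": _like}

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:                      # condition key absent from the request:
                if op.endswith("IfExists"):       # ...IfExists operators treat that as a match,
                    continue
                return False                      # ...every other operator fails
            if not any(_OPS[op.replace("IfExists", "")](w, have) for w in _as_list(want)):
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """True if some Allow statement matches the action, the resource ARN and the request context."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if (st.get("Effect") == "Allow"
                and any(_like(a, action) for a in _as_list(st["Action"]))
                and any(_like(r, resource) for r in _as_list(st["Resource"]))
                and _condition_ok(st.get("Condition", {}), ctx)):
            return True
    return False
```

Because `_like` is case-sensitive, a function named `SageMakerFn` does not match the `*sagemaker*` pattern, which is why the real policy lists several capitalisation variants; the full policy JSON from this page can be passed to `is_allowed` after loading it with `json.load`.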

## Amazon SageMaker AI updates to SageMaker AI Ground Truth managed policies
<a name="security-iam-awsmanpol-groundtruth-updates"></a>

View details about updates to the Amazon managed policies for Amazon SageMaker AI Ground Truth since this service began tracking these changes.


| Policy | Version | Change | Date |
| --- | --- | --- | --- |
| [AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution) – Update to an existing policy | 3 | Added the `ec2:CreateVpcEndpoint`, `ec2:DescribeVpcEndpoints`, and `ec2:DeleteVpcEndpoints` permissions. | April 29, 2022 |
| AmazonSageMakerGroundTruthExecution – Update to an existing policy | 2 | Removed the `sqs:SendMessageBatch` permission. | April 11, 2022 |
| AmazonSageMakerGroundTruthExecution – New policy | 1 | Initial policy | July 20, 2020 |