本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon SageMaker 笔记本电脑的托管策略
这些 Amazon 托管策略增加了使用 SageMaker 笔记本所需的权限。这些策略可在您的 Amazon 账户中使用,并由从 SageMaker 控制台创建的执行角色使用。
Amazon 托管策略: AmazonSageMakerNotebooksServiceRolePolicy
该 Amazon 托管政策授予使用亚马逊 SageMaker 笔记本通常所需的权限。该政策将添加到您加入 Amazon SageMaker Studio Classic 时创建的策略中。AmazonSageMaker-ExecutionRole
有关服务相关角色的更多信息,请参阅服务相关角色。
权限详细信息
该策略包含以下权限。
-
elasticfilesystem
- 允许主体创建和删除 Amazon Elastic File System (EFS) 文件系统、接入点和挂载目标。这些仅限于那些标有钥匙的人ManagedByAmazonSageMakerResource。允许主体描述所有 EFS 文件系统、接入点和挂载目标。允许主体为 EFS 接入点和挂载目标创建或覆盖标签。 -
ec2
- 允许主体为 Amazon Elastic Compute Cloud (EC2) 实例创建网络接口和安全组。还允许主体为这些资源创建和覆盖标签。 -
sso
- 允许主体向 Amazon IAM Identity Center添加以及从中删除托管的应用程序实例。 -
sagemaker
— 允许委托人创建和读取 SageMaker用户配置文件。还允许委托人创建、读取和删除 SageMaker 空间。允许委托人添加和列出标签。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowEFSAccessPointCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateAccessPoint", "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*", "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSAccessPointDeletion", "Effect": "Allow", "Action": [ "elasticfilesystem:DeleteAccessPoint" ], "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSMountWithDeletion", "Effect": "Allow", "Action": [ "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget" ], "Resource": "*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSDescribe", "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" }, { "Sid": "AllowEFSTagging", "Effect": "Allow", "Action": "elasticfilesystem:TagResource", "Resource": [ "arn:aws:elasticfilesystem:*:*:access-point/*", "arn:aws:elasticfilesystem:*:*:file-system/*" ], "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEC2Tagging", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid": "AllowEC2Operations", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:DeleteNetworkInterface", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute" ], "Resource": "*" }, { "Sid": "AllowEC2AuthZ", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowIdcOperations", "Effect": "Allow", "Action": [ "sso:CreateManagedApplicationInstance", "sso:DeleteManagedApplicationInstance", "sso:GetManagedApplicationInstance" ], "Resource": "*" }, { "Sid": "AllowSagemakerProfileCreation", "Effect": "Allow", "Action": [ "sagemaker:CreateUserProfile", "sagemaker:DescribeUserProfile" ], "Resource": "*" }, { "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:DescribeSpace", "sagemaker:DeleteSpace", "sagemaker:ListTags" ], "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*" }, { "Sid": "AllowSagemakerAddTagsForAppManagedSpaces", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*", "Condition": { "StringEquals": { "sagemaker:TaggingAction": "CreateSpace" } } } ] }
Amazon SageMaker 更新了 SageMaker笔记本托管政策
查看 SageMaker 自该服务开始跟踪这些变更以来亚马逊 Amazon 托管政策更新的详细信息。
Policy | 版本 | 更改 | Date |
---|---|---|---|
AmazonSageMakerNotebooksServiceRole政策 – 对现有策略的更新 |
8 |
添加 |
2024年5月22日 |
AmazonSageMakerNotebooksServiceRolePolicy -更新现有政策 |
7 |
添加 |
2023 年 3 月 9 日 |
AmazonSageMakerNotebooksServiceRolePolicy -更新现有政策 |
6 |
添加 |
2023 年 1 月 12 日 |
SageMaker 开始跟踪其 Amazon 托管策略的更改。 |
2021 年 6 月 1 日 |