Managed policies for Amazon SageMaker notebooks - Amazon SageMaker AI
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon Web Services in China (PDF).

This page was produced by machine translation. Where this translation differs from the English original, the English original takes precedence.

Managed policies for Amazon SageMaker notebooks

These Amazon managed policies add the permissions required to use SageMaker notebooks. The policies are available in your Amazon account and are used by the execution roles created from the SageMaker AI console.

Amazon managed policy: AmazonSageMakerNotebooksServiceRolePolicy

This Amazon managed policy grants the permissions commonly needed to use Amazon SageMaker notebooks. The policy is attached to the AWSServiceRoleForAmazonSageMakerNotebooks service-linked role that is created when you onboard to Amazon SageMaker Studio Classic. For more information about service-linked roles, see Service-linked roles. For more information about this policy, see AmazonSageMakerNotebooksServiceRolePolicy.

Permissions details

This policy includes the following permissions. Note that the mutating EFS and EC2 security-group permissions are scoped by the ManagedByAmazonSageMakerResource tag (on the resource, the request, or both), whereas the Describe permissions, the user-profile permissions, and the IAM Identity Center permissions apply to Resource "*" with no condition.

  • elasticfilesystem – Allows principals to create and delete Amazon Elastic File System (EFS) file systems, access points, and mount targets. These actions are limited to resources tagged with the key ManagedByAmazonSageMakerResource (creating a file system requires that tag on the request; creating an access point requires it on both the file system and the request). Allows principals to describe all EFS file systems, access points, and mount targets. Allows principals to create or overwrite tags on EFS file systems and access points that already carry the tag.

  • ec2 – Allows principals to create and delete network interfaces, create security groups, describe VPCs, subnets, DHCP options, network interfaces, and security groups, and modify network interface attributes in Amazon Elastic Compute Cloud (EC2). Authorizing or revoking security group rules, managing network interface permissions, and deleting security groups are limited to resources tagged with ManagedByAmazonSageMakerResource. Also allows principals to create and overwrite tags on network interfaces and security groups.

  • sso – Allows principals to add, get, and remove managed application instances in Amazon IAM Identity Center.

  • sagemaker – Allows principals to create and describe SageMaker AI user profiles; create, describe, and delete SageMaker AI spaces whose name begins with CanvasManagedSpace-; delete SageMaker AI apps; list tags on those spaces; and add tags to those spaces only as part of a CreateSpace call.

  • fsx – Allows principals to describe Amazon FSx for Lustre file systems in the same account as the principal, which is what the notebook needs in order to mount them using their metadata.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFSxDescribe",
      "Effect": "Allow",
      "Action": [
        "fsx:DescribeFileSystems"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowSageMakerDeleteApp",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/*"
    },
    {
      "Sid": "AllowEFSAccessPointCreation",
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateAccessPoint",
      "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
          "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEFSAccessPointDeletion",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DeleteAccessPoint"
      ],
      "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEFSCreation",
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateFileSystem",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEFSMountWithDeletion",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEFSDescribe",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowEFSTagging",
      "Effect": "Allow",
      "Action": "elasticfilesystem:TagResource",
      "Resource": [
        "arn:aws:elasticfilesystem:*:*:access-point/*",
        "arn:aws:elasticfilesystem:*:*:file-system/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEC2Tagging",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Sid": "AllowEC2Operations",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowEC2AuthZ",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowIdcOperations",
      "Effect": "Allow",
      "Action": [
        "sso:CreateManagedApplicationInstance",
        "sso:DeleteManagedApplicationInstance",
        "sso:GetManagedApplicationInstance"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSagemakerProfileCreation",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateUserProfile",
        "sagemaker:DescribeUserProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:DescribeSpace",
        "sagemaker:DeleteSpace",
        "sagemaker:ListTags"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*"
    },
    {
      "Sid": "AllowSagemakerAddTagsForAppManagedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*",
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    }
  ]
}
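The policy above is easiest to reason about by asking concrete questions of it: can this role delete an EFS file system that SageMaker did not tag? Can it delete a space called MySpace? Which statements are not fenced by the ManagedByAmazonSageMakerResource tag at all? The following is an added example, not AWS tooling or part of the original page: a deliberately small evaluator that implements only what this policy uses (Allow statements, "*" wildcards in Action and Resource, StringEquals and StringLike conditions, and the ${aws:PrincipalAccount} variable) and runs offline against the policy embedded in it. The request contexts and ARNs in the test cases are constructed. It is not a substitute for the IAM policy simulator; its point is to show where the tag-based scoping does and does not apply.

```python
"""Offline check of what AmazonSageMakerNotebooksServiceRolePolicy lets a principal do.

Added example, not AWS code. It implements only the subset of IAM evaluation
this policy needs (no Deny, no NotAction/NotResource, no IfExists/Null operators),
so it must not be used as a general policy simulator.
"""
import fnmatch
import json

# The policy from the page, embedded so the example runs offline. Content is
# unchanged except that the stray trailing comma after "fsx:DescribeFileSystems"
# (which makes the page's JSON invalid) is removed.
POLICY = json.loads(r'''
{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowFSxDescribe", "Effect": "Allow", "Action": ["fsx:DescribeFileSystems"], "Resource": "*",
  "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
 {"Sid": "AllowSageMakerDeleteApp", "Effect": "Allow", "Action": ["sagemaker:DeleteApp"], "Resource": "arn:aws:sagemaker:*:*:app/*"},
 {"Sid": "AllowEFSAccessPointCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateAccessPoint",
  "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
  "Condition": {"StringLike": {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
                               "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"}}},
 {"Sid": "AllowEFSAccessPointDeletion", "Effect": "Allow", "Action": ["elasticfilesystem:DeleteAccessPoint"],
  "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
  "Condition": {"StringLike": {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"}}},
 {"Sid": "AllowEFSCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*",
  "Condition": {"StringLike": {"aws:RequestTag/ManagedByAmazonSageMakerResource": "*"}}},
 {"Sid": "AllowEFSMountWithDeletion", "Effect": "Allow", "Action": ["elasticfilesystem:CreateMountTarget",
  "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget"], "Resource": "*",
  "Condition": {"StringLike": {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"}}},
 {"Sid": "AllowEFSDescribe", "Effect": "Allow", "Action": ["elasticfilesystem:DescribeAccessPoints",
  "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets"], "Resource": "*"},
 {"Sid": "AllowEFSTagging", "Effect": "Allow", "Action": "elasticfilesystem:TagResource",
  "Resource": ["arn:aws:elasticfilesystem:*:*:access-point/*", "arn:aws:elasticfilesystem:*:*:file-system/*"],
  "Condition": {"StringLike": {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"}}},
 {"Sid": "AllowEC2Tagging", "Effect": "Allow", "Action": "ec2:CreateTags",
  "Resource": ["arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*"]},
 {"Sid": "AllowEC2Operations", "Effect": "Allow", "Action": ["ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup",
  "ec2:DeleteNetworkInterface", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups",
  "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute"], "Resource": "*"},
 {"Sid": "AllowEC2AuthZ", "Effect": "Allow", "Action": ["ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
  "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DeleteSecurityGroup",
  "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress"], "Resource": "*",
  "Condition": {"StringLike": {"ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"}}},
 {"Sid": "AllowIdcOperations", "Effect": "Allow", "Action": ["sso:CreateManagedApplicationInstance",
  "sso:DeleteManagedApplicationInstance", "sso:GetManagedApplicationInstance"], "Resource": "*"},
 {"Sid": "AllowSagemakerProfileCreation", "Effect": "Allow", "Action": ["sagemaker:CreateUserProfile",
  "sagemaker:DescribeUserProfile"], "Resource": "*"},
 {"Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces", "Effect": "Allow", "Action": ["sagemaker:CreateSpace",
  "sagemaker:DescribeSpace", "sagemaker:DeleteSpace", "sagemaker:ListTags"],
  "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*"},
 {"Sid": "AllowSagemakerAddTagsForAppManagedSpaces", "Effect": "Allow", "Action": ["sagemaker:AddTags"],
  "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*",
  "Condition": {"StringEquals": {"sagemaker:TaggingAction": "CreateSpace"}}}
]}
''')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    # IAM StringLike semantics: '*' matches any run of characters (including the
    # ':' and '/' inside an ARN), '?' matches one character, case-sensitive.
    # fnmatch also interprets '[...]', which never occurs in this policy.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    """ctx maps request-context keys (for example 'aws:ResourceTag/...') to values.
    A key absent from the context makes the condition false, which is how IAM
    treats a missing tag under StringEquals/StringLike (no ...IfExists here)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = expected.replace("${aws:PrincipalAccount}", ctx.get("aws:PrincipalAccount", ""))
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not _like(expected, actual):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise NotImplementedError(operator)
    return True


def allowing_sid(policy, action, resource_arn, ctx=None):
    """Return the Sid of the first statement that allows the call, or None."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        assert st["Effect"] == "Allow"  # this policy has no Deny statements
        if not any(_like(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_like(r, resource_arn) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        return st["Sid"]
    return None


def unscoped_statements(policy):
    """Sids that apply to Resource '*' with no Condition: the statements whose
    reach is not limited by the ManagedByAmazonSageMakerResource tag."""
    return [st["Sid"] for st in policy["Statement"]
            if "*" in _as_list(st["Resource"]) and "Condition" not in st]


if __name__ == "__main__":
    TAG = "aws:ResourceTag/ManagedByAmazonSageMakerResource"
    fs = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0"  # constructed ARN
    print(allowing_sid(POLICY, "elasticfilesystem:DeleteFileSystem", fs))                # None: untagged
    print(allowing_sid(POLICY, "elasticfilesystem:DeleteFileSystem", fs, {TAG: "d-x"}))  # AllowEFSMountWithDeletion
    print(unscoped_statements(POLICY))
```

The useful outputs are the negatives: DeleteFileSystem on an untagged file system, DeleteSpace on a space not named CanvasManagedSpace-*, DeleteSecurityGroup on an untagged group, and FSx DescribeFileSystems against another account all come back None, while unscoped_statements() lists the four Describe/Create/Identity Center statements that the tag does not constrain and that a reviewer should look at first.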

Amazon SageMaker AI updates to SageMaker AI notebook managed policies

View details about updates to Amazon SageMaker AI managed policies since the service began tracking these changes.

| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 10 | Added the fsx:DescribeFileSystems permission. | November 14, 2024 |
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 9 | Added the sagemaker:DeleteApp permission. | July 24, 2024 |
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 8 | Added the sagemaker:CreateSpace, sagemaker:DescribeSpace, sagemaker:DeleteSpace, sagemaker:ListTags, and sagemaker:AddTags permissions. | May 22, 2024 |
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 7 | Added the elasticfilesystem:TagResource permission. | March 9, 2023 |
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 6 | Added the elasticfilesystem:CreateAccessPoint, elasticfilesystem:DeleteAccessPoint, and elasticfilesystem:DescribeAccessPoints permissions. | January 12, 2023 |
| SageMaker AI started tracking changes to its Amazon managed policies. | | | June 1, 2021 |