AWS managed policies for Amazon SageMaker - Amazon SageMaker
The AWS services or features described in the AWS documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with AWS services in China.

This page is a machine-translated version. Where this translation and the English original differ, the English original prevails.

AWS managed policies for Amazon SageMaker

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions. Because such additions take effect immediately for every attached identity, review the change log at the end of this page (and the policy's current default version in IAM) after each update.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

Important

We recommend that you use the most restrictive policy that still allows you to perform your use case.

The following AWS managed policies, which you can attach to users in your account, are specific to Amazon SageMaker:

  • AmazonSageMakerFullAccess – Grants full access to Amazon SageMaker resources and the supported operations. It does not provide unrestricted Amazon S3 access: object access is limited to buckets whose names contain sagemaker (in any capitalization) or aws-glue, plus objects that carry the SageMaker tag. The policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services.

  • AmazonSageMakerReadOnly – Grants read-only access to Amazon SageMaker resources.

The following AWS managed policies can be attached to users in your account, but are not recommended:

  • AdministratorAccess – Grants all actions for all AWS services and for all resources in the account.

  • DataScientist – Grants a wide range of permissions to cover most of the use cases (primarily for analytics and business intelligence) encountered by data scientists.

You can review these permissions policies by signing in to the IAM console and searching for them by name.

Additionally, you can create your own custom IAM policies to allow permissions for Amazon SageMaker actions and resources as you need them. You can attach these custom policies to the IAM users or groups that require them.

AmazonSageMakerFullAccess

This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker resources and operations. The policy also provides selected access to related services. It allows all IAM roles to be passed to Amazon SageMaker, but only IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. Note, however, that the policy document reproduced below grants iam:PassRole on arn:aws:iam::*:role/* with only an iam:PassedToService condition for all four services, so that version does not contain the role-name restriction; check the policy version actually attached in your account before relying on it.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows principals to automatically scale SageMaker real-time inference endpoints.

  • athena – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.

  • aws-marketplace – Allows principals to view AWS Marketplace subscriptions. You need this to access software you have subscribed to in AWS Marketplace.

  • cloudformation – Allows principals to get AWS CloudFormation templates for use with SageMaker JumpStart solutions and SageMaker Pipelines. SageMaker JumpStart creates the resources needed to run end-to-end machine learning solutions that tie SageMaker to other AWS services. SageMaker Pipelines creates its resources through AWS Service Catalog.

  • cloudwatch – Allows principals to publish CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.

  • codebuild – Allows principals to store AWS CodeBuild artifacts for SageMaker Pipelines and Projects.

  • codecommit – Required for the AWS CodeCommit integration with SageMaker notebook instances.

  • cognito-idp – Required for Amazon SageMaker Ground Truth to define private workforces and work teams.

  • ec2 – Required for SageMaker to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for SageMaker jobs, models, endpoints, and notebook instances.

  • ecr – Required to pull and store Docker artifacts for Amazon SageMaker Studio (custom images), training, processing, batch inference, and inference endpoints. It is also required when you bring your own containers to SageMaker. SageMaker JumpStart solutions need the additional permissions to create and remove custom images on behalf of users.

  • elastic-inference – Allows principals to connect to Amazon Elastic Inference for use with SageMaker notebook instances and endpoints.

  • elasticfilesystem – Allows principals to access Amazon Elastic File System. Required for SageMaker to train machine learning models from data sources in Amazon Elastic File System.

  • fsx – Allows principals to access Amazon FSx. Required for SageMaker to train machine learning models from data sources in Amazon FSx.

  • glue – Required for inference pipeline pre-processing from within SageMaker notebook instances.

  • groundtruthlabeling – Required for Ground Truth labeling jobs. The groundtruthlabeling endpoint is accessed by the Ground Truth console.

  • iam – Required to give the SageMaker console access to the available IAM roles (iam:ListRoles) and to create service-linked roles; it also covers iam:PassRole to the services listed above.

  • kms – Required to give the SageMaker console access to the available AWS KMS keys and to resolve any AWS KMS aliases specified for jobs and endpoints.

  • lambda – Allows principals to invoke AWS Lambda functions and to get the list of functions.

  • logs – Required to allow SageMaker jobs and endpoints to publish log streams.

  • redshift – Allows principals to obtain Amazon Redshift cluster credentials.

  • redshift-data – Allows principals to run, describe, and cancel statements against data in Amazon Redshift, get statement results, and list schemas and tables.

  • robomaker – Allows principals to create, describe, and delete AWS RoboMaker simulation applications and simulation jobs. Also required to run the reinforcement learning examples on notebook instances.

  • s3 – Allows principals to read, write, and delete objects in Amazon S3 buckets whose names contain sagemaker or aws-glue, to read objects tagged SageMaker=true or servicecatalog:provisioning=true, and to create and list buckets in the account. It does not grant unrestricted Amazon S3 access.

  • secretsmanager – Allows principals to list secrets, to create, describe, and read secrets whose names begin with AmazonSageMaker-, and to describe and read secrets tagged SageMaker=true (see the policy document below). Principals can use this to store and retrieve credentials for databases and other services. It is also required for SageMaker notebook instances whose SageMaker code repository uses GitHub.

  • servicecatalog – Allows principals to use AWS Service Catalog. Principals can create, list, update, or terminate provisioned products such as servers, databases, websites, or applications built on AWS resources. Required for SageMaker JumpStart and Projects to find and read Service Catalog products and launch AWS resources in the user's account.

  • sns – Allows principals to get the list of Amazon SNS topics. Required for endpoints with asynchronous inference enabled, which notify users when their inferences are complete.

  • states – Required for SageMaker JumpStart and Pipelines to create AWS Step Functions resources through Service Catalog.

  • tag – Required for SageMaker Pipelines to render in Studio. Studio needs resources tagged with the specific sagemaker:project-id tag key, which requires the tag:GetResources permission.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sagemaker:*"],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:*App",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": ["arn:aws:sagemaker:*:*:flow-definition/*"],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": ["private-crowd", "vendor-crowd"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elastic-inference:Connect",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": ["arn:aws:ecr:*:*:repository/*sagemaker*"]
    },
    {
      "Effect": "Allow",
      "Action": ["codecommit:GitPull", "codecommit:GitPush"],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Action": ["codebuild:BatchGetBuilds", "codebuild:StartBuild"],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": ["arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"secretsmanager:ResourceTag/SageMaker": "true"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["servicecatalog:ProvisionProduct"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"servicecatalog:userLevel": "self"}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"s3:ExistingObjectTag/servicecatalog:provisioning": "true"}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketAcl", "s3:PutObjectAcl"],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["lambda:InvokeFunction"],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {"iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"}
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"iam:AWSServiceName": "robomaker.amazonaws.com"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["sns:Subscribe", "sns:CreateTopic", "sns:Publish"],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "sagemaker.amazonaws.com",
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateTable"],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:DeleteTable"],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:GetDatabases", "glue:GetTable", "glue:GetTables"],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateDatabase", "glue:GetDatabase"],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["redshift:GetClusterCredentials"],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    }
  ]
}
```
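Reading a policy of this size by eye is error-prone, so the following added example (not AWS code and not part of this page) evaluates sample requests against a subset of the statements above. It implements only the IAM semantics these statements need (Allow effect, wildcard Action/Resource/NotResource matching, and the StringEquals, StringEqualsIgnoreCase, StringLike and ...IfExists operators); Deny statements, policy variables, resource policies and permission boundaries are out of scope. The account ID, bucket names, role name and object tags used in the checks are placeholders.

```python
"""Evaluate requests against statements of AmazonSageMakerFullAccess.

Added example; not AWS code. Implements only Allow statements, '*' / '?'
wildcards in Action, Resource and NotResource, and the StringEquals,
StringEqualsIgnoreCase, StringLike (and ...IfExists) condition operators.
"""
import re

# Subset of statements copied from the policy document above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sagemaker:*"],
         "NotResource": ["arn:aws:sagemaker:*:*:domain/*",
                         "arn:aws:sagemaker:*:*:user-profile/*",
                         "arn:aws:sagemaker:*:*:app/*",
                         "arn:aws:sagemaker:*:*:flow-definition/*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain",
                    "sagemaker:ListDomains", "sagemaker:DescribeUserProfile",
                    "sagemaker:ListUserProfiles", "sagemaker:*App", "sagemaker:ListApps"]},
        {"Effect": "Allow", "Action": "sagemaker:*",
         "Resource": ["arn:aws:sagemaker:*:*:flow-definition/*"],
         "Condition": {"StringEqualsIfExists": {
             "sagemaker:WorkteamType": ["private-crowd", "vendor-crowd"]}}},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:AbortMultipartUpload"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "arn:aws:iam::*:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "sagemaker.amazonaws.com", "glue.amazonaws.com",
             "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, case_sensitive=True):
    """IAM wildcard match: '*' spans any characters (including '/' and ':'),
    '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _conditions_hold(condition, context):
    """Every condition block must hold. A key absent from the request context
    fails the statement unless the operator carries the IfExists suffix."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), context.get(key)
            if actual is None:
                if if_exists:
                    continue
                return False
            if base == "StringEquals":
                ok = actual in expected
            elif base == "StringEqualsIgnoreCase":
                ok = actual.lower() in [e.lower() for e in expected]
            elif base == "StringLike":
                ok = any(_iam_match(e, actual) for e in expected)
            else:
                raise ValueError("unsupported condition operator: " + operator)
            if not ok:
                return False
    return True


def is_allowed(action, resource, context=None, policy=POLICY):
    """True if any Allow statement matches action, resource and request context.
    Action names compare case-insensitively and ARNs case-sensitively, as in IAM.
    There are no Deny statements in this policy, so the first match decides."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_iam_match(a, action, False) for a in _as_list(stmt["Action"])):
            continue
        if "Resource" in stmt:
            if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
        elif "NotResource" in stmt:
            if any(_iam_match(r, resource) for r in _as_list(stmt["NotResource"])):
                continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    acct = "123456789012"  # placeholder account id
    checks = [  # placeholder resources; the payroll bucket carries no sagemaker in its name
        ("sagemaker:DeleteDomain", f"arn:aws:sagemaker:us-east-1:{acct}:domain/d-example", {}),
        ("s3:GetObject", "arn:aws:s3:::payroll-exports/2021/q3.csv", {}),
        ("s3:GetObject", "arn:aws:s3:::payroll-exports/2021/q3.csv",
         {"s3:ExistingObjectTag/SageMaker": "TRUE"}),
        ("iam:PassRole", f"arn:aws:iam::{acct}:role/AdminRole",
         {"iam:PassedToService": "glue.amazonaws.com"}),
    ]
    for action, resource, ctx in checks:
        print(f"{action:24} {resource:60} -> {is_allowed(action, resource, ctx)}")
```

Two results are worth noticing. An object in a bucket whose name does not contain sagemaker is unreadable until someone tags it SageMaker=true (the tag comparison is case-insensitive, so TRUE works), which means anyone who can tag objects can widen what this policy reaches. And iam:PassRole succeeds for a role named AdminRole when the target service is glue.amazonaws.com, because the statement restricts only the receiving service, not the role name.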

AmazonSageMakerReadOnly

This policy provides read-only access to SageMaker through the AWS Management Console and the SDK.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows users to browse the descriptions of scalable SageMaker real-time inference endpoints.

  • aws-marketplace – Allows users to view AWS Marketplace subscriptions.

  • cloudwatch – Allows users to describe CloudWatch alarms.

  • cognito-idp – Required for Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.

  • ecr – Required to read Docker artifacts for training and inference.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Describe*",
        "sagemaker:List*",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:GetRecord",
        "sagemaker:Search"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "aws-marketplace:ViewSubscriptions",
        "cloudwatch:DescribeAlarms",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders",
        "cognito-idp:ListUserPoolClients",
        "cognito-idp:ListUserPools",
        "cognito-idp:ListUsers",
        "cognito-idp:ListUsersInGroup",
        "ecr:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```

SageMaker updates to AWS managed policies

View details about updates to AWS managed policies for SageMaker since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the SageMaker Document history page.

| Change | Description | Date |
|---|---|---|
| AmazonSageMakerFullAccess update – update to an existing policy | Adds the sns:Publish permission for endpoints with asynchronous inference enabled. | August 2, 2021 |
| AmazonSageMakerReadOnly update – update to an existing policy | New API BatchGetRecord added for SageMaker Feature Store. | June 10, 2021 |
| SageMaker started tracking changes | SageMaker started tracking changes for its AWS managed policies. | June 1, 2021 |
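Because every addition to a managed policy reaches all attached identities at once, a practitioner usually wants to know exactly which grants a new version introduced. The following added example (not AWS code and not part of this page) flattens two policy versions into comparable grant tuples, diffs them, and flags additions that apply to every resource with no condition. The policy documents in it are constructed miniatures modelling the two updates in the table above, not the complete policy versions.

```python
"""Diff two versions of an AWS managed policy to see what an update granted.

Added example, not AWS code. The policy documents below are constructed
miniatures modelling the two updates in the table above (sns:Publish added
to AmazonSageMakerFullAccess, sagemaker:BatchGetRecord added to
AmazonSageMakerReadOnly); they are not the complete policy versions.
"""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants(policy):
    """Flatten a policy into (effect, action, resource, condition) tuples so two
    versions can be compared as sets. NotResource entries are prefixed with '!'
    and conditions are serialised with sorted keys so equal conditions compare equal."""
    out = set()
    for stmt in policy["Statement"]:
        condition = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        if "Resource" in stmt:
            resources = _as_list(stmt["Resource"])
        else:
            resources = ["!" + r for r in _as_list(stmt["NotResource"])]
        for action in _as_list(stmt["Action"]):
            for resource in resources:
                out.add((stmt["Effect"], action, resource, condition))
    return out


def diff_grants(old, new):
    """Return (added, removed) grant tuples between two policy versions."""
    old_g, new_g = grants(old), grants(new)
    return sorted(new_g - old_g), sorted(old_g - new_g)


def unscoped_allows(added):
    """Added Allow grants on every resource with no condition: review these first,
    since they widen access for every identity the policy is attached to."""
    return [g for g in added if g[0] == "Allow" and g[2] == "*" and g[3] == "{}"]


def summarize(old, new):
    added, removed = diff_grants(old, new)
    return {"added": added, "removed": removed, "unscoped_allows": unscoped_allows(added)}


# Constructed miniatures of the before/after policy versions (see module docstring).
_SNS_TOPICS = ["arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*",
               "arn:aws:sns:*:*:*sagemaker*"]
FULL_ACCESS_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:ListTopics"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["sns:Subscribe", "sns:CreateTopic"],
     "Resource": _SNS_TOPICS}]}
FULL_ACCESS_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:ListTopics"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["sns:Subscribe", "sns:CreateTopic", "sns:Publish"],
     "Resource": _SNS_TOPICS}]}
READONLY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["sagemaker:Describe*", "sagemaker:List*",
                "sagemaker:GetRecord", "sagemaker:Search"]}]}
READONLY_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["sagemaker:Describe*", "sagemaker:List*", "sagemaker:BatchGetRecord",
                "sagemaker:GetRecord", "sagemaker:Search"]}]}

if __name__ == "__main__":
    for name, old, new in [("AmazonSageMakerFullAccess", FULL_ACCESS_BEFORE, FULL_ACCESS_AFTER),
                           ("AmazonSageMakerReadOnly", READONLY_BEFORE, READONLY_AFTER)]:
        print(name, json.dumps(summarize(old, new), indent=2))
```

To run this against the real policies, fetch the relevant versions with `aws iam list-policy-versions --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess` and `aws iam get-policy-version --policy-arn ... --version-id vN`, and pass the two Document fields to summarize(). The sns:Publish addition is scoped to SageMaker-named topics and carries no condition, so it does not appear under unscoped_allows; the BatchGetRecord addition is on Resource "*" and does.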