Amazon managed policies for Amazon SageMaker - Amazon SageMaker
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

This is a machine-translated version. If this translation differs from the English original, the English original prevails.


To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. Creating IAM customer managed policies that give your team only the permissions it needs takes time and expertise. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You cannot change the permissions in an Amazon managed policy. Services occasionally add permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates will not break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Important

We recommend that you use the most restrictive policy that still allows you to perform your use case.

The following Amazon managed policies, which you can attach to users in your account, are specific to Amazon SageMaker:

  • AmazonSageMakerFullAccess — Grants full access to Amazon SageMaker resources and the supported operations. This does not provide unrestricted Amazon S3 access, but it supports buckets and objects that carry specific sagemaker tags. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles whose names contain "AmazonSageMaker" to be passed to the Amazon Glue, Amazon Step Functions, and Amazon RoboMaker services.

  • AmazonSageMakerReadOnly — Grants read-only access to Amazon SageMaker resources.

The following Amazon managed policies can be attached to users in your account, but are not recommended:

  • AdministratorAccess — Grants all actions for all Amazon services and all resources in the account.

  • DataScientist — Grants a wide range of permissions to cover most use cases encountered by data scientists (primarily analytics and business intelligence).

You can review these permissions policies by signing in to the IAM console and searching for them.

You can also create your own custom IAM policies to grant permissions for Amazon SageMaker actions and resources as you need them. You can attach these custom policies to the IAM users or groups that require them.

Amazon managed policy: AmazonSageMakerFullAccess

This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker resources and operations. The policy also provides select access to related services. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles whose names contain "AmazonSageMaker" to be passed to the Amazon Glue, Amazon Step Functions, and Amazon RoboMaker services. This policy does not include the permissions needed to create an Amazon SageMaker Domain. For information about the policy needed to create a Domain, see Create an IAM administrator user and group.

Permissions details

This policy includes the following permissions.

  • application-autoscaling — Allows principals to dynamically scale SageMaker real-time inference endpoints.

  • athena — Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.

  • aws-marketplace — Allows principals to view Amazon AI Marketplace subscriptions. You need this if you want to access SageMaker software subscribed to in Amazon Web Services Marketplace.

  • cloudformation — Allows principals to get the Amazon CloudFormation templates used by SageMaker JumpStart solutions and pipelines. SageMaker JumpStart creates the resources necessary to run end-to-end machine learning solutions that tie SageMaker to other Amazon services. SageMaker Pipelines creates new projects backed by Amazon Service Catalog.

  • cloudwatch — Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.

  • codebuild — Allows principals to store Amazon CodeBuild artifacts for SageMaker Pipelines and Projects.

  • codecommit — Needed for Amazon CodeCommit integration with SageMaker notebook instances.

  • cognito-idp — Needed for Amazon SageMaker Ground Truth to define private workforces and work teams.

  • ec2 — Needed for SageMaker to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for your SageMaker jobs, models, endpoints, and notebook instances.

  • ecr — Needed to pull and store Docker artifacts for Amazon SageMaker Studio (custom images), training, processing, batch inference, and inference endpoints. This is also required to use your own container in SageMaker. Additional permissions are needed for SageMaker JumpStart solutions to create and remove custom images on behalf of users.

  • elastic-inference — Allows principals to connect to Amazon Elastic Inference for use with SageMaker notebook instances and endpoints.

  • elasticfilesystem — Allows principals to access Amazon Elastic File System. This is needed for SageMaker to use data sources in Amazon Elastic File System for training machine learning models.

  • fsx — Allows principals to access Amazon FSx. This is needed for SageMaker to use data sources in Amazon FSx for training machine learning models.

  • glue — Needed for inference pipeline preprocessing from within SageMaker notebook instances.

  • groundtruthlabeling — Needed for Ground Truth labeling jobs. The groundtruthlabeling endpoint is accessed by the Ground Truth console.

  • iam — Needed to give the SageMaker console access to the available IAM roles and to create service-linked roles.

  • kms — Needed to give the SageMaker console access to the available Amazon KMS keys and to retrieve the aliases of any Amazon KMS keys specified in jobs and endpoints.

  • lambda — Allows principals to invoke and list Amazon Lambda functions.

  • logs — Needed to allow SageMaker jobs and endpoints to publish log streams.

  • redshift — Allows principals to access Amazon Redshift cluster credentials.

  • redshift-data — Allows principals to use data from Amazon Redshift to run, describe, and cancel statements; get statement results; and list schemas and tables.

  • robomaker — Allows principals full access to create, describe, and delete Amazon RoboMaker simulation applications and jobs. This is also needed to run the reinforcement learning examples on notebook instances.

  • s3 — Allows principals full access to the Amazon S3 resources pertaining to SageMaker, but not to all of Amazon S3.

  • sagemaker — Allows principals to post tags on Amazon SageMaker user profiles.

  • secretsmanager — Allows principals full access to Amazon Secrets Manager. Principals can securely encrypt, store, and retrieve credentials for databases and other services. This is also needed for SageMaker notebook instances that use SageMaker code repositories hosted on GitHub.

  • servicecatalog — Allows principals to use Amazon Service Catalog. Principals can create, list, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed using Amazon resources. This is needed for SageMaker JumpStart and Projects to find and read Service Catalog products and launch Amazon resources in the user's account.

  • sns — Allows principals to get a list of Amazon SNS topics. This is needed for endpoints with asynchronous inference enabled to notify users that their inference has completed.

  • states — Needed for SageMaker JumpStart and Pipelines to create Step Functions resources through Service Catalog.

  • tag — Needed for SageMaker Pipelines to render in Studio. Studio needs resources tagged with the specific sagemaker:project-id tag key, which requires the tag:GetResources permission.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sagemaker:*"],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:*App",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": ["arn:aws:sagemaker:*:*:flow-definition/*"],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": ["private-crowd", "vendor-crowd"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elastic-inference:Connect",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": ["arn:aws:ecr:*:*:repository/*sagemaker*"]
    },
    {
      "Effect": "Allow",
      "Action": ["codecommit:GitPull", "codecommit:GitPush"],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Action": ["codebuild:BatchGetBuilds", "codebuild:StartBuild"],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": ["arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["servicecatalog:ProvisionProduct"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketAcl", "s3:PutObjectAcl"],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["lambda:InvokeFunction"],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "robomaker.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["sns:Subscribe", "sns:CreateTopic", "sns:Publish"],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateTable"],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:DeleteTable"],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:GetDatabases", "glue:GetTable", "glue:GetTables"],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateDatabase", "glue:GetDatabase"],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["redshift:GetClusterCredentials"],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["cloudformation:ListStackResources"],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    }
  ]
}
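The practical question a reviewer asks of this policy is not "what does it list" but "what does it let a principal do to a given ARN". The following added example (written for this page; it is not AWS code and not the IAM policy engine) is a deliberately small evaluator that implements just the matching rules the policy above relies on: wildcard `Action` and `Resource`/`NotResource` patterns, and the `StringEquals`, `StringEqualsIgnoreCase`, `StringLike` and `...IfExists` condition operators. It is run over a constructed excerpt of the statements shown above to confirm three scoping properties the text describes: `sagemaker:*` stops short of Domain resources, S3 access depends on "sagemaker" appearing in the bucket name (case-sensitively, hence the three spellings) or on an object tag, and `iam:PassRole` is unrestricted only when the role is passed to `sagemaker.amazonaws.com`. The account id, bucket names and role names are constructed sample values.

```python
import re

# Constructed excerpt of the AmazonSageMakerFullAccess statements quoted on this page
# (the real policy has many more statements; only these are needed for the checks below).
SAGEMAKER_FULL_ACCESS_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sagemaker:*"],
         "NotResource": ["arn:aws:sagemaker:*:*:domain/*",
                         "arn:aws:sagemaker:*:*:user-profile/*",
                         "arn:aws:sagemaker:*:*:app/*",
                         "arn:aws:sagemaker:*:*:flow-definition/*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["sagemaker:DescribeDomain", "sagemaker:ListDomains",
                    "sagemaker:*App", "sagemaker:ListApps"]},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    ],
}


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must be satisfied by the request context."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:          # ...IfExists: an absent key satisfies the condition
                    continue
                return False
            actual, expected = context[key], _as_list(expected)
            if base == "StringEquals":
                ok = actual in expected
            elif base == "StringEqualsIgnoreCase":
                ok = actual.lower() in [e.lower() for e in expected]
            elif base == "StringLike":
                ok = any(_glob(e, actual) for e in expected)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # Action names match case-insensitively; resource ARNs match case-sensitively, which is
    # why the policy lists *SageMaker*, *Sagemaker* and *sagemaker* as separate patterns.
    if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt:
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            return False
    elif any(_glob(r, resource) for r in _as_list(stmt["NotResource"])):
        return False               # NotResource: statement covers everything except these ARNs
    return _condition_holds(stmt.get("Condition", {}), context)


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM decision: an explicit Deny wins, otherwise any matching Allow grants."""
    context = context or {}
    effects = [s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, context)]
    return "Deny" not in effects and "Allow" in effects


def audit_scope(policy=SAGEMAKER_FULL_ACCESS_EXCERPT, account="123456789012"):
    """Probe the policy with constructed requests; returns a name -> allowed mapping."""
    sm = f"arn:aws:sagemaker:us-east-1:{account}:"
    role = f"arn:aws:iam::{account}:role/"
    return {
        "create_training_job": is_allowed(policy, "sagemaker:CreateTrainingJob", sm + "training-job/demo"),
        "delete_domain": is_allowed(policy, "sagemaker:DeleteDomain", sm + "domain/d-example"),
        "get_from_sagemaker_bucket": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::team-sagemaker-data/train.csv"),
        "get_from_other_bucket": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::payroll-exports/q1.csv"),
        "get_from_other_bucket_tagged": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::payroll-exports/q1.csv",
                                                   {"s3:ExistingObjectTag/SageMaker": "TRUE"}),
        "pass_any_role_to_sagemaker": is_allowed(policy, "iam:PassRole", role + "OrgAdminRole",
                                                 {"iam:PassedToService": "sagemaker.amazonaws.com"}),
        "pass_any_role_to_glue": is_allowed(policy, "iam:PassRole", role + "OrgAdminRole",
                                            {"iam:PassedToService": "glue.amazonaws.com"}),
        "pass_named_role_to_glue": is_allowed(policy, "iam:PassRole", role + "AmazonSageMaker-GlueRole",
                                              {"iam:PassedToService": "glue.amazonaws.com"}),
    }


if __name__ == "__main__":
    for name, allowed in audit_scope().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'deny'}")
```

The `pass_any_role_to_sagemaker` probe is the one to keep in mind when attaching this policy: any role in the account can become a SageMaker execution role, so the effective privilege of a user holding AmazonSageMakerFullAccess is bounded by the most powerful role that trusts `sagemaker.amazonaws.com`, not by this policy alone. A customer managed policy that narrows the `iam:PassRole` resource to your execution roles is the usual mitigation, in line with the "most restrictive policy" recommendation above.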

Amazon managed policy: AmazonSageMakerReadOnly

This policy grants read-only access to Amazon SageMaker through the Amazon Web Services Management Console and the SDKs.

Permissions details

This policy includes the following permissions.

  • application-autoscaling — Allows users to browse descriptions of scalable SageMaker real-time inference endpoints.

  • aws-marketplace — Allows users to view Amazon AI Marketplace subscriptions.

  • cloudwatch — Allows users to receive CloudWatch alarms.

  • cognito-idp — Needed for Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.

  • ecr — Needed to read Docker artifacts for training and inference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Describe*",
        "sagemaker:List*",
        "sagemaker:BatchGetMetrics",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:BatchGetRecord",
        "sagemaker:GetRecord",
        "sagemaker:Search",
        "sagemaker:QueryLineage",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:GetModelPackageGroupPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "aws-marketplace:ViewSubscriptions",
        "cloudwatch:DescribeAlarms",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders",
        "cognito-idp:ListUserPoolClients",
        "cognito-idp:ListUserPools",
        "cognito-idp:ListUsers",
        "cognito-idp:ListUsersInGroup",
        "ecr:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

SageMaker updates to Amazon managed policies

View details about updates to the Amazon managed policies for SageMaker since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker Document history page.

Policy                    | Version | Change                                                                                                                                                   | Date
--------------------------|---------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------
AmazonSageMakerFullAccess | 22      | Add cloudformation:ListStackResources.                                                                                                                   | May 1, 2022
AmazonSageMakerReadOnly   | 11      | Add the sagemaker:QueryLineage, sagemaker:GetLineageGroupPolicy, sagemaker:BatchDescribeModelPackage and sagemaker:GetModelPackageGroupPolicy permissions. | December 1, 2021
AmazonSageMakerFullAccess | 21      | Add the sns:Publish permission for endpoints with asynchronous inference enabled.                                                                        | September 8, 2021
AmazonSageMakerFullAccess | 20      | Update iam:PassRole resources and permissions.                                                                                                           | July 15, 2021
AmazonSageMakerReadOnly   | 10      | New API BatchGetRecord added for SageMaker Feature Store.                                                                                                | June 10, 2021
                          |         | SageMaker started tracking changes to its Amazon managed policies.                                                                                       | June 1, 2021