AmazonSageMakerFullAccess AmazonSageMakerReadOnly 亚马逊 SageMaker AI 政策更新

Amazon 亚马逊 A SageMaker I 的托管策略

要向用户、群组和角色添加权限，使用 Amazon 托管策略比自己编写策略要容易得多。创建仅为团队提供所需权限的 IAM 客户管理型策略需要时间和专业知识。要快速入门，您可以使用我们的 Amazon 托管策略。这些政策涵盖常见用例，可在您的 Amazon 账户中使用。有关 Amazon 托管策略的更多信息，请参阅 IAM 用户指南中的Amazon 托管策略。

Amazon 服务维护和更新 Amazon 托管策略。您无法更改 Amazon 托管策略中的权限。服务偶尔会向 Amazon 托管式策略添加额外权限以支持新特征。此类更新会影响附加策略的所有身份（用户、组和角色）。当启动新特征或新操作可用时，服务最有可能会更新 Amazon 托管式策略。服务不会从 Amazon 托管策略中移除权限，因此策略更新不会破坏您的现有权限。

此外，还 Amazon 支持跨多个服务的工作职能的托管策略。例如，ReadOnlyAccess Amazon 托管策略提供对所有 Amazon 服务和资源的只读访问权限。当服务启动一项新功能时， Amazon 会为新操作和资源添加只读权限。有关工作职能策略的列表和说明，请参阅 IAM 用户指南中的适用于工作职能的Amazon 托管式策略。

重要

我们建议您使用允许执行使用案例的最严格的策略。

以下 Amazon 托管策略仅适用于 Amazon A SageMaker I，您可以将其附加到账户中的用户：

AmazonSageMakerFullAccess— 授予对 Amazon A SageMaker I 和 A SageMaker I 地理空间资源以及支持的操作的完全访问权限。这不提供无限制的 Amazon S3 访问权限，但支持具有特定 sagemaker 标签的存储桶和对象。此策略允许将所有 IAM 角色传递给 Amazon A SageMaker I，但仅允许将其中带有 AmazonSageMaker “” 的 IAM 角色传递给 Amazon Glue Amazon Step Functions、和 Amazon RoboMaker 服务。
AmazonSageMakerReadOnly— 授予对 Amazon A SageMaker I 资源的只读访问权限。

以下 Amazon 托管策略可以附加到您账户中的用户，但不建议这样做：

AdministratorAccess – 为所有 Amazon 服务和账户中的所有资源授予所有操作权限。
DataScientist – 授予广泛的权限，以涵盖数据科学家所遇到的大多数使用案例（主要用于分析和商业智能）。

您可以通过登录到 IAM 控制台并搜索这些权限策略来查看它们。

您也可以创建自己的自定义 IAM 策略，根据需要授予对 SageMaker Amazon AI 操作和资源的权限。您可以将这些自定义策略附加到需要它们的用户或组。

主题

Amazon 托管策略： AmazonSageMakerFullAccess

该策略授予管理权限，允许委托人完全访问所有 Amazon SageMaker AI 和 SageMaker AI 地理空间资源和操作。该策略还提供对相关服务的部分访问权限。此策略允许将所有 IAM 角色传递给 Amazon A SageMaker I，但仅允许将其中带有 AmazonSageMaker “” 的 IAM 角色传递给 Amazon Glue Amazon Step Functions、和 Amazon RoboMaker 服务。该政策不包括创建 Amazon A SageMaker I 域的权限。有关创建域所需策略的信息，请参阅完成 Amazon A SageMaker I 先决条件。

权限详细信息

该策略包含以下权限。

application-autoscaling— 允许委托人自动扩展 A SageMaker I 实时推理端点。
athena— 允许委托人从中查询数据目录、数据库和表元数据的列表。 Amazon Athena
aws-marketplace— 允许委托人查看 Amazon AI Marketplace 订阅。如果您想访问中订阅的 SageMaker AI 软件，则需要此选项。 Amazon Web Services Marketplace
cloudformation— 允许校长获取用于使用 SageMaker AI JumpStart 解决方案和管道的 Amazon CloudFormation 模板。 SageMaker AI JumpStart 创造了运行将 SageMaker 人工智能与其他 Amazon 服务联系起来的 end-to-end机器学习解决方案所必需的资源。 SageMaker AI Pipelines 创建由 Service Catalog 支持的新项目。
cloudwatch— 允许委托人发布 CloudWatch 指标、与警报交互以及将日志上传到您账户中的 CloudWatch 日志。
codebuild— 允许委托人存储 SageMaker AI 管道和项目的 Amazon CodeBuild 工件。
codecommit— 需要与 SageMaker AI 笔记本实例 Amazon CodeCommit 集成。
cognito-idp— Amazon G SageMaker round Truth 需要定义私人员工和工作团队。
ec2— 当您为 SageMaker AI 任务、模型、终端节点和笔记本实例指定 Amazon VPC 时， SageMaker AI 需要管理亚马逊 EC2 资源和网络接口。
ecr— 需要提取和存储 Amazon SageMaker Studio Classic（自定义映像）、训练、处理、批量推理和推理终端节点的 Docker 工件。在 SageMaker AI 中使用自己的容器也需要这样做。要代表用户创建和移除自定义映像，还需要获得 SageMaker AI JumpStart 解决方案的额外权限。
elasticfilesystem - 允许主体访问 Amazon Elastic File System。这是 SageMaker 人工智能使用亚马逊弹性文件系统（Amazon Elastic File System）中的数据源来训练机器学习模型所必需的。
fsx— 允许委托人访问亚马逊 FSx。这是 SageMaker AI 使用 Amazon 中的数据源训练机器学习模型 FSx 所必需的。
glue— 需要在 SageMaker AI 笔记本实例中进行推理管道预处理。
groundtruthlabeling - Ground Truth 标注作业所需。可通过 Ground Truth 控制台访问 groundtruthlabeling 端点。
iam— 需要向 SageMaker AI 控制台授予对可用 IAM 角色的访问权限并创建与服务相关的角色。
kms— 需要让 SageMaker AI 控制台访问可用 Amazon KMS 密钥并检索任务和终端节点中任何指定 Amazon KMS 别名的密钥。
lambda - 允许主体调用和获取 Amazon Lambda 函数列表。
logs— 需要允许 SageMaker AI 作业和端点发布日志流。
redshift - 允许主体访问 Amazon Redshift 集群凭证。
redshift-data - 允许主体使用 Amazon Redshift 中的数据来运行、描述和取消语句；获取语句结果；以及列出架构和表。
robomaker— 允许委托人拥有创建、获取描述和删除 Amazon RoboMaker 仿真应用程序和作业的完全访问权限。这也是在笔记本实例上运行强化学习示例时所需。
s3, s3express— 允许委托人完全访问与 SageMaker 人工智能相关的亚马逊 S3 和 Amazon S3 Express 资源，但不能完全访问所有亚马逊 S3 或 Amazon S3 Express 资源。
sagemaker— 允许委托人在 SageMaker AI 用户个人资料上列出标签，并向 SageMaker AI 应用程序和空间添加标签。仅允许访问 sagemaker 的 SageMaker AI 流程定义：WorkteamType “私人人群” 或 “供应商人群”。允许在所有可访问训练计划功能的 Amazon 区域中使用和描述 SageMaker AI SageMaker 训练计划和预留容量，以及训练作业和 SageMaker HyperPod集群中的预留容量。
sagemaker和 sagemaker-geospatial — 允许委托人对 SageMaker AI 域和用户配置文件进行只读访问。
secretsmanager - 允许主体完全访问 Amazon Secrets Manager。主体可以安全地加密、存储和检索数据库和其他服务的凭证。对于使用的 SageMaker AI 代码存储库的 A SageMaker I 笔记本实例，也需要这样做 GitHub。
servicecatalog - 允许主体使用 Service Catalog。委托人可以创建、获取、更新或终止预配置产品，例如使用 Amazon 资源部署的服务器、数据库、网站或应用程序。这是 SageMaker AI JumpStart 和 Projects 查找和阅读服务目录产品以及在用户中启动 Amazon 资源所必需的。
sns - 允许主体获取 Amazon SNS 主题列表。启用了同步推理功能的端点需要该权限来通知用户推理已完成。
states— SageMaker AI JumpStart 和 Pipelines 需要使用服务目录来创建步骤函数资源。
tag— SageMaker 人工智能管道需要在 Studio Classic 中进行渲染。Studio Classic 需要使用特定 sagemaker:project-id 标记键标记的资源。这需要 tag:GetResources 权限。

JSON


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:*",
        "sagemaker-geospatial:*"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:partner-app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*",
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:space/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:app/*"
      ]
    },
    {
      "Sid": "AllowUseOfTrainingPlanResources",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateCluster",
        "sagemaker:UpdateCluster",
        "sagemaker:DescribeTrainingPlan"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces",
        "sagemaker:DescribeApp",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private",
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private"
          ]
        }
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": [
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": [
            "private-crowd",
            "vendor-crowd"
          ]
        }
      }
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elastic-inference:Connect",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/*sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ProvisionProduct"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "robomaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": [
        "glue:CreateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": [
        "glue:DeleteTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:user-profile/*"
      ]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:ListAllMyDirectoryBuckets"
      ],
      "Resource": "*"
    }
  ]
}

显示更多

显示更少

Amazon 托管策略： AmazonSageMakerReadOnly

此政策授予通过 Amazon Web Services Management Console 和软件开发工具包对 Amazon SageMaker AI 的只读访问权限。

权限详细信息

该策略包含以下权限。

application-autoscaling— 允许用户浏览可扩展的 SageMaker AI 实时推理端点的描述。
aws-marketplace— 允许用户查看 Amazon AI Marketplace 订阅。
cloudwatch— 允许用户接收 CloudWatch 警报。
cognito-idp— Amazon Gro SageMaker und Truth 需要浏览私人员工和工作团队的描述和列表。
ecr - 读取 Docker 构件以进行训练和推理时所需。

SageMaker Amazon 托管策略的 AI 更新

查看自该服务开始跟踪这些更改以来， SageMaker AI Amazon 托管策略更新的详细信息。

策略	版本	更改	日期
AmazonSageMakerFullAccess – 对现有策略的更新	27	使用以下操作添加`AllowUseOfTrainingPlanResources`对账单 ID：`sagemaker:CreateTrainingJob`、`sagemaker:CreateCluster`、`sagemaker:UpdateCluster`、`sagemaker:DescribeTrainingPlan`。在`AllowAllNonAdminSageMakerActions`政策声明中排除的资源中添加合作伙伴应用程序、培训计划和预留容量。	2024年12月4日
AmazonSageMakerFullAccess – 对现有策略的更新	26	添加 `sagemaker:AddTags` 权限	2024 年 3 月 29 日
AmazonSageMakerFullAccess -更新现有政策	25	添加 `sagemaker:CreateApp`、`sagemaker:DescribeApp`、`sagemaker:DeleteApp`、`sagemaker:CreateSpace`、`sagemaker:UpdateSpace`、`sagemaker:DeleteSpace`、`s3express:CreateSession`、`s3express:CreateBucket` 和 `s3express:ListAllMyDirectoryBuckets` 权限。	2023 年 11 月 30 日
AmazonSageMakerFullAccess -更新现有政策	24	添加 `sagemaker-geospatial:*`、`sagemaker:AddTags`、`sagemaker-ListTags`、`sagemaker-DescribeSpace` 和 `sagemaker:ListSpaces` 权限。	2022 年 11 月 30 日
AmazonSageMakerFullAccess -更新现有政策	23	添加 `glue:UpdateTable`。	2022 年 6 月 29 日
AmazonSageMakerFullAccess -更新现有政策	22	添加 `cloudformation:ListStackResources`。	2022 年 5 月 1 日
AmazonSageMakerReadOnly – 对现有策略的更新	11	添加 `sagemaker:QueryLineage`、`sagemaker:GetLineageGroupPolicy`、`sagemaker:BatchDescribeModelPackage` 和 `sagemaker:GetModelPackageGroupPolicy` 权限。	2021 年 12 月 1 日
AmazonSageMakerFullAccess -更新现有政策	21	为启用了异步推理的端点添加 `sns:Publish` 权限。	2021 年 9 月 8 日
AmazonSageMakerFullAccess -更新现有政策	20	更新 `iam:PassRole` 资源和权限。	2021 年 7 月 15 日
AmazonSageMakerReadOnly -更新现有政策	10	为 AI 功能商店`BatchGetRecord`添加了新 AP SageMaker I。	2021 年 6 月 10 日
		SageMaker AI 开始跟踪其 Amazon 托管策略的更改。	2021 年 6 月 1 日

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

亚马逊 SageMaker AI API 权限参考

SageMaker 帆布