Amazon managed policies for Amazon SageMaker - Amazon SageMaker

Amazon managed policies for Amazon SageMaker

To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in an Amazon managed policy. Services occasionally add permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Important

We recommend that you use the most restrictive policy that still allows your use case to be performed.

The following Amazon managed policies are specific to Amazon SageMaker and can be attached to users in your account:

  • AmazonSageMakerFullAccess – Grants full access to Amazon SageMaker and SageMaker geospatial resources and the supported operations. This does not provide unrestricted Amazon S3 access, but supports buckets and objects with a specific sagemaker tag. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the Amazon Glue, Amazon Step Functions, and Amazon RoboMaker services.

  • AmazonSageMakerReadOnly – Grants read-only access to Amazon SageMaker resources.

The following Amazon managed policies can be attached to users in your account, but are not recommended:

  • AdministratorAccess – Grants all actions for all Amazon services and for all resources in the account.

  • DataScientist – Grants a wide range of permissions to cover most of the use cases encountered by data scientists (primarily for analytics and business intelligence).

You can review these permissions policies by signing in to the IAM console and searching for them.

You can also create your own custom IAM policies to grant permissions for Amazon SageMaker actions and resources as needed. You can attach these custom policies to the users or groups that require them.

Amazon managed policy: AmazonSageMakerFullAccess

This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker and SageMaker geospatial resources and operations. The policy also provides selected access to related services. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the Amazon Glue, Amazon Step Functions, and Amazon RoboMaker services. This policy does not include permissions to create an Amazon SageMaker domain. For information about the policy needed to create a domain, see Amazon SageMaker Prerequisites.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows principals to automatically scale SageMaker real-time inference endpoints.

  • athena – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.

  • aws-marketplace – Allows principals to view Amazon AI Marketplace subscriptions. This is needed if you want to access software subscribed to in Amazon Web Services Marketplace from SageMaker.

  • cloudformation – Allows principals to get Amazon CloudFormation templates for using SageMaker JumpStart solutions and pipelines. SageMaker JumpStart creates the resources necessary to run end-to-end machine learning solutions that tie SageMaker to other Amazon services. SageMaker Pipelines creates new projects that are backed by Service Catalog.

  • cloudwatch – Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.

  • codebuild – Allows principals to store Amazon CodeBuild artifacts for SageMaker pipelines and projects.

  • codecommit – Required for Amazon CodeCommit integration with SageMaker notebook instances.

  • cognito-idp – Required for Amazon SageMaker Ground Truth to define private workforces and work teams.

  • ec2 – Required to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for your SageMaker jobs, models, endpoints, and notebook instances.

  • ecr – Required to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. This is also required to use your own containers in SageMaker. Additional permissions for SageMaker JumpStart solutions are required to create and remove custom images on behalf of users.

  • elastic-inference – Allows principals to connect to Amazon Elastic Inference for use with SageMaker notebook instances and endpoints.

  • elasticfilesystem – Allows principals to access Amazon Elastic File System. This is required for SageMaker to use data sources in Amazon Elastic File System for training machine learning models.

  • fsx – Allows principals to access Amazon FSx. This is required for SageMaker to use data sources in Amazon FSx for training machine learning models.

  • glue – Required for inference pipeline pre-processing within SageMaker notebook instances.

  • groundtruthlabeling – Required for Ground Truth labeling jobs. The groundtruthlabeling endpoint is accessed through the Ground Truth console.

  • iam – Required to give the SageMaker console access to the available IAM roles and to create service-linked roles.

  • kms – Required to give the SageMaker console access to the available Amazon KMS keys and to retrieve those keys for any Amazon KMS alias specified in jobs and endpoints.

  • lambda – Allows principals to invoke and get a list of Amazon Lambda functions.

  • logs – Required to allow SageMaker jobs and endpoints to publish log streams.

  • redshift – Allows principals to access Amazon Redshift cluster credentials.

  • redshift-data – Allows principals to use data from Amazon Redshift to run, describe, and cancel statements; get statement results; and list schemas and tables.

  • robomaker – Allows principals full access to create, get descriptions of, and delete Amazon RoboMaker simulation applications and jobs. This is also required to run reinforcement learning examples on notebook instances.

  • s3, s3express – Allows principals full access to the Amazon S3 and Amazon S3 Express resources that pertain to SageMaker, but not to all Amazon S3 and Amazon S3 Express resources.

  • sagemaker – Allows principals to list tags on SageMaker user profiles and to add tags to SageMaker apps and spaces. Only allows access to SageMaker flow definitions whose sagemaker:WorkteamType is "private-crowd" or "vendor-crowd".

  • sagemaker, sagemaker-geospatial – Allows principals read-only access to SageMaker domains and user profiles.

  • secretsmanager – Allows principals full access to Amazon Secrets Manager. Principals can securely encrypt, store, and retrieve credentials for databases and other services. This is also required for SageMaker notebook instances with SageMaker code repositories that use GitHub.

  • servicecatalog – Allows principals to use Service Catalog. Principals can create, get, update, or terminate provisioned products such as servers, databases, websites, or applications deployed using Amazon resources. This is required for SageMaker JumpStart and Projects to find and read Service Catalog products and to launch Amazon resources in users' accounts.

  • sns – Allows principals to get a list of Amazon SNS topics. This is required for endpoints with Async Inference enabled to notify users that an inference has completed.

  • states – Required for SageMaker JumpStart and Pipelines to create Step Functions resources using Service Catalog.

  • tag – Required for SageMaker Pipelines to render in Studio Classic. Studio Classic needs resources tagged with the specific tag key sagemaker:project-id, which requires the tag:GetResources permission.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": [ "sagemaker:*", "sagemaker-geospatial:*" ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": [ "sagemaker:AddTags" ],
      "Resource": [ "arn:aws:sagemaker:*:*:space/*" ],
      "Condition": { "StringEquals": { "sagemaker:TaggingAction": "CreateSpace" } }
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": [ "sagemaker:AddTags" ],
      "Resource": [ "arn:aws:sagemaker:*:*:app/*" ]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile", "sagemaker:ListUserProfiles", "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces", "sagemaker:DescribeApp", "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": { "Null": { "sagemaker:OwnerUserProfileArn": "true" } }
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": { "StringEquals": { "sagemaker:SpaceSharingType": [ "Shared" ] } }
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace" ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": { "Null": { "sagemaker:OwnerUserProfileArn": "true" } }
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace" ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": { "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" },
        "StringEquals": { "sagemaker:SpaceSharingType": [ "Private", "Shared" ] }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": { "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" },
        "StringEquals": { "sagemaker:SpaceSharingType": [ "Private" ] }
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": [ "arn:aws:sagemaker:*:*:flow-definition/*" ],
      "Condition": { "StringEqualsIfExists": { "sagemaker:WorkteamType": [ "private-crowd", "vendor-crowd" ] } }
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction", "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm", "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories", "codecommit:CreateRepository", "codecommit:GetRepository", "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup", "cognito-idp:AdminCreateUser", "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser", "cognito-idp:AdminEnableUser", "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup", "cognito-idp:CreateUserPool", "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*", "cognito-idp:UpdateUserPool", "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CreateRepository", "ecr:Describe*",
        "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:StartImageScan",
        "elastic-inference:Connect",
        "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob", "glue:DeleteJob", "glue:GetJob*", "glue:GetTable*", "glue:GetWorkflowRun",
        "glue:ResetJobBookmark", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey", "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery",
        "logs:Describe*", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:ListLogDeliveries",
        "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication", "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication", "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*", "servicecatalog:List*", "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts", "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy", "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:DeleteRepository", "ecr:PutImage"
      ],
      "Resource": [ "arn:aws:ecr:*:*:repository/*sagemaker*" ]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": [ "codecommit:GitPull", "codecommit:GitPush" ],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ],
      "Resource": [ "arn:aws:codebuild:*:*:project/sagemaker*", "arn:aws:codebuild:*:*:build/*" ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution", "states:GetExecutionHistory", "states:StartExecution",
        "states:StopExecution", "states:UpdateStateMachine"
      ],
      "Resource": [ "arn:aws:states:*:*:statemachine:*sagemaker*", "arn:aws:states:*:*:execution:*sagemaker*:*" ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret" ],
      "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ],
      "Resource": "*",
      "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } }
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": [ "servicecatalog:ProvisionProduct" ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": [ "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct" ],
      "Resource": "*",
      "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload" ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": [ "arn:aws:s3:::*" ],
      "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" } }
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": [ "arn:aws:s3:::*" ],
      "Condition": { "StringEquals": { "s3:ExistingObjectTag/servicecatalog:provisioning": "true" } }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets",
        "s3:GetBucketCors", "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": [ "s3:GetBucketAcl", "s3:PutObjectAcl" ],
      "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": [ "lambda:InvokeFunction" ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } }
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": { "StringEquals": { "iam:AWSServiceName": "robomaker.amazonaws.com" } }
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": [ "sns:Subscribe", "sns:CreateTopic", "sns:Publish" ],
      "Resource": [ "arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*", "arn:aws:sns:*:*:*sagemaker*" ]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": { "iam:PassedToService": [ "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com" ] }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } }
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListTableMetadata", "athena:GetQueryExecution",
        "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": [ "glue:CreateTable" ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": [ "glue:UpdateTable" ],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": [ "glue:DeleteTable" ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables" ],
      "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": [ "glue:CreateDatabase", "glue:GetDatabase" ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": [ "redshift:GetClusterCredentials" ],
      "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": [ "sagemaker:ListTags" ],
      "Resource": [ "arn:aws:sagemaker:*:*:user-profile/*" ]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": [ "cloudformation:ListStackResources" ],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": [ "s3express:CreateSession" ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } }
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": [ "s3express:CreateBucket" ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } }
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": [ "s3express:ListAllMyDirectoryBuckets" ],
      "Resource": "*"
    }
  ]
}
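As an added illustration (not part of this documentation and not an AWS tool), the following Python evaluator applies four statements from the AmazonSageMakerFullAccess policy above to constructed requests: it shows that any role in the account may be passed to SageMaker itself while only roles with "AmazonSageMaker" in the name may be passed to Glue, RoboMaker or Step Functions, and that S3 object access is decided by a bucket-name substring or by the SageMaker object tag. The account id 123456789012 and the bucket and role names are placeholders.

```python
import fnmatch

# Four statements copied from the AmazonSageMakerFullAccess policy on this page. The evaluator
# is an added illustration (not an AWS tool) and implements only the operators these use.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3ObjectActions", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
        {"Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::*"],
         "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}},
        {"Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
        {"Sid": "AllowPassRoleToSageMaker", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    ],
}

def _as_list(value):
    # IAM accepts a bare string or a list in Action, Resource and condition values.
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, context):
    # Every operator block must pass. A key missing from the request context fails
    # StringEquals; only the *IfExists variants would treat a missing key as a pass.
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            raise NotImplementedError(operator)
        fold = str.lower if operator == "StringEqualsIgnoreCase" else str
        for key, allowed in pairs.items():
            if key not in context or fold(context[key]) not in map(fold, _as_list(allowed)):
                return False
    return True

def matching_sids(policy, action, resource, context=None):
    # Return the Sids of Allow statements granting `action` on `resource` under `context`.
    # Action names are case-insensitive in IAM; ARNs match case-sensitively, which is why
    # the policy spells out SageMaker/Sagemaker/sagemaker in its S3 resource patterns.
    context = context or {}
    hits = []
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and _condition_ok(stmt.get("Condition", {}), context)):
            hits.append(stmt["Sid"])
    return hits

if __name__ == "__main__":
    # Constructed sample ARNs; 123456789012 is a placeholder account id.
    role = "arn:aws:iam::123456789012:role/"
    print(matching_sids(POLICY, "s3:GetObject", "arn:aws:s3:::finance-sagemaker-exports/q1.csv"))
    print(matching_sids(POLICY, "s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv",
                        {"s3:ExistingObjectTag/SageMaker": "True"}))
    print(matching_sids(POLICY, "iam:PassRole", role + "AdminRole",
                        {"iam:PassedToService": "sagemaker.amazonaws.com"}))
    print(matching_sids(POLICY, "iam:PassRole", role + "AdminRole",
                        {"iam:PassedToService": "glue.amazonaws.com"}))
```

The bucket-name matching is the practical reason to keep "sagemaker" out of the names of buckets this policy should not reach: any object in such a bucket is in scope, tag or no tag.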

Amazon managed policy: AmazonSageMakerReadOnly

This policy grants read-only access to Amazon SageMaker through the Amazon Web Services Management Console and SDK.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows users to browse descriptions of scalable SageMaker real-time inference endpoints.

  • aws-marketplace – Allows users to view Amazon AI Marketplace subscriptions.

  • cloudwatch – Allows users to receive CloudWatch alarms.

  • cognito-idp – Required for Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.

  • ecr – Required to read Docker artifacts for training and inference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Describe*", "sagemaker:List*", "sagemaker:BatchGetMetrics", "sagemaker:GetDeviceRegistration",
        "sagemaker:GetDeviceFleetReport", "sagemaker:GetSearchSuggestions", "sagemaker:BatchGetRecord",
        "sagemaker:GetRecord", "sagemaker:Search", "sagemaker:QueryLineage", "sagemaker:GetLineageGroupPolicy",
        "sagemaker:BatchDescribeModelPackage", "sagemaker:GetModelPackageGroupPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions",
        "aws-marketplace:ViewSubscriptions",
        "cloudwatch:DescribeAlarms",
        "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools",
        "cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup",
        "ecr:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

SageMaker updates to Amazon managed policies

View details about updates to Amazon managed policies for SageMaker since this service began tracking these changes.

| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerFullAccess – Update to an existing policy | 26 | Added the sagemaker:AddTags permission. | March 29, 2024 |
| AmazonSageMakerFullAccess – Update to an existing policy | 25 | Added the sagemaker:CreateApp, sagemaker:DescribeApp, sagemaker:DeleteApp, sagemaker:CreateSpace, sagemaker:UpdateSpace, sagemaker:DeleteSpace, s3express:CreateSession, s3express:CreateBucket, and s3express:ListAllMyDirectoryBuckets permissions. | November 30, 2023 |
| AmazonSageMakerFullAccess – Update to an existing policy | 24 | Added the sagemaker-geospatial:*, sagemaker:AddTags, sagemaker:ListTags, sagemaker:DescribeSpace, and sagemaker:ListSpaces permissions. | November 30, 2022 |
| AmazonSageMakerFullAccess – Update to an existing policy | 23 | Added glue:UpdateTable. | June 29, 2022 |
| AmazonSageMakerFullAccess – Update to an existing policy | 22 | Added cloudformation:ListStackResources. | May 1, 2022 |
| AmazonSageMakerReadOnly – Update to an existing policy | 11 | Added the sagemaker:QueryLineage, sagemaker:GetLineageGroupPolicy, sagemaker:BatchDescribeModelPackage, and sagemaker:GetModelPackageGroupPolicy permissions. | December 1, 2021 |
| AmazonSageMakerFullAccess – Update to an existing policy | 21 | Added the sns:Publish permission for endpoints with Async Inference enabled. | September 8, 2021 |
| AmazonSageMakerFullAccess – Update to an existing policy | 20 | Updated iam:PassRole resources and permissions. | July 15, 2021 |
| AmazonSageMakerReadOnly – Update to an existing policy | 10 | Added the new BatchGetRecord API for SageMaker Feature Store. | June 10, 2021 |
| SageMaker started tracking changes for its Amazon managed policies. | | | June 1, 2021 |