本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# Amazon 亚马逊 A SageMaker I 的托管策略
要向用户、群组和角色添加权限,使用 Amazon 托管策略比自己编写策略要容易得多。创建仅为团队提供所需权限的 [IAM 客户管理型策略](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create-console.html)需要时间和专业知识。要快速入门,您可以使用我们的 Amazon 托管策略。这些政策涵盖常见用例,可在您的 Amazon 账户中使用。有关 Amazon 托管策略的更多信息,请参阅 *IAM 用户指南*中的[Amazon 托管策略](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)。
Amazon 服务维护和更新 Amazon 托管策略。您无法更改 Amazon 托管策略中的权限。服务偶尔会向 Amazon 托管式策略添加额外权限以支持新特征。此类更新会影响附加策略的所有身份(用户、组和角色)。当启动新特征或新操作可用时,服务最有可能会更新 Amazon 托管式策略。服务不会从 Amazon 托管策略中移除权限,因此策略更新不会破坏您的现有权限。
此外,还 Amazon 支持跨多个服务的工作职能的托管策略。例如,`ReadOnlyAccess` Amazon 托管策略提供对所有 Amazon 服务和资源的只读访问权限。当服务启动一项新功能时, Amazon 会为新操作和资源添加只读权限。有关工作职能策略的列表和说明,请参阅 *IAM 用户指南*中的[适用于工作职能的Amazon 托管式策略](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html)。
**重要**
我们建议您使用允许执行使用案例的最严格的策略。
以下 Amazon 托管策略仅适用于 Amazon A SageMaker I,您可以将其附加到账户中的用户:
+ **`AmazonSageMakerFullAccess`**— 授予对 Amazon A SageMaker I 和 A SageMaker I 地理空间资源以及支持的操作的完全访问权限。这不提供无限制的 Amazon S3 访问权限,但支持具有特定 `sagemaker` 标签的存储桶和对象。此策略允许将所有 IAM 角色传递给 Amazon A SageMaker I,但仅允许将其中带有 AmazonSageMaker “” 的 IAM 角色传递给 Amazon Glue Amazon Step Functions、和 Amazon RoboMaker 服务。
+ **`AmazonSageMakerReadOnly`**— 授予对 Amazon A SageMaker I 资源的只读访问权限。
以下 Amazon 托管策略可以附加到您账户中的用户,但不建议这样做:
+ [https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator) – 为所有 Amazon 服务和账户中的所有资源授予所有操作权限。
+ [https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html#jf_data-scientist](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html#jf_data-scientist) – 授予广泛的权限,以涵盖数据科学家所遇到的大多数使用案例(主要用于分析和商业智能)。
您可以通过登录到 IAM 控制台并搜索这些权限策略来查看它们。
您也可以创建自己的自定义 IAM 策略,根据需要授予对 SageMaker Amazon AI 操作和资源的权限。您可以将这些自定义策略附加到需要它们的用户或组。
**Topics**
+ [Amazon 托管策略: AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess)
+ [Amazon 托管策略: AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly)
+ [Amazon 亚马逊 C SageMaker anvas 的托管政策](security-iam-awsmanpol-canvas.md)
+ [Amazon Amazon Feature Stor SageMaker e 托管政策](security-iam-awsmanpol-feature-store.md)
+ [Amazon Amazon SageMaker 地理空间托管政策](security-iam-awsmanpol-geospatial.md)
+ [Amazon 亚马逊 G SageMaker round Truth 的托管政策](security-iam-awsmanpol-ground-truth.md)
+ [Amazon Amazon 的托管政策 SageMaker HyperPod](security-iam-awsmanpol-hyperpod.md)
+ [Amazon 用于 SageMaker AI 模型治理的托管策略](security-iam-awsmanpol-governance.md)
+ [Amazon 模型注册管理机构的托管策略](security-iam-awsmanpol-model-registry.md)
+ [Amazon SageMaker 笔记本电脑的托管策略](security-iam-awsmanpol-notebooks.md)
+ [Amazon Amazon SageMaker 合作伙伴 AI 应用程序的托管政策](security-iam-awsmanpol-partner-apps.md)
+ [Amazon 管道托 SageMaker 管策略](security-iam-awsmanpol-pipelines.md)
+ [Amazon SageMaker 培训计划的托管策略](security-iam-awsmanpol-training-plan.md)
+ [Amazon SageMaker 项目管理策略和 JumpStart](security-iam-awsmanpol-sc.md)
+ [SageMaker Amazon 托管策略的 AI 更新](#security-iam-awsmanpol-updates)
## Amazon 托管策略: AmazonSageMakerFullAccess
该策略授予管理权限,允许委托人完全访问所有 Amazon SageMaker AI 和 SageMaker AI 地理空间资源和操作。该策略还提供对相关服务的部分访问权限。此策略允许将所有 IAM 角色传递给 Amazon A SageMaker I,但仅允许将其中带有 AmazonSageMaker “” 的 IAM 角色传递给 Amazon Glue Amazon Step Functions、和 Amazon RoboMaker 服务。该政策不包括创建 Amazon A SageMaker I 域的权限。有关创建域所需策略的信息,请参阅[完成 Amazon A SageMaker I 先决条件](gs-set-up.md)。
**权限详细信息**
该策略包含以下权限。
+ `application-autoscaling`— 允许委托人自动扩展 A SageMaker I 实时推理端点。
+ `athena`— 允许委托人从中查询数据目录、数据库和表元数据的列表。 Amazon Athena
+ `aws-marketplace`— 允许委托人查看 Amazon AI Marketplace 订阅。如果您想访问中订阅的 SageMaker AI 软件,则需要此选项。 Amazon Web Services Marketplace
+ `cloudformation`— 允许校长获取用于使用 SageMaker AI JumpStart 解决方案和管道的 Amazon CloudFormation 模板。 SageMaker AI JumpStart 创造了运行将 SageMaker 人工智能与其他 Amazon 服务联系起来的 end-to-end机器学习解决方案所必需的资源。 SageMaker AI Pipelines 创建由 Service Catalog 支持的新项目。
+ `cloudwatch`— 允许委托人发布 CloudWatch 指标、与警报交互以及将日志上传到您账户中的 CloudWatch 日志。
+ `codebuild`— 允许委托人存储 SageMaker AI 管道和项目的 Amazon CodeBuild 工件。
+ `codecommit`— 需要与 SageMaker AI 笔记本实例 Amazon CodeCommit 集成。
+ `cognito-idp`— Amazon G SageMaker round Truth 需要定义私人员工和工作团队。
+ `ec2`— 当您为 SageMaker AI 任务、模型、终端节点和笔记本实例指定 Amazon VPC 时, SageMaker AI 需要管理 Amazon EC2 资源和网络接口。
+ `ecr`— 需要提取和存储 Amazon SageMaker Studio Classic(自定义映像)、训练、处理、批量推理和推理终端节点的 Docker 工件。在 SageMaker AI 中使用自己的容器也需要这样做。要代表用户创建和移除自定义映像,还需要获得 SageMaker AI JumpStart 解决方案的额外权限。
+ `elasticfilesystem` - 允许主体访问 Amazon Elastic File System。这是 SageMaker 人工智能使用 Amazon Elastic File System 中的数据源来训练机器学习模型所必需的。
+ `fsx`— 允许委托人访问亚马逊 FSx。这是 SageMaker AI 使用 Amazon 中的数据源训练机器学习模型 FSx 所必需的。
+ `glue`— 需要在 SageMaker AI 笔记本实例中进行推理管道预处理。
+ `groundtruthlabeling` - Ground Truth 标注作业所需。可通过 Ground Truth 控制台访问 `groundtruthlabeling` 端点。
+ `iam`— 需要向 SageMaker AI 控制台授予对可用 IAM 角色的访问权限并创建与服务相关的角色。
+ `kms`— 需要让 SageMaker AI 控制台访问可用 Amazon KMS 密钥并检索任务和终端节点中任何指定 Amazon KMS 别名的密钥。
+ `lambda` - 允许主体调用和获取 Amazon Lambda 函数列表。
+ `logs`— 需要允许 SageMaker AI 作业和端点发布日志流。
+ `redshift` - 允许主体访问 Amazon Redshift 集群凭证。
+ `redshift-data` - 允许主体使用 Amazon Redshift 中的数据来运行、描述和取消语句;获取语句结果;以及列出架构和表。
+ `robomaker`— 允许委托人拥有创建、获取描述和删除 Amazon RoboMaker 仿真应用程序和作业的完全访问权限。这也是在笔记本实例上运行强化学习示例时所需。
+ `s3, s3express`— 允许委托人完全访问与 SageMaker 人工智能相关的亚马逊 S3 和 Amazon S3 Express 资源,但不能完全访问所有亚马逊 S3 或 Amazon S3 Express 资源。
+ `sagemaker`— 允许委托人在 SageMaker AI 用户个人资料上列出标签,并向 SageMaker AI 应用程序和空间添加标签。仅允许访问 sagemaker 的 SageMaker AI 流程定义:WorkteamType “私人人群” 或 “供应商人群”。允许在所有可访问训练计划功能的 Amazon 区域中使用和描述 SageMaker AI SageMaker 训练计划和预留容量,以及训练作业和 SageMaker HyperPod集群。
+ `sagemaker`和 `sagemaker-geospatial` — 允许委托人对 SageMaker AI 域和用户配置文件进行只读访问。
+ `secretsmanager` - 允许主体完全访问 Amazon Secrets Manager。主体可以安全地加密、存储和检索数据库和其他服务的凭证。对于使用的 SageMaker AI 代码存储库的 A SageMaker I 笔记本实例,也需要这样做 GitHub。
+ `servicecatalog` - 允许主体使用 Service Catalog。委托人可以创建、获取、更新或终止预配置产品,例如使用 Amazon 资源部署的服务器、数据库、网站或应用程序。这是 SageMaker AI JumpStart 和 Projects 查找和阅读服务目录产品以及在用户中启动 Amazon 资源所必需的。
+ `sns` - 允许主体获取 Amazon SNS 主题列表。启用了同步推理功能的端点需要该权限来通知用户推理已完成。
+ `states`— SageMaker AI JumpStart 和 Pipelines 需要使用服务目录来创建步骤函数资源。
+ `tag`— SageMaker 人工智能管道需要在 Studio Classic 中进行渲染。Studio Classic 需要使用特定 `sagemaker:project-id` 标记键标记的资源。这需要 `tag:GetResources` 权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAllNonAdminSageMakerActions",
"Effect": "Allow",
"Action": [
"sagemaker:*",
"sagemaker-geospatial:*"
],
"NotResource": [
"arn:aws:sagemaker:*:*:domain/*",
"arn:aws:sagemaker:*:*:user-profile/*",
"arn:aws:sagemaker:*:*:app/*",
"arn:aws:sagemaker:*:*:space/*",
"arn:aws:sagemaker:*:*:partner-app/*",
"arn:aws:sagemaker:*:*:flow-definition/*",
"arn:aws:sagemaker:*:*:training-plan/*",
"arn:aws:sagemaker:*:*:reserved-capacity/*"
]
},
{
"Sid": "AllowAddTagsForSpace",
"Effect": "Allow",
"Action": [
"sagemaker:AddTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:space/*"
],
"Condition": {
"StringEquals": {
"sagemaker:TaggingAction": "CreateSpace"
}
}
},
{
"Sid": "AllowAddTagsForApp",
"Effect": "Allow",
"Action": [
"sagemaker:AddTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:app/*"
]
},
{
"Sid": "AllowUseOfTrainingPlanResources",
"Effect": "Allow",
"Action": [
"sagemaker:CreateTrainingJob",
"sagemaker:CreateCluster",
"sagemaker:UpdateCluster",
"sagemaker:DescribeTrainingPlan"
],
"Resource": [
"arn:aws:sagemaker:*:*:training-plan/*",
"arn:aws:sagemaker:*:*:reserved-capacity/*"
]
},
{
"Sid": "AllowStudioActions",
"Effect": "Allow",
"Action": [
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:ListDomains",
"sagemaker:DescribeUserProfile",
"sagemaker:ListUserProfiles",
"sagemaker:DescribeSpace",
"sagemaker:ListSpaces",
"sagemaker:DescribeApp",
"sagemaker:ListApps"
],
"Resource": "*"
},
{
"Sid": "AllowAppActionsForUserProfile",
"Effect": "Allow",
"Action": [
"sagemaker:CreateApp",
"sagemaker:DeleteApp"
],
"Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
"Condition": {
"Null": {
"sagemaker:OwnerUserProfileArn": "true"
}
}
},
{
"Sid": "AllowAppActionsForSharedSpaces",
"Effect": "Allow",
"Action": [
"sagemaker:CreateApp",
"sagemaker:DeleteApp"
],
"Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
"Condition": {
"StringEquals": {
"sagemaker:SpaceSharingType": [
"Shared"
]
}
}
},
{
"Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
"Effect": "Allow",
"Action": [
"sagemaker:CreateSpace",
"sagemaker:UpdateSpace",
"sagemaker:DeleteSpace"
],
"Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
"Condition": {
"Null": {
"sagemaker:OwnerUserProfileArn": "true"
}
}
},
{
"Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
"Effect": "Allow",
"Action": [
"sagemaker:CreateSpace",
"sagemaker:UpdateSpace",
"sagemaker:DeleteSpace"
],
"Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
"Condition": {
"ArnLike": {
"sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
},
"StringEquals": {
"sagemaker:SpaceSharingType": [
"Private",
"Shared"
]
}
}
},
{
"Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
"Effect": "Allow",
"Action": [
"sagemaker:CreateApp",
"sagemaker:DeleteApp"
],
"Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
"Condition": {
"ArnLike": {
"sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
},
"StringEquals": {
"sagemaker:SpaceSharingType": [
"Private"
]
}
}
},
{
"Sid": "AllowFlowDefinitionActions",
"Effect": "Allow",
"Action": "sagemaker:*",
"Resource": [
"arn:aws:sagemaker:*:*:flow-definition/*"
],
"Condition": {
"StringEqualsIfExists": {
"sagemaker:WorkteamType": [
"private-crowd",
"vendor-crowd"
]
}
}
},
{
"Sid": "AllowAWSServiceActions",
"Effect": "Allow",
"Action": [
"application-autoscaling:DeleteScalingPolicy",
"application-autoscaling:DeleteScheduledAction",
"application-autoscaling:DeregisterScalableTarget",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingActivities",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:DescribeScheduledActions",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:PutScheduledAction",
"application-autoscaling:RegisterScalableTarget",
"aws-marketplace:ViewSubscriptions",
"cloudformation:GetTemplateSummary",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricAlarm",
"cloudwatch:PutMetricData",
"codecommit:BatchGetRepositories",
"codecommit:CreateRepository",
"codecommit:GetRepository",
"codecommit:List*",
"cognito-idp:AdminAddUserToGroup",
"cognito-idp:AdminCreateUser",
"cognito-idp:AdminDeleteUser",
"cognito-idp:AdminDisableUser",
"cognito-idp:AdminEnableUser",
"cognito-idp:AdminRemoveUserFromGroup",
"cognito-idp:CreateGroup",
"cognito-idp:CreateUserPool",
"cognito-idp:CreateUserPoolClient",
"cognito-idp:CreateUserPoolDomain",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:List*",
"cognito-idp:UpdateUserPool",
"cognito-idp:UpdateUserPoolClient",
"ec2:CreateNetworkInterface",
"ec2:CreateNetworkInterfacePermission",
"ec2:CreateVpcEndpoint",
"ec2:DeleteNetworkInterface",
"ec2:DeleteNetworkInterfacePermission",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcs",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CreateRepository",
"ecr:Describe*",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:StartImageScan",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"fsx:DescribeFileSystems",
"glue:CreateJob",
"glue:DeleteJob",
"glue:GetJob*",
"glue:GetTable*",
"glue:GetWorkflowRun",
"glue:ResetJobBookmark",
"glue:StartJobRun",
"glue:StartWorkflowRun",
"glue:UpdateJob",
"groundtruthlabeling:*",
"iam:ListRoles",
"kms:DescribeKey",
"kms:ListAliases",
"lambda:ListFunctions",
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:Describe*",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery",
"robomaker:CreateSimulationApplication",
"robomaker:DescribeSimulationApplication",
"robomaker:DeleteSimulationApplication",
"robomaker:CreateSimulationJob",
"robomaker:DescribeSimulationJob",
"robomaker:CancelSimulationJob",
"secretsmanager:ListSecrets",
"servicecatalog:Describe*",
"servicecatalog:List*",
"servicecatalog:ScanProvisionedProducts",
"servicecatalog:SearchProducts",
"servicecatalog:SearchProvisionedProducts",
"sns:ListTopics",
"tag:GetResources"
],
"Resource": "*"
},
{
"Sid": "AllowECRActions",
"Effect": "Allow",
"Action": [
"ecr:SetRepositoryPolicy",
"ecr:CompleteLayerUpload",
"ecr:BatchDeleteImage",
"ecr:UploadLayerPart",
"ecr:DeleteRepositoryPolicy",
"ecr:InitiateLayerUpload",
"ecr:DeleteRepository",
"ecr:PutImage"
],
"Resource": [
"arn:aws:ecr:*:*:repository/*sagemaker*"
]
},
{
"Sid": "AllowCodeCommitActions",
"Effect": "Allow",
"Action": [
"codecommit:GitPull",
"codecommit:GitPush"
],
"Resource": [
"arn:aws:codecommit:*:*:*sagemaker*",
"arn:aws:codecommit:*:*:*SageMaker*",
"arn:aws:codecommit:*:*:*Sagemaker*"
]
},
{
"Sid": "AllowCodeBuildActions",
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
],
"Resource": [
"arn:aws:codebuild:*:*:project/sagemaker*",
"arn:aws:codebuild:*:*:build/*"
],
"Effect": "Allow"
},
{
"Sid": "AllowStepFunctionsActions",
"Action": [
"states:DescribeExecution",
"states:GetExecutionHistory",
"states:StartExecution",
"states:StopExecution",
"states:UpdateStateMachine"
],
"Resource": [
"arn:aws:states:*:*:statemachine:*sagemaker*",
"arn:aws:states:*:*:execution:*sagemaker*:*"
],
"Effect": "Allow"
},
{
"Sid": "AllowSecretManagerActions",
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
]
},
{
"Sid": "AllowReadOnlySecretManagerActions",
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/SageMaker": "true"
}
}
},
{
"Sid": "AllowServiceCatalogProvisionProduct",
"Effect": "Allow",
"Action": [
"servicecatalog:ProvisionProduct"
],
"Resource": "*"
},
{
"Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
"Effect": "Allow",
"Action": [
"servicecatalog:TerminateProvisionedProduct",
"servicecatalog:UpdateProvisionedProduct"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"servicecatalog:userLevel": "self"
}
}
},
{
"Sid": "AllowS3ObjectActions",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*",
"arn:aws:s3:::*aws-glue*"
]
},
{
"Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"s3:ExistingObjectTag/SageMaker": "true"
}
}
},
{
"Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/servicecatalog:provisioning": "true"
}
}
},
{
"Sid": "AllowS3BucketActions",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketCors",
"s3:PutBucketCors"
],
"Resource": "*"
},
{
"Sid": "AllowS3BucketACL",
"Effect": "Allow",
"Action": [
"s3:GetBucketAcl",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*"
]
},
{
"Sid": "AllowLambdaInvokeFunction",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:*SageMaker*",
"arn:aws:lambda:*:*:function:*sagemaker*",
"arn:aws:lambda:*:*:function:*Sagemaker*",
"arn:aws:lambda:*:*:function:*LabelingFunction*"
]
},
{
"Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
}
}
},
{
"Sid": "AllowCreateServiceLinkedRoleForRobomaker",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "robomaker.amazonaws.com"
}
}
},
{
"Sid": "AllowSNSActions",
"Effect": "Allow",
"Action": [
"sns:Subscribe",
"sns:CreateTopic",
"sns:Publish"
],
"Resource": [
"arn:aws:sns:*:*:*SageMaker*",
"arn:aws:sns:*:*:*Sagemaker*",
"arn:aws:sns:*:*:*sagemaker*"
]
},
{
"Sid": "AllowPassRoleForSageMakerRoles",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"glue.amazonaws.com",
"robomaker.amazonaws.com",
"states.amazonaws.com"
]
}
}
},
{
"Sid": "AllowPassRoleToSageMaker",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "sagemaker.amazonaws.com"
}
}
},
{
"Sid": "AllowAthenaActions",
"Effect": "Allow",
"Action": [
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:StartQueryExecution",
"athena:StopQueryExecution"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowGlueCreateTable",
"Effect": "Allow",
"Action": [
"glue:CreateTable"
],
"Resource": [
"arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
"arn:aws:glue:*:*:table/sagemaker_featurestore/*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*"
]
},
{
"Sid": "AllowGlueUpdateTable",
"Effect": "Allow",
"Action": [
"glue:UpdateTable"
],
"Resource": [
"arn:aws:glue:*:*:table/sagemaker_featurestore/*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/sagemaker_featurestore"
]
},
{
"Sid": "AllowGlueDeleteTable",
"Effect": "Allow",
"Action": [
"glue:DeleteTable"
],
"Resource": [
"arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*"
]
},
{
"Sid": "AllowGlueGetTablesAndDatabases",
"Effect": "Allow",
"Action": [
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables"
],
"Resource": [
"arn:aws:glue:*:*:table/*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*"
]
},
{
"Sid": "AllowGlueGetAndCreateDatabase",
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:GetDatabase"
],
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/sagemaker_featurestore",
"arn:aws:glue:*:*:database/sagemaker_processing",
"arn:aws:glue:*:*:database/default",
"arn:aws:glue:*:*:database/sagemaker_data_wrangler"
]
},
{
"Sid": "AllowRedshiftDataActions",
"Effect": "Allow",
"Action": [
"redshift-data:ExecuteStatement",
"redshift-data:DescribeStatement",
"redshift-data:CancelStatement",
"redshift-data:GetStatementResult",
"redshift-data:ListSchemas",
"redshift-data:ListTables"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowRedshiftGetClusterCredentials",
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials"
],
"Resource": [
"arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
"arn:aws:redshift:*:*:dbname:*"
]
},
{
"Sid": "AllowListTagsForUserProfile",
"Effect": "Allow",
"Action": [
"sagemaker:ListTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:user-profile/*"
]
},
{
"Sid": "AllowCloudformationListStackResources",
"Effect": "Allow",
"Action": [
"cloudformation:ListStackResources"
],
"Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
},
{
"Sid": "AllowS3ExpressObjectActions",
"Effect": "Allow",
"Action": [
"s3express:CreateSession"
],
"Resource": [
"arn:aws:s3express:*:*:bucket/*SageMaker*",
"arn:aws:s3express:*:*:bucket/*Sagemaker*",
"arn:aws:s3express:*:*:bucket/*sagemaker*",
"arn:aws:s3express:*:*:bucket/*aws-glue*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "AllowS3ExpressCreateBucketActions",
"Effect": "Allow",
"Action": [
"s3express:CreateBucket"
],
"Resource": [
"arn:aws:s3express:*:*:bucket/*SageMaker*",
"arn:aws:s3express:*:*:bucket/*Sagemaker*",
"arn:aws:s3express:*:*:bucket/*sagemaker*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "AllowS3ExpressListBucketActions",
"Effect": "Allow",
"Action": [
"s3express:ListAllMyDirectoryBuckets"
],
"Resource": "*"
}
]
}
```
------
## Amazon 托管策略: AmazonSageMakerReadOnly
此政策授予通过 Amazon Web Services 管理控制台 和软件开发工具包对 Amazon SageMaker AI 的只读访问权限。
**权限详细信息**
该策略包含以下权限。
+ `application-autoscaling`— 允许用户浏览可扩展的 SageMaker AI 实时推理端点的描述。
+ `aws-marketplace`— 允许用户查看 Amazon AI Marketplace 订阅。
+ `cloudwatch`— 允许用户接收 CloudWatch 警报。
+ `cognito-idp`— Amazon Gro SageMaker und Truth 需要浏览私人员工和工作团队的描述和列表。
+ `ecr` - 读取 Docker 构件以进行训练和推理时所需。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sagemaker:Describe*",
"sagemaker:List*",
"sagemaker:BatchGetMetrics",
"sagemaker:GetDeviceRegistration",
"sagemaker:GetDeviceFleetReport",
"sagemaker:GetSearchSuggestions",
"sagemaker:BatchGetRecord",
"sagemaker:GetRecord",
"sagemaker:Search",
"sagemaker:QueryLineage",
"sagemaker:GetLineageGroupPolicy",
"sagemaker:BatchDescribeModelPackage",
"sagemaker:GetModelPackageGroupPolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingActivities",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:DescribeScheduledActions",
"aws-marketplace:ViewSubscriptions",
"cloudwatch:DescribeAlarms",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:ListGroups",
"cognito-idp:ListIdentityProviders",
"cognito-idp:ListUserPoolClients",
"cognito-idp:ListUserPools",
"cognito-idp:ListUsers",
"cognito-idp:ListUsersInGroup",
"ecr:Describe*"
],
"Resource": "*"
}
]
}
```
------
## SageMaker Amazon 托管策略的 AI 更新
查看自该服务开始跟踪这些更改以来, SageMaker AI Amazon 托管策略更新的详细信息。
| Policy | 版本 | 更改 | 日期 |
| --- | --- | --- | --- |
| [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) – 对现有策略的更新 | 27 | [See the AWS documentation website for more details](http://docs.amazonaws.cn/sagemaker/latest/dg/security-iam-awsmanpol.html) | 2024 年 12 月 4 日 |
| [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) – 对现有策略的更新 | 26 | 添加 `sagemaker:AddTags` 权限 | 2024 年 3 月 29 日 |
| AmazonSageMakerFullAccess -更新现有政策 | 25 | 添加 `sagemaker:CreateApp`、`sagemaker:DescribeApp`、`sagemaker:DeleteApp`、`sagemaker:CreateSpace`、`sagemaker:UpdateSpace`、`sagemaker:DeleteSpace`、`s3express:CreateSession`、`s3express:CreateBucket` 和 `s3express:ListAllMyDirectoryBuckets` 权限。 | 2023 年 11 月 30 日 |
| AmazonSageMakerFullAccess -更新现有政策 | 24 | 添加 `sagemaker-geospatial:*`、`sagemaker:AddTags`、`sagemaker-ListTags`、`sagemaker-DescribeSpace` 和 `sagemaker:ListSpaces` 权限。 | 2022 年 11 月 30 日 |
| AmazonSageMakerFullAccess -更新现有政策 | 23 | 添加 `glue:UpdateTable`。 | 2022 年 6 月 29 日 |
| AmazonSageMakerFullAccess -更新现有政策 | 22 | 添加 `cloudformation:ListStackResources`。 | 2022 年 5 月 1 日 |
| [AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly) – 对现有策略的更新 | 11 | 添加 `sagemaker:QueryLineage`、`sagemaker:GetLineageGroupPolicy`、`sagemaker:BatchDescribeModelPackage` 和 `sagemaker:GetModelPackageGroupPolicy` 权限。 | 2021 年 12 月 1 日 |
| AmazonSageMakerFullAccess -更新现有政策 | 21 | 为启用了异步推理的端点添加 `sns:Publish` 权限。 | 2021 年 9 月 8 日 |
| AmazonSageMakerFullAccess -更新现有政策 | 20 | 更新 `iam:PassRole` 资源和权限。 | 2021 年 7 月 15 日 |
| AmazonSageMakerReadOnly -更新现有政策 | 10 | 为 AI 功能商店`BatchGetRecord`添加了新 AP SageMaker I。 | 2021 年 6 月 10 日 |
| | | SageMaker AI 开始跟踪其 Amazon 托管策略的更改。 | 2021 年 6 月 1 日 |