


# AWS managed policies for Amazon SageMaker AI model customization
<a name="security-iam-awsmanpol-model-customization"></a>

These AWS managed policies add the permissions required to use Amazon SageMaker AI model customization. The policies are available in your AWS account and are used by the execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerModelCustomizationCoreAccess](#security-iam-awsmanpol-AmazonSageMakerModelCustomizationCoreAccess)
+ [Amazon SageMaker AI updates to model customization managed policies](#security-iam-awsmanpol-model-customization-updates)

## AWS managed policy: AmazonSageMakerModelCustomizationCoreAccess
<a name="security-iam-awsmanpol-AmazonSageMakerModelCustomizationCoreAccess"></a>

This policy grants the permissions required for model customization workflows in Amazon SageMaker AI, including serverless training, reinforcement learning with custom reward functions, and model evaluation.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Allows principals to manage SageMaker Hub content; create training jobs, pipelines, endpoints with inference components, model packages, lineage tracking, and MLflow experiment tracking; and perform search and tagging operations across model customization resources.
+ `sagemaker-mlflow` – Allows principals to access the MLflow tracking UI, create experiments and runs, and log metrics, parameters, and models.
+ `s3` – Allows principals to read objects from JumpStart buckets and to read and write objects in S3 buckets whose names contain "sagemaker" (case-insensitive). Access is restricted to buckets in the principal's own account.
+ `lambda` – Allows principals to list, create, delete, invoke, and get Lambda functions whose names contain "SageMaker" (case-insensitive) for custom reward functions. Also allows read access to the AWS SDK Lambda layer.
+ `bedrock` – Allows principals to create custom models and evaluation jobs, import models, invoke models (including streaming), and list foundation models and provisioned throughput.
+ `ecr` – Allows principals to pull container images and get authorization tokens for inference. `Resource: *` is used to support cross-account pulls from the AWS Deep Learning Containers account.
+ `application-autoscaling` – Allows principals to describe scalable targets for inference endpoint auto scaling.
+ `logs` – Allows principals to read and write CloudWatch Logs in SageMaker log groups (`/aws/sagemaker/*`).
+ `iam` – Allows principals to pass roles to the SageMaker, Lambda, and Bedrock services. PassRole is scoped by role naming convention (`*SageMaker*` for SageMaker, `SageMakerForLambda*` for Lambda, `SageMakerForBedrock*` for Bedrock) and by the `iam:PassedToService` condition. Also allows `ListRoles` for UI dropdowns.
+ `kms` – Allows principals to describe keys and list aliases for job configuration. Read-only.
+ `ec2` – Allows principals to describe VPCs for job configuration. Read-only.

**Example permissions policy**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerPublicHubPermissions",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListHubContents"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"
            ]
        },
        {
            "Sid": "SageMakerHubPermissions",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ImportHubContent",
                "sagemaker:ListHubs",
                "sagemaker:ListHubContents",
                "sagemaker:ListHubContentVersions",
                "sagemaker:DescribeHubContent",
                "sagemaker:DeleteHubContent"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:hub/*",
                "arn:aws:sagemaker:*:*:hub-content/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "JumpStartS3Access",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::jumpstart*"
            ]
        },
        {
            "Sid": "SageMakerTrainingJob",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateTrainingJob",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:ListTrainingJobs",
                "sagemaker:StopTrainingJob"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:training-job/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerMLFlow",
            "Effect": "Allow",
            "Action": [
                "sagemaker:UpdateMlflowApp",
                "sagemaker:DescribeMlflowApp",
                "sagemaker:CreatePresignedMlflowAppUrl",
                "sagemaker:CallMlflowAppApi",
                "sagemaker-mlflow:AccessUI",
                "sagemaker-mlflow:GetExperiment",
                "sagemaker-mlflow:GetExperimentByName",
                "sagemaker-mlflow:GetRun",
                "sagemaker-mlflow:GetMetricHistory",
                "sagemaker-mlflow:GetLoggedModel",
                "sagemaker-mlflow:SearchExperiments",
                "sagemaker-mlflow:SearchRuns",
                "sagemaker-mlflow:ListArtifacts",
                "sagemaker-mlflow:CreateExperiment",
                "sagemaker-mlflow:CreateRun",
                "sagemaker-mlflow:LogBatch",
                "sagemaker-mlflow:LogMetric",
                "sagemaker-mlflow:LogParam",
                "sagemaker-mlflow:LogModel",
                "sagemaker-mlflow:LogInputs",
                "sagemaker-mlflow:SetTag",
                "sagemaker-mlflow:UpdateRun"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:mlflow-app/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "BYODataSetS3Access",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerModelPackage",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateModel",
                "sagemaker:CreateModelPackage",
                "sagemaker:CreateModelPackageGroup",
                "sagemaker:UpdateModelPackage",
                "sagemaker:DescribeModelPackage",
                "sagemaker:DescribeModelPackageGroup",
                "sagemaker:ListModelPackages",
                "sagemaker:ListModelPackageGroups",
                "sagemaker:DescribeModel",
                "sagemaker:DeleteModelPackage",
                "sagemaker:DeleteModelPackageGroup"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model-package-group/*",
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerLineage",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateAction",
                "sagemaker:CreateArtifact",
                "sagemaker:CreateContext",
                "sagemaker:DescribeAction",
                "sagemaker:DescribeArtifact",
                "sagemaker:DescribeTrialComponent",
                "sagemaker:QueryLineage",
                "sagemaker:AddAssociation",
                "sagemaker:UpdateArtifact"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:action/*",
                "arn:aws:sagemaker:*:*:artifact/*",
                "arn:aws:sagemaker:*:*:context/*",
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:experiment-trial-component/*",
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:pipeline/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerPipelines",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePipeline",
                "sagemaker:DescribePipeline",
                "sagemaker:DescribePipelineDefinitionForExecution",
                "sagemaker:DescribePipelineExecution",
                "sagemaker:UpdatePipeline",
                "sagemaker:StartPipelineExecution"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:pipeline/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerInference",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateInferenceComponent",
                "sagemaker:DescribeInferenceComponent",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:DeleteInferenceComponent",
                "sagemaker:DeleteEndpoint",
                "sagemaker:InvokeEndpoint"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:inference-component/*",
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerInferenceAutoscaling",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalableTargets"
            ],
            "Resource": [
                "arn:aws:application-autoscaling:*:*:scalable-target/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerInferenceEcrReadAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SageMakerListPermissions",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListActions",
                "sagemaker:ListArtifacts",
                "sagemaker:ListAssociations",
                "sagemaker:ListEndpoints",
                "sagemaker:ListInferenceComponents",
                "sagemaker:ListMlflowApps",
                "sagemaker:ListMlflowTrackingServers",
                "sagemaker:ListPipelineExecutions",
                "sagemaker:ListPipelineExecutionSteps",
                "sagemaker:ListWorkforces",
                "sagemaker:Search"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerTagsPermission",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags",
                "sagemaker:ListTags"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model-package-group/*",
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:hub/*",
                "arn:aws:sagemaker:*:*:hub-content/*",
                "arn:aws:sagemaker:*:*:training-job/*",
                "arn:aws:sagemaker:*:*:model/*",
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:pipeline/*",
                "arn:aws:sagemaker:*:*:inference-component/*",
                "arn:aws:sagemaker:*:*:action/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerJobAdvancedSettings",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ListAliases",
                "iam:ListRoles",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "CloudWatchLogReadAccess",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/*",
                "arn:aws:logs:*:*:log-group::log-stream:"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "CloudWatchLogWriteAccess",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LambdaListFunctions",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LambdaPermissionsForRewardFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:InvokeFunction",
                "lambda:GetFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*SageMaker*",
                "arn:aws:lambda:*:*:function:*sagemaker*",
                "arn:aws:lambda:*:*:function:*Sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LambdaLayerForAWSSDK",
            "Effect": "Allow",
            "Action": [
                "lambda:GetLayerVersion"
            ],
            "Resource": [
                "arn:aws:lambda:*:336392948345:layer:AWSSDK*"
            ]
        },
        {
            "Sid": "BedrockCustomModelAndEvaluation",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateCustomModel",
                "bedrock:CreateEvaluationJob",
                "bedrock:GetCustomModel",
                "bedrock:GetModelImportJob",
                "bedrock:GetImportedModel",
                "bedrock:GetEvaluationJob",
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": [
                "arn:aws:bedrock:*:*:evaluation-job/*",
                "arn:aws:bedrock:*:*:imported-model/*",
                "arn:aws:bedrock:*:*:custom-model/*",
                "arn:aws:bedrock:*:*:model-import-job/*",
                "arn:aws:bedrock:*:*:foundation-model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "BedrockModelImportAndList",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelImportJob",
                "bedrock:ListProvisionedModelThroughputs",
                "bedrock:ListCustomModelDeployments",
                "bedrock:ListCustomModels",
                "bedrock:ListModelImportJobs"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "BedrockFoundationModelOperations",
            "Effect": "Allow",
            "Action": [
                "bedrock:GetFoundationModelAvailability",
                "bedrock:ListFoundationModels"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PassRoleForSageMaker",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/*SageMaker*",
                "arn:aws:iam::*:role/service-role/*Sagemaker*",
                "arn:aws:iam::*:role/service-role/*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}",
                    "iam:PassedToService": [
                        "sagemaker.amazonaws.com",
                        "job.sagemaker.amazonaws.com"
                    ]
                },
                "ArnLike": {
                    "iam:AssociatedResourceArn": "arn:aws:sagemaker:*:*:*"
                }
            }
        },
        {
            "Sid": "PassRoleForAWSLambda",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/SageMakerForLambda*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}",
                    "iam:PassedToService": "lambda.amazonaws.com"
                },
                "ArnLike": {
                    "iam:AssociatedResourceArn": "arn:aws:lambda:*:*:function:*"
                }
            }
        },
        {
            "Sid": "PassRoleForBedrock",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/SageMakerForBedrock*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}",
                    "iam:PassedToService": "bedrock.amazonaws.com"
                }
            }
        }
    ]
}
```
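To see how the scoping described above behaves, the following added example (not AWS code and not part of this page's policy) is a small offline evaluator for three of the statements: it models the `*` wildcard, the `StringEquals` and `ArnLike` operators and the `${aws:PrincipalAccount}` variable, and shows which S3 and `iam:PassRole` requests each statement admits. The account ID, bucket names and role names in it are constructed sample values.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed sample account ID, not a real account
# Three statements taken from the policy above; every statement in it has Effect Allow.
POLICY = [
    {"Sid": "BYODataSetS3Access",
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                  "arn:aws:s3:::*sagemaker*"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "PassRoleForSageMaker", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/service-role/*SageMaker*",
                  "arn:aws:iam::*:role/service-role/*Sagemaker*",
                  "arn:aws:iam::*:role/service-role/*sagemaker*"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}",
                                    "iam:PassedToService": ["sagemaker.amazonaws.com",
                                                            "job.sagemaker.amazonaws.com"]},
                   "ArnLike": {"iam:AssociatedResourceArn": "arn:aws:sagemaker:*:*:*"}}},
    {"Sid": "PassRoleForAWSLambda", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/SageMakerForLambda*",
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}",
                                    "iam:PassedToService": "lambda.amazonaws.com"},
                   "ArnLike": {"iam:AssociatedResourceArn": "arn:aws:lambda:*:*:function:*"}}},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard(pattern, value):
    # IAM wildcards: '*' matches any run of characters (':' and '/' included), '?' one
    # character, case-sensitively, hence the three spellings of "sagemaker" above.
    return fnmatch.fnmatchcase(value, pattern)

def _condition_ok(condition, ctx):
    """Every condition key must match; a key missing from the request context fails."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            # Substitute the one policy variable these statements use.
            allowed = [a.replace("${aws:PrincipalAccount}", ctx["aws:PrincipalAccount"])
                       for a in _as_list(allowed)]
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "ArnLike" and not any(_wildcard(a, actual) for a in allowed):
                return False
    return True

def evaluate(action, resource, ctx, policy=POLICY):
    """Return the Sid of the first statement that allows the request, or None (denied)."""
    for stmt in policy:
        if (any(_wildcard(a, action) for a in stmt["Action"])
                and any(_wildcard(r, resource) for r in _as_list(stmt["Resource"]))
                and _condition_ok(stmt.get("Condition", {}), ctx)):
            return stmt["Sid"]
    return None

def request_ctx(resource_account=ACCOUNT, **extra):
    # Context for a principal in ACCOUNT acting on a resource owned by resource_account.
    return {"aws:PrincipalAccount": ACCOUNT, "aws:ResourceAccount": resource_account, **extra}
```

Because the policy contains only Allow statements, a `None` result means the request is not granted by this policy; an explicit Deny elsewhere in the principal's policies would still override any Allow found here.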

## Amazon SageMaker AI updates to model customization managed policies
<a name="security-iam-awsmanpol-model-customization-updates"></a>

View details about updates to AWS managed policies for Amazon SageMaker AI model customization since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history](doc-history.md) page.


| Policy | Version | Change | Date |
| --- | --- | --- | --- |
| AmazonSageMakerModelCustomizationCoreAccess - New policy | 1 | Initial policy | May 22, 2026 |