

This page is a machine-translated version. If the translation differs from the English original, the English original prevails.

# AWS managed policies for Amazon SageMaker AI model customization
<a name="security-iam-awsmanpol-model-customization"></a>

These AWS managed policies add the permissions required to use Amazon SageMaker AI model customization features. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerModelCustomizationCoreAccess](#security-iam-awsmanpol-AmazonSageMakerModelCustomizationCoreAccess)
+ [Amazon SageMaker AI updates to model customization managed policies](#security-iam-awsmanpol-model-customization-updates)

## AWS managed policy: AmazonSageMakerModelCustomizationCoreAccess
<a name="security-iam-awsmanpol-AmazonSageMakerModelCustomizationCoreAccess"></a>

This policy grants the permissions required for model customization workflows in Amazon SageMaker AI, including serverless training, reinforcement learning with custom reward functions, model evaluation, and deployment to SageMaker or Bedrock endpoints.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Allows principals to manage SageMaker Hub content; create and manage training jobs, pipelines, endpoints with inference components, model packages, lineage tracking, and MLflow experiment tracking; and perform search and tagging operations across model customization resources.
+ `sagemaker-mlflow` – Allows principals to access the MLflow tracking UI, create experiments and runs, and log metrics, parameters, and models.
+ `s3` – Allows principals to read objects from JumpStart buckets, and to read/write objects in S3 buckets whose names contain "sagemaker" (case-insensitive), limited to the principal's own account.
+ `lambda` – Allows principals to list, create, delete, invoke, and get Lambda functions whose names contain "SageMaker" (case-insensitive), used for custom reward functions. Also allows read access to the AWS SDK Lambda layers.
+ `bedrock` – Allows principals to create custom models and evaluation jobs, import models, invoke models (including streaming), and list foundation models and provisioned throughput.
+ `ecr` – Allows principals to pull container images and get authorization tokens for inference. `Resource: *` is used to support cross-account pulls from the AWS Deep Learning Containers accounts.
+ `application-autoscaling` – Allows principals to describe scalable targets for inference endpoint autoscaling.
+ `logs` – Allows principals to read and write logs in the SageMaker CloudWatch log groups (`/aws/sagemaker/*`).
+ `iam` – Allows principals to pass roles to the SageMaker, Lambda, and Bedrock services. PassRole is scoped by role naming conventions (`*SageMaker*` for SageMaker, `SageMakerForLambda*` for Lambda, `SageMakerForBedrock*` for Bedrock) and by `iam:PassedToService` conditions. Also allows `ListRoles` for UI dropdowns.
+ `kms` – Allows principals to describe keys and list aliases for job configuration. Read-only.
+ `ec2` – Allows principals to describe VPCs for job configuration. Read-only.

**Example permissions policy**  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerPublicHubPermissions",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListHubContents"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"
            ]
        },
        {
            "Sid": "SageMakerHubPermissions",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ImportHubContent",
                "sagemaker:ListHubs",
                "sagemaker:ListHubContents",
                "sagemaker:ListHubContentVersions",
                "sagemaker:DescribeHubContent",
                "sagemaker:DeleteHubContent"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:hub/*",
                "arn:aws:sagemaker:*:*:hub-content/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "JumpStartS3Access",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::jumpstart*"
            ]
        },
        {
            "Sid": "SageMakerTrainingJob",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateTrainingJob",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:ListTrainingJobs",
                "sagemaker:StopTrainingJob"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:training-job/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerMLFlow",
            "Effect": "Allow",
            "Action": [
                "sagemaker:UpdateMlflowApp",
                "sagemaker:DescribeMlflowApp",
                "sagemaker:CreatePresignedMlflowAppUrl",
                "sagemaker:CallMlflowAppApi",
                "sagemaker-mlflow:AccessUI",
                "sagemaker-mlflow:GetExperiment",
                "sagemaker-mlflow:GetExperimentByName",
                "sagemaker-mlflow:GetRun",
                "sagemaker-mlflow:GetMetricHistory",
                "sagemaker-mlflow:GetLoggedModel",
                "sagemaker-mlflow:SearchExperiments",
                "sagemaker-mlflow:SearchRuns",
                "sagemaker-mlflow:ListArtifacts",
                "sagemaker-mlflow:CreateExperiment",
                "sagemaker-mlflow:CreateRun",
                "sagemaker-mlflow:LogBatch",
                "sagemaker-mlflow:LogMetric",
                "sagemaker-mlflow:LogParam",
                "sagemaker-mlflow:LogModel",
                "sagemaker-mlflow:LogInputs",
                "sagemaker-mlflow:SetTag",
                "sagemaker-mlflow:UpdateRun"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:mlflow-app/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "BYODataSetS3Access",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerModelPackage",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateModel",
                "sagemaker:CreateModelPackage",
                "sagemaker:CreateModelPackageGroup",
                "sagemaker:UpdateModelPackage",
                "sagemaker:DescribeModelPackage",
                "sagemaker:DescribeModelPackageGroup",
                "sagemaker:ListModelPackages",
                "sagemaker:ListModelPackageGroups",
                "sagemaker:DescribeModel",
                "sagemaker:DeleteModelPackage",
                "sagemaker:DeleteModelPackageGroup"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model-package-group/*",
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerLineage",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateAction",
                "sagemaker:CreateArtifact",
                "sagemaker:CreateContext",
                "sagemaker:DescribeAction",
                "sagemaker:DescribeArtifact",
                "sagemaker:DescribeTrialComponent",
                "sagemaker:QueryLineage",
                "sagemaker:AddAssociation",
                "sagemaker:UpdateArtifact"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:action/*",
                "arn:aws:sagemaker:*:*:artifact/*",
                "arn:aws:sagemaker:*:*:context/*",
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:experiment-trial-component/*",
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:pipeline/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerPipelines",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePipeline",
                "sagemaker:DescribePipeline",
                "sagemaker:DescribePipelineDefinitionForExecution",
                "sagemaker:DescribePipelineExecution",
                "sagemaker:UpdatePipeline",
                "sagemaker:StartPipelineExecution"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:pipeline/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerInference",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateInferenceComponent",
                "sagemaker:DescribeInferenceComponent",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:DeleteInferenceComponent",
                "sagemaker:DeleteEndpoint",
                "sagemaker:InvokeEndpoint"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:inference-component/*",
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerInferenceAutoscaling",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalableTargets"
            ],
            "Resource": [
                "arn:aws:application-autoscaling:*:*:scalable-target/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerInferenceEcrReadAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SageMakerListPermissions",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListActions",
                "sagemaker:ListArtifacts",
                "sagemaker:ListAssociations",
                "sagemaker:ListEndpoints",
                "sagemaker:ListInferenceComponents",
                "sagemaker:ListMlflowApps",
                "sagemaker:ListMlflowTrackingServers",
                "sagemaker:ListPipelineExecutions",
                "sagemaker:ListPipelineExecutionSteps",
                "sagemaker:ListWorkforces",
                "sagemaker:Search"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerTagsPermission",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags",
                "sagemaker:ListTags"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model-package-group/*",
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:hub/*",
                "arn:aws:sagemaker:*:*:hub-content/*",
                "arn:aws:sagemaker:*:*:training-job/*",
                "arn:aws:sagemaker:*:*:model/*",
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:pipeline/*",
                "arn:aws:sagemaker:*:*:inference-component/*",
                "arn:aws:sagemaker:*:*:action/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerJobAdvancedSettings",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ListAliases",
                "iam:ListRoles",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "CloudWatchLogReadAccess",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/*",
                "arn:aws:logs:*:*:log-group::log-stream:"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "CloudWatchLogWriteAccess",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LambdaListFunctions",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LambdaPermissionsForRewardFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:InvokeFunction",
                "lambda:GetFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*SageMaker*",
                "arn:aws:lambda:*:*:function:*sagemaker*",
                "arn:aws:lambda:*:*:function:*Sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LambdaLayerForAWSSDK",
            "Effect": "Allow",
            "Action": [
                "lambda:GetLayerVersion"
            ],
            "Resource": [
                "arn:aws:lambda:*:336392948345:layer:AWSSDK*"
            ]
        },
        {
            "Sid": "BedrockCustomModelAndEvaluation",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateCustomModel",
                "bedrock:CreateEvaluationJob",
                "bedrock:GetCustomModel",
                "bedrock:GetModelImportJob",
                "bedrock:GetImportedModel",
                "bedrock:GetEvaluationJob",
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": [
                "arn:aws:bedrock:*:*:evaluation-job/*",
                "arn:aws:bedrock:*:*:imported-model/*",
                "arn:aws:bedrock:*:*:custom-model/*",
                "arn:aws:bedrock:*:*:model-import-job/*",
                "arn:aws:bedrock:*:*:foundation-model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "BedrockModelImportAndList",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelImportJob",
                "bedrock:ListProvisionedModelThroughputs",
                "bedrock:ListCustomModelDeployments",
                "bedrock:ListCustomModels",
                "bedrock:ListModelImportJobs"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "BedrockFoundationModelOperations",
            "Effect": "Allow",
            "Action": [
                "bedrock:GetFoundationModelAvailability",
                "bedrock:ListFoundationModels"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PassRoleForSageMaker",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/*SageMaker*",
                "arn:aws:iam::*:role/service-role/*Sagemaker*",
                "arn:aws:iam::*:role/service-role/*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}",
                    "iam:PassedToService": [
                        "sagemaker.amazonaws.com",
                        "job.sagemaker.amazonaws.com"
                    ]
                },
                "ArnLike": {
                    "iam:AssociatedResourceArn": "arn:aws:sagemaker:*:*:*"
                }
            }
        },
        {
            "Sid": "PassRoleForAWSLambda",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/SageMakerForLambda*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}",
                    "iam:PassedToService": "lambda.amazonaws.com"
                },
                "ArnLike": {
                    "iam:AssociatedResourceArn": "arn:aws:lambda:*:*:function:*"
                }
            }
        },
        {
            "Sid": "PassRoleForBedrock",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/SageMakerForBedrock*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}",
                    "iam:PassedToService": "bedrock.amazonaws.com"
                }
            }
        }
    ]
}
```
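As an added example (not part of the AWS documentation), the following Python models how the three `iam:PassRole` statements above limit which roles can be handed to which service: it copies those statements, implements IAM's case-sensitive `*`/`?` wildcard matching, and evaluates the `aws:ResourceAccount`, `iam:PassedToService` and `iam:AssociatedResourceArn` conditions. It is a simplified evaluator (Allow statements only, no explicit Deny or other policies), and the role ARNs, resource ARNs and account IDs are constructed.

```python
import json
import re

# Excerpt of the three iam:PassRole statements from the managed policy above.
PASSROLE_STATEMENTS = json.loads('''[
 {"Sid": "PassRoleForSageMaker",
  "Resource": ["arn:aws:iam::*:role/service-role/*SageMaker*",
               "arn:aws:iam::*:role/service-role/*Sagemaker*",
               "arn:aws:iam::*:role/service-role/*sagemaker*"],
  "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}",
                                 "iam:PassedToService": ["sagemaker.amazonaws.com",
                                                         "job.sagemaker.amazonaws.com"]},
                "ArnLike": {"iam:AssociatedResourceArn": "arn:aws:sagemaker:*:*:*"}}},
 {"Sid": "PassRoleForAWSLambda",
  "Resource": "arn:aws:iam::*:role/SageMakerForLambda*",
  "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}",
                                 "iam:PassedToService": "lambda.amazonaws.com"},
                "ArnLike": {"iam:AssociatedResourceArn": "arn:aws:lambda:*:*:function:*"}}},
 {"Sid": "PassRoleForBedrock",
  "Resource": "arn:aws:iam::*:role/SageMakerForBedrock*",
  "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}",
                                 "iam:PassedToService": "bedrock.amazonaws.com"}}}
]''')


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character; case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def as_list(v):
    return v if isinstance(v, list) else [v]


def passrole_allowed(role_arn, passed_to, associated_arn, principal_account):
    """Return the Sid of the first statement that permits this PassRole, else None."""
    role_account = role_arn.split(":")[4]          # account field of an IAM role ARN
    for stmt in PASSROLE_STATEMENTS:
        cond = stmt["Condition"]
        if not any(iam_match(p, role_arn) for p in as_list(stmt["Resource"])):
            continue
        # aws:ResourceAccount == ${aws:PrincipalAccount}: role must be in the caller's account
        if role_account != principal_account:
            continue
        if passed_to not in as_list(cond["StringEquals"]["iam:PassedToService"]):
            continue
        arn_like = cond.get("ArnLike", {}).get("iam:AssociatedResourceArn")
        if arn_like and not iam_match(arn_like, associated_arn):
            continue
        return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed ARNs: a SageMaker execution role can go to SageMaker but not to Lambda.
    role = "arn:aws:iam::111122223333:role/service-role/MySageMakerRole"
    print(passrole_allowed(role, "sagemaker.amazonaws.com",
                           "arn:aws:sagemaker:us-east-1:111122223333:training-job/j1",
                           "111122223333"))                     # PassRoleForSageMaker
    print(passrole_allowed(role, "lambda.amazonaws.com",
                           "arn:aws:lambda:us-east-1:111122223333:function:f", "111122223333"))  # None
```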

## Amazon SageMaker AI updates to model customization managed policies
<a name="security-iam-awsmanpol-model-customization-updates"></a>

View details about updates to the Amazon SageMaker AI model customization AWS managed policies since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
| AmazonSageMakerModelCustomizationCoreAccess – New policy | 1 | Initial policy | May 22, 2026 | 