

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

# AWS managed policies for SageMaker notebooks
<a name="security-iam-awsmanpol-notebooks"></a>

These AWS managed policies add the permissions required to use SageMaker notebooks. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy)
+ [Amazon SageMaker AI updates to SageMaker AI notebook managed policies](#security-iam-awsmanpol-notebooks-updates)

## AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy"></a>

This AWS managed policy grants the permissions commonly needed to use Amazon SageMaker notebooks. The policy is attached to the `AWSServiceRoleForAmazonSageMakerNotebooks` service-linked role, which is created when you onboard to Amazon SageMaker Studio Classic. For more information about service-linked roles, see [Service-linked roles](security_iam_service-with-iam.md#security_iam_service-with-iam-roles-service-linked). For more information, see [AmazonSageMakerNotebooksServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerNotebooksServiceRolePolicy.html).

**Permissions details**

This policy includes the following permissions.
+ `elasticfilesystem` – Allows principals to create and delete Amazon Elastic File System (EFS) file systems, access points, and mount targets. These are limited to resources tagged with the key *ManagedByAmazonSageMakerResource*. Allows principals to describe all EFS file systems, access points, and mount targets. Allows principals to create or overwrite tags on EFS access points and mount targets.
+ `ec2` – Allows principals to create network interfaces and security groups for Amazon Elastic Compute Cloud (EC2) instances. Also allows principals to create and overwrite tags on those resources.
+ `sso` – Allows principals to add managed application instances to, and remove them from, AWS IAM Identity Center.
+ `sagemaker` – Allows principals to create and read SageMaker AI user profiles and SageMaker AI spaces; to delete SageMaker AI spaces and SageMaker AI apps; and to add and list tags.
+ `fsx` – Allows principals to describe Amazon FSx for Lustre file systems and use the metadata to mount them on notebooks.
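Most of the statements in this policy are scoped in one of two ways: by a `StringLike` condition on the `ManagedByAmazonSageMakerResource` tag (present on the resource or supplied in the request), or by a resource ARN pattern. A few allow actions on `"Resource": "*"` with no condition at all, which is where a least-privilege review usually starts. The Python script below is an added example, not AWS code or part of the policy on this page. It embeds four statements copied from the policy JSON that follows, evaluates which of them would allow a given request under a request context you construct, and lists the statements that carry neither a condition nor an ARN restriction. It models only `StringEquals` and `StringLike` (the two operators this policy uses) plus substitution of the `${aws:PrincipalAccount}` policy variable; the account id and file-system ARN used in the calls are constructed sample values.

```python
"""Evaluate an IAM policy excerpt against a constructed request context and
flag statements that are not scoped by tag condition or resource ARN.

Added example; not AWS code. POLICY_EXCERPT holds four statements copied
from the AmazonSageMakerNotebooksServiceRolePolicy shown on this page."""
import fnmatch
import json

POLICY_EXCERPT = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowFSxDescribe", "Effect": "Allow",
     "Action": ["fsx:DescribeFileSystems"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "AllowEFSCreation", "Effect": "Allow",
     "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*",
     "Condition": {"StringLike": {"aws:RequestTag/ManagedByAmazonSageMakerResource": "*"}}},
    {"Sid": "AllowEFSMountWithDeletion", "Effect": "Allow",
     "Action": ["elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget"],
     "Resource": "*",
     "Condition": {"StringLike": {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"}}},
    {"Sid": "AllowEFSDescribe", "Effect": "Allow",
     "Action": ["elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # IAM allows a string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def _resolve(value, context):
    # Expand a policy variable such as ${aws:PrincipalAccount} from the request context.
    if value.startswith("${") and value.endswith("}"):
        return context.get(value[2:-1], "")
    return value


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied.

    A key missing from the context makes the statement fail to match, which is
    how IAM treats StringEquals/StringLike on an absent single-valued key.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            patterns = [_resolve(p, context) for p in _as_list(expected)]
            if operator == "StringEquals":
                if actual not in patterns:
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def allowing_statements(policy, action, resource_arn, context):
    """Sids of Allow statements whose Action, Resource and Condition all match."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are matched case-insensitively, with '*' wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        sids.append(stmt["Sid"])
    return sids


def unscoped_statements(policy):
    """Sids that allow actions on Resource "*" with no Condition: the first
    statements a reviewer inspects, since only the action list limits them."""
    return [s["Sid"] for s in policy["Statement"]
            if "*" in _as_list(s["Resource"]) and "Condition" not in s]


if __name__ == "__main__":
    # Constructed sample values: example account id and EFS file-system ARN.
    fs_arn = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0"
    tagged = {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "sagemaker-domain"}
    print(allowing_statements(POLICY_EXCERPT, "elasticfilesystem:DeleteFileSystem", fs_arn, tagged))
    print(allowing_statements(POLICY_EXCERPT, "elasticfilesystem:DeleteFileSystem", fs_arn, {}))
    print(unscoped_statements(POLICY_EXCERPT))
```

Run as a script, the first call reports that only `AllowEFSMountWithDeletion` allows deleting the tagged file system, the second shows that the same request on an untagged file system matches nothing, and the last lists `AllowEFSDescribe` as the one statement in the excerpt that is bounded by its action list alone. Pointing `allowing_statements` at the full policy JSON from this page lets you answer the same question for any action it grants.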

#### JSON

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFSxDescribe",
            "Effect": "Allow",
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AllowSageMakerDeleteApp",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DeleteApp"
            ],
            "Resource": "arn:aws:sagemaker:*:*:app/*"
        },
        {
            "Sid": "AllowEFSAccessPointCreation",
            "Effect": "Allow",
            "Action": "elasticfilesystem:CreateAccessPoint",
            "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
                    "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSAccessPointDeletion",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DeleteAccessPoint"
            ],
            "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSCreation",
            "Effect": "Allow",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSMountWithDeletion",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSDescribe",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEFSTagging",
            "Effect": "Allow",
            "Action": "elasticfilesystem:TagResource",
            "Resource": [
                "arn:aws:elasticfilesystem:*:*:access-point/*",
                "arn:aws:elasticfilesystem:*:*:file-system/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEC2Tagging",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Sid": "AllowEC2Operations",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEC2AuthZ",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowIdcOperations",
            "Effect": "Allow",
            "Action": [
                "sso:CreateManagedApplicationInstance",
                "sso:DeleteManagedApplicationInstance",
                "sso:GetManagedApplicationInstance"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSagemakerProfileCreation",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateUserProfile",
                "sagemaker:DescribeUserProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateSpace",
                "sagemaker:DescribeSpace",
                "sagemaker:DeleteSpace",
                "sagemaker:ListTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*"
        },
        {
            "Sid": "AllowSagemakerAddTagsForAppManagedSpaces",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*",
            "Condition": {
                "StringEquals": {
                    "sagemaker:TaggingAction": "CreateSpace"
                }
            }
        }
    ]
}
```


## Amazon SageMaker AI updates to SageMaker AI notebook managed policies
<a name="security-iam-awsmanpol-notebooks-updates"></a>

View details about updates to Amazon SageMaker AI AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date |
| --- | --- | --- | --- |
| [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) – Update to an existing policy | 10 | Added the `fsx:DescribeFileSystems` permission. | November 14, 2024 |
| [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) – Update to an existing policy | 9 | Added the `sagemaker:DeleteApp` permission. | July 24, 2024 |
| [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) – Update to an existing policy | 8 | Added the `sagemaker:CreateSpace`, `sagemaker:DescribeSpace`, `sagemaker:DeleteSpace`, `sagemaker:ListTags`, and `sagemaker:AddTags` permissions. | May 22, 2024 |
| [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) – Update to an existing policy | 7 | Added the `elasticfilesystem:TagResource` permission. | March 9, 2023 |
| [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) – Update to an existing policy | 6 | Added the `elasticfilesystem:CreateAccessPoint`, `elasticfilesystem:DeleteAccessPoint`, and `elasticfilesystem:DescribeAccessPoints` permissions. | January 12, 2023 |
|  |  | SageMaker AI started tracking changes for its AWS managed policies. | June 1, 2021 |