

This is a machine-translated version. If there is a discrepancy between this translation and the English original, the English original prevails.

# AWS managed policies for Amazon SageMaker AI
<a name="security-iam-awsmanpol"></a>

Adding permissions to users, groups, and roles is easier with AWS managed policies than writing policies yourself. Creating [IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need takes time and expertise. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the `ReadOnlyAccess` AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

**Important**  
We recommend that you use the most restrictive policy that allows your use case to be performed.

The following AWS managed policies are specific to Amazon SageMaker AI and can be attached to users in your account:
+ **`AmazonSageMakerFullAccess`** – Grants full access to Amazon SageMaker AI and SageMaker AI geospatial resources and the supported operations. This does not provide unrestricted Amazon S3 access, but supports buckets and objects that carry a specific `sagemaker` tag. This policy allows all IAM roles to be passed to Amazon SageMaker AI, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services.
+ **`AmazonSageMakerReadOnly`** – Grants read-only access to Amazon SageMaker AI resources.

The following AWS managed policies can be attached to users in your account, but are not recommended:
+ [AdministratorAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator) – Grants all actions for all AWS services and for all resources in the account.
+ [DataScientist](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_data-scientist) – Grants a wide range of permissions to cover most of the use cases encountered by data scientists (primarily for analytics and business intelligence).

You can review these permissions policies by signing in to the IAM console and searching for them.

You can also create your own custom IAM policies that grant permissions for SageMaker AI actions and resources as you need them. You can attach these custom policies to the users or groups that require them.

**Topics**
+ [AWS managed policy: AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess)
+ [AWS managed policy: AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly)
+ [AWS managed policies for Amazon SageMaker Canvas](security-iam-awsmanpol-canvas.md)
+ [AWS managed policies for Amazon SageMaker Feature Store](security-iam-awsmanpol-feature-store.md)
+ [AWS managed policies for Amazon SageMaker geospatial](security-iam-awsmanpol-geospatial.md)
+ [AWS managed policies for Amazon SageMaker Ground Truth](security-iam-awsmanpol-ground-truth.md)
+ [AWS managed policies for Amazon SageMaker HyperPod](security-iam-awsmanpol-hyperpod.md)
+ [AWS managed policies for SageMaker AI Model Governance](security-iam-awsmanpol-governance.md)
+ [AWS managed policies for Model Registry](security-iam-awsmanpol-model-registry.md)
+ [AWS managed policies for SageMaker Notebooks](security-iam-awsmanpol-notebooks.md)
+ [AWS managed policies for Amazon SageMaker Partner AI Apps](security-iam-awsmanpol-partner-apps.md)
+ [AWS managed policies for SageMaker Pipelines](security-iam-awsmanpol-pipelines.md)
+ [AWS managed policies for SageMaker Training Plans](security-iam-awsmanpol-training-plan.md)
+ [AWS managed policies for SageMaker Projects and JumpStart](security-iam-awsmanpol-sc.md)
+ [SageMaker AI updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: AmazonSageMakerFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerFullAccess"></a>

This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker AI and SageMaker AI geospatial resources and operations. The policy also provides select access to related services. It allows all IAM roles to be passed to Amazon SageMaker AI, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. The policy does not include permissions to create an Amazon SageMaker AI domain. For information about the policy needed to create a domain, see [Complete Amazon SageMaker AI prerequisites](gs-set-up.md).

**Permissions details**

This policy includes the following permissions.
+ `application-autoscaling` – Allows principals to automatically scale SageMaker AI real-time inference endpoints.
+ `athena` – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.
+ `aws-marketplace` – Allows principals to view AWS AI Marketplace subscriptions. This is required if you want to access SageMaker AI software subscribed to in AWS Marketplace.
+ `cloudformation` – Allows principals to get AWS CloudFormation templates for use with SageMaker AI JumpStart solutions and Pipelines. SageMaker AI JumpStart creates the resources needed to run end-to-end machine learning solutions that connect SageMaker AI to other AWS services. SageMaker AI Pipelines creates new projects backed by Service Catalog.
+ `cloudwatch` – Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.
+ `codebuild` – Allows principals to store AWS CodeBuild artifacts for SageMaker AI Pipelines and Projects.
+ `codecommit` – Required for AWS CodeCommit integration with SageMaker AI notebook instances.
+ `cognito-idp` – Required by Amazon SageMaker Ground Truth to define private workforces and work teams.
+ `ec2` – Required by SageMaker AI to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for SageMaker AI jobs, models, endpoints, and notebook instances.
+ `ecr` – Required to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. This is also required to use your own containers in SageMaker AI. Additional permissions for SageMaker AI JumpStart solutions are required to create and remove custom images on behalf of users.
+ `elasticfilesystem` – Allows principals to access Amazon Elastic File System. This is required for SageMaker AI to use data sources in Amazon Elastic File System to train machine learning models.
+ `fsx` – Allows principals to access Amazon FSx. This is required for SageMaker AI to use data sources in Amazon FSx to train machine learning models.
+ `glue` – Required for inference pipeline preprocessing within SageMaker AI notebook instances.
+ `groundtruthlabeling` – Required for Ground Truth labeling jobs. The `groundtruthlabeling` endpoint is accessed through the Ground Truth console.
+ `iam` – Required to give the SageMaker AI console access to available IAM roles and to create service-linked roles.
+ `kms` – Required to give the SageMaker AI console access to available AWS KMS keys and to retrieve the key for any AWS KMS alias specified in jobs and endpoints.
+ `lambda` – Allows principals to invoke and get a list of AWS Lambda functions.
+ `logs` – Required to allow SageMaker AI jobs and endpoints to publish log streams.
+ `redshift` – Allows principals to access Amazon Redshift cluster credentials.
+ `redshift-data` – Allows principals to use data from Amazon Redshift to run, describe, and cancel statements; get statement results; and list schemas and tables.
+ `robomaker` – Allows principals full access to create, get descriptions of, and delete AWS RoboMaker simulation applications and jobs. This is also required to run reinforcement learning examples on notebook instances.
+ `s3, s3express` – Allows principals full access to Amazon S3 and Amazon S3 Express resources related to SageMaker AI, but not to all Amazon S3 or Amazon S3 Express resources.
+ `sagemaker` – Allows principals to list tags on SageMaker AI user profiles and to add tags to SageMaker AI apps and spaces. Access to SageMaker AI flow definitions is allowed only for a `sagemaker:WorkteamType` of "private-crowd" or "vendor-crowd". Allows using and describing SageMaker AI Training Plans and reserved capacity, as well as training jobs and SageMaker HyperPod clusters, in all AWS Regions where the Training Plans feature is available.
+ `sagemaker` and `sagemaker-geospatial` – Allows principals read-only access to SageMaker AI domains and user profiles.
+ `secretsmanager` – Allows principals full access to AWS Secrets Manager. Principals can securely encrypt, store, and retrieve credentials for databases and other services. This is also required for SageMaker AI notebook instances that use SageMaker AI code repositories backed by GitHub.
+ `servicecatalog` – Allows principals to use Service Catalog. Principals can create, get, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed using AWS resources. This is required for SageMaker AI JumpStart and Projects to find and read Service Catalog products and to launch AWS resources in the user's account.
+ `sns` – Allows principals to get a list of Amazon SNS topics. This is required by endpoints with asynchronous inference enabled to notify users that inference has completed.
+ `states` – Required by SageMaker AI JumpStart and Pipelines to create Step Functions resources through Service Catalog.
+ `tag` – Required by SageMaker AI Pipelines to render in Studio Classic. Studio Classic needs resources tagged with the specific `sagemaker:project-id` tag key, which requires the `tag:GetResources` permission.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:*",
        "sagemaker-geospatial:*"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:partner-app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*",
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:space/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:app/*"
      ]
    },
    {
      "Sid": "AllowUseOfTrainingPlanResources",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateCluster",
        "sagemaker:UpdateCluster",
        "sagemaker:DescribeTrainingPlan"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces",
        "sagemaker:DescribeApp",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private",
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private"
          ]
        }
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": [
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": [
            "private-crowd",
            "vendor-crowd"
          ]
        }
      }
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/*sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ProvisionProduct"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "robomaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": [
        "glue:CreateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": [
        "glue:DeleteTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:user-profile/*"
      ]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:ListAllMyDirectoryBuckets"
      ],
      "Resource": "*"
    }
  ]
}
```

------
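The two `iam:PassRole` statements, the `NotResource` list of the first statement, and the tag-conditioned `s3:GetObject` grant are the parts of this policy that most often surprise reviewers, so it helps to see the policy language evaluated on concrete requests. The following is an added example, not AWS code: a simplified evaluator that implements only the IAM features the excerpt uses (Allow statements, `*` globbing, `${...}` policy variables, and the `StringEquals`, `StringEqualsIgnoreCase`, `StringLike`, `ArnLike`, `Null` and `...IfExists` operators). The account id and role names in the sample requests are constructed placeholders, and the `NotResource` list is shortened to the two entries the demonstration needs.

```python
"""Simplified IAM evaluator for an excerpt of AmazonSageMakerFullAccess.

Added example, not AWS code. It models only the IAM features the excerpt uses:
Allow statements, "*" globbing in Action/Resource/NotResource, ${...} policy
variables, and the StringEquals, StringEqualsIgnoreCase, StringLike, ArnLike,
Null and ...IfExists condition operators. Explicit Deny, NotAction, multi-valued
context keys, resource policies and SCPs are not modelled, so use it to reason
about the managed policy, not as a substitute for the IAM policy simulator.
"""
import fnmatch
import json
import re

# Four statements copied from the managed policy above; the NotResource list of
# the first statement is shortened to the two entries needed here.
POLICY_EXCERPT = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAllNonAdminSageMakerActions", "Effect": "Allow",
     "Action": ["sagemaker:*", "sagemaker-geospatial:*"],
     "NotResource": ["arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*"]},
    {"Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
     "Condition": {"StringEquals": {"iam:PassedToService":
       ["glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
    {"Sid": "AllowPassRoleToSageMaker", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    {"Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::*"],
     "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM "*" and "?" wildcards; ARNs contain no "[" so fnmatch's set syntax is harmless.
    return fnmatch.fnmatchcase(value, pattern)


def _substitute(pattern, ctx):
    # Expand ${key} policy variables from the (lower-cased) request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1).lower(), m.group(0)), pattern)


def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if base == "Null":
                # "true" requires the key to be absent, "false" requires it to be present.
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
                continue
            if actual is None:
                if if_exists:
                    continue  # ...IfExists: a missing key satisfies the test
                return False
            choices = [_substitute(str(e), ctx) for e in _as_list(expected)]
            if base == "StringEquals":
                ok = actual in choices
            elif base == "StringEqualsIgnoreCase":
                ok = actual.lower() in [c.lower() for c in choices]
            elif base in ("StringLike", "ArnLike"):
                ok = any(_glob(c, actual) for c in choices)
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def first_allowing_sid(policy, action, resource, context=None):
    """Return the Sid of the first Allow statement matching the request, else None."""
    ctx = {k.lower(): v for k, v in (context or {}).items()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if "Resource" in stmt:
            if not any(_glob(_substitute(r, ctx), resource) for r in _as_list(stmt["Resource"])):
                continue
        elif "NotResource" in stmt:
            if any(_glob(_substitute(r, ctx), resource) for r in _as_list(stmt["NotResource"])):
                continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        return stmt.get("Sid")
    return None


if __name__ == "__main__":
    # Constructed sample requests; the account id and role names are placeholders.
    team_role = "arn:aws:iam::111122223333:role/DataTeamRole"
    sm_role = "arn:aws:iam::111122223333:role/AmazonSageMaker-ExecutionRole"
    for role, svc in [(team_role, "sagemaker.amazonaws.com"), (team_role, "glue.amazonaws.com"),
                      (sm_role, "glue.amazonaws.com")]:
        print(role.rsplit("/", 1)[1], "->", svc, ":",
              first_allowing_sid(POLICY_EXCERPT, "iam:PassRole", role, {"iam:PassedToService": svc}))
```

Running the block shows that any role can be passed to `sagemaker.amazonaws.com`, that the same role is refused for `glue.amazonaws.com` unless its name contains `AmazonSageMaker`, that `sagemaker:CreateDomain` on a domain ARN matches no statement because of `NotResource`, and that `s3:GetObject` on an arbitrary bucket only succeeds when the object carries the `SageMaker=true` tag (compared case-insensitively). When auditing a real account, confirm such conclusions with the IAM policy simulator, since this evaluator ignores Deny statements and other policy types.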

## AWS managed policy: AmazonSageMakerReadOnly
<a name="security-iam-awsmanpol-AmazonSageMakerReadOnly"></a>

This policy grants read-only access to Amazon SageMaker AI through the AWS Management Console and SDK.

**Permissions details**

This policy includes the following permissions.
+ `application-autoscaling` – Allows principals to browse descriptions of scalable SageMaker AI real-time inference endpoints.
+ `aws-marketplace` – Allows principals to view AWS AI Marketplace subscriptions.
+ `cloudwatch` – Allows principals to receive CloudWatch alarms.
+ `cognito-idp` – Required by Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.
+ `ecr` – Required to read Docker artifacts for training and inference.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:Describe*",
                "sagemaker:List*",
                "sagemaker:BatchGetMetrics",
                "sagemaker:GetDeviceRegistration",
                "sagemaker:GetDeviceFleetReport",
                "sagemaker:GetSearchSuggestions",
                "sagemaker:BatchGetRecord",
                "sagemaker:GetRecord",
                "sagemaker:Search",
                "sagemaker:QueryLineage",
                "sagemaker:GetLineageGroupPolicy",
                "sagemaker:BatchDescribeModelPackage",
                "sagemaker:GetModelPackageGroupPolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "aws-marketplace:ViewSubscriptions",
                "cloudwatch:DescribeAlarms",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:ListGroups",
                "cognito-idp:ListIdentityProviders",
                "cognito-idp:ListUserPoolClients",
                "cognito-idp:ListUserPools",
                "cognito-idp:ListUsers",
                "cognito-idp:ListUsersInGroup",
                "ecr:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
```

------
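A policy that is described as read-only is worth checking mechanically before it is attached to auditors or reviewers, and the same check flags the mutating grants in `AmazonSageMakerFullAccess`. The following is an added example, not AWS code: a heuristic linter that classifies every allowed action by its verb prefix and reports anything that is not a Describe/List/Get/Search/Query/View style verb, along with service-wide wildcards and `NotAction` statements. It embeds the `AmazonSageMakerReadOnly` document shown above and a constructed excerpt of five actions taken from `AmazonSageMakerFullAccess`.

```python
"""Heuristic read-only check for IAM policy documents (added example, not AWS code).

The verb heuristic is deliberately coarse: "read" verbs such as s3:GetObject
still read customer data, and a few read-type actions with other verbs (for
example codecommit:GitPull) are reported as false positives. Treat the output
as a review list, not a verdict.
"""
import json

READ_VERB_PREFIXES = ("Describe", "List", "Get", "BatchGet", "BatchDescribe",
                      "Search", "Query", "View")

# The AmazonSageMakerReadOnly policy document as shown above.
READ_ONLY_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
      "sagemaker:Describe*", "sagemaker:List*", "sagemaker:BatchGetMetrics",
      "sagemaker:GetDeviceRegistration", "sagemaker:GetDeviceFleetReport",
      "sagemaker:GetSearchSuggestions", "sagemaker:BatchGetRecord", "sagemaker:GetRecord",
      "sagemaker:Search", "sagemaker:QueryLineage", "sagemaker:GetLineageGroupPolicy",
      "sagemaker:BatchDescribeModelPackage", "sagemaker:GetModelPackageGroupPolicy"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
      "application-autoscaling:DescribeScalableTargets",
      "application-autoscaling:DescribeScalingActivities",
      "application-autoscaling:DescribeScalingPolicies",
      "application-autoscaling:DescribeScheduledActions",
      "aws-marketplace:ViewSubscriptions", "cloudwatch:DescribeAlarms",
      "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient",
      "cognito-idp:ListGroups", "cognito-idp:ListIdentityProviders",
      "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools",
      "cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup", "ecr:Describe*"]}
  ]
}
""")

# Constructed excerpt: five actions taken from AmazonSageMakerFullAccess, one statement.
FULL_ACCESS_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["sagemaker:*", "ecr:PutImage", "s3:GetObject",
                    "iam:PassRole", "codecommit:GitPull"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def non_read_actions(policy):
    """Return the sorted list of allowed actions that are not read-only by verb prefix."""
    flagged = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # "Everything except ..." grants cannot be read-only by construction.
            flagged.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*" or not verb.startswith(READ_VERB_PREFIXES):
                flagged.add(action)
    return sorted(flagged)


def is_read_only(policy):
    """True when no allowed action falls outside the read-only verb heuristic."""
    return not non_read_actions(policy)


if __name__ == "__main__":
    print("AmazonSageMakerReadOnly read-only:", is_read_only(READ_ONLY_POLICY))
    print("FullAccess excerpt flagged actions:", non_read_actions(FULL_ACCESS_EXCERPT))
```

The read-only policy produces an empty review list, while the excerpt reports `codecommit:GitPull`, `ecr:PutImage`, `iam:PassRole` and `sagemaker:*`; `s3:GetObject` passes the verb test, which is exactly why a verb heuristic is only a first pass and resource scoping still has to be reviewed by hand.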

# AWS managed policies for Amazon SageMaker Canvas
<a name="security-iam-awsmanpol-canvas"></a>

These AWS managed policies add the permissions required to use Amazon SageMaker Canvas. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerCanvasFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess)
+ [AWS managed policy: AmazonSageMakerCanvasDataPrepFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess)
+ [AWS managed policy: AmazonSageMakerCanvasDirectDeployAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess)
+ [AWS managed policy: AmazonSageMakerCanvasAIServicesAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess)
+ [AWS managed policy: AmazonSageMakerCanvasBedrockAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess)
+ [AWS managed policy: AmazonSageMakerCanvasForecastAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess)
+ [AWS managed policy: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy](#security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy)
+ [AWS managed policy: AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess)
+ [Amazon SageMaker AI updates to Amazon SageMaker Canvas managed policies](#security-iam-awsmanpol-canvas-updates)

## AWS managed policy: AmazonSageMakerCanvasFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess"></a>

This policy grants permissions that allow full access to Amazon SageMaker Canvas through the AWS Management Console and SDK. The policy also provides select access to related services, for example Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Container Registry (Amazon ECR), Amazon CloudWatch Logs, Amazon Redshift, AWS Secrets Manager, SageMaker Autopilot, SageMaker Model Registry, and Amazon Forecast.

This policy is intended to help customers try out and get started with all the features of SageMaker Canvas. For more granular control, we recommend that customers build their own scoped-down version when moving to production workloads. For more information, see [IAM policy types: How and when to use them](https://aws.amazon.com/blogs/security/iam-policy-types-how-and-when-to-use-them/).

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Allows principals to create and host SageMaker AI models on resources whose ARN contains "Canvas", "canvas", or "model-compilation-". Additionally, users can register their SageMaker Canvas models to the SageMaker AI Model Registry in the same AWS account. Also allows principals to create and manage SageMaker training, transform, and AutoML jobs.
+ `application-autoscaling` – Allows principals to automatically scale SageMaker AI inference endpoints.
+ `athena` – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena, and to access tables in the catalog.
+ `cloudwatch` – Allows principals to create and manage Amazon CloudWatch alarms.
+ `ec2` – Allows principals to create Amazon VPC endpoints.
+ `ecr` – Allows principals to get information about container images.
+ `emr-serverless` – Allows principals to create and manage Amazon EMR Serverless applications and job runs. Also allows principals to tag SageMaker Canvas resources.
+ `forecast` – Allows principals to use Amazon Forecast.
+ `glue` – Allows principals to retrieve tables, databases, and partitions from the AWS Glue catalog.
+ `iam` – Allows principals to pass IAM roles to Amazon SageMaker AI, Amazon Forecast, and Amazon EMR Serverless. Also allows principals to create service-linked roles.
+ `kms` – Allows principals to read AWS KMS keys tagged with `Source:SageMakerCanvas`.
+ `logs` – Allows principals to publish logs from training jobs and endpoints.
+ `quicksight` – Allows principals to list namespaces in the Amazon QuickSight account.
+ `rds` – Allows principals to return information about provisioned Amazon RDS instances.
+ `redshift` – Allows principals to get credentials for the `sagemaker_access*` dbuser on any Amazon Redshift cluster, if that user exists.
+ `redshift-data` – Allows principals to run queries on Amazon Redshift using the Amazon Redshift Data API. This only provides access to the Redshift Data API itself and does not directly provide access to your Amazon Redshift clusters. For more information, see [Using the Amazon Redshift Data API](https://docs.aws.amazon.com/redshift/latest/mgmt/data-api.html).
+ `s3` – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name contains "SageMaker", "Sagemaker", or "sagemaker". Also allows principals to retrieve objects from Amazon S3 buckets whose ARN starts with "jumpstart-cache-prod-" in a specific Region.
+ `secretsmanager` – Allows principals to store customer credentials for connecting to a Snowflake database using Secrets Manager.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerUserDetailsAndPackageOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeDomain",
                "sagemaker:DescribeUserProfile",
                "sagemaker:ListTags",
                "sagemaker:ListModelPackages",
                "sagemaker:ListModelPackageGroups",
                "sagemaker:ListEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SageMakerPackageGroupOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateModelPackageGroup",
                "sagemaker:CreateModelPackage",
                "sagemaker:DescribeModelPackageGroup",
                "sagemaker:DescribeModelPackage"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:model-package-group/*"
            ]
        },
        {
            "Sid": "SageMakerTrainingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateCompilationJob",
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateModel",
                "sagemaker:CreateProcessingJob",
                "sagemaker:CreateAutoMLJob",
                "sagemaker:CreateAutoMLJobV2",
                "sagemaker:CreateTrainingJob",
                "sagemaker:CreateTransformJob",
                "sagemaker:DeleteEndpoint",
                "sagemaker:DescribeCompilationJob",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:DescribeModel",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:DescribeAutoMLJob",
                "sagemaker:DescribeAutoMLJobV2",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:DescribeTransformJob",
                "sagemaker:ListCandidatesForAutoMLJob",
                "sagemaker:StopAutoMLJob",
                "sagemaker:StopTrainingJob",
                "sagemaker:StopTransformJob",
                "sagemaker:AddTags",
                "sagemaker:DeleteApp"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:*Canvas*",
                "arn:aws:sagemaker:*:*:*canvas*",
                "arn:aws:sagemaker:*:*:*model-compilation-*"
            ]
        },
        {
            "Sid": "SageMakerHostingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DeleteEndpointConfig",
                "sagemaker:DeleteModel",
                "sagemaker:InvokeEndpoint",
                "sagemaker:UpdateEndpointWeightsAndCapacities",
                "sagemaker:InvokeEndpointAsync"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:*Canvas*",
                "arn:aws:sagemaker:*:*:*canvas*"
            ]
        },
        {
            "Sid": "EC2VPCOperation",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ECROperations",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMGetOperations",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Sid": "IAMPassOperation",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "sagemaker.amazonaws.com"
                }
            }
        },
        {
            "Sid": "LoggingOperation",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
        },
        {
            "Sid": "S3Operations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:CreateBucket",
                "s3:GetBucketCors",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Sid": "ReadSageMakerJumpstartArtifacts",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*"
            ]
        },
        {
            "Sid": "S3ListOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GlueOperations",
            "Effect": "Allow",
            "Action": "glue:SearchTables",
            "Resource": [
                "arn:aws:glue:*:*:table/*/*",
                "arn:aws:glue:*:*:database/*",
                "arn:aws:glue:*:*:catalog"
            ]
        },
        {
            "Sid": "SecretsManagerARNBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutResourcePolicy"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
            ]
        },
        {
            "Sid": "SecretManagerTagBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "secretsmanager:ResourceTag/SageMaker": "true"
                }
            }
        },
        {
            "Sid": "RedshiftOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:ExecuteStatement",
                "redshift-data:DescribeStatement",
                "redshift-data:CancelStatement",
                "redshift-data:GetStatementResult",
                "redshift-data:ListSchemas",
                "redshift-data:ListTables",
                "redshift-data:DescribeTable"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RedshiftGetCredentialsOperation",
            "Effect": "Allow",
            "Action": [
                "redshift:GetClusterCredentials"
            ],
            "Resource": [
                "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
                "arn:aws:redshift:*:*:dbname:*"
            ]
        },
        {
            "Sid": "ForecastOperations",
            "Effect": "Allow",
            "Action": [
                "forecast:CreateExplainabilityExport",
                "forecast:CreateExplainability",
                "forecast:CreateForecastEndpoint",
                "forecast:CreateAutoPredictor",
                "forecast:CreateDatasetImportJob",
                "forecast:CreateDatasetGroup",
                "forecast:CreateDataset",
                "forecast:CreateForecast",
                "forecast:CreateForecastExportJob",
                "forecast:CreatePredictorBacktestExportJob",
                "forecast:CreatePredictor",
                "forecast:DescribeExplainabilityExport",
                "forecast:DescribeExplainability",
                "forecast:DescribeAutoPredictor",
                "forecast:DescribeForecastEndpoint",
                "forecast:DescribeDatasetImportJob",
                "forecast:DescribeDataset",
                "forecast:DescribeForecast",
                "forecast:DescribeForecastExportJob",
                "forecast:DescribePredictorBacktestExportJob",
                "forecast:GetAccuracyMetrics",
                "forecast:InvokeForecastEndpoint",
                "forecast:GetRecentForecastContext",
                "forecast:DescribePredictor",
                "forecast:TagResource",
                "forecast:DeleteResourceTree"
            ],
            "Resource": [
                "arn:aws:forecast:*:*:*Canvas*"
            ]
        },
        {
            "Sid": "RDSOperation",
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassOperationForForecast",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "forecast.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AutoscalingOperations",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget"
            ],
            "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*",
            "Condition": {
                "StringEquals": {
                    "application-autoscaling:service-namespace": "sagemaker",
                    "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount"
                }
            }
        },
        {
            "Sid": "AsyncEndpointOperations",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarms",
                "sagemaker:DescribeEndpointConfig"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DescribeScalingOperations",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerCloudWatchUpdate",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:*:alarm:TargetTracking*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "application-autoscaling.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AutoscalingSageMakerEndpointOperation",
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AthenaOperation",
            "Action": [
                "athena:ListTableMetadata",
                "athena:ListDataCatalogs",
                "athena:ListDatabases"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "GlueOperation",
            "Action": [
                "glue:GetDatabases",
                "glue:GetPartitions",
                "glue:GetTables"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:glue:*:*:table/*",
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "QuicksightOperation",
            "Action": [
                "quicksight:ListNamespaces"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AllowUseOfKeyInAccount",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Source": "SageMakerCanvas",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessCreateApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:CreateApplication",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListApplications",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessApplicationOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:UpdateApplication",
                "emr-serverless:StopApplication",
                "emr-serverless:GetApplication",
                "emr-serverless:StartApplication"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessStartJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:StartJobRun",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListJobRuns",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessJobRunOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:GetJobRun",
                "emr-serverless:CancelJobRun"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessTagResourceOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:TagResource",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "IAMPassOperationForEMRServerless",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
                "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "emr-serverless.amazonaws.com",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

## AWS managed policy: AmazonSageMakerCanvasDataPrepFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess"></a>

This policy grants permissions that allow full access to the data preparation capabilities of Amazon SageMaker Canvas. The policy also grants the minimum permissions needed for the services that integrate with the data preparation features, such as Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon EMR, Amazon EventBridge, Amazon Redshift, AWS Key Management Service (AWS KMS), and AWS Secrets Manager.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Allows principals to list, create, and describe feature groups, and to create, describe, and tag processing jobs and pipelines whose names contain "canvas-data-prep".
+ `athena` – Allows principals to list data catalogs, databases, and table metadata from Amazon Athena, and to run queries in Athena workgroups.
+ `elasticmapreduce` – Allows principals to read and list Amazon EMR clusters.
+ `emr-serverless` – Allows principals to create and manage Amazon EMR Serverless applications and job runs. Also allows principals to tag SageMaker Canvas resources.
+ `events` – Allows principals to create, describe, update, tag, and add targets to Amazon EventBridge rules for scheduled jobs.
+ `glue` – Allows principals to get and search tables in databases in the AWS Glue catalog.
+ `iam` – Allows principals to pass IAM roles to Amazon SageMaker AI, Amazon EventBridge, and Amazon EMR Serverless. Also allows principals to list and get IAM roles.
+ `kms` – Allows principals to list AWS KMS key aliases used by jobs and endpoints and to describe the associated KMS keys.
+ `logs` – Allows principals to publish logs from training jobs and endpoints.
+ `redshift` – Allows principals to get credentials for accessing Amazon Redshift databases.
+ `redshift-data` – Allows principals to run, cancel, describe, list, and get the results of Amazon Redshift queries. Also allows principals to list Amazon Redshift schemas and tables.
+ `s3` – Allows principals to add and retrieve objects in Amazon S3 buckets. These are limited to objects whose ARN contains "SageMaker", "Sagemaker", or "sagemaker", or objects tagged `SageMaker` with the value `true` (matched case-insensitively).
+ `secretsmanager` – Allows principals to store and retrieve customer database credentials with Secrets Manager.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerListFeatureGroupOperation",
            "Effect": "Allow",
            "Action": "sagemaker:ListFeatureGroups",
            "Resource": "*"
        },
        {
            "Sid": "SageMakerFeatureGroupOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateFeatureGroup",
                "sagemaker:DescribeFeatureGroup"
            ],
            "Resource": "arn:aws:sagemaker:*:*:feature-group/*"
        },
        {
            "Sid": "SageMakerProcessingJobOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateProcessingJob",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:AddTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
        },
        {
            "Sid": "SageMakerProcessingJobListOperation",
            "Effect": "Allow",
            "Action": "sagemaker:ListProcessingJobs",
            "Resource": "*"
        },
        {
            "Sid": "SageMakerPipelineOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribePipeline",
                "sagemaker:CreatePipeline",
                "sagemaker:UpdatePipeline",
                "sagemaker:DeletePipeline",
                "sagemaker:StartPipelineExecution",
                "sagemaker:ListPipelineExecutionSteps",
                "sagemaker:DescribePipelineExecution"
            ],
            "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
        },
        {
            "Sid": "KMSListOperations",
            "Effect": "Allow",
            "Action": "kms:ListAliases",
            "Resource": "*"
        },
        {
            "Sid": "KMSOperations",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "arn:aws:kms:*:*:key/*"
        },
        {
            "Sid": "S3Operations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketCors",
                "s3:GetBucketLocation",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3GetObjectOperation",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                },
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3ListOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListOperations",
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        },
        {
            "Sid": "IAMGetOperations",
            "Effect": "Allow",
            "Action": "iam:GetRole",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Sid": "IAMPassOperation",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "sagemaker.amazonaws.com",
                        "events.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "EventBridgePutOperation",
            "Effect": "Allow",
            "Action": [
                "events:PutRule"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeOperations",
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:PutTargets"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeTagBasedOperations",
            "Effect": "Allow",
            "Action": [
                "events:TagResource"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true",
                    "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeListTagOperation",
            "Effect": "Allow",
            "Action": "events:ListTagsForResource",
            "Resource": "*"
        },
        {
            "Sid": "GlueOperations",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "glue:SearchTables"
            ],
            "Resource": [
                "arn:aws:glue:*:*:table/*",
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*"
            ]
        },
        {
            "Sid": "EMROperations",
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:ListInstanceGroups"
            ],
            "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*"
        },
        {
            "Sid": "EMRListOperation",
            "Effect": "Allow",
            "Action": "elasticmapreduce:ListClusters",
            "Resource": "*"
        },
        {
            "Sid": "AthenaListDataCatalogOperation",
            "Effect": "Allow",
            "Action": "athena:ListDataCatalogs",
            "Resource": "*"
        },
        {
            "Sid": "AthenaQueryExecutionOperations",
            "Effect": "Allow",
            "Action": [
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution"
            ],
            "Resource": "arn:aws:athena:*:*:workgroup/*"
        },
        {
            "Sid": "AthenaDataCatalogOperations",
            "Effect": "Allow",
            "Action": [
                "athena:ListDatabases",
                "athena:ListTableMetadata"
            ],
            "Resource": "arn:aws:athena:*:*:datacatalog/*"
        },
        {
            "Sid": "RedshiftOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:DescribeStatement",
                "redshift-data:CancelStatement",
                "redshift-data:GetStatementResult"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RedshiftArnBasedOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:ExecuteStatement",
                "redshift-data:ListSchemas",
                "redshift-data:ListTables"
            ],
            "Resource": "arn:aws:redshift:*:*:cluster:*"
        },
        {
            "Sid": "RedshiftGetCredentialsOperation",
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [
                "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
                "arn:aws:redshift:*:*:dbname:*"
            ]
        },
        {
            "Sid": "SecretsManagerARNBasedOperation",
            "Effect": "Allow",
            "Action": "secretsmanager:CreateSecret",
            "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
        },
        {
            "Sid": "SecretManagerTagBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "RDSOperation",
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "*"
        },
        {
            "Sid": "LoggingOperation",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
        },
        {
            "Sid": "EMRServerlessCreateApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:CreateApplication",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListApplications",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessApplicationOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:UpdateApplication",
                "emr-serverless:GetApplication"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessStartJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:StartJobRun",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListJobRuns",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessJobRunOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:GetJobRun",
                "emr-serverless:CancelJobRun"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessTagResourceOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:TagResource",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "IAMPassOperationForEMRServerless",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
                "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "emr-serverless.amazonaws.com",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

## AWS managed policy: AmazonSageMakerCanvasDirectDeployAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess"></a>

This policy grants Amazon SageMaker Canvas the permissions it needs to create and manage Amazon SageMaker AI endpoints.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Allows principals to create and manage SageMaker AI endpoints whose ARN resource names begin with "Canvas" or "canvas".
+ `cloudwatch` – Allows principals to retrieve Amazon CloudWatch metric data.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerEndpointPerms",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:DeleteEndpoint",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:InvokeEndpoint",
                "sagemaker:UpdateEndpoint"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:Canvas*",
                "arn:aws:sagemaker:*:*:canvas*"
            ]
        },
        {
            "Sid": "ReadCWInvocationMetrics",
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonSageMakerCanvasAIServicesAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess"></a>

This policy grants Amazon SageMaker Canvas permission to use Amazon Textract, Amazon Rekognition, Amazon Comprehend, and Amazon Bedrock.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `textract` – Allows principals to use Amazon Textract to detect documents, expenses, and identity documents in images.
+ `rekognition` – Allows principals to use Amazon Rekognition to detect labels and text in images.
+ `comprehend` – Allows principals to use Amazon Comprehend to detect sentiment, dominant language, and named and personally identifiable information (PII) entities in text documents.
+ `bedrock` – Allows principals to list and invoke Amazon Bedrock foundation models.
+ `iam` – Allows principals to pass IAM roles to Amazon Bedrock.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Textract",
            "Effect": "Allow",
            "Action": [
                "textract:AnalyzeDocument",
                "textract:AnalyzeExpense",
                "textract:AnalyzeID",
                "textract:StartDocumentAnalysis",
                "textract:StartExpenseAnalysis",
                "textract:GetDocumentAnalysis",
                "textract:GetExpenseAnalysis"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Rekognition",
            "Effect": "Allow",
            "Action": [
                "rekognition:DetectLabels",
                "rekognition:DetectText"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Comprehend",
            "Effect": "Allow",
            "Action": [
                "comprehend:BatchDetectDominantLanguage",
                "comprehend:BatchDetectEntities",
                "comprehend:BatchDetectSentiment",
                "comprehend:DetectPiiEntities",
                "comprehend:DetectEntities",
                "comprehend:DetectSentiment",
                "comprehend:DetectDominantLanguage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Bedrock",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:ListFoundationModels",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateBedrockResourcesPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelCustomizationJob",
                "bedrock:CreateProvisionedModelThroughput",
                "bedrock:TagResource"
            ],
            "Resource": [
                "arn:aws:bedrock:*:*:model-customization-job/*",
                "arn:aws:bedrock:*:*:custom-model/*",
                "arn:aws:bedrock:*:*:provisioned-model/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "SageMaker",
                        "Canvas"
                    ]
                },
                "StringEquals": {
                    "aws:RequestTag/SageMaker": "true",
                    "aws:RequestTag/Canvas": "true",
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceTag/Canvas": "true"
                }
            }
        },
        {
            "Sid": "GetStopAndDeleteBedrockResourcesPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:GetModelCustomizationJob",
                "bedrock:GetCustomModel",
                "bedrock:GetProvisionedModelThroughput",
                "bedrock:StopModelCustomizationJob",
                "bedrock:DeleteProvisionedModelThroughput"
            ],
            "Resource": [
                "arn:aws:bedrock:*:*:model-customization-job/*",
                "arn:aws:bedrock:*:*:custom-model/*",
                "arn:aws:bedrock:*:*:provisioned-model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceTag/Canvas": "true"
                }
            }
        },
        {
            "Sid": "FoundationModelPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelCustomizationJob"
            ],
            "Resource": [
                "arn:aws:bedrock:*::foundation-model/*"
            ]
        },
        {
            "Sid": "BedrockFineTuningPassRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "bedrock.amazonaws.com"
                }
            }
        }
    ]
}
```

## AWS managed policy: AmazonSageMakerCanvasBedrockAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess"></a>

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Bedrock.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to add and get objects in Amazon S3 buckets, under the "sagemaker-*/Canvas" prefix.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3CanvasAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*/Canvas",
                "arn:aws:s3:::sagemaker-*/Canvas/*"
            ]
        },
        {
            "Sid": "S3BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*"
            ]
        }
    ]
}
```

------

## AWS managed policy: AmazonSageMakerCanvasForecastAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess"></a>

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Forecast.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to add and retrieve objects in Amazon S3 buckets. These objects are limited to those whose names begin with "sagemaker-".

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*/Canvas",
                "arn:aws:s3:::sagemaker-*/canvas"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*"
            ]
        }
    ]
}
```

------

## AWS managed policy: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy"></a>

This policy grants Amazon EMR Serverless permission to use AWS services such as Amazon S3 that Amazon SageMaker Canvas relies on to process large datasets.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to add and retrieve objects in Amazon S3 buckets. These objects are limited to those whose names contain "SageMaker" or "sagemaker", or that are tagged with "SageMaker" (case-insensitive).

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3Operations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketCors",
                "s3:GetBucketLocation",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3GetObjectOperation",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                },
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3ListOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

------

## AWS managed policy: AmazonSageMakerCanvasSMDataScienceAssistantAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess"></a>

This policy grants users in Amazon SageMaker Canvas permission to start conversations with Amazon Q Developer. This feature requires permissions for both the Amazon Q Developer and the SageMaker AI Data Science Assistant services.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `q` – Allows principals to send prompts to Amazon Q Developer.
+ `sagemaker-data-science-assistant` – Allows principals to send prompts to the SageMaker Canvas Data Science Assistant service.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerDataScienceAssistantAccess",
            "Effect": "Allow",
            "Action": [
                "sagemaker-data-science-assistant:SendConversation"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AmazonQDeveloperAccess",
            "Effect": "Allow",
            "Action": [
                "q:SendMessage",
                "q:StartConversation"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

------

## Amazon SageMaker AI updates to Amazon SageMaker Canvas managed policies
<a name="security-iam-awsmanpol-canvas-updates"></a>

View details about updates to the SageMaker Canvas AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) – Update to an existing policy  | 2 |  Add the `q:StartConversation` permission  | January 14, 2025 | 
|  [AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) – New policy  | 1 |  Initial policy  | December 4, 2024 | 
|  [AmazonSageMakerCanvasDataPrepFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess) – Update to an existing policy  | 4 |  Add resources to the `IAMPassOperationForEMRServerless` permission.  | August 16, 2024 | 
|  [AmazonSageMakerCanvasFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess) – Update to an existing policy  | 11 |  Add resources to the `IAMPassOperationForEMRServerless` permission.  | August 15, 2024 | 
|  [AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy](#security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy) – New policy  | 1 |  Initial policy  | July 26, 2024 | 
|  AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy  | 3 |  Add the `emr-serverless:CreateApplication`, `emr-serverless:ListApplications`, `emr-serverless:UpdateApplication`, `emr-serverless:GetApplication`, `emr-serverless:StartJobRun`, `emr-serverless:ListJobRuns`, `emr-serverless:GetJobRun`, `emr-serverless:CancelJobRun`, and `emr-serverless:TagResource` permissions.  | July 18, 2024 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 10 |  Add the `application-autoscaling:DescribeScalingActivities`, `iam:PassRole`, `kms:DescribeKey`, and `quicksight:ListNamespaces` permissions. Add the `sagemaker:CreateTrainingJob`, `sagemaker:CreateTransformJob`, `sagemaker:DescribeTrainingJob`, `sagemaker:DescribeTransformJob`, `sagemaker:StopAutoMLJob`, `sagemaker:StopTrainingJob`, and `sagemaker:StopTransformJob` permissions. Add the `athena:ListTableMetadata`, `athena:ListDataCatalogs`, and `athena:ListDatabases` permissions. Add the `glue:GetDatabases`, `glue:GetPartitions`, and `glue:GetTables` permissions. Add the `emr-serverless:CreateApplication`, `emr-serverless:ListApplications`, `emr-serverless:UpdateApplication`, `emr-serverless:StopApplication`, `emr-serverless:GetApplication`, `emr-serverless:StartApplication`, `emr-serverless:StartJobRun`, `emr-serverless:ListJobRuns`, `emr-serverless:GetJobRun`, `emr-serverless:CancelJobRun`, and `emr-serverless:TagResource` permissions.  | July 9, 2024 | 
|  [AmazonSageMakerCanvasBedrockAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess) – New policy  | 1 |  Initial policy  | February 2, 2024 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 9 |  Add the `sagemaker:ListEndpoints` permission  | January 24, 2024 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 8 |  Add the `sagemaker:UpdateEndpointWeightsAndCapacities`, `sagemaker:DescribeEndpointConfig`, `sagemaker:InvokeEndpointAsync`, `athena:ListDataCatalogs`, `athena:GetQueryExecution`, `athena:GetQueryResults`, `athena:StartQueryExecution`, `athena:StopQueryExecution`, `athena:ListDatabases`, `cloudwatch:DescribeAlarms`, `cloudwatch:PutMetricAlarm`, `cloudwatch:DeleteAlarms`, and `iam:CreateServiceLinkedRole` permissions.  | December 8, 2023 | 
|  AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy  | 2 |  Minor update to enforce the intent of version 1 of the policy; no permissions were added or removed.  | December 7, 2023 | 
|  [AmazonSageMakerCanvasAIServicesAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess) – Update to an existing policy  | 3 |  Add the `bedrock:InvokeModelWithResponseStream`, `bedrock:GetModelCustomizationJob`, `bedrock:StopModelCustomizationJob`, `bedrock:GetCustomModel`, `bedrock:GetProvisionedModelThroughput`, `bedrock:DeleteProvisionedModelThroughput`, `bedrock:TagResource`, `bedrock:CreateModelCustomizationJob`, `bedrock:CreateProvisionedModelThroughput`, and `iam:PassRole` permissions.  | November 29, 2023 | 
|  AmazonSageMakerCanvasDataPrepFullAccess – New policy  | 1 |  Initial policy  | October 26, 2023 | 
|  [AmazonSageMakerCanvasDirectDeployAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess) – New policy  | 1 |  Initial policy  | October 6, 2023 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 7 |  Add the `sagemaker:DeleteEndpointConfig`, `sagemaker:DeleteModel`, and `sagemaker:InvokeEndpoint` permissions. Also add the `s3:GetObject` permission for region-specific JumpStart resources.  | September 29, 2023 | 
|  AmazonSageMakerCanvasAIServicesAccess – Update to an existing policy  | 2 |  Add the `bedrock:InvokeModel` and `bedrock:ListFoundationModels` permissions.  | September 29, 2023 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 6 |  Add the `rds:DescribeDBInstances` permission  | August 29, 2023 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 5 |  Add the `application-autoscaling:PutScalingPolicy` and `application-autoscaling:RegisterScalableTarget` permissions.  | July 24, 2023 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 4 |  Add the `sagemaker:CreateModelPackage`, `sagemaker:CreateModelPackageGroup`, `sagemaker:DescribeModelPackage`, `sagemaker:DescribeModelPackageGroup`, `sagemaker:ListModelPackages`, and `sagemaker:ListModelPackageGroups` permissions.  | May 4, 2023 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy  | 3 |  Add the `sagemaker:CreateAutoMLJobV2`, `sagemaker:DescribeAutoMLJobV2`, and `glue:SearchTables` permissions.  | March 24, 2023 | 
|  AmazonSageMakerCanvasAIServicesAccess – New policy  | 1 |  Initial policy  | March 23, 2023 | 
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 2 |  Add the `forecast:DeleteResourceTree` permission  | December 6, 2022 | 
| AmazonSageMakerCanvasFullAccess – New policy | 1 |  Initial policy  | September 8, 2022 | 
|  [AmazonSageMakerCanvasForecastAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) – New policy  | 1 |  Initial policy  | August 24, 2022 | 

# AWS managed policies for Amazon SageMaker Feature Store
<a name="security-iam-awsmanpol-feature-store"></a>

These AWS managed policies add the permissions required to use Feature Store. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerFeatureStoreAccess](#security-iam-awsmanpol-AmazonSageMakerFeatureStoreAccess)
+ [Amazon SageMaker AI updates to Amazon SageMaker Feature Store managed policies](#security-iam-awsmanpol-feature-store-updates)

## AWS managed policy: AmazonSageMakerFeatureStoreAccess
<a name="security-iam-awsmanpol-AmazonSageMakerFeatureStoreAccess"></a>

This policy grants the permissions required to enable the offline store for an Amazon SageMaker Feature Store feature group.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to write data to the offline store Amazon S3 buckets. These buckets are limited to those whose names contain "SageMaker", "Sagemaker", or "sagemaker".
+ `s3` – Allows principals to read existing manifest files stored in the `metadata` folder of the offline store S3 buckets.
+ `glue` – Allows principals to read and update AWS Glue tables. These permissions are limited to tables in the `sagemaker_featurestore` Glue database.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetBucketAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*/metadata/*",
                "arn:aws:s3:::*Sagemaker*/metadata/*",
                "arn:aws:s3:::*sagemaker*/metadata/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetTable",
                "glue:UpdateTable"
            ],
            "Resource": [
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/sagemaker_featurestore",
                "arn:aws:glue:*:*:table/sagemaker_featurestore/*"
            ]
        }
    ]
}
```

------

## Amazon SageMaker AI updates to Amazon SageMaker Feature Store managed policies
<a name="security-iam-awsmanpol-feature-store-updates"></a>

View details about updates to the Feature Store AWS managed policies since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history](doc-history.md) page.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerFeatureStoreAccess](#security-iam-awsmanpol-AmazonSageMakerFeatureStoreAccess) – Update to an existing policy  | 3 |  Add the `s3:GetObject`, `glue:GetTable`, and `glue:UpdateTable` permissions.  | December 5, 2022 | 
| AmazonSageMakerFeatureStoreAccess – Update to an existing policy | 2 |  Add the `s3:PutObjectAcl` permission  | February 23, 2021 | 
| AmazonSageMakerFeatureStoreAccess – New policy | 1 |  Initial policy  | December 1, 2020 | 

# AWS managed policies for Amazon SageMaker geospatial
<a name="security-iam-awsmanpol-geospatial"></a>

These AWS managed policies add the permissions required to use SageMaker geospatial. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerGeospatialFullAccess](#security-iam-awsmanpol-AmazonSageMakerGeospatialFullAccess)
+ [AWS managed policy: AmazonSageMakerGeospatialExecutionRole](#security-iam-awsmanpol-AmazonSageMakerGeospatialExecutionRole)
+ [Amazon SageMaker AI updates to Amazon SageMaker geospatial managed policies](#security-iam-awsmanpol-geospatial-updates)

## AWS managed policy: AmazonSageMakerGeospatialFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerGeospatialFullAccess"></a>

This policy grants permissions that allow full access to Amazon SageMaker geospatial through the AWS Management Console and the SDK.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker-geospatial` – Allows principals full access to all SageMaker geospatial resources.
+ `iam` – Allows principals to pass IAM roles to SageMaker geospatial.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sagemaker-geospatial:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "sagemaker-geospatial.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

------
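The two statements in `AmazonSageMakerGeospatialFullAccess` are the broadest shapes on this page: a service-wide wildcard action on `"Resource": "*"` with no condition, and `iam:PassRole` over every role in the account scoped only by `iam:PassedToService`. The following Python script is an added example written for this page, not AWS tooling; it performs the static breadth review a practitioner does before attaching a managed policy, and runs it over the policy above and, for contrast, over the `IAMPassOperationForEMRServerless` statement shown at the top of this page, which restricts the passable roles by name prefix. The function names are mine; both policy documents are copied from this page.

```python
"""Static breadth review of IAM Allow statements (added example, not AWS tooling)."""

# AmazonSageMakerGeospatialFullAccess, copied from this page.
GEOSPATIAL_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sagemaker-geospatial:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {"StringEquals": {
                "iam:PassedToService": ["sagemaker-geospatial.amazonaws.com"]}},
        },
    ],
}

# IAMPassOperationForEMRServerless, copied from the top of this page: the
# tighter shape to compare against (role-name prefix plus PassedToService).
CANVAS_EMR_PASSROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IAMPassOperationForEMRServerless",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": [
            "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
            "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
        ],
        "Condition": {"StringEquals": {
            "iam:PassedToService": "emr-serverless.amazonaws.com",
            "aws:ResourceAccount": "${aws:PrincipalAccount}"}},
    }],
}


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_broad_action(pattern):
    """'*' or 'service:*' grants every action of a service (or of all services)."""
    return pattern == "*" or pattern.endswith(":*")


def review_statement(stmt):
    """Return human-readable findings for one Allow statement (empty list = nothing flagged)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    condition = stmt.get("Condition", {})
    sid = stmt.get("Sid") or "/".join(actions)

    # Finding 1: wildcard action on every resource with no Condition at all.
    if any(_is_broad_action(a) for a in actions) and "*" in resources and not condition:
        findings.append(f"{sid}: wildcard action on all resources with no Condition")

    # Finding 2: iam:PassRole whose Resource covers every role in the account.
    if any(a.lower() == "iam:passrole" for a in actions) and any(
            r.endswith(":role/*") for r in resources):
        keys = {k for pairs in condition.values() for k in pairs}
        scope = (" (scoped only by iam:PassedToService)"
                 if "iam:PassedToService" in keys else " with no service scope")
        findings.append(f"{sid}: iam:PassRole on every role" + scope)
    return findings


def review_policy(policy):
    """Flatten the findings of every statement in a policy document."""
    return [f for stmt in policy["Statement"] for f in review_statement(stmt)]


if __name__ == "__main__":
    for name, doc in (("GeospatialFullAccess", GEOSPATIAL_FULL_ACCESS),
                      ("CanvasEMRPassRole", CANVAS_EMR_PASSROLE)):
        print(name, review_policy(doc) or ["no findings"])
```

The geospatial policy produces two findings and the Canvas statement none, which is the practical difference between "any role this service can assume" and "roles whose name announces their purpose". Treat the script as a first pass only; IAM Access Analyzer's `validate-policy` check performs a far more complete review of a policy document.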

## AWS managed policy: AmazonSageMakerGeospatialExecutionRole
<a name="security-iam-awsmanpol-AmazonSageMakerGeospatialExecutionRole"></a>

This policy grants the permissions commonly needed to use SageMaker geospatial.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to add and retrieve objects in Amazon S3 buckets. These objects are limited to those whose names contain "SageMaker", "Sagemaker", or "sagemaker".
+ `sagemaker-geospatial` – Allows principals to access Earth observation jobs through the `GetEarthObservationJob` API.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "s3:AbortMultipartUpload",
          "s3:PutObject",
          "s3:GetObject",
          "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker-geospatial:GetEarthObservationJob",
      "Resource": "arn:aws:sagemaker-geospatial:*:*:earth-observation-job/*"
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker-geospatial:GetRasterDataCollection",
      "Resource": "arn:aws:sagemaker-geospatial:*:*:raster-data-collection/*"
    }
  ]
}
```

------

## Amazon SageMaker AI updates to Amazon SageMaker geospatial managed policies
<a name="security-iam-awsmanpol-geospatial-updates"></a>

View details about updates to the SageMaker geospatial AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerGeospatialExecutionRole](#security-iam-awsmanpol-AmazonSageMakerGeospatialExecutionRole) – Update to an existing policy  | 2 |  Add the `sagemaker-geospatial:GetRasterDataCollection` permission  | May 10, 2023 | 
|  [AmazonSageMakerGeospatialFullAccess](#security-iam-awsmanpol-AmazonSageMakerGeospatialFullAccess) – New policy  | 1 |  Initial policy  | November 30, 2022 | 
| AmazonSageMakerGeospatialExecutionRole – New policy | 1 |  Initial policy  | November 30, 2022 | 

# AWS managed policies for Amazon SageMaker Ground Truth
<a name="security-iam-awsmanpol-ground-truth"></a>

These AWS managed policies add the permissions required to use SageMaker AI Ground Truth. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution)
+ [Amazon SageMaker AI updates to SageMaker AI Ground Truth managed policies](#security-iam-awsmanpol-groundtruth-updates)

## AWS managed policy: AmazonSageMakerGroundTruthExecution
<a name="security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution"></a>

This AWS managed policy grants the permissions commonly needed to use SageMaker AI Ground Truth.

**Permissions details**

This policy includes the following permissions.
+ `lambda` – Allows principals to invoke Lambda functions whose names contain "sagemaker" (case-insensitive), "GtRecipe", or "LabelingFunction".
+ `s3` – Allows principals to add and retrieve objects in Amazon S3 buckets. These objects are limited to those whose names contain "groundtruth" or "sagemaker" (case-insensitive), or that are tagged with "SageMaker".
+ `cloudwatch` – Allows principals to publish CloudWatch metrics.
+ `logs` – Allows principals to create and access log streams and to publish log events.
+ `sqs` – Allows principals to create Amazon SQS queues and to send and receive Amazon SQS messages. These permissions are limited to queues whose names contain "GroundTruth".
+ `sns` – Allows principals to subscribe to, and publish messages to, Amazon SNS topics whose names contain "groundtruth" or "sagemaker" (case-insensitive).
+ `ec2` – Allows principals to create, describe, and delete Amazon VPC endpoints whose VPC endpoint service name contains "sagemaker-task-resources" or "labeling".

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CustomLabelingJobs",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*GtRecipe*",
                "arn:aws:lambda:*:*:function:*LabelingFunction*",
                "arn:aws:lambda:*:*:function:*SageMaker*",
                "arn:aws:lambda:*:*:function:*sagemaker*",
                "arn:aws:lambda:*:*:function:*Sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*GroundTruth*",
                "arn:aws:s3:::*Groundtruth*",
                "arn:aws:s3:::*groundtruth*",
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Sid": "StreamingQueue",
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "arn:aws:sqs:*:*:*GroundTruth*"
        },
        {
            "Sid": "StreamingTopicSubscribe",
            "Effect": "Allow",
            "Action": "sns:Subscribe",
            "Resource": [
                "arn:aws:sns:*:*:*GroundTruth*",
                "arn:aws:sns:*:*:*Groundtruth*",
                "arn:aws:sns:*:*:*groundTruth*",
                "arn:aws:sns:*:*:*groundtruth*",
                "arn:aws:sns:*:*:*SageMaker*",
                "arn:aws:sns:*:*:*Sagemaker*",
                "arn:aws:sns:*:*:*sageMaker*",
                "arn:aws:sns:*:*:*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "sns:Protocol": "sqs"
                },
                "StringLike": {
                    "sns:Endpoint": "arn:aws:sqs:*:*:*GroundTruth*"
                }
            }
        },
        {
            "Sid": "StreamingTopic",
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": [
                "arn:aws:sns:*:*:*GroundTruth*",
                "arn:aws:sns:*:*:*Groundtruth*",
                "arn:aws:sns:*:*:*groundTruth*",
                "arn:aws:sns:*:*:*groundtruth*",
                "arn:aws:sns:*:*:*SageMaker*",
                "arn:aws:sns:*:*:*Sagemaker*",
                "arn:aws:sns:*:*:*sageMaker*",
                "arn:aws:sns:*:*:*sagemaker*"
            ]
        },
        {
            "Sid": "StreamingTopicUnsubscribe",
            "Effect": "Allow",
            "Action": [
                "sns:Unsubscribe"
            ],
            "Resource": "*"
        },
        {
            "Sid": "WorkforceVPC",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "ec2:VpceServiceName": [
                        "*sagemaker-task-resources*",
                        "aws.sagemaker*labeling*"
                    ]
                }
            }
        }
    ]
}
```

------
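Two kinds of guardrail recur in the policies on this page: tag and account conditions, such as the `EMRServerlessStartJobRunOperation` statement at the top of the page (`aws:RequestTag/sagemaker:is-canvas-resource` plus `aws:ResourceAccount` equal to `${aws:PrincipalAccount}`), and protocol and endpoint conditions, such as the `StreamingTopicSubscribe` statement in the Ground Truth policy above (`sns:Protocol` must be `sqs` and `sns:Endpoint` must match a GroundTruth queue). The following Python script is an added example written for this page, not AWS code; it implements a deliberately small approximation of IAM's evaluation (the `StringEquals`, `StringEqualsIgnoreCase` and `StringLike` operators, Action and Resource wildcards, and the `${aws:PrincipalAccount}` variable) over a constructed excerpt of those two statements and shows which requests they admit. The function names, the account IDs 111122223333 and 444455556666, and the application, queue and topic names are constructed for the demonstration.

```python
"""Small approximation of IAM policy evaluation (added example, not the IAM engine)."""
import fnmatch
import re

# Constructed excerpt of two statements copied from this page:
# EMRServerlessStartJobRunOperation (top of the page) and
# StreamingTopicSubscribe (AmazonSageMakerGroundTruthExecution).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EMRServerlessStartJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:StartJobRun",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {"StringEquals": {
                "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                "aws:ResourceAccount": "${aws:PrincipalAccount}"}},
        },
        {
            "Sid": "StreamingTopicSubscribe",
            "Effect": "Allow",
            "Action": "sns:Subscribe",
            "Resource": ["arn:aws:sns:*:*:*GroundTruth*", "arn:aws:sns:*:*:*groundtruth*"],
            "Condition": {
                "StringEquals": {"sns:Protocol": "sqs"},
                "StringLike": {"sns:Endpoint": "arn:aws:sqs:*:*:*GroundTruth*"}},
        },
    ],
}

# Only the operators the excerpt uses are modelled; StringEquals is case-sensitive.
_OPS = {
    "StringEquals": lambda actual, wanted: actual == wanted,
    "StringEqualsIgnoreCase": lambda actual, wanted: actual.lower() == wanted.lower(),
    "StringLike": lambda actual, wanted: fnmatch.fnmatchcase(actual, wanted),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(value, ctx):
    """Substitute ${key} policy variables (e.g. ${aws:PrincipalAccount}) from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(condition, ctx):
    """Every operator block and every key inside it must hold; a missing key fails."""
    for operator, pairs in condition.items():
        compare = _OPS[operator]          # KeyError: operator not modelled here
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:            # no ...IfExists variants modelled
                return False
            if not any(compare(actual, _expand(w, ctx)) for w in _as_list(wanted)):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement matches the request and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _expand(r, ctx)) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def canvas_start_job_run(request_tag, app_account, principal_account="111122223333"):
    """May a Canvas principal start a job run on an EMR Serverless application in app_account?"""
    ctx = {"aws:PrincipalAccount": principal_account, "aws:ResourceAccount": app_account}
    if request_tag is not None:           # None models a request that sends no tag
        ctx["aws:RequestTag/sagemaker:is-canvas-resource"] = request_tag
    app = f"arn:aws:emr-serverless:us-east-1:{app_account}:/applications/00f1demoapp"
    return is_allowed(POLICY, "emr-serverless:StartJobRun", app, ctx)


def ground_truth_subscribe(topic_arn, protocol, endpoint):
    """May the Ground Truth execution role subscribe `endpoint` to `topic_arn`?"""
    ctx = {"sns:Protocol": protocol, "sns:Endpoint": endpoint}
    return is_allowed(POLICY, "sns:Subscribe", topic_arn, ctx)


if __name__ == "__main__":
    print(canvas_start_job_run("True", "111122223333"))   # tagged, same account
    print(canvas_start_job_run("true", "111122223333"))   # wrong case: StringEquals fails
    print(canvas_start_job_run("True", "444455556666"))   # application in another account
    topic = "arn:aws:sns:us-east-1:111122223333:MyGroundTruthTopic"
    print(ground_truth_subscribe(topic, "sqs", "arn:aws:sqs:us-east-1:111122223333:MyGroundTruthQueue"))
    print(ground_truth_subscribe(topic, "email", "alice@example.com"))
```

Three things the run makes visible: `StringEquals` is case-sensitive, so a request tag value of `true` does not satisfy the `True` the policy expects; `aws:ResourceAccount` blocks starting jobs on applications owned by another account even when the tag is present; and the Ground Truth role can only wire a GroundTruth topic to a GroundTruth SQS queue, never to an e-mail or HTTP endpoint. For decisions that matter, use IAM's own simulator (`aws iam simulate-custom-policy`) rather than this approximation.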

## Amazon SageMaker AI updates to SageMaker AI Ground Truth managed policies
<a name="security-iam-awsmanpol-groundtruth-updates"></a>

View details about updates to the Amazon SageMaker AI Ground Truth AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution) – Update to an existing policy  | 3 |  Add the `ec2:CreateVpcEndpoint`, `ec2:DescribeVpcEndpoints`, and `ec2:DeleteVpcEndpoints` permissions.  | April 29, 2022 | 
| AmazonSageMakerGroundTruthExecution – Update to an existing policy | 2 |  Remove the `sqs:SendMessageBatch` permission.  | April 11, 2022 | 
| AmazonSageMakerGroundTruthExecution – New policy | 1 |  Initial policy  | July 20, 2020 | 

# AWS managed policies for Amazon SageMaker HyperPod
<a name="security-iam-awsmanpol-hyperpod"></a>

The following AWS managed policies add the permissions required to use Amazon SageMaker HyperPod. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console or by the HyperPod service-linked role.

**Topics**
+ [AWS managed policy: AmazonSageMakerHyperPodTrainingOperatorAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodTrainingOperatorAccess.md)
+ [AWS managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md)
+ [AWS managed policy: AmazonSageMakerHyperPodServiceRolePolicy](security-iam-awsmanpol-AmazonSageMakerHyperPodServiceRolePolicy.md)
+ [AWS managed policy: AmazonSageMakerClusterInstanceRolePolicy](security-iam-awsmanpol-AmazonSageMakerClusterInstanceRolePolicy.md)
+ [Amazon SageMaker AI updates to SageMaker HyperPod managed policies](#security-iam-awsmanpol-hyperpod-updates)

# AWS managed policy: AmazonSageMakerHyperPodTrainingOperatorAccess
<a name="security-iam-awsmanpol-AmazonSageMakerHyperPodTrainingOperatorAccess"></a>

This policy provides the administrative permissions required to set up the SageMaker HyperPod training operator. It allows access to SageMaker HyperPod and to Amazon EKS add-ons. The policy includes permissions to describe the SageMaker HyperPod resources in your account.

**Permissions details**

This policy includes the following permissions:
+ `sagemaker:DescribeClusterNode` – Allows users to return information about HyperPod clusters.

To view the permissions for this policy, see [AmazonSageMakerHyperPodTrainingOperatorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerHyperPodTrainingOperatorAccess.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess
<a name="security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess"></a>

This policy provides the administrative permissions required to set up Amazon SageMaker HyperPod observability. It allows access to Amazon Managed Service for Prometheus, Amazon Managed Grafana, and Amazon Elastic Kubernetes Service add-ons. The policy also includes broad access to the Grafana HTTP APIs through ServiceAccountTokens across all Amazon Managed Grafana workspaces in your account.

**Permissions details**  
The following list outlines the permissions included in this policy.
+ `prometheus` – Create and manage Amazon Managed Service for Prometheus workspaces and rule groups
+ `grafana` – Create and manage Amazon Managed Grafana workspaces and service accounts
+ `eks` – Create and manage the `amazon-sagemaker-hyperpod-observability` Amazon EKS add-on
+ `iam` – Pass specific IAM service roles to Amazon Managed Grafana and Amazon EKS
+ `sagemaker` – List and describe SageMaker HyperPod clusters
+ `sso` – Create and manage IAM Identity Center application instances for the Amazon Managed Grafana setup
+ `tag` – Tag Amazon Managed Service for Prometheus, Amazon Managed Grafana, and Amazon EKS add-on resources

To view the policy JSON, see [AmazonSageMakerHyperPodObservabilityAdminAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerHyperPodObservabilityAdminAccess.html).

# AWS managed policy: AmazonSageMakerHyperPodServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerHyperPodServiceRolePolicy"></a>

SageMaker HyperPod creates and uses a service-linked role named `AWSServiceRoleForSageMakerHyperPod`, with `AmazonSageMakerHyperPodServiceRolePolicy` attached to it. This policy grants Amazon SageMaker HyperPod permission to use related AWS services, such as Amazon EKS and Amazon CloudWatch.

A service-linked role makes setting up SageMaker HyperPod easier because you don't have to add the necessary permissions manually. SageMaker HyperPod defines the permissions of its service-linked role, and unless defined otherwise, only SageMaker HyperPod can assume that role. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

只有在首先删除相关资源后，您才能删除服务关联角色。这样可以保护您的 SageMaker HyperPod 资源，因为您不会无意中删除访问资源的权限。

有关支持服务相关角色的其他服务的信息，请参阅与 [IAM 配合使用的AWS 服务，](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)并在**服务相关角色**列中查找标有 “**是**” 的服务。选择**是**和链接，查看该服务的服务关联角色文档。

`AmazonSageMakerHyperPodServiceRolePolicy` SageMaker HyperPod 允许您代表您对指定资源完成以下操作。

**权限详细信息**

该服务关联角色策略包括以下权限。
+ `eks`：允许主体读取 Amazon Elastic Kubernetes（EKS）集群信息。
+ `logs`— 允许委托人将 Amazon CloudWatch 日志流发布到。`/aws/sagemaker/Clusters`

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSClusterDescribePermissions",
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "CloudWatchLogGroupPermissions",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "CloudWatchLogStreamPermissions",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

You must configure permissions to allow a user, group, or role to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for SageMaker HyperPod
<a name="create-slr"></a>

You don't need to create the service-linked role manually. When you create a SageMaker HyperPod cluster using the SageMaker AI console, the AWS CLI, or the AWS SDKs, SageMaker HyperPod creates the service-linked role for you.

If you delete this service-linked role and need to create it again, you can use the same process (create a new SageMaker HyperPod cluster) to recreate the role in your account.

## Editing a service-linked role for SageMaker HyperPod
<a name="edit-slr"></a>

SageMaker HyperPod doesn't allow you to edit the `AWSServiceRoleForSageMakerHyperPod` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference it. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for SageMaker HyperPod
<a name="delete-slr"></a>

If you no longer need a feature or service that requires a service-linked role, we recommend that you delete the role. That way you don't have an unused entity that isn't actively monitored or maintained. However, you must clean up the resources that use the service-linked role before you can delete it manually.

**To delete the SageMaker HyperPod cluster resources used by the service-linked role**

Use one of the following options to delete SageMaker HyperPod cluster resources.
+ [Delete a SageMaker HyperPod cluster using the SageMaker AI console](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-operate-slurm-console-ui.html#sagemaker-hyperpod-operate-slurm-console-ui-delete-cluster)
+ [Delete a SageMaker HyperPod cluster using the AWS CLI](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-operate-slurm-cli-command.html#sagemaker-hyperpod-operate-slurm-cli-command-delete-cluster)

**Note**  
If the SageMaker HyperPod service is still using the role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and try again.

**To delete the service-linked role manually using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForSageMakerHyperPod` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for SageMaker HyperPod service-linked roles
<a name="slr-regions"></a>

SageMaker HyperPod supports using service-linked roles in all of the Regions where the service is available. For more information, see [Prerequisites for SageMaker HyperPod](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-prerequisites.html).

# AWS managed policy: AmazonSageMakerClusterInstanceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerClusterInstanceRolePolicy"></a>

This policy grants the permissions commonly needed by the IAM role that SageMaker HyperPod cluster instances run under.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `cloudwatch` – Allows the principal to publish Amazon CloudWatch metrics, limited to the `/aws/sagemaker/Clusters` namespace.
+ `logs` – Allows the principal to create log groups and publish CloudWatch Logs log streams under `/aws/sagemaker/Clusters`.
+ `s3` – Allows the principal to list and retrieve lifecycle script files from Amazon S3 buckets in your account. Access is limited to buckets whose names begin with `sagemaker-` and, through the `aws:ResourceAccount` condition, to buckets owned by the same account as the role.
+ `ssmmessages` – Allows the principal to open connections to AWS Systems Manager. This is what lets the SSM agent on a node accept Session Manager sessions; who may start such a session is controlled separately by the `ssm:StartSession` permissions granted to your users, not by this policy.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Sid" : "CloudwatchLogStreamPublishPermissions",
      "Effect" : "Allow",
      "Action" : [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*"
      ]
    },
    {
      "Sid" : "CloudwatchLogGroupCreationPermissions",
      "Effect" : "Allow",
      "Action" : [
        "logs:CreateLogGroup"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*"
      ]
    },
    {
      "Sid" : "CloudwatchPutMetricDataAccess",
      "Effect" : "Allow",
      "Action" : [
        "cloudwatch:PutMetricData"
      ],
      "Resource" : [
        "*"
      ],
      "Condition" : {
        "StringEquals" : {
          "cloudwatch:namespace" : "/aws/sagemaker/Clusters"
        }
      }
    },
    {
      "Sid" : "DataRetrievalFromS3BucketPermissions",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource" : [
        "arn:aws:s3:::sagemaker-*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SSMConnectivityPermissions",
      "Effect" : "Allow",
      "Action" : [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource" : "*"
    }
  ]
}
```

------
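The statements to read first in the two HyperPod policies above are the ones that grant actions on `Resource: "*"`. The following Python audit is an example added here, not AWS code: it transcribes the two policy documents from this page into Python dictionaries and reports every `Allow` statement whose resource is the bare `*`, together with the condition keys that constrain it. A `*` resource is not wrong by itself. The statement that `cloudwatch:PutMetricData` and the `ssmmessages` channel actions do not support resource-level permissions comes from the IAM service authorization reference rather than from this page; for such actions `*` is the only option and any narrowing has to come from conditions, which is exactly what the audit surfaces.

```python
"""Audit which Allow statements in a managed policy fall back to Resource "*".

Added example for this page; it is not AWS code. The two policy documents are
transcribed from the AmazonSageMakerHyperPodServiceRolePolicy and
AmazonSageMakerClusterInstanceRolePolicy JSON shown on the page; the audit
logic and the finding format are this example's own.
"""

ACCOUNT_GUARD = "aws:ResourceAccount"

HYPERPOD_SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EKSClusterDescribePermissions", "Effect": "Allow",
         "Action": "eks:DescribeCluster", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
        {"Sid": "CloudWatchLogGroupPermissions", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup"],
         "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
        {"Sid": "CloudWatchLogStreamPermissions", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    ],
}

CLUSTER_INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudwatchLogStreamPublishPermissions", "Effect": "Allow",
         "Action": ["logs:PutLogEvents", "logs:CreateLogStream", "logs:DescribeLogStreams"],
         "Resource": ["arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*"]},
        {"Sid": "CloudwatchLogGroupCreationPermissions", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup"],
         "Resource": ["arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*"]},
        {"Sid": "CloudwatchPutMetricDataAccess", "Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData"], "Resource": ["*"],
         "Condition": {"StringEquals": {"cloudwatch:namespace": "/aws/sagemaker/Clusters"}}},
        {"Sid": "DataRetrievalFromS3BucketPermissions", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": ["arn:aws:s3:::sagemaker-*"],
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
        {"Sid": "SSMConnectivityPermissions", "Effect": "Allow",
         "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows Action, Resource and condition values to be a string or a list."""
    return value if isinstance(value, list) else [value]


def condition_keys(statement):
    """Every condition key the statement references, across all operators."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


def audit_wildcard_resources(policy):
    """One finding per Allow statement whose Resource element contains the bare "*".

    Each finding records the actions granted, the condition keys that narrow
    the grant, whether one of them is the same-account guard, and whether the
    statement has no condition at all.
    """
    findings = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(statement.get("Resource", [])):
            continue
        keys = condition_keys(statement)
        findings.append({
            "sid": statement.get("Sid", "<no Sid>"),
            "actions": sorted(_as_list(statement["Action"])),
            "condition_keys": sorted(keys),
            "account_scoped": ACCOUNT_GUARD in keys,
            "unconditioned": not keys,
        })
    return findings


def unconditioned_sids(policy):
    """Sids that allow actions on "*" with no Condition at all: review these first."""
    return [f["sid"] for f in audit_wildcard_resources(policy) if f["unconditioned"]]


if __name__ == "__main__":
    for name, policy in [("HyperPod service-linked role", HYPERPOD_SERVICE_ROLE_POLICY),
                         ("HyperPod cluster instance role", CLUSTER_INSTANCE_ROLE_POLICY)]:
        print(f"{name}:")
        for finding in audit_wildcard_resources(policy):
            print(f"  {finding['sid']}: {finding['actions']} keys={finding['condition_keys']}")
```

Run against the two documents, the service-linked role policy produces a single finding (`eks:DescribeCluster`, guarded by `aws:ResourceAccount`), while the instance role policy produces two: `cloudwatch:PutMetricData`, narrowed only by the metric namespace, and the `ssmmessages` statement, which has no condition. The same function can be pointed at any policy document fetched with `aws iam get-policy-version`.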

## Amazon SageMaker AI updates to SageMaker HyperPod managed policies
<a name="security-iam-awsmanpol-hyperpod-updates"></a>

View details about updates to AWS managed policies for SageMaker HyperPod since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerHyperPodTrainingOperatorAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodTrainingOperatorAccess.md) – New policy  | 1 |  Initial policy  | August 22, 2025 | 
|  [AmazonSageMakerHyperPodObservabilityAdminAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md) – Update to an existing policy  | 2 |  Updated the policy to narrow the role scope to a fixed value that includes the `service-role` prefix. Also added the `eks:DeletePodIdentityAssociation` and `eks:UpdatePodIdentityAssociation` permissions required for end-to-end administrative operations.  | August 19, 2025 | 
|  [AmazonSageMakerHyperPodObservabilityAdminAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md) – New policy  | 1 |  Initial policy  | July 10, 2025 | 
|  [AmazonSageMakerHyperPodServiceRolePolicy](security-iam-awsmanpol-AmazonSageMakerHyperPodServiceRolePolicy.md) – New policy  | 1 |  Initial policy  | September 9, 2024 | 
|  [AmazonSageMakerClusterInstanceRolePolicy](security-iam-awsmanpol-AmazonSageMakerClusterInstanceRolePolicy.md) – New policy  | 1 |  Initial policy  | November 29, 2023 | 

# AWS managed policies for SageMaker AI model governance
<a name="security-iam-awsmanpol-governance"></a>

This AWS managed policy adds the permissions needed to use SageMaker AI model governance. The policy is available in your AWS account and is used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerModelGovernanceUseAccess](#security-iam-awsmanpol-governance-AmazonSageMakerModelGovernanceUseAccess)
+ [Amazon SageMaker AI updates to SageMaker AI model governance managed policies](#security-iam-awsmanpol-governance-updates)

## AWS managed policy: AmazonSageMakerModelGovernanceUseAccess
<a name="security-iam-awsmanpol-governance-AmazonSageMakerModelGovernanceUseAccess"></a>

This AWS managed policy grants the permissions needed to use all Amazon SageMaker AI Governance features. The policy is available in your AWS account.

The policy includes the following permissions.
+ `sagemaker` – Create, read, update, delete, and export model cards; list and update monitoring alerts and start or stop monitoring schedules; describe model packages and model package groups; list and describe training jobs and models; search; and add, list, and delete tags. All of these apply to any SageMaker AI resource (`Resource: "*"`).
+ `s3` – Get and put objects, create buckets, and get bucket locations, limited to ARNs that contain the string `SageMaker`, `Sagemaker`, or `sagemaker`. IAM resource matching is case-sensitive, so only those three spellings are covered (a bucket named with `sageMaker` or `SAGEMAKER` is not). The policy also allows listing any bucket and listing all buckets in the account. No `aws:ResourceAccount` condition is applied, so whether a matching bucket in another account is reachable depends on that bucket's policy.
+ `kms` – List AWS KMS key aliases (`kms:ListAliases`) so that keys can be chosen for content encryption.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSMMonitoringModelCards",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListMonitoringAlerts",
                "sagemaker:ListMonitoringExecutions",
                "sagemaker:UpdateMonitoringAlert",
                "sagemaker:StartMonitoringSchedule",
                "sagemaker:StopMonitoringSchedule",
                "sagemaker:ListMonitoringAlertHistory",
                "sagemaker:DescribeModelPackage",
                "sagemaker:DescribeModelPackageGroup",
                "sagemaker:CreateModelCard",
                "sagemaker:DescribeModelCard",
                "sagemaker:UpdateModelCard",
                "sagemaker:DeleteModelCard",
                "sagemaker:ListModelCards",
                "sagemaker:ListModelCardVersions",
                "sagemaker:CreateModelCardExportJob",
                "sagemaker:DescribeModelCardExportJob",
                "sagemaker:ListModelCardExportJobs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSMTrainingModelsSearchTags",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListTrainingJobs",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:ListModels",
                "sagemaker:DescribeModel",
                "sagemaker:Search",
                "sagemaker:AddTags",
                "sagemaker:DeleteTags",
                "sagemaker:ListTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowKMSActions",
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowS3Actions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:CreateBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Sid": "AllowS3ListActions",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Amazon SageMaker AI updates to SageMaker AI model governance managed policies
<a name="security-iam-awsmanpol-governance-updates"></a>

View details about updates to AWS managed policies for SageMaker AI model governance since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerModelGovernanceUseAccess](#security-iam-awsmanpol-governance-AmazonSageMakerModelGovernanceUseAccess) – Update to an existing policy   | 3 |  Added statement IDs (`Sid`).  | June 4, 2024 | 
| AmazonSageMakerModelGovernanceUseAccess – Update to an existing policy | 2 |  Added the `sagemaker:DescribeModelPackage` and `sagemaker:DescribeModelPackageGroup` permissions.  | July 17, 2023 | 
| AmazonSageMakerModelGovernanceUseAccess – New policy | 1 | Initial policy | November 30, 2022 | 

# AWS managed policies for Model Registry
<a name="security-iam-awsmanpol-model-registry"></a>

These AWS managed policies add the permissions needed to use Model Registry. The policies are available in your AWS account and are used by execution roles created from the Amazon SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerModelRegistryFullAccess](#security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess)
+ [Amazon SageMaker AI updates to Model Registry managed policies](#security-iam-awsmanpol-model-registry-updates)

## AWS managed policy: AmazonSageMakerModelRegistryFullAccess
<a name="security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess"></a>

This AWS managed policy grants the permissions needed to use all Model Registry features within an Amazon SageMaker AI domain. The policy is attached to the execution role when you configure the Model Registry settings to enable Model Registry permissions.

The policy includes the following permissions.
+ `ecr` – Allows the principal to retrieve Amazon Elastic Container Registry (Amazon ECR) images and their metadata (`ecr:BatchGetImage`, `ecr:DescribeImages`) from any repository.
+ `iam` – Allows the principal to pass IAM roles to the Amazon SageMaker AI service. The resource is `arn:aws:iam::*:role/*`, so the `iam:PassedToService` condition is the only restriction; it stops the role from being passed to other services, but any role that SageMaker AI can assume may be passed, which makes the trust policy of each role the remaining control.
+ `resource-groups` – Allows the principal to create, list, tag, and delete AWS Resource Groups. Creating and tagging a group requires the `sagemaker:collection` tag key in the request, and deleting is limited to groups tagged `sagemaker:collection` with the value `true`.
+ `s3` – Allows the principal to retrieve objects from the Amazon Simple Storage Service (Amazon S3) buckets where model versions are stored, and to list any bucket. Retrieval is limited to ARNs that contain the string `SageMaker`, `Sagemaker`, or `sagemaker`; matching is case-sensitive and no account condition is applied.
+ `sagemaker` – Allows the principal to catalog, manage, and deploy models with Model Registry, including creating models, endpoint configurations, endpoints, and inference recommendation jobs, on any SageMaker AI resource.
+ `kms` – Allows creating grants, describing keys, generating data keys, and decrypting with AWS KMS keys, but only when the request is made through the SageMaker AI service on the principal's behalf (`kms:ViaService` matching `sagemaker.*.amazonaws.com`) and only for keys tagged `sagemaker` with the value `true`. Direct KMS calls by the principal are not covered.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonSageMakerModelRegistrySageMakerReadPermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeAction",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:ListAssociations",
        "sagemaker:ListArtifacts",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackages",
        "sagemaker:Search",
        "sagemaker:GetSearchSuggestions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistrySageMakerWritePermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteTags",
        "sagemaker:UpdateModelPackage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryS3GetPermission",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AmazonSageMakerModelRegistryS3ListPermission",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryECRReadPermission",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryIAMPassRolePermission",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryTagReadPermission",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupGetPermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:GetGroupQuery"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupListPermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:ListGroupResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupWritePermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:CreateGroup",
        "resource-groups:Tag"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "sagemaker:collection"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupDeletePermission",
      "Effect": "Allow",
      "Action": "resource-groups:DeleteGroup",
      "Resource": "arn:aws:resource-groups:*:*:group/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:collection": "true"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceKMSPermission",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:*:*:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker" : "true"
        },
        "StringLike": {
          "kms:ViaService": "sagemaker.*.amazonaws.com"
        }
      }
    }
  ]
}
```

------

## Amazon SageMaker AI updates to Model Registry managed policies
<a name="security-iam-awsmanpol-model-registry-updates"></a>

View details about updates to AWS managed policies for Model Registry since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerModelRegistryFullAccess](#security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess) – Update to an existing policy | 2 |  Added the `kms:CreateGrant`, `kms:DescribeKey`, `kms:GenerateDataKey`, and `kms:Decrypt` permissions.  | June 6, 2024 | 
| AmazonSageMakerModelRegistryFullAccess – New policy | 1 |  Initial policy  | April 12, 2023 | 

# AWS managed policies for SageMaker notebooks
<a name="security-iam-awsmanpol-notebooks"></a>

These AWS managed policies add the permissions needed to use SageMaker notebooks. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy)
+ [Amazon SageMaker AI updates to SageMaker AI notebooks managed policies](#security-iam-awsmanpol-notebooks-updates)

## AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy"></a>

This AWS managed policy grants the permissions commonly needed to use Amazon SageMaker notebooks. The policy is attached to the `AWSServiceRoleForAmazonSageMakerNotebooks` service-linked role that is created when you onboard to Amazon SageMaker Studio Classic. For more information about service-linked roles, see [Service-linked roles](security_iam_service-with-iam.md#security_iam_service-with-iam-roles-service-linked). For the current policy document, see [AmazonSageMakerNotebooksServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerNotebooksServiceRolePolicy.html).

**Permissions details**

The policy includes the following permissions.
+ `elasticfilesystem` – Allows the principal to create and delete Amazon Elastic File System (Amazon EFS) file systems, access points, and mount targets. These operations are limited to resources tagged with the key *ManagedByAmazonSageMakerResource*; file system and access point creation additionally requires that tag in the request. Allows the principal to describe all EFS file systems, access points, and mount targets, and to create or overwrite tags on EFS file systems and access points that already carry the tag.
+ `ec2` – Allows the principal to create, describe, modify, and delete network interfaces and to create security groups for Amazon Elastic Compute Cloud (Amazon EC2), and to create and overwrite tags on those resources. Managing security group rules, deleting security groups, and managing network interface permissions are limited to resources tagged with *ManagedByAmazonSageMakerResource*.
+ `sso` – Allows the principal to add, read, and remove managed application instances in AWS IAM Identity Center.
+ `sagemaker` – Allows the principal to create and read SageMaker AI user profiles; create, read, and delete SageMaker AI spaces whose names begin with `CanvasManagedSpace-`; delete SageMaker AI apps; and add tags (only during `CreateSpace`) and list tags on those spaces.
+ `fsx` – Allows the principal to describe Amazon FSx for Lustre file systems in the same account so they can be mounted, with their metadata, on notebooks.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFSxDescribe",
            "Effect": "Allow",
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AllowSageMakerDeleteApp",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DeleteApp"
            ],
            "Resource": "arn:aws:sagemaker:*:*:app/*"
        },
        {
            "Sid": "AllowEFSAccessPointCreation",
            "Effect": "Allow",
            "Action": "elasticfilesystem:CreateAccessPoint",
            "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
                    "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSAccessPointDeletion",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DeleteAccessPoint"
            ],
            "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSCreation",
            "Effect": "Allow",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSMountWithDeletion",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSDescribe",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEFSTagging",
            "Effect": "Allow",
            "Action": "elasticfilesystem:TagResource",
            "Resource": [
                "arn:aws:elasticfilesystem:*:*:access-point/*",
                "arn:aws:elasticfilesystem:*:*:file-system/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEC2Tagging",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Sid": "AllowEC2Operations",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEC2AuthZ",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowIdcOperations",
            "Effect": "Allow",
            "Action": [
                "sso:CreateManagedApplicationInstance",
                "sso:DeleteManagedApplicationInstance",
                "sso:GetManagedApplicationInstance"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSagemakerProfileCreation",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateUserProfile",
                "sagemaker:DescribeUserProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateSpace",
                "sagemaker:DescribeSpace",
                "sagemaker:DeleteSpace",
                "sagemaker:ListTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*"
        },
        {
            "Sid": "AllowSagemakerAddTagsForAppManagedSpaces",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*",
            "Condition": {
                "StringEquals": {
                    "sagemaker:TaggingAction": "CreateSpace"
                }
            }
        }
    ]
}
```

------
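Most of the narrowing in the Model Registry and notebooks policies above is done by `Condition` blocks rather than by resource ARNs: `iam:PassedToService` on the `iam:PassRole` statement, `ForAnyValue:StringEquals` on `aws:TagKeys` for resource groups, `kms:ViaService` plus a key tag for KMS, and `StringLike` with `*` on the `ManagedByAmazonSageMakerResource` tag for EFS and EC2. The following Python evaluator is an example added here, not AWS code and not a full IAM engine: it supports only the operators those conditions use, copies the condition blocks from the policy JSON on this page, and evaluates them against request contexts constructed here (the account IDs are placeholders). It shows, for instance, that a missing `kms:ViaService` key (a direct KMS call) fails the condition, and that an EFS file system without the tag cannot be deleted by the service-linked role.

```python
"""Evaluate IAM Condition blocks from the Model Registry and notebooks policies.

Added example for this page (not AWS code and not a complete IAM evaluator):
it handles StringEquals, StringLike, the ForAnyValue/ForAllValues set
qualifiers and ${...} policy variables, which is all that the conditions
quoted on this page use. The Condition blocks are copied from the
AmazonSageMakerModelRegistryFullAccess and
AmazonSageMakerNotebooksServiceRolePolicy JSON; the request contexts are
constructed here.
"""
import re
from fnmatch import fnmatchcase

# Condition blocks transcribed from the policies on this page.
PASSROLE_CONDITION = {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}
GROUP_CREATE_CONDITION = {"ForAnyValue:StringEquals": {"aws:TagKeys": "sagemaker:collection"}}
KMS_CONDITION = {
    "StringEquals": {"aws:ResourceTag/sagemaker": "true"},
    "StringLike": {"kms:ViaService": "sagemaker.*.amazonaws.com"},
}
EFS_DELETE_CONDITION = {"StringLike": {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"}}
FSX_DESCRIBE_CONDITION = {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}


def substitute_variables(value, context):
    """Expand ${key} policy variables from the request context; unknown ones stay literal."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(context.get(m.group(1), m.group(0))), value)


def _compare(operator, expected, actual):
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringLike":
        # fnmatchcase is case-sensitive and treats '*' and '?' the way IAM does.
        # It also treats '[...]' as a character class, which IAM does not, so the
        # condition values used here deliberately contain no '['.
        return fnmatchcase(actual, expected)
    raise ValueError(f"operator not supported by this example: {operator}")


def evaluate_condition(condition, context):
    """True only if every operator block, and every key inside it, is satisfied.

    Rules mirrored from IAM: a missing single-valued key makes the condition
    false; ForAnyValue needs at least one context value to match; ForAllValues
    needs every context value to match and is true when the key is absent,
    which is why it is risky in Allow statements.
    """
    for operator, pairs in condition.items():
        quantifier, _, base = operator.rpartition(":")
        for key, expected in pairs.items():
            expected_values = [substitute_variables(v, context)
                               for v in (expected if isinstance(expected, list) else [expected])]
            raw = context.get(key)
            if raw is None:
                if quantifier == "ForAllValues":
                    continue
                return False
            actual_values = raw if isinstance(raw, list) else [raw]
            if quantifier == "ForAnyValue":
                ok = any(_compare(base, e, a) for a in actual_values for e in expected_values)
            elif quantifier == "ForAllValues":
                ok = all(any(_compare(base, e, a) for e in expected_values) for a in actual_values)
            else:
                ok = any(_compare(base, e, actual_values[0]) for e in expected_values)
            if not ok:
                return False
    return True


def scenarios():
    """Constructed request contexts; 111122223333 and 444455556666 are placeholder account IDs."""
    return {
        "PassRole to SageMaker AI": evaluate_condition(
            PASSROLE_CONDITION, {"iam:PassedToService": "sagemaker.amazonaws.com"}),
        "PassRole to Lambda": evaluate_condition(
            PASSROLE_CONDITION, {"iam:PassedToService": "lambda.amazonaws.com"}),
        "CreateGroup with the collection tag key": evaluate_condition(
            GROUP_CREATE_CONDITION, {"aws:TagKeys": ["sagemaker:collection", "team"]}),
        "CreateGroup with no tags": evaluate_condition(GROUP_CREATE_CONDITION, {}),
        "KMS via SageMaker AI, key tagged sagemaker=true": evaluate_condition(
            KMS_CONDITION, {"aws:ResourceTag/sagemaker": "true",
                            "kms:ViaService": "sagemaker.us-west-2.amazonaws.com"}),
        "KMS called directly, key tagged": evaluate_condition(
            KMS_CONDITION, {"aws:ResourceTag/sagemaker": "true"}),
        "Delete EFS file system carrying the tag": evaluate_condition(
            EFS_DELETE_CONDITION, {"aws:ResourceTag/ManagedByAmazonSageMakerResource": "d-abc123"}),
        "Delete untagged EFS file system": evaluate_condition(EFS_DELETE_CONDITION, {}),
        "Describe FSx in own account": evaluate_condition(
            FSX_DESCRIBE_CONDITION, {"aws:PrincipalAccount": "111122223333",
                                     "aws:ResourceAccount": "111122223333"}),
        "Describe FSx in another account": evaluate_condition(
            FSX_DESCRIBE_CONDITION, {"aws:PrincipalAccount": "111122223333",
                                     "aws:ResourceAccount": "444455556666"}),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'allow' if allowed else 'deny ':5}  {name}")
```

The evaluator only answers whether the condition holds; IAM still requires the action and resource to match and no explicit deny elsewhere. It is enough, though, to reason about the cases above before testing them for real with `aws iam simulate-principal-policy`.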

## Amazon SageMaker AI updates to SageMaker AI notebooks managed policies
<a name="security-iam-awsmanpol-notebooks-updates"></a>

View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) – Update to an existing policy  | 10 |  Added the `fsx:DescribeFileSystems` permission  | November 14, 2024 | 
|  [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) – Update to an existing policy  | 9 |  Added the `sagemaker:DeleteApp` permission  | July 24, 2024 | 
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 8 |  Added the `sagemaker:CreateSpace`, `sagemaker:DescribeSpace`, `sagemaker:DeleteSpace`, `sagemaker:ListTags`, and `sagemaker:AddTags` permissions.  | May 22, 2024 | 
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 7 |  Added the `elasticfilesystem:TagResource` permission  | March 9, 2023 | 
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 6 |  Added the `elasticfilesystem:CreateAccessPoint`, `elasticfilesystem:DeleteAccessPoint`, and `elasticfilesystem:DescribeAccessPoints` permissions.  | January 12, 2023 | 
|  |  |  SageMaker AI started tracking changes for its AWS managed policies.  | June 1, 2021 | 

# AWS managed policies for Amazon SageMaker Partner AI Apps
<a name="security-iam-awsmanpol-partner-apps"></a>

These AWS managed policies add the permissions needed to use Amazon SageMaker Partner AI Apps. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerPartnerAppsFullAccess](#security-iam-awsmanpol-AmazonSageMakerPartnerAppsFullAccess)
+ [Amazon SageMaker AI updates to Partner AI Apps managed policies](#security-iam-awsmanpol-partner-apps-updates)

## AWS managed policy: AmazonSageMakerPartnerAppsFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerAppsFullAccess"></a>

Provides full access to Amazon SageMaker Partner AI Apps.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Grants Amazon SageMaker Partner AI App users permission to list the available apps, describe an app, generate a presigned URL that launches the app's web UI, and call the app's API through the app SDK. The describe, presigned URL, and API call actions are limited to partner apps owned by the caller's own account through the `aws:ResourceAccount` condition. A presigned URL grants whoever holds it access to the app UI, so treat it as a credential and do not log or share it.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonSageMakerPartnerListAppsPermission",
            "Effect": "Allow",
            "Action": "sagemaker:ListPartnerApps",
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerPartnerAppsPermission",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePartnerAppPresignedUrl",
                "sagemaker:DescribePartnerApp",
                "sagemaker:CallPartnerAppApi"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            },
            "Resource": "arn:aws:sagemaker:*:*:partner-app/*"
        }
    ]
}
```

------

## Amazon SageMaker AI updates to Partner AI Apps managed policies
<a name="security-iam-awsmanpol-partner-apps-updates"></a>

View details about updates to AWS managed policies for Partner AI Apps since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
| AmazonSageMakerPartnerAppsFullAccess – New policy | 1 |  Initial policy  | January 17, 2025 | 

# AWS managed policies for SageMaker Pipelines
<a name="security-iam-awsmanpol-pipelines"></a>

These AWS managed policies add the permissions needed to use SageMaker Pipelines. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations)
+ [Amazon SageMaker AI updates to SageMaker AI Pipelines managed policies](#security-iam-awsmanpol-pipelines-updates)

## AWS managed policy: AmazonSageMakerPipelinesIntegrations
<a name="security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations"></a>

This AWS managed policy grants the permissions commonly needed to use callback steps and Lambda steps in SageMaker Pipelines. The policy is added to the `AmazonSageMaker-ExecutionRole` that is created when you onboard to Amazon SageMaker Studio Classic. It can be attached to any role used to author or run pipelines.

The policy grants the Lambda, EventBridge, Amazon Simple Queue Service (Amazon SQS), and IAM permissions needed when building a pipeline that invokes AWS Lambda functions or includes callback steps, which can be used for manual approval steps or to run custom workloads.

The Amazon SQS permissions let you create the Amazon SQS queue needed to receive callback messages, and send messages to that queue.

The Lambda permissions let you create, read, update, and delete the Lambda functions used in pipeline steps, and invoke those functions.

The policy also grants the Amazon EMR permissions needed to run the Amazon EMR step of a pipeline.

**Permissions details**

The policy includes the following permissions.
+ `elasticmapreduce` – Read, add, and cancel steps on running Amazon EMR clusters. Read, create, and terminate Amazon EMR clusters.
+ `events` – Read, create, and update the EventBridge rules named `SageMakerPipelineExecutionEMRStepStatusUpdateRule` and `SageMakerPipelineExecutionEMRClusterStatusUpdateRule`, and add targets to them.
+ `iam` – Pass IAM roles to the AWS Lambda, Amazon EMR, and Amazon EC2 services. The resource is `arn:aws:iam::*:role/*`, so any role those services are trusted to assume can be passed; the `iam:PassedToService` condition is the only restriction.
+ `lambda` – Create, read, update, delete, and invoke Lambda functions. These permissions are limited to functions whose names contain `sagemaker`, `sageMaker`, or `SageMaker`. IAM resource matching is case-sensitive, so a function named with `Sagemaker` or `SAGEMAKER` is not covered.
+ `sqs` – Create Amazon SQS queues and send Amazon SQS messages. These permissions are limited to queues whose names contain `sagemaker`, `sageMaker`, or `SageMaker`, with the same case-sensitivity caveat.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*sagemaker*",
                "arn:aws:lambda:*:*:function:*sageMaker*",
                "arn:aws:lambda:*:*:function:*SageMaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:SendMessage"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:*sagemaker*",
                "arn:aws:sqs:*:*:*sageMaker*",
                "arn:aws:sqs:*:*:*SageMaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "elasticmapreduce.amazonaws.com",
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:PutRule",
                "events:PutTargets"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/SageMakerPipelineExecutionEMRStepStatusUpdateRule",
                "arn:aws:events:*:*:rule/SageMakerPipelineExecutionEMRClusterStatusUpdateRule"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:AddJobFlowSteps",
                "elasticmapreduce:CancelSteps",
                "elasticmapreduce:DescribeStep",
                "elasticmapreduce:RunJobFlow",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:TerminateJobFlows",
                "elasticmapreduce:ListSteps"
            ],
            "Resource": [
                "arn:aws:elasticmapreduce:*:*:cluster/*"
            ]
        }
    ]
}
```

------
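Several policies on this page scope S3, Lambda, and SQS access by name rather than by account: the model governance and Model Registry policies match `*SageMaker*`, `*Sagemaker*`, and `*sagemaker*` S3 ARNs, and the Pipelines policy above matches `*sagemaker*`, `*sageMaker*`, and `*SageMaker*` Lambda and SQS ARNs. The two lists cover different capitalizations, and IAM matching is case-sensitive. The following Python matcher is an example added here, not AWS code: it implements IAM's `*` and `?` wildcard rules, copies the three pattern lists from the policy JSON on this page, and checks constructed ARNs (the account IDs are placeholders) to show which names fall outside each list and that a matching name in another account is also matched, because none of these statements carries an `aws:ResourceAccount` condition; whether such access then succeeds depends on the other account's resource policy.

```python
"""Check which resource ARNs a managed policy's name patterns actually cover.

Added example for this page (not AWS code). The patterns are copied from the
S3 statements of AmazonSageMakerModelGovernanceUseAccess and
AmazonSageMakerModelRegistryFullAccess and from the Lambda and SQS statements
of AmazonSageMakerPipelinesIntegrations; the matcher and the sample ARNs are
constructed here.
"""
import re

S3_PATTERNS = [
    "arn:aws:s3:::*SageMaker*",
    "arn:aws:s3:::*Sagemaker*",
    "arn:aws:s3:::*sagemaker*",
]
LAMBDA_PATTERNS = [
    "arn:aws:lambda:*:*:function:*sagemaker*",
    "arn:aws:lambda:*:*:function:*sageMaker*",
    "arn:aws:lambda:*:*:function:*SageMaker*",
]
SQS_PATTERNS = [
    "arn:aws:sqs:*:*:*sagemaker*",
    "arn:aws:sqs:*:*:*sageMaker*",
    "arn:aws:sqs:*:*:*SageMaker*",
]


def iam_pattern_to_regex(pattern):
    """Translate an IAM Resource pattern into an anchored regex.

    IAM wildcard rules: '*' matches any run of characters (including none),
    '?' matches exactly one character, and everything else is compared
    literally and case-sensitively. Unlike fnmatch, '[' has no special meaning.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matching_patterns(patterns, arn):
    """Return the patterns that match the ARN; an empty list means no access from this statement."""
    return [p for p in patterns if iam_pattern_to_regex(p).match(arn)]


def resource_matches(patterns, arn):
    return bool(matching_patterns(patterns, arn))


# Constructed sample ARNs; 111122223333 and 999999999999 are placeholder account IDs.
SAMPLE_ARNS = {
    "arn:aws:s3:::my-sagemaker-bucket": S3_PATTERNS,                     # bucket ARN (ListBucket)
    "arn:aws:s3:::my-sagemaker-bucket/model.tar.gz": S3_PATTERNS,        # object ARN (GetObject)
    "arn:aws:s3:::team-sageMaker-data/model.tar.gz": S3_PATTERNS,        # 'sageMaker' not in the S3 list
    "arn:aws:s3:::prod-SAGEMAKER/model.tar.gz": S3_PATTERNS,             # upper case: in no list
    "arn:aws:lambda:us-east-1:111122223333:function:team-sageMaker-callback": LAMBDA_PATTERNS,
    "arn:aws:lambda:us-east-1:111122223333:function:MySagemakerCallback": LAMBDA_PATTERNS,  # 'Sagemaker' not in the Lambda list
    "arn:aws:sqs:us-east-1:999999999999:partner-sagemaker-callbacks": SQS_PATTERNS,  # other account, still matched
}


def coverage_report(samples=SAMPLE_ARNS):
    """Map each sample ARN to the patterns that match it."""
    return {arn: matching_patterns(patterns, arn) for arn, patterns in samples.items()}


if __name__ == "__main__":
    for arn, matched in coverage_report().items():
        print(f"{'match' if matched else 'none ':5}  {arn}  {matched}")
```

Use the same matcher before naming a bucket, function, or queue that a role with one of these policies must reach, and when reviewing whether a name-based allow list reaches further than intended: any principal holding the policy can address every resource whose name contains one of the three strings.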

## Amazon SageMaker AI updates to SageMaker AI Pipelines managed policies
<a name="security-iam-awsmanpol-pipelines-updates"></a>

View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) – Update to an existing policy  | 3 |   Added the `elasticmapreduce:RunJobFlow`, `elasticmapreduce:TerminateJobFlows`, `elasticmapreduce:ListSteps`, and `elasticmapreduce:DescribeCluster` permissions.  | February 17, 2023 | 
|  [AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) – Update to an existing policy  | 2 |  Added the `lambda:GetFunction`, `events:DescribeRule`, `events:PutRule`, `events:PutTargets`, `elasticmapreduce:AddJobFlowSteps`, `elasticmapreduce:CancelSteps`, and `elasticmapreduce:DescribeStep` permissions.  | April 20, 2022 | 
| AmazonSageMakerPipelinesIntegrations – New policy | 1 |  Initial policy  | July 30, 2021 | 

# AWS managed policies for SageMaker training plans
<a name="security-iam-awsmanpol-training-plan"></a>

This AWS managed policy grants the permissions needed to create and manage Amazon SageMaker training plans and reserved capacity in SageMaker AI. The policy can be attached to the IAM roles used to create and manage training plans and reserved capacity in SageMaker AI, including your [SageMaker AI execution role](sagemaker-roles.md).

**Topics**
+ [AWS managed policy: AmazonSageMakerTrainingPlanCreateAccess](#security-iam-awsmanpol-AmazonSageMakerTrainingPlanCreateAccess)
+ [Amazon SageMaker AI updates to SageMaker training plan managed policies](#security-iam-awsmanpol-training-plan-updates)

## AWS managed policy: AmazonSageMakerTrainingPlanCreateAccess
<a name="security-iam-awsmanpol-AmazonSageMakerTrainingPlanCreateAccess"></a>

This policy provides the permissions needed to create, describe, search for, and list training plans in SageMaker AI. It also allows adding tags to training plan and reserved capacity resources under specific conditions.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` – Create training plans and reserved capacity; add tags to training plans and reserved capacity only when the tagging action is `CreateTrainingPlan` or `CreateReservedCapacity`; describe training plans; search training plan offerings and list existing training plans across all resources.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "CreateTrainingPlanPermissions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateTrainingPlan",
        "sagemaker:CreateReservedCapacity",
        "sagemaker:DescribeReservedCapacity"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AggTagsToTrainingPlanPermissions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": ["CreateTrainingPlan","CreateReservedCapacity"]
        }
      }
    },
    {
      "Sid": "DescribeTrainingPlanPermissions",
      "Effect": "Allow",
      "Action": "sagemaker:DescribeTrainingPlan",
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*"
      ]
    },
    {
      "Sid": "NonResourceLevelTrainingPlanPermissions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:SearchTrainingPlanOfferings",
        "sagemaker:ListTrainingPlans"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListUltraServersByReservedCapacityPermissions",
      "Effect": "Allow",
      "Action": "sagemaker:ListUltraServersByReservedCapacity",
      "Resource": [
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    }
  ]
}
```

------

## Amazon SageMaker AI updates to SageMaker training plan managed policies
<a name="security-iam-awsmanpol-training-plan-updates"></a>

View details about updates to Amazon SageMaker AI AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  AmazonSageMakerTrainingPlanCreateAccess – Updated policy  | 2 | Updated the policy to add permissions to retrieve information about a specific reserved capacity and to list all UltraServers by reserved capacity. | July 29, 2024 | 
| AmazonSageMakerTrainingPlanCreateAccess – New policy | 1 |  Initial policy  | December 4, 2024 | 

# AWS managed policies for SageMaker Projects and JumpStart
<a name="security-iam-awsmanpol-sc"></a>

These AWS managed policies add permissions to use built-in Amazon SageMaker AI project templates and JumpStart solutions. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

SageMaker Projects and JumpStart use AWS Service Catalog to provision AWS resources in customers' accounts. Some of the created resources need to assume an execution role. For example, if AWS Service Catalog creates a CodePipeline pipeline for a SageMaker AI machine learning CI/CD project on behalf of a customer, that pipeline requires an IAM role.

The [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) role has the permissions required to launch the SageMaker AI portfolio of products from AWS Service Catalog. The [AmazonSageMakerServiceCatalogProductsUseRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsUseRole) role has the permissions required to use the SageMaker AI portfolio of products from AWS Service Catalog. The `AmazonSageMakerServiceCatalogProductsLaunchRole` role passes the `AmazonSageMakerServiceCatalogProductsUseRole` role to the provisioned AWS Service Catalog product resources.

**Topics**
+ [AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy)
+ [Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies](#security-iam-awsmanpol-sc-updates)

## AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy"></a>

This service role policy is used by AWS Service Catalog to provision products from the Amazon SageMaker AI portfolio. The policy grants permissions to a set of related AWS services, including AWS CodePipeline, AWS CodeBuild, AWS CodeCommit, AWS CloudFormation, AWS Glue, and others.

The `AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy` policy is intended to be used by the `AmazonSageMakerServiceCatalogProductsLaunchRole` role created from the SageMaker AI console. The policy adds permissions to provision AWS resources for SageMaker Projects and JumpStart using Service Catalog in a customer's account.

**Permissions details**

This policy includes the following permissions.
+ `apigateway` – Allows the role to call API Gateway endpoints that are tagged with `sagemaker:launch-source`.
+ `cloudformation` – Allows AWS Service Catalog to create, update, and delete CloudFormation stacks. Also allows Service Catalog to tag and untag resources.
+ `codebuild` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodeBuild projects.
+ `codecommit` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodeCommit repositories.
+ `codepipeline` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodePipelines.
+ `codeconnections`, `codestar-connections` – Also allows the role to pass AWS CodeConnections and AWS CodeStar connections.
+ `cognito-idp` – Allows the role to create, update, and delete groups and user pools. Also allows tagging resources.
+ `ecr` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete Amazon ECR repositories. Also allows tagging resources.
+ `events` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete EventBridge rules. Used to tie together the various components of the CI/CD pipeline.
+ `firehose` – Allows the role to interact with Firehose streams.
+ `glue` – Allows the role to interact with AWS Glue.
+ `iam` – Allows the role to pass roles prefixed with `AmazonSageMakerServiceCatalog`. This is needed when Projects provisions an AWS Service Catalog product, because a role must be passed to AWS Service Catalog.
+ `lambda` – Allows the role to interact with AWS Lambda. Also allows tagging resources.
+ `logs` – Allows the role to create, delete, and access log streams.
+ `s3` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to access the Amazon S3 buckets where the project template code is stored.
+ `sagemaker` – Allows the role to interact with various SageMaker AI services. This happens both during CloudFormation template provisioning and during CodeBuild execution of the CI/CD pipeline. Also allows tagging the following resources: endpoints, endpoint configs, models, pipelines, projects, and model packages.
+ `states` – Allows the role to create, delete, and update Step Functions prefixed with `sagemaker`.

To view the permissions for this policy, see [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy"></a>

This policy is used by Amazon API Gateway within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by API Gateway that require a role.

**Permissions details**

This policy includes the following permissions.
+ `lambda` – Invoke functions created by partner templates.
+ `sagemaker` – Invoke endpoints created by partner templates.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:sagemaker-*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker:InvokeEndpoint",
      "Resource": "arn:aws:sagemaker:*:*:endpoint/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy"></a>

This policy is used by AWS CloudFormation within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by CloudFormation that require a role.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Pass the `AmazonSageMakerServiceCatalogProductsLambdaRole` and `AmazonSageMakerServiceCatalogProductsApiGatewayRole` roles.
+ `lambda` – Create, update, delete, and invoke AWS Lambda functions; get, publish, and delete versions of Lambda layers.
+ `apigateway` – Create, update, and delete Amazon API Gateway resources.
+ `s3` – Retrieve the `lambda-auth-code/layer.zip` file from Amazon Simple Storage Service (Amazon S3) buckets.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "apigateway.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction",
        "lambda:UpdateFunctionCode",
        "lambda:ListTags",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:TagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "sagemaker:project-name",
            "sagemaker:partner"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:PublishLayerVersion",
        "lambda:GetLayerVersion",
        "lambda:DeleteLayerVersion",
        "lambda:GetFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:layer:sagemaker-*",
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "apigateway:DELETE",
        "apigateway:PATCH",
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis/*",
        "arn:aws:apigateway:*::/restapis"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis",
        "arn:aws:apigateway:*::/tags/*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "sagemaker:project-name",
            "sagemaker:partner"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/lambda-auth-code/layer.zip"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------
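The `Null`, `StringEquals` and `ForAnyValue:StringEquals` conditions in the two partner policies above (the API Gateway policy and this CloudFormation policy) are easiest to reason about by running requests through them. The following Python is an added example, not code from AWS or from these policy documents: it models only the operators those documents use, embeds excerpts of the two policies, and evaluates constructed requests (the account id, function ARN and role ARN are placeholders) to show that a missing `sagemaker:partner` tag, a resource owned by another account, tag keys outside the allowed set, or passing the role to a service other than Lambda all fall outside the grant.

```python
"""Evaluate requests against the partner policies above (added example, not AWS code).

Models only what those documents use: Allow statements, Action and Resource wildcards,
the Null, StringEquals and ForAnyValue:StringEquals operators, and the
${aws:PrincipalAccount} variable. Explicit Deny, SCPs and resource policies are not
modelled, so this approximates IAM's decision rather than replacing it.
"""
import fnmatch

# Lambda statement copied from the
# AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy document above.
API_GATEWAY_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:*:*:function:sagemaker-*",
    "Condition": {
        "Null": {"aws:ResourceTag/sagemaker:project-name": "false",
                 "aws:ResourceTag/sagemaker:partner": "false"},
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}}]}

# Two statements copied from the
# AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy document above.
CFN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"],
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:TagResource"],
     "Resource": ["arn:aws:lambda:*:*:function:sagemaker-*"],
     "Condition": {
         "Null": {"aws:ResourceTag/sagemaker:project-name": "false",
                  "aws:ResourceTag/sagemaker:partner": "false"},
         "ForAnyValue:StringEquals": {"aws:TagKeys": ["sagemaker:project-name", "sagemaker:partner"]}}}]}

# Constructed request values; the account id is a placeholder.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:sagemaker-partner-auth"
ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
TAGGED = {"aws:ResourceTag/sagemaker:project-name": "demo-project",
          "aws:ResourceTag/sagemaker:partner": "vendor-x",
          "aws:ResourceAccount": "111122223333", "aws:PrincipalAccount": "111122223333"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    # Substitute a ${key} policy variable with the matching request-context value.
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        qualifier, _, base = operator.rpartition(":")  # "ForAnyValue:StringEquals" splits here
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if base == "Null":
                # "true": the key must be absent; "false": it must be present. One policy on
                # this page writes the value as a bare JSON boolean, so compare as text.
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif base == "StringEquals":
                allowed = {_resolve(v, ctx) for v in _as_list(expected)}
                if qualifier == "ForAnyValue":
                    if not any(v in allowed for v in _as_list(actual or [])):
                        return False
                elif actual is None or actual not in allowed:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True


def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement matches the action, the resource ARN and its conditions."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition", {}), ctx):
            return True
    return False


def demo():
    """Constructed requests showing which check each condition enforces."""
    no_partner_tag = {k: v for k, v in TAGGED.items() if k != "aws:ResourceTag/sagemaker:partner"}
    other_account = dict(TAGGED, **{"aws:ResourceAccount": "999999999999"})
    project_tags = dict(TAGGED, **{"aws:TagKeys": ["sagemaker:project-name", "sagemaker:partner"]})
    unrelated_tags = dict(TAGGED, **{"aws:TagKeys": ["env"]})
    return {
        "invoke, tagged, same account": is_allowed(API_GATEWAY_POLICY, "lambda:InvokeFunction", FUNCTION_ARN, TAGGED),
        "invoke, partner tag missing": is_allowed(API_GATEWAY_POLICY, "lambda:InvokeFunction", FUNCTION_ARN, no_partner_tag),
        "invoke, resource in another account": is_allowed(API_GATEWAY_POLICY, "lambda:InvokeFunction", FUNCTION_ARN, other_account),
        "create with project tag keys": is_allowed(CFN_POLICY, "lambda:CreateFunction", FUNCTION_ARN, project_tags),
        "create with unrelated tag keys": is_allowed(CFN_POLICY, "lambda:CreateFunction", FUNCTION_ARN, unrelated_tags),
        "pass role to Lambda": is_allowed(CFN_POLICY, "iam:PassRole", ROLE_ARN, {"iam:PassedToService": "lambda.amazonaws.com"}),
        "pass role to EC2": is_allowed(CFN_POLICY, "iam:PassRole", ROLE_ARN, {"iam:PassedToService": "ec2.amazonaws.com"}),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {request}")
```

Two design points carry over to real reviews: `Null` with `"false"` is what turns a tag into a precondition (an untagged `sagemaker-*` function is outside the grant even though its name matches), and `aws:ResourceAccount` compared with `${aws:PrincipalAccount}` keeps the role from invoking a same-named function that another account shared with it.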

## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy"></a>

This policy is used by AWS Lambda within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by Lambda that require a role.

**Permissions details**

This policy includes the following permissions.
+ `secretsmanager` – Retrieve data from secrets that the partner provides for partner templates.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:partner": false
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy"></a>

This policy is used by Amazon API Gateway within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by API Gateway that require a role.

**Permissions details**

This policy includes the following permissions.
+ `logs` – Create and read CloudWatch log groups, streams, and events; update events; describe various resources.

  These permissions are limited to resources whose log group prefix begins with "aws/apigateway/".

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeResourcePolicies",
        "logs:DescribeDestinations",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:DescribeQueries",
        "logs:DescribeQueryDefinitions",
        "logs:DescribeSubscriptionFilters",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/apigateway/*"
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy"></a>

This policy is used by AWS CloudFormation within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by CloudFormation that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` – Allows access to various SageMaker AI resources, except domains, user profiles, apps, and flow definitions.
+ `iam` – Pass the `AmazonSageMakerServiceCatalogProductsCodeBuildRole` and `AmazonSageMakerServiceCatalogProductsExecutionRole` roles.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddAssociation",
        "sagemaker:AddTags",
        "sagemaker:AssociateTrialComponent",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:BatchPutMetrics",
        "sagemaker:CreateAction",
        "sagemaker:CreateAlgorithm",
        "sagemaker:CreateApp",
        "sagemaker:CreateAppImageConfig",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateCodeRepository",
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateContext",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDeviceFleet",
        "sagemaker:CreateDomain",
        "sagemaker:CreateEdgePackagingJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateExperiment",
        "sagemaker:CreateFeatureGroup",
        "sagemaker:CreateFlowDefinition",
        "sagemaker:CreateHumanTaskUi",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateImage",
        "sagemaker:CreateImageVersion",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:CreateLabelingJob",
        "sagemaker:CreateLineageGroupPolicy",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:CreatePipeline",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateProject",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:CreateTrial",
        "sagemaker:CreateTrialComponent",
        "sagemaker:CreateUserProfile",
        "sagemaker:CreateWorkforce",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteAction",
        "sagemaker:DeleteAlgorithm",
        "sagemaker:DeleteApp",
        "sagemaker:DeleteAppImageConfig",
        "sagemaker:DeleteArtifact",
        "sagemaker:DeleteAssociation",
        "sagemaker:DeleteCodeRepository",
        "sagemaker:DeleteContext",
        "sagemaker:DeleteDataQualityJobDefinition",
        "sagemaker:DeleteDeviceFleet",
        "sagemaker:DeleteDomain",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteExperiment",
        "sagemaker:DeleteFeatureGroup",
        "sagemaker:DeleteFlowDefinition",
        "sagemaker:DeleteHumanLoop",
        "sagemaker:DeleteHumanTaskUi",
        "sagemaker:DeleteImage",
        "sagemaker:DeleteImageVersion",
        "sagemaker:DeleteLineageGroupPolicy",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteModelBiasJobDefinition",
        "sagemaker:DeleteModelExplainabilityJobDefinition",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteModelPackageGroupPolicy",
        "sagemaker:DeleteModelQualityJobDefinition",
        "sagemaker:DeleteMonitoringSchedule",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:DeletePipeline",
        "sagemaker:DeleteProject",
        "sagemaker:DeleteRecord",
        "sagemaker:DeleteTags",
        "sagemaker:DeleteTrial",
        "sagemaker:DeleteTrialComponent",
        "sagemaker:DeleteUserProfile",
        "sagemaker:DeleteWorkforce",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DeregisterDevices",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeAlgorithm",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeContext",
        "sagemaker:DescribeDataQualityJobDefinition",
        "sagemaker:DescribeDevice",
        "sagemaker:DescribeDeviceFleet",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeEdgePackagingJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeExperiment",
        "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeFlowDefinition",
        "sagemaker:DescribeHumanLoop",
        "sagemaker:DescribeHumanTaskUi",
        "sagemaker:DescribeHyperParameterTuningJob",
        "sagemaker:DescribeImage",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribeLineageGroup",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeModelBiasJobDefinition",
        "sagemaker:DescribeModelExplainabilityJobDefinition",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelQualityJobDefinition",
        "sagemaker:DescribeMonitoringSchedule",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeProject",
        "sagemaker:DescribeSubscribedWorkteam",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:DescribeTrial",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeWorkforce",
        "sagemaker:DescribeWorkteam",
        "sagemaker:DisableSagemakerServicecatalogPortfolio",
        "sagemaker:DisassociateTrialComponent",
        "sagemaker:EnableSagemakerServicecatalogPortfolio",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:GetModelPackageGroupPolicy",
        "sagemaker:GetRecord",
        "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:InvokeEndpoint",
        "sagemaker:InvokeEndpointAsync",
        "sagemaker:ListActions",
        "sagemaker:ListAlgorithms",
        "sagemaker:ListAppImageConfigs",
        "sagemaker:ListApps",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListAutoMLJobs",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListCompilationJobs",
        "sagemaker:ListContexts",
        "sagemaker:ListDataQualityJobDefinitions",
        "sagemaker:ListDeviceFleets",
        "sagemaker:ListDevices",
        "sagemaker:ListDomains",
        "sagemaker:ListEdgePackagingJobs",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListEndpoints",
        "sagemaker:ListExperiments",
        "sagemaker:ListFeatureGroups",
        "sagemaker:ListFlowDefinitions",
        "sagemaker:ListHumanLoops",
        "sagemaker:ListHumanTaskUis",
        "sagemaker:ListHyperParameterTuningJobs",
        "sagemaker:ListImageVersions",
        "sagemaker:ListImages",
        "sagemaker:ListInferenceRecommendationsJobs",
        "sagemaker:ListLabelingJobs",
        "sagemaker:ListLabelingJobsForWorkteam",
        "sagemaker:ListLineageGroups",
        "sagemaker:ListModelBiasJobDefinitions",
        "sagemaker:ListModelExplainabilityJobDefinitions",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelQualityJobDefinitions",
        "sagemaker:ListModels",
        "sagemaker:ListMonitoringExecutions",
        "sagemaker:ListMonitoringSchedules",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineParametersForExecution",
        "sagemaker:ListPipelines",
        "sagemaker:ListProcessingJobs",
        "sagemaker:ListProjects",
        "sagemaker:ListSubscribedWorkteams",
        "sagemaker:ListTags",
        "sagemaker:ListTrainingJobs",
        "sagemaker:ListTrainingJobsForHyperParameterTuningJob",
        "sagemaker:ListTransformJobs",
        "sagemaker:ListTrialComponents",
        "sagemaker:ListTrials",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListWorkforces",
        "sagemaker:ListWorkteams",
        "sagemaker:PutLineageGroupPolicy",
        "sagemaker:PutModelPackageGroupPolicy",
        "sagemaker:PutRecord",
        "sagemaker:QueryLineage",
        "sagemaker:RegisterDevices",
        "sagemaker:RenderUiTemplate",
        "sagemaker:Search",
        "sagemaker:SendHeartbeat",
        "sagemaker:SendPipelineExecutionStepFailure",
        "sagemaker:SendPipelineExecutionStepSuccess",
        "sagemaker:StartHumanLoop",
        "sagemaker:StartMonitoringSchedule",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StartPipelineExecution",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopCompilationJob",
        "sagemaker:StopEdgePackagingJob",
        "sagemaker:StopHumanLoop",
        "sagemaker:StopHyperParameterTuningJob",
        "sagemaker:StopInferenceRecommendationsJob",
        "sagemaker:StopLabelingJob",
        "sagemaker:StopMonitoringSchedule",
        "sagemaker:StopNotebookInstance",
        "sagemaker:StopPipelineExecution",
        "sagemaker:StopProcessingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:UpdateAction",
        "sagemaker:UpdateAppImageConfig",
        "sagemaker:UpdateArtifact",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:UpdateContext",
        "sagemaker:UpdateDeviceFleet",
        "sagemaker:UpdateDevices",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateExperiment",
        "sagemaker:UpdateImage",
        "sagemaker:UpdateModelPackage",
        "sagemaker:UpdateMonitoringSchedule",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig",
        "sagemaker:UpdatePipeline",
        "sagemaker:UpdatePipelineExecution",
        "sagemaker:UpdateProject",
        "sagemaker:UpdateTrainingJob",
        "sagemaker:UpdateTrial",
        "sagemaker:UpdateTrialComponent",
        "sagemaker:UpdateUserProfile",
        "sagemaker:UpdateWorkforce",
        "sagemaker:UpdateWorkteam"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
      ]
    }
  ]
}
```

------
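When deciding whether to attach one of these policies, a reviewer reads each Allow statement for a few recurring patterns: `iam:PassRole` without an `iam:PassedToService` condition (the `iam` statement in the policy above has none, whereas the partner CloudFormation policy earlier on this page pins its role to `lambda.amazonaws.com`), `Resource` set to `"*"` (as in the training plan policy's `NonResourceLevelTrainingPlanPermissions` statement, whose actions have no resource-level scoping), and `NotResource`, which grants every ARN outside the listed ones, including resource types introduced later. The following Python linter is an added example, not an AWS tool; it runs over shortened excerpts of the policies on this page and reports each pattern as a finding to read, not a defect.

```python
"""Static review of Allow statements in managed policies (added example, not an AWS tool).

Reports the patterns a reviewer weighs before attaching a policy: iam:PassRole without
an iam:PassedToService condition, wildcard actions, Resource "*", and NotResource.
A finding is a prompt to read the statement, not a defect: a service role may
legitimately need it (several List/Search actions cannot be scoped to a resource).
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """All condition keys a statement uses, lower-cased, regardless of operator."""
    return {key.lower() for pairs in stmt.get("Condition", {}).values() for key in pairs}


def lint_policy(name, policy):
    """Return (policy name, statement id, finding) triples for every Allow statement."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "iam:passrole" in actions and "iam:passedtoservice" not in _condition_keys(stmt):
            findings.append((name, sid, "iam:PassRole is not restricted with iam:PassedToService"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((name, sid, "wildcard Action"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((name, sid, 'Resource "*"'))
        if "NotResource" in stmt:
            findings.append((name, sid, "NotResource: allows every ARN outside the listed ones"))
    return findings


# Excerpts copied from the policy documents on this page; long action lists are shortened.
SAMPLE_POLICIES = {
    "AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy": {"Statement": [
        {"Effect": "Allow",
         "Action": ["sagemaker:CreateModel", "sagemaker:DeleteModel", "sagemaker:DescribeModel"],
         "NotResource": ["arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*",
                         "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:flow-definition/*"]},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
                      "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"]}]},
    "AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"],
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}]},
    "AmazonSageMakerTrainingPlanCreateAccess": {"Statement": [
        {"Sid": "NonResourceLevelTrainingPlanPermissions", "Effect": "Allow",
         "Action": ["sagemaker:SearchTrainingPlanOfferings", "sagemaker:ListTrainingPlans"],
         "Resource": "*"}]},
}


def lint_all(policies=SAMPLE_POLICIES):
    return [f for name, policy in policies.items() for f in lint_policy(name, policy)]


if __name__ == "__main__":
    for name, sid, finding in lint_all():
        print(f"{name} {sid}: {finding}")
```

Run against the full documents (for example, the JSON returned by `aws iam get-policy-version`), the same three checks give a quick map of where a policy relies on naming conventions rather than conditions, which is where a reviewer's attention belongs.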

## AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy"></a>

This policy is used by AWS CodeBuild within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by CodeBuild that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` – Allows access to various SageMaker AI resources.
+ `codecommit` – Upload CodeCommit archives to CodeBuild pipelines, get the upload status, and cancel uploads; get branch and commit information. These permissions are limited to resources whose names begin with "sagemaker-".
+ `ecr` – Create Amazon ECR repositories and container images; upload image layers. These permissions are limited to repositories whose names begin with "sagemaker-".

  `ecr` – Read all resources.
+ `iam` – Pass the following roles:
  + `AmazonSageMakerServiceCatalogProductsCloudformationRole` to AWS CloudFormation.
  + `AmazonSageMakerServiceCatalogProductsCodeBuildRole` to AWS CodeBuild.
  + `AmazonSageMakerServiceCatalogProductsCodePipelineRole` to AWS CodePipeline.
  + `AmazonSageMakerServiceCatalogProductsEventsRole` to Amazon EventBridge.
  + `AmazonSageMakerServiceCatalogProductsExecutionRole` to Amazon SageMaker AI.
+ `logs` – Create and read CloudWatch log groups, streams, and events; update events; describe various resources.

  These permissions are limited to resources whose name prefix begins with "aws/codebuild/".
+ `s3` – Create, read, and list Amazon S3 buckets. These permissions are limited to buckets whose names begin with "sagemaker-".
+ `codeconnections`, `codestar-connections` – Use AWS CodeConnections and AWS CodeStar connections.

To view the permissions for this policy, see [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy"></a>

This policy is used by AWS CodePipeline within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by CodePipeline that require a role.

**Permissions details**

This policy includes the following permissions.
+ `cloudformation` – Create, read, delete, and update CloudFormation stacks; create, read, delete, and execute change sets; set stack policies; tag and untag resources. These permissions are limited to resources whose names begin with "sagemaker-".
+ `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configurations; read access control lists (ACLs); and read the AWS Region a bucket is in.

  These permissions are limited to buckets whose names begin with "sagemaker-" or "aws-glue-".
+ `iam` – Pass the `AmazonSageMakerServiceCatalogProductsCloudformationRole` role.
+ `codebuild` – Get CodeBuild build information and start builds. These permissions are limited to project and build resources whose names begin with "sagemaker-".
+ `codecommit` – Upload CodeCommit archives to CodeBuild pipelines, get the upload status, and cancel uploads; get branch and commit information.
+ `codeconnections`, `codestar-connections` – Use AWS CodeConnections and AWS CodeStar connections.

To view the permissions for this policy, see [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy"></a>

This policy is used by Amazon EventBridge within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by EventBridge that require a role.

**Permissions details**

This policy includes the following permissions.
+ `codepipeline` – Start pipeline executions. These permissions are limited to pipelines whose names begin with "sagemaker-".

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codepipeline:StartPipelineExecution",
      "Resource": "arn:aws:codepipeline:*:*:sagemaker-*"
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy"></a>

This policy is used by Amazon Data Firehose within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by Firehose that require a role.

**Permissions details**

This policy includes the following permissions.
+ `firehose` – Put Firehose records. These permissions are limited to delivery streams whose names start with "sagemaker-".

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy"></a>

This policy is used by AWS Glue within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by Glue that require a role.

**Permissions details**

This policy includes the following permissions.
+ `glue` – Create, read, and delete AWS Glue partitions, tables, and table versions. These permissions are limited to resources whose names start with "sagemaker-". Create and read AWS Glue databases. These permissions are limited to databases named "default" or "global_temp", or whose names start with "sagemaker-". Get user-defined functions.
+ `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configuration; read access control lists (ACLs); and read the AWS Region a bucket is in.

  These permissions are limited to buckets whose names start with "sagemaker-" or "aws-glue-".
+ `logs` – Create, read, and delete CloudWatch Logs log groups, streams, and deliveries; and create resource policies.

  These permissions are limited to resources whose name prefix starts with "aws/glue/".

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:BatchCreatePartition",
        "glue:BatchDeletePartition",
        "glue:BatchDeleteTable",
        "glue:BatchDeleteTableVersion",
        "glue:BatchGetPartition",
        "glue:CreateDatabase",
        "glue:CreatePartition",
        "glue:CreateTable",
        "glue:DeletePartition",
        "glue:DeleteTable",
        "glue:DeleteTableVersion",
        "glue:GetDatabase",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetTableVersion",
        "glue:GetTableVersions",
        "glue:SearchTables",
        "glue:UpdatePartition",
        "glue:UpdateTable",
        "glue:GetUserDefinedFunctions"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/global_temp",
        "arn:aws:glue:*:*:database/sagemaker-*",
        "arn:aws:glue:*:*:table/sagemaker-*",
        "arn:aws:glue:*:*:tableVersion/sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketCors"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/glue/*"
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy"></a>

This policy is used by AWS Lambda within the AWS Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by Lambda that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` – Allows access to various SageMaker AI resources.
+ `ecr` – Create and delete Amazon ECR repositories; create, read, and delete container images; upload image layers. These permissions are limited to repositories whose names start with "sagemaker-".
+ `events` – Create, read, and delete Amazon EventBridge rules; and create and delete targets. These permissions are limited to rules whose names start with "sagemaker-".
+ `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configuration; read access control lists (ACLs); and read the AWS Region a bucket is in.

  These permissions are limited to buckets whose names start with "sagemaker-" or "aws-glue-".
+ `iam` – Pass the `AmazonSageMakerServiceCatalogProductsExecutionRole` role.
+ `logs` – Create, read, and delete CloudWatch Logs log groups, streams, and deliveries; and create resource policies.

  These permissions are limited to resources whose name prefix starts with "aws/lambda/".
+ `codebuild` – Start and get information about AWS CodeBuild builds.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid" : "AmazonSageMakerLambdaECRPermission",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImages",
        "ecr:BatchDeleteImage",
        "ecr:CompleteLayerUpload",
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaEventBridgePermission",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:DescribeRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaS3BucketPermission",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketCors"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaS3ObjectPermission",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaSageMakerPermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddAssociation",
        "sagemaker:AddTags",
        "sagemaker:AssociateTrialComponent",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:BatchPutMetrics",
        "sagemaker:CreateAction",
        "sagemaker:CreateAlgorithm",
        "sagemaker:CreateApp",
        "sagemaker:CreateAppImageConfig",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateCodeRepository",
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateContext",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDeviceFleet",
        "sagemaker:CreateDomain",
        "sagemaker:CreateEdgePackagingJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateExperiment",
        "sagemaker:CreateFeatureGroup",
        "sagemaker:CreateFlowDefinition",
        "sagemaker:CreateHumanTaskUi",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateImage",
        "sagemaker:CreateImageVersion",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:CreateLabelingJob",
        "sagemaker:CreateLineageGroupPolicy",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:CreatePipeline",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateProject",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:CreateTrial",
        "sagemaker:CreateTrialComponent",
        "sagemaker:CreateUserProfile",
        "sagemaker:CreateWorkforce",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteAction",
        "sagemaker:DeleteAlgorithm",
        "sagemaker:DeleteApp",
        "sagemaker:DeleteAppImageConfig",
        "sagemaker:DeleteArtifact",
        "sagemaker:DeleteAssociation",
        "sagemaker:DeleteCodeRepository",
        "sagemaker:DeleteContext",
        "sagemaker:DeleteDataQualityJobDefinition",
        "sagemaker:DeleteDeviceFleet",
        "sagemaker:DeleteDomain",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteExperiment",
        "sagemaker:DeleteFeatureGroup",
        "sagemaker:DeleteFlowDefinition",
        "sagemaker:DeleteHumanLoop",
        "sagemaker:DeleteHumanTaskUi",
        "sagemaker:DeleteImage",
        "sagemaker:DeleteImageVersion",
        "sagemaker:DeleteLineageGroupPolicy",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteModelBiasJobDefinition",
        "sagemaker:DeleteModelExplainabilityJobDefinition",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteModelPackageGroupPolicy",
        "sagemaker:DeleteModelQualityJobDefinition",
        "sagemaker:DeleteMonitoringSchedule",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:DeletePipeline",
        "sagemaker:DeleteProject",
        "sagemaker:DeleteRecord",
        "sagemaker:DeleteTags",
        "sagemaker:DeleteTrial",
        "sagemaker:DeleteTrialComponent",
        "sagemaker:DeleteUserProfile",
        "sagemaker:DeleteWorkforce",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DeregisterDevices",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeAlgorithm",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeContext",
        "sagemaker:DescribeDataQualityJobDefinition",
        "sagemaker:DescribeDevice",
        "sagemaker:DescribeDeviceFleet",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeEdgePackagingJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeExperiment",
        "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeFlowDefinition",
        "sagemaker:DescribeHumanLoop",
        "sagemaker:DescribeHumanTaskUi",
        "sagemaker:DescribeHyperParameterTuningJob",
        "sagemaker:DescribeImage",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribeLineageGroup",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeModelBiasJobDefinition",
        "sagemaker:DescribeModelExplainabilityJobDefinition",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelQualityJobDefinition",
        "sagemaker:DescribeMonitoringSchedule",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeProject",
        "sagemaker:DescribeSubscribedWorkteam",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:DescribeTrial",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeWorkforce",
        "sagemaker:DescribeWorkteam",
        "sagemaker:DisableSagemakerServicecatalogPortfolio",
        "sagemaker:DisassociateTrialComponent",
        "sagemaker:EnableSagemakerServicecatalogPortfolio",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:GetModelPackageGroupPolicy",
        "sagemaker:GetRecord",
        "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:InvokeEndpoint",
        "sagemaker:InvokeEndpointAsync",
        "sagemaker:ListActions",
        "sagemaker:ListAlgorithms",
        "sagemaker:ListAppImageConfigs",
        "sagemaker:ListApps",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListAutoMLJobs",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListCompilationJobs",
        "sagemaker:ListContexts",
        "sagemaker:ListDataQualityJobDefinitions",
        "sagemaker:ListDeviceFleets",
        "sagemaker:ListDevices",
        "sagemaker:ListDomains",
        "sagemaker:ListEdgePackagingJobs",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListEndpoints",
        "sagemaker:ListExperiments",
        "sagemaker:ListFeatureGroups",
        "sagemaker:ListFlowDefinitions",
        "sagemaker:ListHumanLoops",
        "sagemaker:ListHumanTaskUis",
        "sagemaker:ListHyperParameterTuningJobs",
        "sagemaker:ListImageVersions",
        "sagemaker:ListImages",
        "sagemaker:ListInferenceRecommendationsJobs",
        "sagemaker:ListLabelingJobs",
        "sagemaker:ListLabelingJobsForWorkteam",
        "sagemaker:ListLineageGroups",
        "sagemaker:ListModelBiasJobDefinitions",
        "sagemaker:ListModelExplainabilityJobDefinitions",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelQualityJobDefinitions",
        "sagemaker:ListModels",
        "sagemaker:ListMonitoringExecutions",
        "sagemaker:ListMonitoringSchedules",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineParametersForExecution",
        "sagemaker:ListPipelines",
        "sagemaker:ListProcessingJobs",
        "sagemaker:ListProjects",
        "sagemaker:ListSubscribedWorkteams",
        "sagemaker:ListTags",
        "sagemaker:ListTrainingJobs",
        "sagemaker:ListTrainingJobsForHyperParameterTuningJob",
        "sagemaker:ListTransformJobs",
        "sagemaker:ListTrialComponents",
        "sagemaker:ListTrials",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListWorkforces",
        "sagemaker:ListWorkteams",
        "sagemaker:PutLineageGroupPolicy",
        "sagemaker:PutModelPackageGroupPolicy",
        "sagemaker:PutRecord",
        "sagemaker:QueryLineage",
        "sagemaker:RegisterDevices",
        "sagemaker:RenderUiTemplate",
        "sagemaker:Search",
        "sagemaker:SendHeartbeat",
        "sagemaker:SendPipelineExecutionStepFailure",
        "sagemaker:SendPipelineExecutionStepSuccess",
        "sagemaker:StartHumanLoop",
        "sagemaker:StartMonitoringSchedule",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StartPipelineExecution",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopCompilationJob",
        "sagemaker:StopEdgePackagingJob",
        "sagemaker:StopHumanLoop",
        "sagemaker:StopHyperParameterTuningJob",
        "sagemaker:StopInferenceRecommendationsJob",
        "sagemaker:StopLabelingJob",
        "sagemaker:StopMonitoringSchedule",
        "sagemaker:StopNotebookInstance",
        "sagemaker:StopPipelineExecution",
        "sagemaker:StopProcessingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:UpdateAction",
        "sagemaker:UpdateAppImageConfig",
        "sagemaker:UpdateArtifact",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:UpdateContext",
        "sagemaker:UpdateDeviceFleet",
        "sagemaker:UpdateDevices",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateExperiment",
        "sagemaker:UpdateImage",
        "sagemaker:UpdateModelPackage",
        "sagemaker:UpdateMonitoringSchedule",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig",
        "sagemaker:UpdatePipeline",
        "sagemaker:UpdatePipelineExecution",
        "sagemaker:UpdateProject",
        "sagemaker:UpdateTrainingJob",
        "sagemaker:UpdateTrial",
        "sagemaker:UpdateTrialComponent",
        "sagemaker:UpdateUserProfile",
        "sagemaker:UpdateWorkforce",
        "sagemaker:UpdateWorkteam"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:action/*",
        "arn:aws:sagemaker:*:*:algorithm/*",
        "arn:aws:sagemaker:*:*:app-image-config/*",
        "arn:aws:sagemaker:*:*:artifact/*",
        "arn:aws:sagemaker:*:*:automl-job/*",
        "arn:aws:sagemaker:*:*:code-repository/*",
        "arn:aws:sagemaker:*:*:compilation-job/*",
        "arn:aws:sagemaker:*:*:context/*",
        "arn:aws:sagemaker:*:*:data-quality-job-definition/*",
        "arn:aws:sagemaker:*:*:device-fleet/*/device/*",
        "arn:aws:sagemaker:*:*:device-fleet/*",
        "arn:aws:sagemaker:*:*:edge-packaging-job/*",
        "arn:aws:sagemaker:*:*:endpoint/*",
        "arn:aws:sagemaker:*:*:endpoint-config/*",
        "arn:aws:sagemaker:*:*:experiment/*",
        "arn:aws:sagemaker:*:*:experiment-trial/*",
        "arn:aws:sagemaker:*:*:experiment-trial-component/*",
        "arn:aws:sagemaker:*:*:feature-group/*",
        "arn:aws:sagemaker:*:*:human-loop/*",
        "arn:aws:sagemaker:*:*:human-task-ui/*",
        "arn:aws:sagemaker:*:*:hyper-parameter-tuning-job/*",
        "arn:aws:sagemaker:*:*:image/*",
        "arn:aws:sagemaker:*:*:image-version/*/*",
        "arn:aws:sagemaker:*:*:inference-recommendations-job/*",
        "arn:aws:sagemaker:*:*:labeling-job/*",
        "arn:aws:sagemaker:*:*:model/*",
        "arn:aws:sagemaker:*:*:model-bias-job-definition/*",
        "arn:aws:sagemaker:*:*:model-explainability-job-definition/*",
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*",
        "arn:aws:sagemaker:*:*:model-quality-job-definition/*",
        "arn:aws:sagemaker:*:*:monitoring-schedule/*",
        "arn:aws:sagemaker:*:*:notebook-instance/*",
        "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/*",
        "arn:aws:sagemaker:*:*:pipeline/*",
        "arn:aws:sagemaker:*:*:pipeline/*/execution/*",
        "arn:aws:sagemaker:*:*:processing-job/*",
        "arn:aws:sagemaker:*:*:project/*",
        "arn:aws:sagemaker:*:*:training-job/*",
        "arn:aws:sagemaker:*:*:transform-job/*",
        "arn:aws:sagemaker:*:*:workforce/*",
        "arn:aws:sagemaker:*:*:workteam/*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaPassRolePermission",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaLogPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeResourcePolicies",
        "logs:DescribeDestinations",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:DescribeQueries",
        "logs:DescribeQueryDefinitions",
        "logs:DescribeSubscriptionFilters",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
    },
    {
      "Sid" : "AmazonSageMakerLambdaCodeBuildPermission",
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild",
        "codebuild:BatchGetBuilds"
      ],
      "Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/sagemaker:project-name": "*"
        }
      }
    }
  ]
}
```

------

## Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies
<a name="security-iam-awsmanpol-sc-updates"></a>

View details about updates to Amazon SageMaker AI AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date |
| --- | --- | --- | --- |
| [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) – Update to policy | 10 | Updated the `codestar-connections:PassConnection` and `codeconnections:PassConnection` permissions. | September 27, 2025 |
| [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) – Update to policy | 3 | Updated the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | September 27, 2025 |
| [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) – Update to policy | 3 | Updated the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | September 27, 2025 |
| [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) – Update to policy | 9 | Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | July 1, 2024 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy – Update to policy | 7 | Rolled the policy back to version 7 (v7). Removed the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | June 12, 2024 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy – Update to policy | 8 | Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | June 11, 2024 |
| [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) – Update to policy | 2 | Added the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | June 11, 2024 |
| [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) – Update to policy | 2 | Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, `codestar-connections:UseConnection`, and `codeconnections:UseConnection` permissions. | June 11, 2024 |
| [AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy) – Update to policy | 2 | Added the `codebuild:StartBuild` and `codebuild:BatchGetBuilds` permissions. | June 11, 2024 |
| [AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy) | 1 | Initial policy | August 1, 2023 |
| [AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy) | 1 | Initial policy | August 1, 2023 |
| [AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy) | 1 | Initial policy | August 1, 2023 |
| [AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy) – Update to policy | 2 | Added permission for `glue:GetUserDefinedFunctions`. | August 26, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy – Update to policy | 7 | Added permission for `sagemaker:AddTags`. | August 2, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy – Update to policy | 6 | Added permission for `lambda:TagResource`. | July 14, 2022 |
| AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy | 1 | Initial policy | April 22, 2022 |
| [AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy) | 1 | Initial policy | March 24, 2022 |
| [AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy) | 1 | Initial policy | March 24, 2022 |
| AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy | 1 | Initial policy | March 24, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy – Update to policy | 5 | Added permission for `ecr-idp:TagResource`. | March 21, 2022 |
| AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
| [AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy) | 1 | Initial policy | February 22, 2022 |
| [AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy) | 1 | Initial policy | February 22, 2022 |
| AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy – Update to policy | 4 | Added permissions for `cognito-idp:TagResource` and `s3:PutBucketCORS`. | February 16, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy – Update to policy | 3 | Added new permissions for `sagemaker`: create, read, update, and delete SageMaker images. | September 15, 2021 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy – Update to policy | 2 | Added permissions for `sagemaker` and `codestar-connections`: create, read, update, and delete code repositories; pass AWS CodeStar connections to AWS CodePipeline. | July 1, 2021 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 1 | Initial policy | November 27, 2020 |

## SageMaker AI updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to SageMaker AI AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date |
| --- | --- | --- | --- |
| [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) – Update to existing policy | 27 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/sagemaker/latest/dg/security-iam-awsmanpol.html) | December 4, 2024 |
| [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) – Update to existing policy | 26 | Added the `sagemaker:AddTags` permission. | March 29, 2024 |
| AmazonSageMakerFullAccess – Update to existing policy | 25 | Added the `sagemaker:CreateApp`, `sagemaker:DescribeApp`, `sagemaker:DeleteApp`, `sagemaker:CreateSpace`, `sagemaker:UpdateSpace`, `sagemaker:DeleteSpace`, `s3express:CreateSession`, `s3express:CreateBucket`, and `s3express:ListAllMyDirectoryBuckets` permissions. | November 30, 2023 |
| AmazonSageMakerFullAccess – Update to existing policy | 24 | Added the `sagemaker-geospatial:*`, `sagemaker:AddTags`, `sagemaker-ListTags`, `sagemaker-DescribeSpace`, and `sagemaker:ListSpaces` permissions. | November 30, 2022 |
| AmazonSageMakerFullAccess – Update to existing policy | 23 | Added `glue:UpdateTable`. | June 29, 2022 |
| AmazonSageMakerFullAccess – Update to existing policy | 22 | Added `cloudformation:ListStackResources`. | May 1, 2022 |
| [AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly) – Update to existing policy | 11 | Added the `sagemaker:QueryLineage`, `sagemaker:GetLineageGroupPolicy`, `sagemaker:BatchDescribeModelPackage`, and `sagemaker:GetModelPackageGroupPolicy` permissions. | December 1, 2021 |
| AmazonSageMakerFullAccess – Update to existing policy | 21 | Added the `sns:Publish` permission for endpoints with asynchronous inference enabled. | September 8, 2021 |
| AmazonSageMakerFullAccess – Update to existing policy | 20 | Updated `iam:PassRole` resources and permissions. | July 15, 2021 |
| AmazonSageMakerReadOnly – Update to existing policy | 10 | Added the new SageMaker AI API `BatchGetRecord` for Feature Store. | June 10, 2021 |
|  |  | SageMaker AI started tracking changes for its AWS managed policies. | June 1, 2021 |