本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。

# AWS 模型登錄檔的受管政策
<a name="security-iam-awsmanpol-model-registry"></a>

這些 AWS 受管政策會新增使用模型登錄所需的許可。這些政策可在您的帳戶中使用， AWS 並由從 Amazon SageMaker AI 主控台建立的執行角色使用。

**Topics**
+ [AWS 受管政策：AmazonSageMakerModelRegistryFullAccess](#security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess)
+ [Amazon SageMaker AI 更新模型註冊庫受管政策](#security-iam-awsmanpol-model-registry-updates)

## AWS 受管政策：AmazonSageMakerModelRegistryFullAccess
<a name="security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess"></a>

此 AWS 受管政策會授予使用 Amazon SageMaker AI 網域內所有模型登錄檔功能所需的許可。設定 Model Registry 設定以啟用 Model Registry 許可時，此政策會附加至執行角色。

此政策包含以下許可。
+ `ecr` - 讓主體擷取關於 Amazon Elastic Container Registry (Amazon ECR) 映像的資訊，包括中繼資料。
+ `iam` - 允許主體將執行角色傳遞至 Amazon SageMaker AI 服務。
+ `resource-groups` – 允許主體建立、列出、標記和刪除 AWS Resource Groups。
+ `s3` - 讓主體從存放模型版本的 Amazon Simple Storage Service (Amazon S3) 儲存貯體擷取物件。可擷取的物件僅限於名稱包含字串 `"sagemaker"` 的物件 (不區分大小寫)。
+ `sagemaker` - 允許主體使用 SageMaker 模型註冊庫來編目、管理及部署模型。
+ `kms` – 僅允許 SageMaker AI 服務主體新增授予、產生資料金鑰、解密和讀取 AWS KMS 金鑰，以及僅允許標記為「Sagemaker」使用的金鑰。

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AmazonSageMakerModelRegistrySageMakerReadPermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeAction",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:ListAssociations",
        "sagemaker:ListArtifacts",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackages",
        "sagemaker:Search",
        "sagemaker:GetSearchSuggestions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistrySageMakerWritePermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteTags",
        "sagemaker:UpdateModelPackage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryS3GetPermission",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AmazonSageMakerModelRegistryS3ListPermission",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryECRReadPermission",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryIAMPassRolePermission",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryTagReadPermission",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupGetPermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:GetGroupQuery"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupListPermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:ListGroupResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupWritePermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:CreateGroup",
        "resource-groups:Tag"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "sagemaker:collection"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupDeletePermission",
      "Effect": "Allow",
      "Action": "resource-groups:DeleteGroup",
      "Resource": "arn:aws:resource-groups:*:*:group/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:collection": "true"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceKMSPermission",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:*:*:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker" : "true"
        },
        "StringLike": {
          "kms:ViaService": "sagemaker.*.amazonaws.com"
        }
      }
    }
  ]
}
```

------

## Amazon SageMaker AI 更新模型註冊庫受管政策
<a name="security-iam-awsmanpol-model-registry-updates"></a>

檢視自此服務開始追蹤這些變更以來，模型登錄檔受 AWS 管政策更新的詳細資訊。如需有關此頁面變更的自動提醒，請訂閱 SageMaker AI [文件歷史記錄頁面](doc-history.md)上的 RSS 摘要。


| 政策 | 版本 | 變更 | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerModelRegistryFullAccess](#security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess) - 更新現有政策 | 2 |  新增 `kms:CreateGrant`、`kms:DescribeKey`、`kms:GenerateDataKey` 和 `kms:Decrypt` 許可。  | 2024 年 6 月 6 日 | 
| AmazonSageMakerModelRegistryFullAccess - 新政策 | 1 |  初始政策  | 2023 年 4 月 12 日 |