本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS SageMaker 筆記本的受管政策
這些 AWS 受管政策新增使用 SageMaker 筆記本所需的許可。這些政策可在您的帳戶中使用, AWS 並由從 SageMaker AI 主控台建立的執行角色使用。
**Topics**
+ [AWS 受管政策:AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy)
+ [Amazon SageMaker AI 更新 SageMaker AI 筆記本受管政策](#security-iam-awsmanpol-notebooks-updates)
## AWS 受管政策:AmazonSageMakerNotebooksServiceRolePolicy
此 AWS 受管政策會授予使用 Amazon SageMaker Notebooks 時通常需要的許可。政策會新增至您加入 Amazon SageMaker Studio Classic 時所建立的 `AWSServiceRoleForAmazonSageMakerNotebooks`。如需關於服務連結角色詳細資訊,請參閱[服務連結角色](security_iam_service-with-iam.md#security_iam_service-with-iam-roles-service-linked)。如需詳細資訊,請參閱 [AmazonSageMakerNotebooksServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerNotebooksServiceRolePolicy.html)
**許可詳細資訊**
此政策包含以下許可。
+ `elasticfilesystem` - 讓主體建立和刪除 Amazon Elastic File System (EFS) 檔案系統、存取點和掛載目標。僅限於標記了 *ManagedByAmazonSageMakerResource *的金鑰。讓主體描述所有 EFS 檔案系統、存取點和掛載目標。讓主體建立或覆寫 EFS 存取點和裝載目標的標籤。
+ `ec2` - 讓主體為 Amazon Elastic Compute Cloud (EC2) 執行個體建立網路介面和安全群組。也讓主體建立和覆寫這些資源的標籤。
+ `sso` - 讓主體將受管執行個體新增至 AWS IAM Identity Center中並刪除。
+ `sagemaker` - 允許主體建立和讀取 SageMaker AI 使用者設定檔和 SageMaker AI 空間;刪除 SageMaker AI 空間和 SageMaker AI 應用程式;以及新增和列出標籤。
+ `fsx` - 允許主體描述 Amazon FSx for Lustre 檔案系統,以及使用中繼資料將其掛載在筆記本上。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowFSxDescribe",
"Effect": "Allow",
"Action": [
"fsx:DescribeFileSystems"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "AllowSageMakerDeleteApp",
"Effect": "Allow",
"Action": [
"sagemaker:DeleteApp"
],
"Resource": "arn:aws:sagemaker:*:*:app/*"
},
{
"Sid": "AllowEFSAccessPointCreation",
"Effect": "Allow",
"Action": "elasticfilesystem:CreateAccessPoint",
"Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
"aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEFSAccessPointDeletion",
"Effect": "Allow",
"Action": [
"elasticfilesystem:DeleteAccessPoint"
],
"Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEFSCreation",
"Effect": "Allow",
"Action": "elasticfilesystem:CreateFileSystem",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEFSMountWithDeletion",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteMountTarget"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEFSDescribe",
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets"
],
"Resource": "*"
},
{
"Sid": "AllowEFSTagging",
"Effect": "Allow",
"Action": "elasticfilesystem:TagResource",
"Resource": [
"arn:aws:elasticfilesystem:*:*:access-point/*",
"arn:aws:elasticfilesystem:*:*:file-system/*"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEC2Tagging",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*"
]
},
{
"Sid": "AllowEC2Operations",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:ModifyNetworkInterfaceAttribute"
],
"Resource": "*"
},
{
"Sid": "AllowEC2AuthZ",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterfacePermission",
"ec2:DeleteNetworkInterfacePermission",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowIdcOperations",
"Effect": "Allow",
"Action": [
"sso:CreateManagedApplicationInstance",
"sso:DeleteManagedApplicationInstance",
"sso:GetManagedApplicationInstance"
],
"Resource": "*"
},
{
"Sid": "AllowSagemakerProfileCreation",
"Effect": "Allow",
"Action": [
"sagemaker:CreateUserProfile",
"sagemaker:DescribeUserProfile"
],
"Resource": "*"
},
{
"Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces",
"Effect": "Allow",
"Action": [
"sagemaker:CreateSpace",
"sagemaker:DescribeSpace",
"sagemaker:DeleteSpace",
"sagemaker:ListTags"
],
"Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*"
},
{
"Sid": "AllowSagemakerAddTagsForAppManagedSpaces",
"Effect": "Allow",
"Action": [
"sagemaker:AddTags"
],
"Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*",
"Condition": {
"StringEquals": {
"sagemaker:TaggingAction": "CreateSpace"
}
}
}
]
}
```
------
## Amazon SageMaker AI 更新 SageMaker AI 筆記本受管政策
檢視自此服務開始追蹤 Amazon SageMaker AI AWS 受管政策更新以來的詳細資訊。
| 政策 | 版本 | 變更 | Date |
| --- | --- | --- | --- |
| [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) - 更新現有政策 | 10 | 新增 `fsx:DescribeFileSystems` 許可。 | 2024 年 11 月 14 日 |
| [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) - 更新現有政策 | 9 | 新增 `sagemaker:DeleteApp` 許可。 | 2024 年 7 月 24 日 |
| AmazonSageMakerNotebooksServiceRolePolicy - 更新現有政策 | 8 | 新增 `sagemaker:CreateSpace`、`sagemaker:DescribeSpace`、`sagemaker:DeleteSpace`、`sagemaker:ListTags` 和 `sagemaker:AddTags` 許可。 | 2024 年 5 月 22 日 |
| AmazonSageMakerNotebooksServiceRolePolicy - 更新現有政策 | 7 | 新增 `elasticfilesystem:TagResource` 許可。 | 2023 年 3 月 9 日 |
| AmazonSageMakerNotebooksServiceRolePolicy - 更新現有政策 | 6 | 新增 `elasticfilesystem:CreateAccessPoint`、`elasticfilesystem:DeleteAccessPoint` 和 `elasticfilesystem:DescribeAccessPoints` 許可。 | 2023 年 1 月 12 日 |
| | | SageMaker AI 開始追蹤其 AWS 受管政策的變更。 | 2021 年 6 月 1 日 |