

This document is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version governs.

# AWS managed policies for Amazon SageMaker AI
<a name="security-iam-awsmanpol"></a>

Using AWS managed policies to add permissions to users, groups, and roles is easier than writing policies yourself. Creating [IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) takes time and expertise; managed policies give your team the permissions it needs. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You cannot change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) that the policy is attached to. Services are most likely to update an AWS managed policy when a new feature is launched or new operations become available. Services do not remove permissions from an AWS managed policy, so a policy update does not break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the `ReadOnlyAccess` AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and description of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

**Important**  
We recommend that you use the most restrictive policy that still lets you perform your use case.

The following AWS managed policies are specific to Amazon SageMaker AI and can be attached to users in your account:
+ **`AmazonSageMakerFullAccess`** – Grants full access to Amazon SageMaker AI and SageMaker AI geospatial resources and the supported operations. It does not grant unrestricted Amazon S3 access, but supports buckets and objects that use specific `sagemaker` names or tags. The policy allows passing any IAM role to Amazon SageMaker AI, but only roles whose name contains "AmazonSageMaker" to AWS Glue, AWS Step Functions, and AWS RoboMaker.
+ **`AmazonSageMakerReadOnly`** – Allows read-only access to Amazon SageMaker AI resources.

The following AWS managed policies can be attached to users in your account but are not recommended:
+ [AdministratorAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator) – Grants permission for all actions on all AWS services and all resources in the account.
+ [DataScientist](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_data-scientist) – Grants a wide range of permissions covering most use cases a data scientist encounters (mainly analytics and business intelligence).

You can review the permissions in these policies by signing in to the IAM console and searching for the policy name. From the CLI, `aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess` returns the `DefaultVersionId`, `aws iam get-policy-version` with that version ID returns the current document, and `aws iam list-entities-for-policy` shows which users, groups, and roles the policy is attached to.

You can also create your own custom IAM policies that allow permissions for only the Amazon SageMaker AI actions and resources you need, and attach those custom policies to the users or groups that require them.

**Topics**
+ [AWS managed policy: AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess)
+ [AWS managed policy: AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly)
+ [AWS managed policies for Amazon SageMaker Canvas](security-iam-awsmanpol-canvas.md)
+ [AWS managed policies for Amazon SageMaker Feature Store](security-iam-awsmanpol-feature-store.md)
+ [AWS managed policies for Amazon SageMaker geospatial](security-iam-awsmanpol-geospatial.md)
+ [AWS managed policies for Amazon SageMaker Ground Truth](security-iam-awsmanpol-ground-truth.md)
+ [AWS managed policies for Amazon SageMaker HyperPod](security-iam-awsmanpol-hyperpod.md)
+ [AWS managed policies for SageMaker AI model governance](security-iam-awsmanpol-governance.md)
+ [AWS managed policies for the Model Registry](security-iam-awsmanpol-model-registry.md)
+ [AWS managed policies for SageMaker notebooks](security-iam-awsmanpol-notebooks.md)
+ [AWS managed policies for Amazon SageMaker partner AI apps](security-iam-awsmanpol-partner-apps.md)
+ [AWS managed policies for SageMaker Pipelines](security-iam-awsmanpol-pipelines.md)
+ [AWS managed policies for SageMaker training plans](security-iam-awsmanpol-training-plan.md)
+ [AWS managed policies for SageMaker projects and JumpStart](security-iam-awsmanpol-sc.md)
+ [SageMaker AI updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: AmazonSageMakerFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerFullAccess"></a>

This policy grants administrative permissions that give the principal full access to all Amazon SageMaker AI and SageMaker AI geospatial resources and operations. It also provides selected access to related services. The policy allows passing any IAM role to Amazon SageMaker AI, but only roles whose name contains "AmazonSageMaker" to AWS Glue, AWS Step Functions, and AWS RoboMaker. In practice, a principal with this policy can start SageMaker AI jobs under any role in the account whose trust policy allows `sagemaker.amazonaws.com`, so keep that set of roles small and scoped. The policy does not include permissions to create an Amazon SageMaker AI domain. For the policies required to create a domain, see [Complete Amazon SageMaker AI prerequisites](gs-set-up.md).

**Permissions details**

This policy includes the following permissions.
+ `application-autoscaling` – Allows the principal to auto scale SageMaker AI real-time inference endpoints.
+ `athena` – Allows the principal to query the list of data catalogs, databases, and table metadata from Amazon Athena.
+ `aws-marketplace` – Allows the principal to view AWS AI Marketplace subscriptions. This is required if you want to access SageMaker AI software subscribed to in AWS Marketplace.
+ `cloudformation` – Allows the principal to get the AWS CloudFormation templates used by SageMaker AI JumpStart solutions and Pipelines. SageMaker AI JumpStart creates the resources needed to run end-to-end machine learning solutions that combine SageMaker AI with other AWS services. SageMaker AI Pipelines creates new projects backed by Service Catalog.
+ `cloudwatch` – Allows the principal to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.
+ `codebuild` – Allows the principal to store AWS CodeBuild artifacts for SageMaker AI Pipelines and projects.
+ `codecommit` – Required for AWS CodeCommit integration with SageMaker AI notebook instances.
+ `cognito-idp` – Required by Amazon SageMaker Ground Truth to define your private workforce and work teams.
+ `ec2` – Required so that SageMaker AI can manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for SageMaker AI jobs, models, endpoints, and notebook instances.
+ `ecr` – Required to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. Also required when you bring your own container to SageMaker AI. The additional permissions are required for SageMaker AI JumpStart solutions to create and remove custom images on behalf of users.
+ `elasticfilesystem` – Allows the principal to access Amazon Elastic File System. Required so that SageMaker AI can train machine learning models with data sources in Amazon Elastic File System.
+ `fsx` – Allows the principal to access Amazon FSx. Required so that SageMaker AI can train machine learning models with data sources in Amazon FSx.
+ `glue` – Required for preprocessing in inference pipelines from within a SageMaker AI notebook instance.
+ `groundtruthlabeling` – Used for Ground Truth labeling jobs. The `groundtruthlabeling` endpoint is accessed by the Ground Truth console.
+ `iam` – Required to give the SageMaker AI console access to the available IAM roles, to create service-linked roles, and for the `iam:PassRole` grants described above.
+ `kms` – Required for the SageMaker AI console to access the available AWS KMS keys and to retrieve them for any alias specified in jobs and endpoints.
+ `lambda` – Allows the principal to list AWS Lambda functions and to invoke functions whose name contains "SageMaker" (in the listed spellings) or "LabelingFunction".
+ `logs` – Required so that SageMaker AI jobs and endpoints can publish log streams.
+ `redshift` – Allows the principal to get Amazon Redshift cluster credentials for database users whose name starts with `sagemaker_access`.
+ `redshift-data` – Allows the principal to execute, describe, and cancel statements, get statement results, and list schemas and tables with data from Amazon Redshift.
+ `robomaker` – Allows the principal full access to create, describe, and delete AWS RoboMaker simulation applications and jobs. Also required to run the reinforcement learning examples on notebook instances.
+ `s3, s3express` – Allows the principal access to Amazon S3 and Amazon S3 Express resources related to SageMaker AI, but not to all of Amazon S3 or Amazon S3 Express. Object reads, writes, and deletes are limited to buckets whose name contains "SageMaker", "Sagemaker", "sagemaker", or "aws-glue" (ARN matching is case-sensitive, which is why three spellings are listed), plus `s3:GetObject` on any object tagged `SageMaker=true` or `servicecatalog:provisioning=true`. Bucket creation, bucket listing, and `s3:ListAllMyBuckets` are allowed on any bucket.
+ `sagemaker` – Allows the principal to list tags on SageMaker AI user profiles and to add tags to SageMaker AI apps and spaces. Only allows access to SageMaker AI flow definitions whose `sagemaker:WorkteamType` is "private-crowd" or "vendor-crowd". Allows using and describing SageMaker AI training plans and reserved capacity in SageMaker training jobs and SageMaker HyperPod clusters in all AWS Regions where the training plan feature is available.
+ `sagemaker` and `sagemaker-geospatial` – Allows the principal read-only access to SageMaker AI domains and user profiles.
+ `secretsmanager` – Allows the principal to list secrets, and to create, describe, and retrieve secrets whose name starts with `AmazonSageMaker-` or that carry the tag `SageMaker=true`. The principal can use these to securely store and retrieve credentials for databases and other services. Also required for SageMaker AI notebook instances that use a SageMaker AI code repository backed by GitHub.
+ `servicecatalog` – Allows the principal to use Service Catalog: to list, create, update, or terminate provisioned products such as servers, databases, websites, or applications deployed with AWS resources. Required for SageMaker AI JumpStart and projects to find and read Service Catalog products and launch AWS resources in the user's account.
+ `sns` – Allows the principal to list Amazon SNS topics and to create, subscribe to, and publish to topics whose name contains "SageMaker". Endpoints with asynchronous inference enabled need this to notify users that their inference has completed.
+ `states` – Required for SageMaker AI JumpStart and Pipelines to create Step Functions resources through Service Catalog.
+ `tag` – Required for SageMaker AI Pipelines to render in Studio Classic. Studio Classic requires resources tagged with the specific `sagemaker:project-id` tag key, which needs the `tag:GetResources` permission.

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:*",
        "sagemaker-geospatial:*"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:partner-app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*",
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:space/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:app/*"
      ]
    },
    {
      "Sid": "AllowUseOfTrainingPlanResources",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateCluster",
        "sagemaker:UpdateCluster",
        "sagemaker:DescribeTrainingPlan"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces",
        "sagemaker:DescribeApp",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private",
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private"
          ]
        }
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": [
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": [
            "private-crowd",
            "vendor-crowd"
          ]
        }
      }
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/*sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ProvisionProduct"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "robomaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": [
        "glue:CreateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": [
        "glue:DeleteTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:user-profile/*"
      ]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:ListAllMyDirectoryBuckets"
      ],
      "Resource": "*"
    }
  ]
}
```
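
The two points in the document above that matter most in practice are the `iam:PassRole` grants (any role in the account can be passed to `sagemaker.amazonaws.com`) and the name-based Amazon S3 scoping, together with the earlier advice to write a narrower policy of your own rather than rely on the managed one. The following Python is an added example, not code from AWS or this documentation: it audits both points against an excerpt of the policy shown above, and shows how a customer managed policy with an explicit Deny, attached alongside the managed policy, narrows `iam:PassRole` to an allow-list. The account ID, role names, and bucket names are assumptions; the evaluator models only Allow/Deny with `StringEquals` conditions and is a local sanity check, not a replacement for the IAM policy simulator.

```python
"""Offline checks on an IAM policy document, plus a deny guard for iam:PassRole.

Added example, not AWS code. FULL_ACCESS_EXCERPT copies three statements
(with their Sids) from the AmazonSageMakerFullAccess document on this page;
the account ID, role names and bucket names used with it are made up.
"""
import re

# Excerpt of AmazonSageMakerFullAccess, trimmed to the statements used here.
FULL_ACCESS_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3ObjectActions", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:AbortMultipartUpload"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
        {"Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "glue.amazonaws.com", "robomaker.amazonaws.com",
             "states.amazonaws.com"]}}},
        {"Sid": "AllowPassRoleToSageMaker", "Effect": "Allow",
         "Action": ["iam:PassRole"], "Resource": "arn:aws:iam::*:role/*",
         "Condition": {"StringEquals": {
             "iam:PassedToService": "sagemaker.amazonaws.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value):
    """IAM wildcard match for Action/Resource: '*' spans any run of characters,
    '?' one character; the comparison is case-sensitive, as it is for ARNs."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def passrole_grants(doc):
    """Every Allow of iam:PassRole in the document: which role ARN patterns,
    and to which services (StringEquals on iam:PassedToService, else '*')."""
    grants = []
    for st in doc["Statement"]:
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(
                iam_match(a, "iam:PassRole") for a in actions):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        grants.append({"sid": st.get("Sid"),
                       "roles": _as_list(st["Resource"]),
                       "services": _as_list(cond.get("iam:PassedToService", "*"))})
    return grants


def deny_guard_for_passrole(allowed_role_arns):
    """A customer managed policy to attach next to the AWS managed one. An
    explicit Deny wins over every Allow, so this narrows iam:PassRole to the
    allow-list without editing the managed policy (which is not possible)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyPassRoleOutsideAllowList", "Effect": "Deny",
        "Action": "iam:PassRole", "NotResource": list(allowed_role_arns)}]}


def _statement_applies(st, action, resource, context):
    """True when the statement matches action, resource and context keys."""
    if not any(iam_match(a, action) for a in _as_list(st.get("Action", []))):
        return False
    if "Resource" in st and not any(
            iam_match(r, resource) for r in _as_list(st["Resource"])):
        return False
    if "NotResource" in st and any(
            iam_match(r, resource) for r in _as_list(st["NotResource"])):
        return False
    cond = st.get("Condition", {})
    if set(cond) - {"StringEquals"}:
        raise NotImplementedError("only StringEquals conditions are modelled")
    return all(context.get(k) in _as_list(v)
               for k, v in cond.get("StringEquals", {}).items())


def evaluate(policy_docs, action, resource, context=None):
    """Simplified identity-policy evaluation: an explicit Deny in any document
    beats every Allow; no matching statement is an implicit deny."""
    context = context or {}
    decision = "deny"
    for doc in policy_docs:
        for st in doc["Statement"]:
            if not _statement_applies(st, action, resource, context):
                continue
            if st["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision
```

To check the live policy rather than the excerpt, fetch the default version with `aws iam get-policy-version` and pass its `Document` to `passrole_grants`. The deny guard is the usual way to keep the managed policy (so AWS can keep extending it) while still enforcing least privilege on the one action that lets a principal acquire another role's permissions.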

------

## AWS managed policy: AmazonSageMakerReadOnly
<a name="security-iam-awsmanpol-AmazonSageMakerReadOnly"></a>

This policy grants read-only access to Amazon SageMaker AI through the AWS Management Console and SDKs. Note that read-only includes `sagemaker:GetRecord` and `sagemaker:BatchGetRecord`, which return Feature Store record data rather than only metadata.

**Permissions details**

This policy includes the following permissions.
+ `application-autoscaling` – Allows the user to browse descriptions of scalable SageMaker AI real-time inference endpoints.
+ `aws-marketplace` – Allows the user to view AWS AI Marketplace subscriptions.
+ `cloudwatch` – Allows the user to describe CloudWatch alarms.
+ `cognito-idp` – Required by Amazon SageMaker Ground Truth to browse descriptions and lists of your private workforce and work teams.
+ `ecr` – Used to describe the Docker artifacts used for training and inference.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:Describe*",
                "sagemaker:List*",
                "sagemaker:BatchGetMetrics",
                "sagemaker:GetDeviceRegistration",
                "sagemaker:GetDeviceFleetReport",
                "sagemaker:GetSearchSuggestions",
                "sagemaker:BatchGetRecord",
                "sagemaker:GetRecord",
                "sagemaker:Search",
                "sagemaker:QueryLineage",
                "sagemaker:GetLineageGroupPolicy",
                "sagemaker:BatchDescribeModelPackage",
                "sagemaker:GetModelPackageGroupPolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "aws-marketplace:ViewSubscriptions",
                "cloudwatch:DescribeAlarms",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:ListGroups",
                "cognito-idp:ListIdentityProviders",
                "cognito-idp:ListUserPoolClients",
                "cognito-idp:ListUserPools",
                "cognito-idp:ListUsers",
                "cognito-idp:ListUsersInGroup",
                "ecr:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# AWS managed policies for Amazon SageMaker Canvas
<a name="security-iam-awsmanpol-canvas"></a>

These AWS managed policies add the permissions required to use Amazon SageMaker Canvas. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerCanvasFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess)
+ [AWS managed policy: AmazonSageMakerCanvasDataPrepFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess)
+ [AWS managed policy: AmazonSageMakerCanvasDirectDeployAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess)
+ [AWS managed policy: AmazonSageMakerCanvasAIServicesAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess)
+ [AWS managed policy: AmazonSageMakerCanvasBedrockAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess)
+ [AWS managed policy: AmazonSageMakerCanvasForecastAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess)
+ [AWS managed policy: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy](#security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy)
+ [AWS managed policy: AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess)
+ [Amazon SageMaker AI updates to Amazon SageMaker Canvas managed policies](#security-iam-awsmanpol-canvas-updates)

## AWS managed policy: AmazonSageMakerCanvasFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess"></a>

This policy grants permissions for full access to Amazon SageMaker Canvas through the AWS Management Console and SDKs. It also provides selected access to related services (for example, Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Container Registry (Amazon ECR), Amazon CloudWatch Logs, Amazon Redshift, AWS Secrets Manager, Amazon SageMaker Autopilot, SageMaker Model Registry, and Amazon Forecast).

This policy is intended to help customers try out and get started with all SageMaker Canvas features. For finer-grained control, we recommend that customers create their own scoped-down version when moving to production workloads. For more information, see [IAM policy types: How and when to use them](https://aws.amazon.com/blogs/security/iam-policy-types-how-and-when-to-use-them/).

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Allows the principal to create and host SageMaker AI models on resources whose ARN contains "Canvas", "canvas", or "model-compilation-". In addition, the user can register their SageMaker Canvas models in the SageMaker AI Model Registry of the same AWS account. Also allows the principal to create and manage SageMaker AI training, transform, and AutoML jobs.
+ `application-autoscaling` – Allows the principal to auto scale SageMaker AI inference endpoints.
+ `athena` – Allows the principal to query the list of data catalogs, databases, and table metadata from Amazon Athena, and to access the tables in the catalog.
+ `cloudwatch` – Allows the principal to create and manage Amazon CloudWatch alarms.
+ `ec2` – Allows the principal to create Amazon VPC endpoints.
+ `ecr` – Allows the principal to get information about container images.
+ `emr-serverless` – Allows the principal to create and manage Amazon EMR Serverless applications and job runs. Also allows the principal to tag SageMaker Canvas resources.
+ `forecast` – Allows the principal to use Amazon Forecast.
+ `glue` – Allows the principal to retrieve tables, databases, and partitions from the AWS Glue catalog.
+ `iam` – Allows the principal to pass IAM roles to Amazon SageMaker AI, Amazon Forecast, and Amazon EMR Serverless. Also allows the principal to create service-linked roles.
+ `kms` – Allows the principal to read AWS KMS keys tagged with `Source:SageMakerCanvas`.
+ `logs` – Allows the principal to publish logs from training jobs and endpoints.
+ `quicksight` – Allows the principal to list namespaces in the Amazon QuickSight account.
+ `rds` – Allows the principal to return information about provisioned Amazon RDS instances.
+ `redshift` – Allows the principal to get credentials for database users whose name starts with `sagemaker_access` on any Amazon Redshift cluster, if such a user exists.
+ `redshift-data` – Allows the principal to run queries on Amazon Redshift using the Amazon Redshift Data API. This only grants access to the Redshift Data API itself, not direct access to the Amazon Redshift cluster. For more information, see [Using the Amazon Redshift Data API](https://docs.aws.amazon.com/redshift/latest/mgmt/data-api.html).
+ `s3` – Allows the principal to add and retrieve objects in Amazon S3 buckets. These are limited to buckets whose name includes "SageMaker", "Sagemaker", or "sagemaker". It also allows the principal to retrieve objects from Amazon S3 buckets in specific Regions whose ARN begins with "jumpstart-cache-prod-".
+ `secretsmanager` – Allows the principal to store customer credentials in Secrets Manager for connecting to Snowflake databases.


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerUserDetailsAndPackageOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeDomain",
                "sagemaker:DescribeUserProfile",
                "sagemaker:ListTags",
                "sagemaker:ListModelPackages",
                "sagemaker:ListModelPackageGroups",
                "sagemaker:ListEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SageMakerPackageGroupOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateModelPackageGroup",
                "sagemaker:CreateModelPackage",
                "sagemaker:DescribeModelPackageGroup",
                "sagemaker:DescribeModelPackage"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model-package/*",
                "arn:aws:sagemaker:*:*:model-package-group/*"
            ]
        },
        {
            "Sid": "SageMakerTrainingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateCompilationJob",
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateModel",
                "sagemaker:CreateProcessingJob",
                "sagemaker:CreateAutoMLJob",
                "sagemaker:CreateAutoMLJobV2",
                "sagemaker:CreateTrainingJob",
                "sagemaker:CreateTransformJob",
                "sagemaker:DeleteEndpoint",
                "sagemaker:DescribeCompilationJob",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:DescribeModel",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:DescribeAutoMLJob",
                "sagemaker:DescribeAutoMLJobV2",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:DescribeTransformJob",
                "sagemaker:ListCandidatesForAutoMLJob",
                "sagemaker:StopAutoMLJob",
                "sagemaker:StopTrainingJob",
                "sagemaker:StopTransformJob",
                "sagemaker:AddTags",
                "sagemaker:DeleteApp"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:*Canvas*",
                "arn:aws:sagemaker:*:*:*canvas*",
                "arn:aws:sagemaker:*:*:*model-compilation-*"
            ]
        },
        {
            "Sid": "SageMakerHostingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DeleteEndpointConfig",
                "sagemaker:DeleteModel",
                "sagemaker:InvokeEndpoint",
                "sagemaker:UpdateEndpointWeightsAndCapacities",
                "sagemaker:InvokeEndpointAsync"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:*Canvas*",
                "arn:aws:sagemaker:*:*:*canvas*"
            ]
        },
        {
            "Sid": "EC2VPCOperation",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ECROperations",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMGetOperations",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Sid": "IAMPassOperation",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "sagemaker.amazonaws.com"
                }
            }
        },
        {
            "Sid": "LoggingOperation",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
        },
        {
            "Sid": "S3Operations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:CreateBucket",
                "s3:GetBucketCors",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Sid": "ReadSageMakerJumpstartArtifacts",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*",
                "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*"
            ]
        },
        {
            "Sid": "S3ListOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GlueOperations",
            "Effect": "Allow",
            "Action": "glue:SearchTables",
            "Resource": [
                "arn:aws:glue:*:*:table/*/*",
                "arn:aws:glue:*:*:database/*",
                "arn:aws:glue:*:*:catalog"
            ]
        },
        {
            "Sid": "SecretsManagerARNBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutResourcePolicy"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
            ]
        },
        {
            "Sid": "SecretManagerTagBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "secretsmanager:ResourceTag/SageMaker": "true"
                }
            }
        },
        {
            "Sid": "RedshiftOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:ExecuteStatement",
                "redshift-data:DescribeStatement",
                "redshift-data:CancelStatement",
                "redshift-data:GetStatementResult",
                "redshift-data:ListSchemas",
                "redshift-data:ListTables",
                "redshift-data:DescribeTable"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RedshiftGetCredentialsOperation",
            "Effect": "Allow",
            "Action": [
                "redshift:GetClusterCredentials"
            ],
            "Resource": [
                "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
                "arn:aws:redshift:*:*:dbname:*"
            ]
        },
        {
            "Sid": "ForecastOperations",
            "Effect": "Allow",
            "Action": [
                "forecast:CreateExplainabilityExport",
                "forecast:CreateExplainability",
                "forecast:CreateForecastEndpoint",
                "forecast:CreateAutoPredictor",
                "forecast:CreateDatasetImportJob",
                "forecast:CreateDatasetGroup",
                "forecast:CreateDataset",
                "forecast:CreateForecast",
                "forecast:CreateForecastExportJob",
                "forecast:CreatePredictorBacktestExportJob",
                "forecast:CreatePredictor",
                "forecast:DescribeExplainabilityExport",
                "forecast:DescribeExplainability",
                "forecast:DescribeAutoPredictor",
                "forecast:DescribeForecastEndpoint",
                "forecast:DescribeDatasetImportJob",
                "forecast:DescribeDataset",
                "forecast:DescribeForecast",
                "forecast:DescribeForecastExportJob",
                "forecast:DescribePredictorBacktestExportJob",
                "forecast:GetAccuracyMetrics",
                "forecast:InvokeForecastEndpoint",
                "forecast:GetRecentForecastContext",
                "forecast:DescribePredictor",
                "forecast:TagResource",
                "forecast:DeleteResourceTree"
            ],
            "Resource": [
                "arn:aws:forecast:*:*:*Canvas*"
            ]
        },
        {
            "Sid": "RDSOperation",
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassOperationForForecast",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "forecast.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AutoscalingOperations",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget"
            ],
            "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*",
            "Condition": {
                "StringEquals": {
                    "application-autoscaling:service-namespace": "sagemaker",
                    "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount"
                }
            }
        },
        {
            "Sid": "AsyncEndpointOperations",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarms",
                "sagemaker:DescribeEndpointConfig"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DescribeScalingOperations",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "SageMakerCloudWatchUpdate",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:*:alarm:TargetTracking*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "application-autoscaling.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AutoscalingSageMakerEndpointOperation",
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AthenaOperation",
            "Action": [
                "athena:ListTableMetadata",
                "athena:ListDataCatalogs",
                "athena:ListDatabases"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "GlueOperation",
            "Action": [
                "glue:GetDatabases",
                "glue:GetPartitions",
                "glue:GetTables"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:glue:*:*:table/*",
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "QuicksightOperation",
            "Action": [
                "quicksight:ListNamespaces"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AllowUseOfKeyInAccount",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Source": "SageMakerCanvas",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessCreateApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:CreateApplication",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListApplications",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessApplicationOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:UpdateApplication",
                "emr-serverless:StopApplication",
                "emr-serverless:GetApplication",
                "emr-serverless:StartApplication"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessStartJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:StartJobRun",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListJobRuns",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessJobRunOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:GetJobRun",
                "emr-serverless:CancelJobRun"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessTagResourceOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:TagResource",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "IAMPassOperationForEMRServerless",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
                "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "emr-serverless.amazonaws.com",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```
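The page's introduction notes that AWS adds permissions to its managed policies over time, so the document above can lag the version actually attached in your account. The block below is an added example, not AWS tooling, that diffs two policy documents statement by statement, keyed on `Sid`, and reports added or removed actions and resources and any change to a `Condition`. `DOCUMENTED` holds the `S3Operations` and `IAMPassOperation` statements copied from the policy above; `LIVE_EXAMPLE` is a constructed variant with one added action and one dropped condition, standing in for the document you would fetch with the IAM `GetPolicy` (for the `DefaultVersionId`) and `GetPolicyVersion` APIs.

```python
"""Report drift between a documented managed-policy version and a live one.

Added example for this page, not AWS tooling. Statements are matched on Sid;
for each pair the Action and Resource sets and the Condition block are compared.
DOCUMENTED copies two statements from the policy above. LIVE_EXAMPLE is a
constructed stand-in for the document returned by the IAM GetPolicyVersion API:
it carries one extra action and drops one condition so the report is not empty.
"""
from typing import Dict, List


def _as_set(value) -> set:
    # Policy fields may be a single string or a list of strings.
    return set(value) if isinstance(value, list) else {value}


def _by_sid(policy: dict) -> Dict[str, dict]:
    # Every statement on this page has a Sid; number any that do not so that
    # nothing is silently skipped.
    return {st.get("Sid", f"statement-{i}"): st
            for i, st in enumerate(policy["Statement"])}


def diff_policies(documented: dict, live: dict) -> List[str]:
    """Return one line per difference; an empty list means the documents agree."""
    findings: List[str] = []
    doc, cur = _by_sid(documented), _by_sid(live)
    for sid in sorted(set(doc) | set(cur)):
        if sid not in cur:
            findings.append(f"{sid}: statement missing from live policy")
            continue
        if sid not in doc:
            findings.append(f"{sid}: statement not in documented policy")
            continue
        d, c = doc[sid], cur[sid]
        if d.get("Effect") != c.get("Effect"):
            findings.append(f"{sid}: Effect changed {d.get('Effect')} -> {c.get('Effect')}")
        for field in ("Action", "Resource"):
            added = sorted(_as_set(c.get(field, [])) - _as_set(d.get(field, [])))
            removed = sorted(_as_set(d.get(field, [])) - _as_set(c.get(field, [])))
            if added:
                findings.append(f"{sid}: {field} added {added}")
            if removed:
                findings.append(f"{sid}: {field} removed {removed}")
        # A dropped or loosened Condition widens the grant even when Action and
        # Resource are unchanged, so any change is reported.
        if d.get("Condition") != c.get("Condition"):
            findings.append(f"{sid}: Condition changed {d.get('Condition')} -> {c.get('Condition')}")
    return findings


# Two statements copied from the policy above.
DOCUMENTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Operations", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*"]},
        {"Sid": "IAMPassOperation", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    ],
}

# Constructed for illustration: NOT a real later version of the policy.
LIVE_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Operations", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation",
                    "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*"]},
        {"Sid": "IAMPassOperation", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*"},
    ],
}


def report() -> List[str]:
    return diff_policies(DOCUMENTED, LIVE_EXAMPLE)


if __name__ == "__main__":
    for line in report() or ["no drift"]:
        print(line)
```

Run it against every managed policy you attach, on a schedule, and treat a changed or missing `Condition` as a widened grant even when the action list is unchanged.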

## AWS managed policy: AmazonSageMakerCanvasDataPrepFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess"></a>

This policy grants permissions that allow full access to the data preparation features of Amazon SageMaker Canvas. It also grants the minimum permissions needed for the services integrated with data preparation (Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon EMR, Amazon EventBridge, Amazon Redshift, AWS Key Management Service (AWS KMS) and AWS Secrets Manager).

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Allows principals to list, create and describe feature groups, to list processing jobs, and to create, describe and tag processing jobs and to create, update, delete, start and describe SageMaker Pipelines; the job and pipeline operations apply only to names that contain `canvas-data-prep`.
+ `athena` – Allows principals to list data catalogs, databases and table metadata in Amazon Athena, and to start, stop and read query executions in Athena workgroups.
+ `elasticmapreduce` – Allows principals to list Amazon EMR clusters and to describe clusters and their instance groups.
+ `emr-serverless` – Allows principals to create, list, update and get Amazon EMR Serverless applications and to start, list, get and cancel job runs, provided the resources are in the principal's own account and are tagged `sagemaker:is-canvas-resource=True` (on creation, the tag must be supplied in the request). Also allows principals to apply that tag.
+ `events` – Allows principals to create Amazon EventBridge rules that are tagged `sagemaker:is-canvas-data-prep-job=true`, and to describe, tag and add targets to rules carrying that tag, which is how data preparation jobs are scheduled. Also allows listing the tags on any EventBridge resource.
+ `glue` – Allows principals to get databases and tables and to search tables in the AWS Glue Data Catalog.
+ `iam` – Allows principals to list and read IAM roles, to pass any role to Amazon SageMaker AI and Amazon EventBridge, and to pass only roles named `AmazonSageMakerCanvasEMRSExecutionAccess-*` to Amazon EMR Serverless.
+ `kms` – Allows principals to list AWS KMS key aliases and describe AWS KMS keys.
+ `logs` – Allows principals to create log groups and log streams and publish log events under `/aws/sagemaker/studio`.
+ `redshift` – Allows principals to obtain temporary database credentials for users whose name starts with `sagemaker_access` on Amazon Redshift clusters.
+ `redshift-data` – Allows principals to run, cancel, describe and fetch the results of statements through the Amazon Redshift Data API, and to list schemas and tables.
+ `s3` – Allows principals to add, retrieve and delete objects (and abort multipart uploads) in the principal's own account wherever the bucket name or object key contains "SageMaker", "Sagemaker" or "sagemaker", and to retrieve any object in the principal's own account that carries a `SageMaker` tag whose value is `true` in any letter case. Also allows listing all buckets.
+ `secretsmanager` – Allows principals to create secrets named `AmazonSageMaker-*`, and to describe and read such secrets when they are tagged `SageMaker=true` and belong to the principal's own account, for storing customer database credentials.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerListFeatureGroupOperation",
            "Effect": "Allow",
            "Action": "sagemaker:ListFeatureGroups",
            "Resource": "*"
        },
        {
            "Sid": "SageMakerFeatureGroupOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateFeatureGroup",
                "sagemaker:DescribeFeatureGroup"
            ],
            "Resource": "arn:aws:sagemaker:*:*:feature-group/*"
        },
        {
            "Sid": "SageMakerProcessingJobOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateProcessingJob",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:AddTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
        },
        {
            "Sid": "SageMakerProcessingJobListOperation",
            "Effect": "Allow",
            "Action": "sagemaker:ListProcessingJobs",
            "Resource": "*"
        },
        {
            "Sid": "SageMakerPipelineOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribePipeline",
                "sagemaker:CreatePipeline",
                "sagemaker:UpdatePipeline",
                "sagemaker:DeletePipeline",
                "sagemaker:StartPipelineExecution",
                "sagemaker:ListPipelineExecutionSteps",
                "sagemaker:DescribePipelineExecution"
            ],
            "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
        },
        {
            "Sid": "KMSListOperations",
            "Effect": "Allow",
            "Action": "kms:ListAliases",
            "Resource": "*"
        },
        {
            "Sid": "KMSOperations",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "arn:aws:kms:*:*:key/*"
        },
        {
            "Sid": "S3Operations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketCors",
                "s3:GetBucketLocation",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3GetObjectOperation",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                },
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3ListOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListOperations",
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        },
        {
            "Sid": "IAMGetOperations",
            "Effect": "Allow",
            "Action": "iam:GetRole",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Sid": "IAMPassOperation",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "sagemaker.amazonaws.com",
                        "events.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "EventBridgePutOperation",
            "Effect": "Allow",
            "Action": [
                "events:PutRule"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeOperations",
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:PutTargets"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeTagBasedOperations",
            "Effect": "Allow",
            "Action": [
                "events:TagResource"
            ],
            "Resource": "arn:aws:events:*:*:rule/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true",
                    "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
                }
            }
        },
        {
            "Sid": "EventBridgeListTagOperation",
            "Effect": "Allow",
            "Action": "events:ListTagsForResource",
            "Resource": "*"
        },
        {
            "Sid": "GlueOperations",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "glue:SearchTables"
            ],
            "Resource": [
                "arn:aws:glue:*:*:table/*",
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*"
            ]
        },
        {
            "Sid": "EMROperations",
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:ListInstanceGroups"
            ],
            "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*"
        },
        {
            "Sid": "EMRListOperation",
            "Effect": "Allow",
            "Action": "elasticmapreduce:ListClusters",
            "Resource": "*"
        },
        {
            "Sid": "AthenaListDataCatalogOperation",
            "Effect": "Allow",
            "Action": "athena:ListDataCatalogs",
            "Resource": "*"
        },
        {
            "Sid": "AthenaQueryExecutionOperations",
            "Effect": "Allow",
            "Action": [
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution"
            ],
            "Resource": "arn:aws:athena:*:*:workgroup/*"
        },
        {
            "Sid": "AthenaDataCatalogOperations",
            "Effect": "Allow",
            "Action": [
                "athena:ListDatabases",
                "athena:ListTableMetadata"
            ],
            "Resource": "arn:aws:athena:*:*:datacatalog/*"
        },
        {
            "Sid": "RedshiftOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:DescribeStatement",
                "redshift-data:CancelStatement",
                "redshift-data:GetStatementResult"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RedshiftArnBasedOperations",
            "Effect": "Allow",
            "Action": [
                "redshift-data:ExecuteStatement",
                "redshift-data:ListSchemas",
                "redshift-data:ListTables"
            ],
            "Resource": "arn:aws:redshift:*:*:cluster:*"
        },
        {
            "Sid": "RedshiftGetCredentialsOperation",
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [
                "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
                "arn:aws:redshift:*:*:dbname:*"
            ]
        },
        {
            "Sid": "SecretsManagerARNBasedOperation",
            "Effect": "Allow",
            "Action": "secretsmanager:CreateSecret",
            "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
        },
        {
            "Sid": "SecretManagerTagBasedOperation",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "RDSOperation",
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "*"
        },
        {
            "Sid": "LoggingOperation",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
        },
        {
            "Sid": "EMRServerlessCreateApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:CreateApplication",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListApplicationOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListApplications",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessApplicationOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:UpdateApplication",
                "emr-serverless:GetApplication"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessStartJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:StartJobRun",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessListJobRunOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:ListJobRuns",
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessJobRunOperations",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:GetJobRun",
                "emr-serverless:CancelJobRun"
            ],
            "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "EMRServerlessTagResourceOperation",
            "Effect": "Allow",
            "Action": "emr-serverless:TagResource",
            "Resource": "arn:aws:emr-serverless:*:*:/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/sagemaker:is-canvas-resource": "True",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "IAMPassOperationForEMRServerless",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
                "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "emr-serverless.amazonaws.com",
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

## AWS managed policy: AmazonSageMakerCanvasDirectDeployAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess"></a>

This policy grants the permissions that Amazon SageMaker Canvas needs to create and manage Amazon SageMaker AI endpoints.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` – Allows principals to create, describe, update, delete, and invoke SageMaker AI endpoints and endpoint configurations whose resource portion of the ARN begins with "Canvas" or "canvas".
+ `cloudwatch` – Allows principals to retrieve Amazon CloudWatch metric data (`cloudwatch:GetMetricData`) on any resource.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "SageMakerEndpointPerms",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:DeleteEndpoint",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:InvokeEndpoint",
                "sagemaker:UpdateEndpoint"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:Canvas*",
                "arn:aws:sagemaker:*:*:canvas*"
            ]
        },
        {
            "Sid": "ReadCWInvocationMetrics",
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonSageMakerCanvasAIServicesAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess"></a>

This policy grants Amazon SageMaker Canvas permissions to use Amazon Textract, Amazon Rekognition, Amazon Comprehend, and Amazon Bedrock.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `textract` – Allows principals to use Amazon Textract to analyze documents, expenses, and identity documents, both synchronously and through asynchronous document and expense analysis jobs.
+ `rekognition` – Allows principals to use Amazon Rekognition to detect labels and text in images.
+ `comprehend` – Allows principals to use Amazon Comprehend to detect sentiment, dominant language, named entities, and personally identifiable information (PII) entities in text.
+ `bedrock` – Allows principals to list and invoke Amazon Bedrock foundation models, and to create, describe, stop, and delete model customization jobs and provisioned model throughput that are tagged `SageMaker=true` and `Canvas=true`.
+ `iam` – Allows principals to pass IAM roles to Amazon Bedrock. The resource is `arn:aws:iam::*:role/*`, so the only restriction is the `iam:PassedToService` condition: any role whose trust policy allows `bedrock.amazonaws.com` can be passed.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "Textract",
            "Effect": "Allow",
            "Action": [
                "textract:AnalyzeDocument",
                "textract:AnalyzeExpense",
                "textract:AnalyzeID",
                "textract:StartDocumentAnalysis",
                "textract:StartExpenseAnalysis",
                "textract:GetDocumentAnalysis",
                "textract:GetExpenseAnalysis"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Rekognition",
            "Effect": "Allow",
            "Action": [
                "rekognition:DetectLabels",
                "rekognition:DetectText"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Comprehend",
            "Effect": "Allow",
            "Action": [
                "comprehend:BatchDetectDominantLanguage",
                "comprehend:BatchDetectEntities",
                "comprehend:BatchDetectSentiment",
                "comprehend:DetectPiiEntities",
                "comprehend:DetectEntities",
                "comprehend:DetectSentiment",
                "comprehend:DetectDominantLanguage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Bedrock",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:ListFoundationModels",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateBedrockResourcesPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelCustomizationJob",
                "bedrock:CreateProvisionedModelThroughput",
                "bedrock:TagResource"
            ],
            "Resource": [
                "arn:aws:bedrock:*:*:model-customization-job/*",
                "arn:aws:bedrock:*:*:custom-model/*",
                "arn:aws:bedrock:*:*:provisioned-model/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "SageMaker",
                        "Canvas"
                    ]
                },
                "StringEquals": {
                    "aws:RequestTag/SageMaker": "true",
                    "aws:RequestTag/Canvas": "true",
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceTag/Canvas": "true"
                }
            }
        },
        {
            "Sid": "GetStopAndDeleteBedrockResourcesPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:GetModelCustomizationJob",
                "bedrock:GetCustomModel",
                "bedrock:GetProvisionedModelThroughput",
                "bedrock:StopModelCustomizationJob",
                "bedrock:DeleteProvisionedModelThroughput"
            ],
            "Resource": [
                "arn:aws:bedrock:*:*:model-customization-job/*",
                "arn:aws:bedrock:*:*:custom-model/*",
                "arn:aws:bedrock:*:*:provisioned-model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/SageMaker": "true",
                    "aws:ResourceTag/Canvas": "true"
                }
            }
        },
        {
            "Sid": "FoundationModelPermission",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelCustomizationJob"
            ],
            "Resource": [
                "arn:aws:bedrock:*::foundation-model/*"
            ]
        },
        {
            "Sid": "BedrockFineTuningPassRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "bedrock.amazonaws.com"
                }
            }
        }
    ]
}
```

------

## AWS managed policy: AmazonSageMakerCanvasBedrockAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess"></a>

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Bedrock.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to add and retrieve objects under the `Canvas/` prefix of Amazon S3 buckets whose names begin with `sagemaker-`, and to list those buckets.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "S3CanvasAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*/Canvas",
                "arn:aws:s3:::sagemaker-*/Canvas/*"
            ]
        },
        {
            "Sid": "S3BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*"
            ]
        }
    ]
}
```

------

## AWS managed policy: AmazonSageMakerCanvasForecastAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess"></a>

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Forecast.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to add and retrieve objects whose ARN matches `arn:aws:s3:::sagemaker-*/Canvas` or `arn:aws:s3:::sagemaker-*/canvas` (note that, unlike the Bedrock policy above, there is no `/*` suffix), and to list buckets whose names begin with `sagemaker-`.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*/Canvas",
                "arn:aws:s3:::sagemaker-*/canvas"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-*"
            ]
        }
    ]
}
```

------

## AWS managed policy: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy"></a>

This policy grants Amazon EMR Serverless permissions to the AWS services, such as Amazon S3, that Amazon SageMaker Canvas uses for large-scale data processing.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to add, retrieve, and delete objects, abort multipart uploads, and read bucket location and CORS configuration where the S3 ARN contains "SageMaker" or "sagemaker" (ARN patterns are case-sensitive, so only those two spellings match); to retrieve any object tagged `SageMaker` with the value `true` (the tag value is compared case-insensitively); and to list all buckets and their contents. Every statement is conditioned on `aws:ResourceAccount` equalling the caller's account, so nothing is granted on other accounts' buckets.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "S3Operations",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketCors",
                "s3:GetBucketLocation",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3GetObjectOperation",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                },
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "S3ListOperations",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

------
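The difference between the ARN patterns and the tag condition in this policy is easy to misread, so here is a small evaluator, added for this page and not part of the AWS documentation or any AWS tool, that applies the policy's two S3 object statements (the `S3ListOperations` statement is left out) to sample requests using documented IAM matching rules: `*` in a resource ARN matches any run of characters, `/` included; action names compare case-insensitively but resource ARNs compare case-sensitively; `StringEqualsIgnoreCase` ignores case; `${aws:PrincipalAccount}` is a policy variable filled from the request; and a `StringEquals` condition on a key the request does not carry evaluates to false. The request contexts and ARNs are constructed for the example. The same pattern behaviour applies to the `*SageMaker*` resource patterns in the Feature Store, geospatial, and Ground Truth policies later on this page.

```python
"""Evaluate S3 requests against the S3 object statements of
AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy using documented IAM
matching rules. Added example; not AWS code."""
import re

# Excerpt of the policy document above (S3ListOperations omitted).
POLICY_STATEMENTS = [
    {
        "Sid": "S3Operations",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                   "s3:GetBucketCors", "s3:GetBucketLocation",
                   "s3:AbortMultipartUpload"],
        "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*sagemaker*"],
        "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}},
    },
    {
        "Sid": "S3GetObjectOperation",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::*",
        "Condition": {
            "StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"},
            "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"},
        },
    },
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_pattern(pattern, ignore_case=False):
    """Compile an IAM wildcard pattern: '*' matches any characters, '/' included,
    and '?' matches one character. Action names are case-insensitive in IAM;
    resource ARNs are not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def _expand(value, ctx):
    """Substitute policy variables such as ${aws:PrincipalAccount} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def condition_matches(condition, ctx):
    """Every operator/key pair must hold; a key absent from the request fails
    (none of these operators is an ...IfExists variant)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            matched = False
            for want in _as_list(expected):
                want = _expand(want, ctx)
                if operator == "StringEquals":
                    matched = actual == want
                elif operator == "StringEqualsIgnoreCase":
                    matched = actual.lower() == want.lower()
                elif operator == "StringLike":
                    matched = iam_pattern(want).match(actual) is not None
                else:
                    raise ValueError(f"operator {operator} not modelled")
                if matched:
                    break
            if not matched:
                return False
    return True


def is_allowed(action, resource_arn, ctx, statements=POLICY_STATEMENTS):
    """Return the Sid of the first matching Allow statement, or None (implicit deny).
    Explicit Deny is not modelled because this policy contains none."""
    for st in statements:
        if st["Effect"] != "Allow":
            continue
        if not any(iam_pattern(a, ignore_case=True).match(action) for a in _as_list(st["Action"])):
            continue
        if not any(iam_pattern(r).match(resource_arn) for r in _as_list(st["Resource"])):
            continue
        if condition_matches(st.get("Condition"), ctx):
            return st["Sid"]
    return None


def request_context(resource_account, principal_account, object_tags=None):
    """Constructed request context: the two account keys plus s3:ExistingObjectTag/* entries."""
    ctx = {"aws:ResourceAccount": resource_account, "aws:PrincipalAccount": principal_account}
    for key, value in (object_tags or {}).items():
        ctx[f"s3:ExistingObjectTag/{key}"] = value
    return ctx


if __name__ == "__main__":
    same = request_context("123456789012", "123456789012")
    cases = [
        ("s3:GetObject", "arn:aws:s3:::sagemaker-us-east-1-123456789012/Canvas/data.csv", same),
        ("s3:PutObject", "arn:aws:s3:::team-data/exports/sagemaker/out.parquet", same),  # key matches, bucket does not
        ("s3:PutObject", "arn:aws:s3:::Sagemaker-data/out.parquet", same),               # spelling not in the policy
        ("s3:GetObject", "arn:aws:s3:::team-data/raw/file.csv",
         request_context("123456789012", "123456789012", {"SageMaker": "TRUE"})),       # tag value, any case
        ("s3:GetObject", "arn:aws:s3:::sagemaker-data/x", request_context("222222222222", "111111111111")),
    ]
    for action, arn, ctx in cases:
        print(f"{action:13} {arn:62} -> {is_allowed(action, arn, ctx)}")
```

The second case is the one to remember: `arn:aws:s3:::*sagemaker*` is not a bucket-name filter. An object key such as `exports/sagemaker/out.parquet` in an unrelated bucket satisfies it, because the wildcard spans the `/` between bucket and key. The third case shows the opposite surprise: a bucket named `Sagemaker-data` matches neither spelling in the policy, while the tag-based statement accepts `TRUE`, `True`, or `true`.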

## AWS managed policy: AmazonSageMakerCanvasSMDataScienceAssistantAccess
<a name="security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess"></a>

This policy grants permissions for users in Amazon SageMaker Canvas to start conversations with Amazon Q Developer. The feature requires permissions for both Amazon Q Developer and the SageMaker AI data science assistant service.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `q` – Allows principals to start conversations with, and send prompts to, Amazon Q Developer.
+ `sagemaker-data-science-assistant` – Allows principals to send prompts to the SageMaker Canvas data science assistant service.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "SageMakerDataScienceAssistantAccess",
            "Effect": "Allow",
            "Action": [
                "sagemaker-data-science-assistant:SendConversation"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AmazonQDeveloperAccess",
            "Effect": "Allow",
            "Action": [
                "q:SendMessage",
                "q:StartConversation"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

------

## Amazon SageMaker AI updates to Amazon SageMaker Canvas managed policies
<a name="security-iam-awsmanpol-canvas-updates"></a>

View details about updates to SageMaker Canvas AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) - Update to an existing policy  | 2 |  Added the `q:StartConversation` permission.  | January 14, 2025 | 
|  [AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) – New policy  | 1 |  Initial policy  | December 4, 2024 | 
|  [AmazonSageMakerCanvasDataPrepFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess) - Update to an existing policy  | 4 |  Added resources to the `IAMPassOperationForEMRServerless` permission.  | August 16, 2024 | 
|  [AmazonSageMakerCanvasFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess) - Update to an existing policy  | 11 |  Added resources to the `IAMPassOperationForEMRServerless` permission.  | August 15, 2024 | 
|  [AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy](#security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy) – New policy  | 1 |  Initial policy  | July 26, 2024 | 
|  AmazonSageMakerCanvasDataPrepFullAccess - Update to an existing policy  | 3 |  Added the `emr-serverless:CreateApplication`, `emr-serverless:ListApplications`, `emr-serverless:UpdateApplication`, `emr-serverless:GetApplication`, `emr-serverless:StartJobRun`, `emr-serverless:ListJobRuns`, `emr-serverless:GetJobRun`, `emr-serverless:CancelJobRun`, and `emr-serverless:TagResource` permissions.  | July 18, 2024 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy | 10 |  Added the `application-autoscaling:DescribeScalingActivities`, `iam:PassRole`, `kms:DescribeKey`, and `quicksight:ListNamespaces` permissions. Added the `sagemaker:CreateTrainingJob`, `sagemaker:CreateTransformJob`, `sagemaker:DescribeTrainingJob`, `sagemaker:DescribeTransformJob`, `sagemaker:StopAutoMLJob`, `sagemaker:StopTrainingJob`, and `sagemaker:StopTransformJob` permissions. Added the `athena:ListTableMetadata`, `athena:ListDataCatalogs`, and `athena:ListDatabases` permissions. Added the `glue:GetDatabases`, `glue:GetPartitions`, and `glue:GetTables` permissions. Added the `emr-serverless:CreateApplication`, `emr-serverless:ListApplications`, `emr-serverless:UpdateApplication`, `emr-serverless:StopApplication`, `emr-serverless:GetApplication`, `emr-serverless:StartApplication`, `emr-serverless:StartJobRun`, `emr-serverless:ListJobRuns`, `emr-serverless:GetJobRun`, `emr-serverless:CancelJobRun`, and `emr-serverless:TagResource` permissions.  | July 9, 2024 | 
|  [AmazonSageMakerCanvasBedrockAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess) – New policy  | 1 |  Initial policy  | February 2, 2024 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy | 9 |  Added the `sagemaker:ListEndpoints` permission.  | January 24, 2024 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy | 8 |  Added the `sagemaker:UpdateEndpointWeightsAndCapacities`, `sagemaker:DescribeEndpointConfig`, `sagemaker:InvokeEndpointAsync`, `athena:ListDataCatalogs`, `athena:GetQueryExecution`, `athena:GetQueryResults`, `athena:StartQueryExecution`, `athena:StopQueryExecution`, `athena:ListDatabases`, `cloudwatch:DescribeAlarms`, `cloudwatch:PutMetricAlarm`, `cloudwatch:DeleteAlarms`, and `iam:CreateServiceLinkedRole` permissions.  | December 8, 2023 | 
|  AmazonSageMakerCanvasDataPrepFullAccess - Update to an existing policy  | 2 |  Minor update to enforce the intent of version 1 of the policy; no permissions were added or removed.  | December 7, 2023 | 
|  [AmazonSageMakerCanvasAIServicesAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess) - Update to an existing policy  | 3 |  Added the `bedrock:InvokeModelWithResponseStream`, `bedrock:GetModelCustomizationJob`, `bedrock:StopModelCustomizationJob`, `bedrock:GetCustomModel`, `bedrock:GetProvisionedModelThroughput`, `bedrock:DeleteProvisionedModelThroughput`, `bedrock:TagResource`, `bedrock:CreateModelCustomizationJob`, `bedrock:CreateProvisionedModelThroughput`, and `iam:PassRole` permissions.  | November 29, 2023 | 
|  AmazonSageMakerCanvasDataPrepFullAccess - New policy  | 1 |  Initial policy  | October 26, 2023 | 
|  [AmazonSageMakerCanvasDirectDeployAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess) – New policy  | 1 |  Initial policy  | October 6, 2023 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy | 7 |  Added the `sagemaker:DeleteEndpointConfig`, `sagemaker:DeleteModel`, and `sagemaker:InvokeEndpoint` permissions. Also added the `s3:GetObject` permission for JumpStart resources in specific Regions.  | September 29, 2023 | 
|  AmazonSageMakerCanvasAIServicesAccess - Update to an existing policy  | 2 |  Added the `bedrock:InvokeModel` and `bedrock:ListFoundationModels` permissions.  | September 29, 2023 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy | 6 |  Added the `rds:DescribeDBInstances` permission.  | August 29, 2023 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy | 5 |  Added the `application-autoscaling:PutScalingPolicy` and `application-autoscaling:RegisterScalableTarget` permissions.  | July 24, 2023 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy | 4 |  Added the `sagemaker:CreateModelPackage`, `sagemaker:CreateModelPackageGroup`, `sagemaker:DescribeModelPackage`, `sagemaker:DescribeModelPackageGroup`, `sagemaker:ListModelPackages`, and `sagemaker:ListModelPackageGroups` permissions.  | May 4, 2023 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy  | 3 |  Added the `sagemaker:CreateAutoMLJobV2`, `sagemaker:DescribeAutoMLJobV2`, and `glue:SearchTables` permissions.  | March 24, 2023 | 
|  AmazonSageMakerCanvasAIServicesAccess - New policy  | 1 |  Initial policy  | March 23, 2023 | 
| AmazonSageMakerCanvasFullAccess - Update to an existing policy | 2 |  Added the `forecast:DeleteResourceTree` permission.  | December 6, 2022 | 
| AmazonSageMakerCanvasFullAccess - New policy | 1 |  Initial policy  | September 8, 2022 | 
|  [AmazonSageMakerCanvasForecastAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) – New policy  | 1 |  Initial policy  | August 24, 2022 | 

# AWS managed policies for Amazon SageMaker Feature Store
<a name="security-iam-awsmanpol-feature-store"></a>

These AWS managed policies add the permissions required to use Feature Store. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerFeatureStoreAccess](#security-iam-awsmanpol-AmazonSageMakerFeatureStoreAccess)
+ [Amazon SageMaker AI updates to Amazon SageMaker Feature Store managed policies](#security-iam-awsmanpol-feature-store-updates)

## AWS managed policy: AmazonSageMakerFeatureStoreAccess
<a name="security-iam-awsmanpol-AmazonSageMakerFeatureStoreAccess"></a>

This policy grants the permissions required to enable the offline store for Amazon SageMaker Feature Store feature groups.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to write objects and object ACLs to, and read the bucket ACL of, offline store Amazon S3 buckets where the S3 ARN contains "SageMaker", "Sagemaker", or "sagemaker". Because an IAM `*` wildcard also matches `/`, these patterns cover both buckets whose names contain the string and objects in any bucket whose key contains it.
+ `s3` – Allows principals to read the existing manifest files kept under the `metadata/` folder of those offline store S3 buckets.
+ `glue` – Allows principals to read and update AWS Glue tables. These permissions are limited to the Glue Data Catalog, the `sagemaker_featurestore` database, and the tables in that database.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetBucketAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*/metadata/*",
                "arn:aws:s3:::*Sagemaker*/metadata/*",
                "arn:aws:s3:::*sagemaker*/metadata/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetTable",
                "glue:UpdateTable"
            ],
            "Resource": [
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/sagemaker_featurestore",
                "arn:aws:glue:*:*:table/sagemaker_featurestore/*"
            ]
        }
    ]
}
```

------

## Amazon SageMaker AI updates to Amazon SageMaker Feature Store managed policies
<a name="security-iam-awsmanpol-feature-store-updates"></a>

View details about updates to Feature Store AWS managed policies since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerFeatureStoreAccess](#security-iam-awsmanpol-AmazonSageMakerFeatureStoreAccess) - Update to an existing policy  | 3 |  Added the `s3:GetObject`, `glue:GetTable`, and `glue:UpdateTable` permissions.  | December 5, 2022 | 
| AmazonSageMakerFeatureStoreAccess - Update to an existing policy | 2 |  Added the `s3:PutObjectAcl` permission.  | February 23, 2021 | 
| AmazonSageMakerFeatureStoreAccess - New policy | 1 |  Initial policy  | December 1, 2020 | 

# AWS managed policies for Amazon SageMaker geospatial
<a name="security-iam-awsmanpol-geospatial"></a>

These AWS managed policies add the permissions required to use SageMaker geospatial. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerGeospatialFullAccess](#security-iam-awsmanpol-AmazonSageMakerGeospatialFullAccess)
+ [AWS managed policy: AmazonSageMakerGeospatialExecutionRole](#security-iam-awsmanpol-AmazonSageMakerGeospatialExecutionRole)
+ [Amazon SageMaker AI updates to Amazon SageMaker geospatial managed policies](#security-iam-awsmanpol-geospatial-updates)

## AWS managed policy: AmazonSageMakerGeospatialFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerGeospatialFullAccess"></a>

This policy grants permissions for full access to Amazon SageMaker geospatial through the AWS Management Console and the SDK.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker-geospatial` – Allows principals full access to all SageMaker geospatial resources (`sagemaker-geospatial:*` on `*`).
+ `iam` – Allows principals to pass IAM roles to SageMaker geospatial. The resource is `arn:aws:iam::*:role/*`, so the only restriction is the `iam:PassedToService` condition: any role whose trust policy allows `sagemaker-geospatial.amazonaws.com` can be passed, including roles with far more access than a geospatial job needs.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sagemaker-geospatial:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "sagemaker-geospatial.amazonaws.com"
           ]
        }
      }
    }
  ]
}
```

------
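Both this policy and the `BedrockFineTuningPassRole` statement in AmazonSageMakerCanvasAIServicesAccess grant `iam:PassRole` on `arn:aws:iam::*:role/*`, scoped only by `iam:PassedToService`, whereas the `IAMPassOperationForEMRServerless` statement earlier on this page names a role prefix and pins `aws:ResourceAccount`. The following audit helper is an added example, not AWS code: it flags PassRole grants that reach every role and shows how to narrow such a statement into the EMR Serverless shape when you write your own customer managed policy. The two statements are copied from this page; the role name pattern `GeospatialExecutionRole-*` used for the narrowed version is hypothetical, and action matching recognises only the literal `iam:PassRole`, `iam:*`, and `*`, not other wildcard spellings.

```python
"""Audit iam:PassRole grants in an IAM policy document and narrow them.
Added example; not AWS code."""
import copy


def _as_list(value):
    return value if isinstance(value, list) else [value]


# Copied from the AmazonSageMakerGeospatialFullAccess document above.
GEOSPATIAL_PASSROLE = {
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": "arn:aws:iam::*:role/*",
    "Condition": {"StringEquals": {"iam:PassedToService": ["sagemaker-geospatial.amazonaws.com"]}},
}

# Copied from the IAMPassOperationForEMRServerless statement earlier on this page.
EMR_SERVERLESS_PASSROLE = {
    "Sid": "IAMPassOperationForEMRServerless",
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
        "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
    ],
    "Condition": {"StringEquals": {
        "iam:PassedToService": "emr-serverless.amazonaws.com",
        "aws:ResourceAccount": "${aws:PrincipalAccount}",
    }},
}

PASSROLE_ACTIONS = ("iam:PassRole", "iam:*", "*")  # simplification: exact spellings only


def passrole_findings(policy):
    """One finding per Allow statement that grants iam:PassRole."""
    findings = []
    for st in policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(a in PASSROLE_ACTIONS for a in actions):
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        resources = _as_list(st["Resource"])
        findings.append({
            "sid": st.get("Sid"),
            # "*" or a pattern ending in ":role/*" lets the principal pass every role
            # the target service is trusted by, whatever that role can do.
            "any_role": any(r == "*" or r.endswith(":role/*") for r in resources),
            "passed_to": _as_list(equals.get("iam:PassedToService", [])),
            "same_account_only": equals.get("aws:ResourceAccount") == "${aws:PrincipalAccount}",
        })
    return findings


def scope_pass_role(statement, role_arn_patterns):
    """Return a copy of `statement` with Resource replaced by explicit role ARN
    patterns and an aws:ResourceAccount condition added, the shape that
    IAMPassOperationForEMRServerless uses. The input statement is not modified."""
    narrowed = copy.deepcopy(statement)
    narrowed["Resource"] = list(role_arn_patterns)
    narrowed.setdefault("Condition", {}).setdefault("StringEquals", {})[
        "aws:ResourceAccount"] = "${aws:PrincipalAccount}"
    return narrowed


if __name__ == "__main__":
    doc = {"Version": "2012-10-17", "Statement": [GEOSPATIAL_PASSROLE, EMR_SERVERLESS_PASSROLE]}
    for finding in passrole_findings(doc):
        print(finding)
    # Hypothetical role name pattern for the narrowed statement.
    print(scope_pass_role(GEOSPATIAL_PASSROLE,
                          ["arn:aws:iam::*:role/service-role/GeospatialExecutionRole-*"]))
```

Treat an `any_role` finding as a prompt to check which roles in the account trust the named service: with `role/*`, every one of them is passable by any principal holding this policy.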

## AWS managed policy: AmazonSageMakerGeospatialExecutionRole
<a name="security-iam-awsmanpol-AmazonSageMakerGeospatialExecutionRole"></a>

This policy grants the permissions commonly needed to use SageMaker geospatial.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `s3` – Allows principals to add and retrieve objects, abort multipart uploads, and list in-progress multipart uploads where the S3 ARN contains "SageMaker", "Sagemaker", or "sagemaker".
+ `sagemaker-geospatial` – Allows principals to read Earth observation jobs through the `GetEarthObservationJob` API and raster data collections through the `GetRasterDataCollection` API.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "s3:AbortMultipartUpload",
          "s3:PutObject",
          "s3:GetObject",
          "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker-geospatial:GetEarthObservationJob",
      "Resource": "arn:aws:sagemaker-geospatial:*:*:earth-observation-job/*"
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker-geospatial:GetRasterDataCollection",
      "Resource": "arn:aws:sagemaker-geospatial:*:*:raster-data-collection/*"
    }
  ]
}
```

------

## Amazon SageMaker AI updates to Amazon SageMaker geospatial managed policies
<a name="security-iam-awsmanpol-geospatial-updates"></a>

View details about updates to SageMaker geospatial AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerGeospatialExecutionRole](#security-iam-awsmanpol-AmazonSageMakerGeospatialExecutionRole) - Update to an existing policy  | 2 |  Added the `sagemaker-geospatial:GetRasterDataCollection` permission.  | May 10, 2023 | 
|  [AmazonSageMakerGeospatialFullAccess](#security-iam-awsmanpol-AmazonSageMakerGeospatialFullAccess) – New policy  | 1 |  Initial policy  | November 30, 2022 | 
| AmazonSageMakerGeospatialExecutionRole - New policy | 1 |  Initial policy  | November 30, 2022 | 

# AWS managed policies for Amazon SageMaker Ground Truth
<a name="security-iam-awsmanpol-ground-truth"></a>

These AWS managed policies add the permissions required to use SageMaker AI Ground Truth. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution)
+ [Amazon SageMaker AI updates to SageMaker AI Ground Truth managed policies](#security-iam-awsmanpol-groundtruth-updates)

## AWS managed policy: AmazonSageMakerGroundTruthExecution
<a name="security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution"></a>

This AWS managed policy grants the permissions required to use SageMaker AI Ground Truth.

**Permissions details**

This policy includes the following permissions.
+ `lambda` – Allows principals to invoke Lambda functions whose names contain "GtRecipe", "LabelingFunction", or "SageMaker" in any of the spellings SageMaker, Sagemaker, or sagemaker.
+ `s3` – Allows principals to add and retrieve objects and abort multipart uploads where the S3 ARN contains "GroundTruth" or "SageMaker" in the spellings listed in the policy (GroundTruth, Groundtruth, groundtruth, SageMaker, Sagemaker, sagemaker), and to retrieve any object tagged `SageMaker` with the value `true` (the tag value is compared case-insensitively). It also allows listing the contents and getting the location of any bucket. Because an IAM `*` wildcard also matches `/`, the ARN patterns cover objects in any bucket whose key contains one of those strings, not only buckets whose names do.
+ `cloudwatch` – Allows principals to publish CloudWatch metrics.
+ `logs` – Allows principals to create log groups and log streams, describe log streams, and publish log events.
+ `sqs` – Allows principals to create Amazon SQS queues and to send and receive Amazon SQS messages. These permissions are limited to queues whose names contain "GroundTruth".
+ `sns` – Allows principals to publish messages to, and subscribe SQS queues whose names contain "GroundTruth" to, Amazon SNS topics whose names contain "groundtruth" or "sagemaker" in the spellings listed in the policy. `sns:Unsubscribe` is allowed on any subscription.
+ `ec2` – Allows principals to create, describe, and delete Amazon VPC endpoints whose VPC endpoint service name contains "sagemaker-task-resources" or matches "aws.sagemaker*labeling*". The condition uses `StringLikeIfExists`, so it constrains only requests that carry the `ec2:VpceServiceName` key; requests that do not carry it are allowed.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "CustomLabelingJobs",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*GtRecipe*",
                "arn:aws:lambda:*:*:function:*LabelingFunction*",
                "arn:aws:lambda:*:*:function:*SageMaker*",
                "arn:aws:lambda:*:*:function:*sagemaker*",
                "arn:aws:lambda:*:*:function:*Sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*GroundTruth*",
                "arn:aws:s3:::*Groundtruth*",
                "arn:aws:s3:::*groundtruth*",
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Sid": "StreamingQueue",
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "arn:aws:sqs:*:*:*GroundTruth*"
        },
        {
            "Sid": "StreamingTopicSubscribe",
            "Effect": "Allow",
            "Action": "sns:Subscribe",
            "Resource": [
                "arn:aws:sns:*:*:*GroundTruth*",
                "arn:aws:sns:*:*:*Groundtruth*",
                "arn:aws:sns:*:*:*groundTruth*",
                "arn:aws:sns:*:*:*groundtruth*",
                "arn:aws:sns:*:*:*SageMaker*",
                "arn:aws:sns:*:*:*Sagemaker*",
                "arn:aws:sns:*:*:*sageMaker*",
                "arn:aws:sns:*:*:*sagemaker*"
            ],
            "Condition": {
                "StringEquals": {
                    "sns:Protocol": "sqs"
                },
                "StringLike": {
                    "sns:Endpoint": "arn:aws:sqs:*:*:*GroundTruth*"
                }
            }
        },
        {
            "Sid": "StreamingTopic",
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": [
                "arn:aws:sns:*:*:*GroundTruth*",
                "arn:aws:sns:*:*:*Groundtruth*",
                "arn:aws:sns:*:*:*groundTruth*",
                "arn:aws:sns:*:*:*groundtruth*",
                "arn:aws:sns:*:*:*SageMaker*",
                "arn:aws:sns:*:*:*Sagemaker*",
                "arn:aws:sns:*:*:*sageMaker*",
                "arn:aws:sns:*:*:*sagemaker*"
            ]
        },
        {
            "Sid": "StreamingTopicUnsubscribe",
            "Effect": "Allow",
            "Action": [
                "sns:Unsubscribe"
            ],
            "Resource": "*"
        },
        {
            "Sid": "WorkforceVPC",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "ec2:VpceServiceName": [
                        "*sagemaker-task-resources*",
                        "aws.sagemaker*labeling*"
                    ]
                }
            }
        }
    ]
}
```

------

## Amazon SageMaker AI updates to SageMaker AI Ground Truth managed policies
<a name="security-iam-awsmanpol-groundtruth-updates"></a>

View details about updates to Amazon SageMaker AI Ground Truth AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution) - Update to an existing policy  | 3 |  Added the `ec2:CreateVpcEndpoint`, `ec2:DescribeVpcEndpoints`, and `ec2:DeleteVpcEndpoints` permissions.  | April 29, 2022 | 
| AmazonSageMakerGroundTruthExecution - Update to an existing policy | 2 |  Removed the `sqs:SendMessageBatch` permission.  | April 11, 2022 | 
| AmazonSageMakerGroundTruthExecution - New policy | 1 |  Initial policy  | July 20, 2020 | 
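
The update tables on this page (Canvas, Feature Store, geospatial, and Ground Truth) record what each managed policy version added or, in the case of Ground Truth version 2, removed. Because the policy is attached to execution roles that already exist, a new version changes what those roles can do without any change on your side, so it is worth computing the delta yourself rather than reading the table. The following helper is an added example, not AWS code: it diffs the actions granted by two policy documents and lists the actions allowed on `Resource: "*"` with no condition at all. The three Ground Truth versions are reconstructed excerpts built from the table above (the `StreamingQueue`, `StreamingTopicUnsubscribe`, and `WorkforceVPC` statements copied from the policy, with `sqs:SendMessageBatch` added back for version 1 and the EC2 statement dropped for versions 1 and 2); they are not the historical documents as published.

```python
"""Diff the permissions granted by two versions of an IAM policy document.
Added example; not AWS code."""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Set of action names granted by the policy's Allow statements."""
    return {a for st in policy["Statement"] if st.get("Effect") == "Allow"
            for a in _as_list(st["Action"])}


def diff_actions(old, new):
    """(added, removed) action names between two versions, each sorted."""
    before, after = allowed_actions(old), allowed_actions(new)
    return sorted(after - before), sorted(before - after)


def unconditioned_wildcard_actions(policy):
    """Actions allowed on Resource "*" with no Condition block: nothing scopes these,
    so they are the grants to read most carefully after an update."""
    found = set()
    for st in policy["Statement"]:
        if (st.get("Effect") == "Allow" and "*" in _as_list(st["Resource"])
                and not st.get("Condition")):
            found.update(_as_list(st["Action"]))
    return sorted(found)


# Statements copied from the AmazonSageMakerGroundTruthExecution document above.
STREAMING_QUEUE = {
    "Sid": "StreamingQueue", "Effect": "Allow",
    "Action": ["sqs:CreateQueue", "sqs:DeleteMessage", "sqs:GetQueueAttributes",
               "sqs:GetQueueUrl", "sqs:ReceiveMessage", "sqs:SendMessage",
               "sqs:SetQueueAttributes"],
    "Resource": "arn:aws:sqs:*:*:*GroundTruth*",
}
UNSUBSCRIBE = {
    "Sid": "StreamingTopicUnsubscribe", "Effect": "Allow",
    "Action": ["sns:Unsubscribe"], "Resource": "*",
}
WORKFORCE_VPC = {
    "Sid": "WorkforceVPC", "Effect": "Allow",
    "Action": ["ec2:CreateVpcEndpoint", "ec2:DescribeVpcEndpoints", "ec2:DeleteVpcEndpoints"],
    "Resource": "*",
    "Condition": {"StringLikeIfExists": {
        "ec2:VpceServiceName": ["*sagemaker-task-resources*", "aws.sagemaker*labeling*"]}},
}


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Reconstructed from the update table: v1 carried sqs:SendMessageBatch (removed in v2)
# and v3 added the VPC endpoint statement. Illustrative, not the published documents.
_V1_QUEUE = dict(STREAMING_QUEUE, Action=STREAMING_QUEUE["Action"] + ["sqs:SendMessageBatch"])
GROUND_TRUTH_V1 = _policy(_V1_QUEUE, UNSUBSCRIBE)
GROUND_TRUTH_V2 = _policy(STREAMING_QUEUE, UNSUBSCRIBE)
GROUND_TRUTH_V3 = _policy(STREAMING_QUEUE, UNSUBSCRIBE, WORKFORCE_VPC)


if __name__ == "__main__":
    for label, old, new in [("v1 -> v2", GROUND_TRUTH_V1, GROUND_TRUTH_V2),
                            ("v2 -> v3", GROUND_TRUTH_V2, GROUND_TRUTH_V3)]:
        added, removed = diff_actions(old, new)
        print(f"{label}: added={added} removed={removed}")
    print("unconditioned on *:", unconditioned_wildcard_actions(GROUND_TRUTH_V3))
```

To run this against the real documents, list the versions with `aws iam list-policy-versions --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerGroundTruthExecution`, fetch each with `aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerGroundTruthExecution --version-id v2` (and `v3`), and pass the `Document` fields to `diff_actions`.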

# AWS managed policies for Amazon SageMaker HyperPod
<a name="security-iam-awsmanpol-hyperpod"></a>

The following AWS managed policies add the permissions required to use Amazon SageMaker HyperPod. These policies are available in your AWS account and are used by execution roles created from the SageMaker AI console or by the HyperPod service-linked role.

**Topics**
+ [AWS managed policy: AmazonSageMakerHyperPodTrainingOperatorAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodTrainingOperatorAccess.md)
+ [AWS managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md)
+ [AWS managed policy: AmazonSageMakerHyperPodServiceRolePolicy](security-iam-awsmanpol-AmazonSageMakerHyperPodServiceRolePolicy.md)
+ [AWS managed policy: AmazonSageMakerClusterInstanceRolePolicy](security-iam-awsmanpol-AmazonSageMakerClusterInstanceRolePolicy.md)
+ [Amazon SageMaker AI updates to SageMaker HyperPod managed policies](#security-iam-awsmanpol-hyperpod-updates)

# AWS managed policy: AmazonSageMakerHyperPodTrainingOperatorAccess
<a name="security-iam-awsmanpol-AmazonSageMakerHyperPodTrainingOperatorAccess"></a>

This policy provides the administrative permissions required to set up the SageMaker HyperPod training operator. It grants access to SageMaker HyperPod and to Amazon EKS add-ons. The policy includes permissions to describe SageMaker HyperPod resources in your account.

**Permissions details**

This policy includes the following permissions:
+ `sagemaker:DescribeClusterNode` – Allows users to retrieve information about a node in a HyperPod cluster.

To view the permissions for this policy, see [AmazonSageMakerHyperPodTrainingOperatorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerHyperPodTrainingOperatorAccess.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess
<a name="security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess"></a>

This policy provides the administrative permissions required to set up Amazon SageMaker HyperPod observability. It grants access to Amazon Managed Service for Prometheus, Amazon Managed Grafana, and Amazon Elastic Kubernetes Service add-ons. The policy also includes broad access to the Grafana HTTP API, through service account tokens, across all Amazon Managed Grafana workspaces in your account.

**Permissions details**  
The following list gives an overview of the permissions included in this policy.
+ `prometheus` – Create and manage Amazon Managed Service for Prometheus workspaces and rule groups
+ `grafana` – Create and manage Amazon Managed Grafana workspaces and service accounts
+ `eks` – Create and manage the `amazon-sagemaker-hyperpod-observability` Amazon EKS add-on
+ `iam` – Pass specific IAM service roles to Amazon Managed Grafana and Amazon EKS
+ `sagemaker` – List and describe SageMaker HyperPod clusters
+ `sso` – Create and manage IAM Identity Center application instances used for Amazon Managed Grafana configuration
+ `tag` – Tag Amazon Managed Service for Prometheus, Amazon Managed Grafana, and Amazon EKS add-on resources

To view the policy JSON, see [AmazonSageMakerHyperPodObservabilityAdminAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerHyperPodObservabilityAdminAccess.html).

# AWS 受管政策：AmazonSageMakerHyperPodServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerHyperPodServiceRolePolicy"></a>

SageMaker HyperPod creates and uses a service-linked role named `AWSServiceRoleForSageMakerHyperPod`, with `AmazonSageMakerHyperPodServiceRolePolicy` attached to that role. This policy grants Amazon SageMaker HyperPod permissions on related AWS services such as Amazon EKS and Amazon CloudWatch.

A service-linked role makes setting up SageMaker HyperPod easier because you don't have to add the necessary permissions manually. SageMaker HyperPod defines the permissions of its service-linked role, and unless defined otherwise, only SageMaker HyperPod can assume that role. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You must delete a service-linked role's related resources before you can delete the role itself. This protects your SageMaker HyperPod resources, because you cannot inadvertently remove permission to access them.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

`AmazonSageMakerHyperPodServiceRolePolicy` allows SageMaker HyperPod to complete the following actions on the specified resources on your behalf.

**Permissions details**

This service-linked role policy includes the following permissions.
+ `eks` - Allows principals to read Amazon Elastic Kubernetes Service (EKS) cluster information.
+ `logs` - Allows principals to publish Amazon CloudWatch log streams under `/aws/sagemaker/Clusters`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSClusterDescribePermissions",
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "CloudWatchLogGroupPermissions",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "CloudWatchLogStreamPermissions",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

You must configure permissions to allow your users, groups, or roles to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for SageMaker HyperPod
<a name="create-slr"></a>

You don't need to create a service-linked role manually. When you create a SageMaker HyperPod cluster using the SageMaker AI console, the AWS CLI, or the AWS SDKs, SageMaker HyperPod creates the service-linked role for you.

If you delete this service-linked role and need to create it again, you can use the same process (creating a new SageMaker HyperPod cluster) in your account to recreate the role.

## Editing the service-linked role for SageMaker HyperPod
<a name="edit-slr"></a>

SageMaker HyperPod does not allow you to edit the `AWSServiceRoleForSageMakerHyperPod` service-linked role. Because various entities might reference the service-linked role, you cannot change the role's name after it has been created. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the service-linked role for SageMaker HyperPod
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up the role's resources before you can manually delete the service-linked role.

**To delete SageMaker HyperPod cluster resources used by the service-linked role**

Use one of the following options to delete SageMaker HyperPod cluster resources.
+ [Delete a SageMaker HyperPod cluster](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-operate-slurm-console-ui.html#sagemaker-hyperpod-operate-slurm-console-ui-delete-cluster) using the SageMaker AI console
+ [Delete a SageMaker HyperPod cluster](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-operate-slurm-cli-command.html#sagemaker-hyperpod-operate-slurm-cli-command-delete-cluster) using the AWS CLI

**Note**  
If the SageMaker HyperPod service is using the role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and try the operation again.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForSageMakerHyperPod` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for SageMaker HyperPod service-linked roles
<a name="slr-regions"></a>

SageMaker HyperPod supports using service-linked roles in all of the Regions where the service is available. For more information, see [SageMaker HyperPod prerequisites](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-prerequisites.html).

# AWS managed policy: AmazonSageMakerClusterInstanceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerClusterInstanceRolePolicy"></a>

This policy grants permissions commonly needed to use Amazon SageMaker HyperPod notebooks.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `cloudwatch` - Allows principals to post Amazon CloudWatch metrics.
+ `logs` - Allows principals to publish CloudWatch log streams.
+ `s3` - Allows principals to list and retrieve lifecycle script files from Amazon S3 buckets in your account. Access is restricted to buckets whose names begin with "sagemaker-".
+ `ssmmessages` - Allows principals to open connections to AWS Systems Manager.

------
#### [ JSON ]

```
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "CloudwatchLogStreamPublishPermissions",
      "Effect" : "Allow",
      "Action" : [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*"
      ]
    },
    {
      "Sid" : "CloudwatchLogGroupCreationPermissions",
      "Effect" : "Allow",
      "Action" : [
        "logs:CreateLogGroup"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*"
      ]
    },
    {
      "Sid" : "CloudwatchPutMetricDataAccess",
      "Effect" : "Allow",
      "Action" : [
        "cloudwatch:PutMetricData"
      ],
      "Resource" : [
        "*"
      ],
      "Condition" : {
        "StringEquals" : {
          "cloudwatch:namespace" : "/aws/sagemaker/Clusters"
        }
      }
    },
    {
      "Sid" : "DataRetrievalFromS3BucketPermissions",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource" : [
        "arn:aws:s3:::sagemaker-*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SSMConnectivityPermissions",
      "Effect" : "Allow",
      "Action" : [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource" : "*"
    }
  ]
}
```

------

## Amazon SageMaker AI updates to SageMaker HyperPod managed policies
<a name="security-iam-awsmanpol-hyperpod-updates"></a>

View details about updates to SageMaker HyperPod AWS managed policies since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerHyperPodTrainingOperatorAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodTrainingOperatorAccess.md) – New policy  | 1 |  Initial policy  | August 22, 2025 | 
|  [AmazonSageMakerHyperPodObservabilityAdminAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md) - Updated policy  | 2 |  Updated the policy to correct the role scope-down so that it includes the `service-role` prefix. Also added the `eks:DeletePodIdentityAssociation` and `eks:UpdatePodIdentityAssociation` permissions required for end-to-end management actions.  | August 19, 2025 | 
|  [AmazonSageMakerHyperPodObservabilityAdminAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md) – New policy  | 1 |  Initial policy  | July 10, 2025 | 
|  [AmazonSageMakerHyperPodServiceRolePolicy](security-iam-awsmanpol-AmazonSageMakerHyperPodServiceRolePolicy.md) – New policy  | 1 |  Initial policy  | September 9, 2024 | 
|  [AmazonSageMakerClusterInstanceRolePolicy](security-iam-awsmanpol-AmazonSageMakerClusterInstanceRolePolicy.md) – New policy  | 1 |  Initial policy  | November 29, 2023 | 

# AWS managed policies for SageMaker AI Model Governance
<a name="security-iam-awsmanpol-governance"></a>

This AWS managed policy adds the permissions needed to use SageMaker AI Model Governance. The policy is available in your AWS account and is used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerModelGovernanceUseAccess](#security-iam-awsmanpol-governance-AmazonSageMakerModelGovernanceUseAccess)
+ [Amazon SageMaker AI updates to SageMaker AI Model Governance managed policies](#security-iam-awsmanpol-governance-updates)

## AWS managed policy: AmazonSageMakerModelGovernanceUseAccess
<a name="security-iam-awsmanpol-governance-AmazonSageMakerModelGovernanceUseAccess"></a>

This AWS managed policy grants the permissions needed to use all Amazon SageMaker AI governance features. The policy is available in your AWS account.

This policy includes the following permissions.
+ `s3` - Retrieve objects from Amazon S3 buckets. The objects that can be retrieved are limited to those whose names include the string `"sagemaker"` (case-insensitive).
+ `kms` – List the AWS KMS keys used for content encryption.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSMMonitoringModelCards",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListMonitoringAlerts",
                "sagemaker:ListMonitoringExecutions",
                "sagemaker:UpdateMonitoringAlert",
                "sagemaker:StartMonitoringSchedule",
                "sagemaker:StopMonitoringSchedule",
                "sagemaker:ListMonitoringAlertHistory",
                "sagemaker:DescribeModelPackage",
                "sagemaker:DescribeModelPackageGroup",
                "sagemaker:CreateModelCard",
                "sagemaker:DescribeModelCard",
                "sagemaker:UpdateModelCard",
                "sagemaker:DeleteModelCard",
                "sagemaker:ListModelCards",
                "sagemaker:ListModelCardVersions",
                "sagemaker:CreateModelCardExportJob",
                "sagemaker:DescribeModelCardExportJob",
                "sagemaker:ListModelCardExportJobs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSMTrainingModelsSearchTags",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListTrainingJobs",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:ListModels",
                "sagemaker:DescribeModel",
                "sagemaker:Search",
                "sagemaker:AddTags",
                "sagemaker:DeleteTags",
                "sagemaker:ListTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowKMSActions",
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowS3Actions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:CreateBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Sid": "AllowS3ListActions",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}
```

------
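The two S3 statements above differ in scope: `AmazonSageMakerClusterInstanceRolePolicy` grants `s3:GetObject` only on buckets whose name starts with `sagemaker-` and only inside the caller's account, while `AmazonSageMakerModelGovernanceUseAccess` grants it on any ARN that contains one of three spellings of "sagemaker", with no account condition. The following added example (not AWS's evaluation engine, and not code from this page) is a small evaluator for just the IAM semantics those statements use, so you can check which bucket names each statement actually covers; the account IDs and ARNs in it are constructed.

```python
"""Mini IAM evaluator for the S3 statements shown on this page.

Added example, not AWS's evaluation engine: it models only the subset of IAM
semantics these two statements use (Allow statements, '*' and '?' wildcards in
Action and Resource, StringEquals/StringLike conditions and the
${aws:PrincipalAccount} policy variable). Real IAM also applies explicit Deny,
SCPs, resource policies and many more keys; use the IAM policy simulator for
authoritative answers.
"""
import re

# Statement copied from AmazonSageMakerClusterInstanceRolePolicy above:
# bucket names must START with "sagemaker-" and sit in the caller's account.
CLUSTER_INSTANCE_S3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DataRetrievalFromS3BucketPermissions",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::sagemaker-*"],
        "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}},
    }],
}

# Statement copied from AmazonSageMakerModelGovernanceUseAccess above:
# "sagemaker" may appear ANYWHERE in the ARN, in three spellings, any account.
GOVERNANCE_S3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3Actions",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:CreateBucket", "s3:GetBucketLocation"],
        "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.

    Action names compare case-insensitively; resource ARNs are case-sensitive, so
    the three spellings in GOVERNANCE_S3 are three literal patterns.
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _resolve(value, ctx):
    """Expand policy variables such as ${aws:PrincipalAccount} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def condition_holds(condition, ctx):
    """All condition keys must hold (AND); the values listed for one key are alternatives (OR).

    A key missing from the request context fails, because these operators carry no
    ...IfExists suffix.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            candidates = [_resolve(e, ctx) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in candidates
            elif operator == "StringLike":
                ok = any(iam_match(c, actual) for c in candidates)
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return the Sid of the first Allow statement granting action on resource, or None.

    None is an implicit deny: no statement matched. ctx holds the request keys the
    conditions reference (aws:PrincipalAccount, aws:ResourceAccount, ...).
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_match(a, action, False) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        return stmt.get("Sid", "<no Sid>")
    return None
```

Call `evaluate(policy, action, arn, ctx)` with a context such as `{"aws:PrincipalAccount": "111122223333", "aws:ResourceAccount": "111122223333"}`; a bucket named `my-sagemaker-scripts` is granted by `AllowS3Actions` but not by `DataRetrievalFromS3BucketPermissions`, and the latter also returns `None` when the two account IDs differ.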

## Amazon SageMaker AI updates to SageMaker AI Model Governance managed policies
<a name="security-iam-awsmanpol-governance-updates"></a>

View details about updates to SageMaker AI Model Governance AWS managed policies since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerModelGovernanceUseAccess](#security-iam-awsmanpol-governance-AmazonSageMakerModelGovernanceUseAccess) - Update to an existing policy   | 3 |  Added statement IDs (`Sid`)  | June 4, 2024 | 
| AmazonSageMakerModelGovernanceUseAccess - Update to an existing policy | 2 |  Added the `sagemaker:DescribeModelPackage` and `DescribeModelPackageGroup` permissions.  | July 17, 2023 | 
| AmazonSageMakerModelGovernanceUseAccess - New policy | 1 | Initial policy | November 30, 2022 | 

# AWS managed policies for Model Registry
<a name="security-iam-awsmanpol-model-registry"></a>

These AWS managed policies add the permissions needed to use Model Registry. The policies are available in your AWS account and are used by execution roles created from the Amazon SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerModelRegistryFullAccess](#security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess)
+ [Amazon SageMaker AI updates to Model Registry managed policies](#security-iam-awsmanpol-model-registry-updates)

## AWS managed policy: AmazonSageMakerModelRegistryFullAccess
<a name="security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess"></a>

This AWS managed policy grants the permissions needed to use all Model Registry features within an Amazon SageMaker AI domain. The policy is attached to the execution role when you configure the Model Registry settings to enable Model Registry permissions.

This policy includes the following permissions.
+ `ecr` - Allows principals to retrieve information about Amazon Elastic Container Registry (Amazon ECR) images, including metadata.
+ `iam` - Allows principals to pass execution roles to the Amazon SageMaker AI service.
+ `resource-groups` – Allows principals to create, list, tag, and delete AWS Resource Groups.
+ `s3` - Allows principals to retrieve objects from the Amazon Simple Storage Service (Amazon S3) buckets where model versions are stored. The objects that can be retrieved are limited to those whose names include the string `"sagemaker"` (case-insensitive).
+ `sagemaker` - Allows principals to catalog, manage, and deploy models using the SageMaker Model Registry.
+ `kms` – Allows only the SageMaker AI service principal to add grants to, generate data keys with, decrypt with, and read AWS KMS keys, and only for keys tagged for "Sagemaker" use.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonSageMakerModelRegistrySageMakerReadPermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeAction",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:ListAssociations",
        "sagemaker:ListArtifacts",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackages",
        "sagemaker:Search",
        "sagemaker:GetSearchSuggestions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistrySageMakerWritePermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteTags",
        "sagemaker:UpdateModelPackage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryS3GetPermission",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AmazonSageMakerModelRegistryS3ListPermission",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryECRReadPermission",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryIAMPassRolePermission",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryTagReadPermission",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupGetPermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:GetGroupQuery"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupListPermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:ListGroupResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupWritePermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:CreateGroup",
        "resource-groups:Tag"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "sagemaker:collection"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupDeletePermission",
      "Effect": "Allow",
      "Action": "resource-groups:DeleteGroup",
      "Resource": "arn:aws:resource-groups:*:*:group/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:collection": "true"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceKMSPermission",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:*:*:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker" : "true"
        },
        "StringLike": {
          "kms:ViaService": "sagemaker.*.amazonaws.com"
        }
      }
    }
  ]
}
```

------

## Amazon SageMaker AI updates to Model Registry managed policies
<a name="security-iam-awsmanpol-model-registry-updates"></a>

View details about updates to Model Registry AWS managed policies since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerModelRegistryFullAccess](#security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess) - Update to an existing policy | 2 |  Added the `kms:CreateGrant`, `kms:DescribeKey`, `kms:GenerateDataKey`, and `kms:Decrypt` permissions.  | June 6, 2024 | 
| AmazonSageMakerModelRegistryFullAccess - New policy | 1 |  Initial policy  | April 12, 2023 | 

# AWS managed policies for SageMaker Notebooks
<a name="security-iam-awsmanpol-notebooks"></a>

These AWS managed policies add the permissions needed to use SageMaker Notebooks. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy)
+ [Amazon SageMaker AI updates to SageMaker AI Notebooks managed policies](#security-iam-awsmanpol-notebooks-updates)

## AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy"></a>

This AWS managed policy grants permissions commonly needed to use Amazon SageMaker Notebooks. The policy is added to the `AWSServiceRoleForAmazonSageMakerNotebooks` service-linked role that is created when you onboard to Amazon SageMaker Studio Classic. For more information about service-linked roles, see [Service-linked roles](security_iam_service-with-iam.md#security_iam_service-with-iam-roles-service-linked). For more information, see [AmazonSageMakerNotebooksServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerNotebooksServiceRolePolicy.html).

**Permissions details**

This policy includes the following permissions.
+ `elasticfilesystem` - Allows principals to create and delete Amazon Elastic File System (EFS) file systems, access points, and mount targets. This is limited to resources tagged with the key *ManagedByAmazonSageMakerResource*. Allows principals to describe all EFS file systems, access points, and mount targets. Allows principals to create or overwrite tags on EFS access points and mount targets.
+ `ec2` - Allows principals to create network interfaces and security groups for Amazon Elastic Compute Cloud (EC2) instances. Also allows principals to create and overwrite tags on those resources.
+ `sso` - Allows principals to add managed instances to, and delete them from, AWS IAM Identity Center.
+ `sagemaker` - Allows principals to create and read SageMaker AI user profiles and SageMaker AI spaces; delete SageMaker AI spaces and SageMaker AI apps; and add and list tags.
+ `fsx` - Allows principals to describe Amazon FSx for Lustre file systems and mount them on notebooks using their metadata.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {   
            "Sid": "AllowFSxDescribe",
            "Effect": "Allow",
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AllowSageMakerDeleteApp",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DeleteApp"
            ],
            "Resource": "arn:aws:sagemaker:*:*:app/*"
        },
        {
            "Sid": "AllowEFSAccessPointCreation",
            "Effect": "Allow",
            "Action": "elasticfilesystem:CreateAccessPoint",
            "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
                    "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSAccessPointDeletion",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DeleteAccessPoint"
            ],
            "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSCreation",
            "Effect": "Allow",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSMountWithDeletion",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEFSDescribe",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEFSTagging",
            "Effect": "Allow",
            "Action": "elasticfilesystem:TagResource",
            "Resource": [
                "arn:aws:elasticfilesystem:*:*:access-point/*",
                "arn:aws:elasticfilesystem:*:*:file-system/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowEC2Tagging",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Sid": "AllowEC2Operations",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEC2AuthZ",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"
                }
            }
        },
        {
            "Sid": "AllowIdcOperations",
            "Effect": "Allow",
            "Action": [
                "sso:CreateManagedApplicationInstance",
                "sso:DeleteManagedApplicationInstance",
                "sso:GetManagedApplicationInstance"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSagemakerProfileCreation",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateUserProfile",
                "sagemaker:DescribeUserProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateSpace",
                "sagemaker:DescribeSpace",
                "sagemaker:DeleteSpace",
                "sagemaker:ListTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*"
        },
        {
            "Sid": "AllowSagemakerAddTagsForAppManagedSpaces",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*",
            "Condition": {
                "StringEquals": {
                    "sagemaker:TaggingAction": "CreateSpace"
                }
            }
        }
    ]
}
```

------

## Amazon SageMaker AI updates to SageMaker AI Notebooks managed policies
<a name="security-iam-awsmanpol-notebooks-updates"></a>

View details about updates to Amazon SageMaker AI AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) - Update to an existing policy  | 10 |  Added the `fsx:DescribeFileSystems` permission.  | November 14, 2024 | 
|  [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) - Update to an existing policy  | 9 |  Added the `sagemaker:DeleteApp` permission.  | July 24, 2024 | 
| AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy | 8 |  Added the `sagemaker:CreateSpace`, `sagemaker:DescribeSpace`, `sagemaker:DeleteSpace`, `sagemaker:ListTags`, and `sagemaker:AddTags` permissions.  | May 22, 2024 | 
| AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy | 7 |  Added the `elasticfilesystem:TagResource` permission.  | March 9, 2023 | 
| AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy | 6 |  Added the `elasticfilesystem:CreateAccessPoint`, `elasticfilesystem:DeleteAccessPoint`, and `elasticfilesystem:DescribeAccessPoints` permissions.  | January 12, 2023 | 
|  |  |  SageMaker AI started tracking changes to its AWS managed policies.  | June 1, 2021 | 

# AWS managed policies for Amazon SageMaker Partner AI Apps
<a name="security-iam-awsmanpol-partner-apps"></a>

These AWS managed policies add the permissions needed to use Amazon SageMaker Partner AI Apps. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerPartnerAppsFullAccess](#security-iam-awsmanpol-AmazonSageMakerPartnerAppsFullAccess)
+ [Amazon SageMaker AI updates to Partner AI Apps managed policies](#security-iam-awsmanpol-partner-apps-updates)

## AWS managed policy: AmazonSageMakerPartnerAppsFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerAppsFullAccess"></a>

Allows full administrative access to Amazon SageMaker Partner AI Apps.

**Permissions details**

This AWS managed policy includes the following permissions.
+ `sagemaker` - Grants Amazon SageMaker Partner AI App users permission to access apps, list the available apps, launch an app's web UI, and connect using the app SDK.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonSageMakerPartnerListAppsPermission",
            "Effect": "Allow",
            "Action": "sagemaker:ListPartnerApps",
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerPartnerAppsPermission",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePartnerAppPresignedUrl",
                "sagemaker:DescribePartnerApp",
                "sagemaker:CallPartnerAppApi"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            },
            "Resource": "arn:aws:sagemaker:*:*:partner-app/*"
        }
    ]
}
```

------

## Amazon SageMaker AI updates to Partner AI Apps managed policies
<a name="security-iam-awsmanpol-partner-apps-updates"></a>

View details about updates to Partner AI Apps AWS managed policies since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page](doc-history.md).


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
| AmazonSageMakerPartnerAppsFullAccess - New policy | 1 |  Initial policy  | January 17, 2025 | 

# AWS managed policies for SageMaker Pipelines
<a name="security-iam-awsmanpol-pipelines"></a>

These AWS managed policies add the permissions needed to use SageMaker Pipelines. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.

**Topics**
+ [AWS managed policy: AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations)
+ [Amazon SageMaker AI updates to SageMaker AI Pipelines managed policies](#security-iam-awsmanpol-pipelines-updates)

## AWS managed policy: AmazonSageMakerPipelinesIntegrations
<a name="security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations"></a>

This AWS managed policy grants permissions commonly needed to use callback steps and Lambda steps in SageMaker Pipelines. The policy is added to the `AmazonSageMaker-ExecutionRole` that is created when you onboard to Amazon SageMaker Studio Classic. The policy can be attached to any role used to author or run pipelines.

This policy grants the appropriate AWS Lambda, Amazon Simple Queue Service (Amazon SQS), Amazon EventBridge, and IAM permissions needed when building pipelines that invoke Lambda functions or that include callback steps, which can be used for manual approval steps or to run custom workloads.

The Amazon SQS permissions let you create the Amazon SQS queue needed to receive callback messages, and send messages to that queue.

The Lambda permissions let you create, read, update, and delete the Lambda functions used in pipeline steps, and invoke those Lambda functions.

This policy grants the Amazon EMR permissions needed to run pipeline Amazon EMR steps.

**Permissions details**

This policy includes the following permissions.
+ `elasticmapreduce` - Read, add, and cancel steps in a running Amazon EMR cluster. Read, create, and terminate new Amazon EMR clusters.
+ `events` - Read, create, update, and add targets to the EventBridge rules named `SageMakerPipelineExecutionEMRStepStatusUpdateRule` and `SageMakerPipelineExecutionEMRClusterStatusUpdateRule`.
+ `iam` – Pass IAM roles to the AWS Lambda service, Amazon EMR, and Amazon EC2.
+ `lambda` - Create, read, update, delete, and invoke Lambda functions. These permissions are limited to functions whose names include "sagemaker".
+ `sqs` - Create Amazon SQS queues; send Amazon SQS messages. These permissions are limited to queues whose names include "sagemaker".

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*sagemaker*",
                "arn:aws:lambda:*:*:function:*sageMaker*",
                "arn:aws:lambda:*:*:function:*SageMaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:SendMessage"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:*sagemaker*",
                "arn:aws:sqs:*:*:*sageMaker*",
                "arn:aws:sqs:*:*:*SageMaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "elasticmapreduce.amazonaws.com",
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:PutRule",
                "events:PutTargets"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/SageMakerPipelineExecutionEMRStepStatusUpdateRule",
                "arn:aws:events:*:*:rule/SageMakerPipelineExecutionEMRClusterStatusUpdateRule"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:AddJobFlowSteps",
                "elasticmapreduce:CancelSteps",
                "elasticmapreduce:DescribeStep",
                "elasticmapreduce:RunJobFlow",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:TerminateJobFlows",
                "elasticmapreduce:ListSteps"
            ],
            "Resource": [
                "arn:aws:elasticmapreduce:*:*:cluster/*"
            ]
        }
    ]
}
```

------

## Amazon SageMaker AI updates to SageMaker AI Pipelines managed policies
<a name="security-iam-awsmanpol-pipelines-updates"></a>

View details about updates to Amazon SageMaker AI AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  [AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) - Update to an existing policy  | 3 |  Added the `elasticmapreduce:RunJobFlows`, `elasticmapreduce:TerminateJobFlows`, `elasticmapreduce:ListSteps`, and `elasticmapreduce:DescribeCluster` permissions.  | February 17, 2023 | 
|  [AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) - Update to an existing policy  | 2 |  Added the `lambda:GetFunction`, `events:DescribeRule`, `events:PutRule`, `events:PutTargets`, `elasticmapreduce:AddJobFlowSteps`, `elasticmapreduce:CancelSteps`, and `elasticmapreduce:DescribeStep` permissions.  | April 20, 2022 | 
| AmazonSageMakerPipelinesIntegrations - New policy | 1 |  Initial policy  | July 30, 2021 | 

# AWS managed policies for SageMaker training plans
<a name="security-iam-awsmanpol-training-plan"></a>

This AWS managed policy grants the permissions required to create SageMaker training plans and reserved capacity in Amazon SageMaker AI. It can be attached to the IAM roles used to create and manage training plans and reserved capacity within SageMaker AI, including your [SageMaker AI execution role](sagemaker-roles.md).

**Topics**
+ [AWS managed policy: AmazonSageMakerTrainingPlanCreateAccess](#security-iam-awsmanpol-AmazonSageMakerTrainingPlanCreateAccess)
+ [Amazon SageMaker AI updates to SageMaker training plan managed policies](#security-iam-awsmanpol-training-plan-updates)

## AWS managed policy: AmazonSageMakerTrainingPlanCreateAccess
<a name="security-iam-awsmanpol-AmazonSageMakerTrainingPlanCreateAccess"></a>

This policy provides the permissions required to create, describe, search for, and list training plans in SageMaker AI. It also allows tags to be added to training plan and reserved capacity resources under specific conditions.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` – Create training plans and reserved capacity; add tags to training plans and reserved capacity when the tagging action is `CreateTrainingPlan` or `CreateReservedCapacity`; describe training plans; search training plan offerings; and list existing training plans on all resources.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "CreateTrainingPlanPermissions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateTrainingPlan",
        "sagemaker:CreateReservedCapacity",
        "sagemaker:DescribeReservedCapacity"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AggTagsToTrainingPlanPermissions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": ["CreateTrainingPlan","CreateReservedCapacity"]
        }
      }
    },
    {
      "Sid": "DescribeTrainingPlanPermissions",
      "Effect": "Allow",
      "Action": "sagemaker:DescribeTrainingPlan",
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*"
      ]
    },
    {
      "Sid": "NonResourceLevelTrainingPlanPermissions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:SearchTrainingPlanOfferings",
        "sagemaker:ListTrainingPlans"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListUltraServersByReservedCapacityPermissions",
      "Effect": "Allow",
      "Action": "sagemaker:ListUltraServersByReservedCapacity",
      "Resource": [
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    }
  ]
}
```

------

## Amazon SageMaker AI updates to SageMaker training plan managed policies
<a name="security-iam-awsmanpol-training-plan-updates"></a>

View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|  AmazonSageMakerTrainingPlanCreateAccess - Updated policy  | 2 | Updated the policy to add permissions for retrieving information about a specific reserved capacity and listing all UltraServers in a reserved capacity. | July 29, 2024 | 
| AmazonSageMakerTrainingPlanCreateAccess - New policy | 1 |  Initial policy  | December 4, 2024 | 

# AWS managed policies for SageMaker Projects and JumpStart
<a name="security-iam-awsmanpol-sc"></a>

These AWS managed policies add the permissions needed to use the built-in Amazon SageMaker AI project templates and JumpStart solutions. The policies are available in your AWS account and are used by the execution roles created from the SageMaker AI console.

SageMaker Projects and JumpStart use AWS Service Catalog to provision AWS resources in customer accounts. Some of the created resources need to assume an execution role. For example, if AWS Service Catalog creates a CodePipeline pipeline for a SageMaker AI machine learning CI/CD project on behalf of a customer, that pipeline requires an IAM role.

The [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) role has the permissions required to launch the SageMaker AI portfolio of products from AWS Service Catalog. The [AmazonSageMakerServiceCatalogProductsUseRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsUseRole) role has the permissions required to use the SageMaker AI portfolio of products from AWS Service Catalog. The `AmazonSageMakerServiceCatalogProductsLaunchRole` role passes the `AmazonSageMakerServiceCatalogProductsUseRole` role to the provisioned AWS Service Catalog product resources.

**Topics**
+ [AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy)
+ [AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy)
+ [Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies](#security-iam-awsmanpol-sc-updates)

## AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy"></a>

This service role policy is used by AWS Service Catalog to provision products from the Amazon SageMaker AI portfolio. The policy grants permissions to a set of related AWS services, including AWS CodePipeline, AWS CodeBuild, AWS CodeCommit, AWS Glue, AWS CloudFormation, and others.

The `AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy` policy is intended to be used by the `AmazonSageMakerServiceCatalogProductsLaunchRole` role created from the SageMaker AI console. The policy adds permissions to provision AWS resources for SageMaker Projects and JumpStart into customer accounts using Service Catalog.

**Permissions details**

This policy includes the following permissions.
+ `apigateway` – Allows the role to call API Gateway endpoints that are tagged with `sagemaker:launch-source`.
+ `cloudformation` – Allows AWS Service Catalog to create, update, and delete CloudFormation stacks. Also allows Service Catalog to tag and untag resources.
+ `codebuild` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodeBuild projects.
+ `codecommit` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodeCommit repositories.
+ `codepipeline` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodePipeline pipelines.
+ `codeconnections`, `codestar-connections` – Also allows the role to pass AWS CodeConnections and AWS CodeStar connections.
+ `cognito-idp` – Allows the role to create, update, and delete groups and user pools. Can also tag resources.
+ `ecr` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete Amazon ECR repositories. Can also tag resources.
+ `events` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete EventBridge rules. Used to tie together the components of the CI/CD pipeline.
+ `firehose` – Allows the role to interact with Firehose streams.
+ `glue` – Allows the role to interact with AWS Glue.
+ `iam` – Allows the role to pass roles whose names are prefixed with `AmazonSageMakerServiceCatalog`. Required when a project provisions an AWS Service Catalog product, because a role must be passed to AWS Service Catalog.
+ `lambda` – Allows the role to interact with AWS Lambda. Can also tag resources.
+ `logs` – Allows the role to create, delete, and access log streams.
+ `s3` – Allows the role assumed by AWS Service Catalog to access the Amazon S3 buckets where project template code is stored.
+ `sagemaker` – Allows the role to interact with various SageMaker AI services. This can happen in CloudFormation during template provisioning, or in CodeBuild while a CI/CD pipeline runs. Can also tag the following resources: endpoints, endpoint configurations, models, pipelines, projects, and model packages.
+ `states` – Allows the role to create, delete, and update Step Functions state machines whose names are prefixed with `sagemaker`.

To view the permissions for this policy, see [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy.html) in the AWS Managed Policy Reference.

## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy"></a>

This policy is used by Amazon API Gateway within AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. It is intended to be attached to the IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by API Gateway that require a role.

**Permissions details**

This policy includes the following permissions.
+ `lambda` – Invoke functions created by partner templates.
+ `sagemaker` – Invoke endpoints created by partner templates.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:sagemaker-*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker:InvokeEndpoint",
      "Resource": "arn:aws:sagemaker:*:*:endpoint/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy"></a>

This policy is used by AWS CloudFormation within AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. It is intended to be attached to the IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by CloudFormation that require a role.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Pass the `AmazonSageMakerServiceCatalogProductsLambdaRole` and `AmazonSageMakerServiceCatalogProductsApiGatewayRole` roles.
+ `lambda` – Create, update, delete, and invoke AWS Lambda functions; get, publish, and delete versions of Lambda layers.
+ `apigateway` – Create, update, and delete Amazon API Gateway resources.
+ `s3` – Get the `lambda-auth-code/layer.zip` file from Amazon Simple Storage Service (Amazon S3) buckets.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "apigateway.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction",
        "lambda:UpdateFunctionCode",
        "lambda:ListTags",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:TagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "sagemaker:project-name",
            "sagemaker:partner"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:PublishLayerVersion",
        "lambda:GetLayerVersion",
        "lambda:DeleteLayerVersion",
        "lambda:GetFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:layer:sagemaker-*",
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "apigateway:DELETE",
        "apigateway:PATCH",
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis/*",
        "arn:aws:apigateway:*::/restapis"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis",
        "arn:aws:apigateway:*::/tags/*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "sagemaker:project-name",
            "sagemaker:partner"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/lambda-auth-code/layer.zip"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy"></a>

This policy is used by AWS Lambda within AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. It is intended to be attached to the IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by Lambda that require a role.

**Permissions details**

This policy includes the following permissions.
+ `secretsmanager` – Get data from partner-provided secrets for use in partner templates.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:partner": false
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy"></a>

This policy is used by Amazon API Gateway within AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. It is intended to be attached to the IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by API Gateway that require a role.

**Permissions details**

This policy includes the following permissions.
+ `logs` – Create and read CloudWatch Logs groups, streams, and events; update events; describe various resources.

  These permissions are limited to resources whose log group prefix begins with "aws/apigateway/".

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeResourcePolicies",
        "logs:DescribeDestinations",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:DescribeQueries",
        "logs:DescribeQueryDefinitions",
        "logs:DescribeSubscriptionFilters",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/apigateway/*"
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy"></a>

This policy is used by AWS CloudFormation within AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. It is intended to be attached to the IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by CloudFormation that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` – Allows access to various SageMaker AI resources, excluding domains, user profiles, apps, and flow definitions.
+ `iam` – Pass the `AmazonSageMakerServiceCatalogProductsCodeBuildRole` and `AmazonSageMakerServiceCatalogProductsExecutionRole` roles.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddAssociation",
        "sagemaker:AddTags",
        "sagemaker:AssociateTrialComponent",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:BatchPutMetrics",
        "sagemaker:CreateAction",
        "sagemaker:CreateAlgorithm",
        "sagemaker:CreateApp",
        "sagemaker:CreateAppImageConfig",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateCodeRepository",
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateContext",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDeviceFleet",
        "sagemaker:CreateDomain",
        "sagemaker:CreateEdgePackagingJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateExperiment",
        "sagemaker:CreateFeatureGroup",
        "sagemaker:CreateFlowDefinition",
        "sagemaker:CreateHumanTaskUi",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateImage",
        "sagemaker:CreateImageVersion",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:CreateLabelingJob",
        "sagemaker:CreateLineageGroupPolicy",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:CreatePipeline",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateProject",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:CreateTrial",
        "sagemaker:CreateTrialComponent",
        "sagemaker:CreateUserProfile",
        "sagemaker:CreateWorkforce",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteAction",
        "sagemaker:DeleteAlgorithm",
        "sagemaker:DeleteApp",
        "sagemaker:DeleteAppImageConfig",
        "sagemaker:DeleteArtifact",
        "sagemaker:DeleteAssociation",
        "sagemaker:DeleteCodeRepository",
        "sagemaker:DeleteContext",
        "sagemaker:DeleteDataQualityJobDefinition",
        "sagemaker:DeleteDeviceFleet",
        "sagemaker:DeleteDomain",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteExperiment",
        "sagemaker:DeleteFeatureGroup",
        "sagemaker:DeleteFlowDefinition",
        "sagemaker:DeleteHumanLoop",
        "sagemaker:DeleteHumanTaskUi",
        "sagemaker:DeleteImage",
        "sagemaker:DeleteImageVersion",
        "sagemaker:DeleteLineageGroupPolicy",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteModelBiasJobDefinition",
        "sagemaker:DeleteModelExplainabilityJobDefinition",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteModelPackageGroupPolicy",
        "sagemaker:DeleteModelQualityJobDefinition",
        "sagemaker:DeleteMonitoringSchedule",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:DeletePipeline",
        "sagemaker:DeleteProject",
        "sagemaker:DeleteRecord",
        "sagemaker:DeleteTags",
        "sagemaker:DeleteTrial",
        "sagemaker:DeleteTrialComponent",
        "sagemaker:DeleteUserProfile",
        "sagemaker:DeleteWorkforce",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DeregisterDevices",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeAlgorithm",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeContext",
        "sagemaker:DescribeDataQualityJobDefinition",
        "sagemaker:DescribeDevice",
        "sagemaker:DescribeDeviceFleet",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeEdgePackagingJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeExperiment",
        "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeFlowDefinition",
        "sagemaker:DescribeHumanLoop",
        "sagemaker:DescribeHumanTaskUi",
        "sagemaker:DescribeHyperParameterTuningJob",
        "sagemaker:DescribeImage",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribeLineageGroup",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeModelBiasJobDefinition",
        "sagemaker:DescribeModelExplainabilityJobDefinition",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelQualityJobDefinition",
        "sagemaker:DescribeMonitoringSchedule",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeProject",
        "sagemaker:DescribeSubscribedWorkteam",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:DescribeTrial",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeWorkforce",
        "sagemaker:DescribeWorkteam",
        "sagemaker:DisableSagemakerServicecatalogPortfolio",
        "sagemaker:DisassociateTrialComponent",
        "sagemaker:EnableSagemakerServicecatalogPortfolio",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:GetModelPackageGroupPolicy",
        "sagemaker:GetRecord",
        "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:InvokeEndpoint",
        "sagemaker:InvokeEndpointAsync",
        "sagemaker:ListActions",
        "sagemaker:ListAlgorithms",
        "sagemaker:ListAppImageConfigs",
        "sagemaker:ListApps",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListAutoMLJobs",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListCompilationJobs",
        "sagemaker:ListContexts",
        "sagemaker:ListDataQualityJobDefinitions",
        "sagemaker:ListDeviceFleets",
        "sagemaker:ListDevices",
        "sagemaker:ListDomains",
        "sagemaker:ListEdgePackagingJobs",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListEndpoints",
        "sagemaker:ListExperiments",
        "sagemaker:ListFeatureGroups",
        "sagemaker:ListFlowDefinitions",
        "sagemaker:ListHumanLoops",
        "sagemaker:ListHumanTaskUis",
        "sagemaker:ListHyperParameterTuningJobs",
        "sagemaker:ListImageVersions",
        "sagemaker:ListImages",
        "sagemaker:ListInferenceRecommendationsJobs",
        "sagemaker:ListLabelingJobs",
        "sagemaker:ListLabelingJobsForWorkteam",
        "sagemaker:ListLineageGroups",
        "sagemaker:ListModelBiasJobDefinitions",
        "sagemaker:ListModelExplainabilityJobDefinitions",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelQualityJobDefinitions",
        "sagemaker:ListModels",
        "sagemaker:ListMonitoringExecutions",
        "sagemaker:ListMonitoringSchedules",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineParametersForExecution",
        "sagemaker:ListPipelines",
        "sagemaker:ListProcessingJobs",
        "sagemaker:ListProjects",
        "sagemaker:ListSubscribedWorkteams",
        "sagemaker:ListTags",
        "sagemaker:ListTrainingJobs",
        "sagemaker:ListTrainingJobsForHyperParameterTuningJob",
        "sagemaker:ListTransformJobs",
        "sagemaker:ListTrialComponents",
        "sagemaker:ListTrials",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListWorkforces",
        "sagemaker:ListWorkteams",
        "sagemaker:PutLineageGroupPolicy",
        "sagemaker:PutModelPackageGroupPolicy",
        "sagemaker:PutRecord",
        "sagemaker:QueryLineage",
        "sagemaker:RegisterDevices",
        "sagemaker:RenderUiTemplate",
        "sagemaker:Search",
        "sagemaker:SendHeartbeat",
        "sagemaker:SendPipelineExecutionStepFailure",
        "sagemaker:SendPipelineExecutionStepSuccess",
        "sagemaker:StartHumanLoop",
        "sagemaker:StartMonitoringSchedule",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StartPipelineExecution",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopCompilationJob",
        "sagemaker:StopEdgePackagingJob",
        "sagemaker:StopHumanLoop",
        "sagemaker:StopHyperParameterTuningJob",
        "sagemaker:StopInferenceRecommendationsJob",
        "sagemaker:StopLabelingJob",
        "sagemaker:StopMonitoringSchedule",
        "sagemaker:StopNotebookInstance",
        "sagemaker:StopPipelineExecution",
        "sagemaker:StopProcessingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:UpdateAction",
        "sagemaker:UpdateAppImageConfig",
        "sagemaker:UpdateArtifact",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:UpdateContext",
        "sagemaker:UpdateDeviceFleet",
        "sagemaker:UpdateDevices",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateExperiment",
        "sagemaker:UpdateImage",
        "sagemaker:UpdateModelPackage",
        "sagemaker:UpdateMonitoringSchedule",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig",
        "sagemaker:UpdatePipeline",
        "sagemaker:UpdatePipelineExecution",
        "sagemaker:UpdateProject",
        "sagemaker:UpdateTrainingJob",
        "sagemaker:UpdateTrial",
        "sagemaker:UpdateTrialComponent",
        "sagemaker:UpdateUserProfile",
        "sagemaker:UpdateWorkforce",
        "sagemaker:UpdateWorkteam"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
      ]
    }
  ]
}
```

------
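The `iam:PassedToService`, resource-tag `Null`, `aws:TagKeys`, `aws:ResourceAccount` and `NotResource` clauses in the partner CloudFormation policy and in `AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy` above decide which requests each statement actually allows. The following added example (not AWS code) is a small offline evaluator for exactly those constructs, run against a constructed excerpt of the two policies with constructed account IDs, ARNs and request contexts.

```python
"""Offline evaluator for the Allow/Condition logic used by the managed policies above.
Added example, not AWS code: it models only Action/Resource/NotResource wildcards,
StringEquals, Null, ForAnyValue:StringEquals and ${aws:PrincipalAccount} substitution.
Explicit Deny, SCPs, resource policies and permission boundaries are out of scope."""
import fnmatch
import re

_VAR = re.compile(r"\$\{([^}]+)\}")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_any(patterns, value):
    # IAM treats * and ? as wildcards in Action and Resource elements.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _expand(value, context):
    # Substitute policy variables such as ${aws:PrincipalAccount} from the request context.
    return _VAR.sub(lambda m: str(context.get(m.group(1), "")), str(value))

def _condition_holds(condition, context):
    # Every operator block and every key inside it must hold (logical AND).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [_expand(v, context) for v in _as_list(expected)]
            present = key in context
            actual = _as_list(context[key]) if present else []
            if operator == "Null":
                # "true": the key must be absent; "false": the key must be present.
                if present == (expected[0].lower() == "true"):
                    return False
            elif operator == "StringEquals":
                # Single-valued key: the context value must be one of the expected values.
                if not present or not all(a in expected for a in actual):
                    return False
            elif operator == "ForAnyValue:StringEquals":
                # Multi-valued key such as aws:TagKeys: at least one value must match.
                if not present or not any(a in expected for a in actual):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def _statement_applies(stmt, action, resource):
    if not _match_any(stmt["Action"], action):
        return False
    if "Resource" in stmt:
        return _match_any(stmt["Resource"], resource)
    # NotResource: the statement covers every ARN except the listed ones.
    return not _match_any(stmt["NotResource"], resource)

def is_allowed(policy, action, resource, context):
    """True if any Allow statement matches the request and all of its conditions hold."""
    return any(stmt.get("Effect") == "Allow"
               and _statement_applies(stmt, action, resource)
               and _condition_holds(stmt.get("Condition", {}), context)
               for stmt in policy["Statement"])

# Constructed excerpt: three statements from the partner CloudFormation policy on this page,
# plus a condensed (wildcarded) form of the NotResource statement from
# AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"],
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:TagResource"],
     "Resource": ["arn:aws:lambda:*:*:function:sagemaker-*"],
     "Condition": {"Null": {"aws:ResourceTag/sagemaker:project-name": "false",
                            "aws:ResourceTag/sagemaker:partner": "false"},
                   "ForAnyValue:StringEquals": {"aws:TagKeys": ["sagemaker:project-name", "sagemaker:partner"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::sagemaker-*/lambda-auth-code/layer.zip"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Effect": "Allow", "Action": ["sagemaker:Create*", "sagemaker:Describe*"],
     "NotResource": ["arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*"]},
]}

# Constructed account ID, ARNs and request context (not real resources).
ACCT = "111122223333"
LAMBDA_ROLE = f"arn:aws:iam::{ACCT}:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
FUNC = f"arn:aws:lambda:us-east-1:{ACCT}:function:sagemaker-p1-auth"
LAYER_ZIP = "arn:aws:s3:::sagemaker-p1-bucket/lambda-auth-code/layer.zip"
TAGGED = {"aws:ResourceTag/sagemaker:project-name": "p1", "aws:ResourceTag/sagemaker:partner": "acme",
          "aws:TagKeys": ["sagemaker:project-name", "sagemaker:partner"]}

def demo():
    """Evaluate the constructed requests; returns {label: allowed}."""
    same = {"aws:PrincipalAccount": ACCT, "aws:ResourceAccount": ACCT}
    other = {"aws:PrincipalAccount": ACCT, "aws:ResourceAccount": "444455556666"}
    return {
        "passrole_to_lambda": is_allowed(POLICY, "iam:PassRole", LAMBDA_ROLE, {"iam:PassedToService": "lambda.amazonaws.com"}),
        "passrole_to_ec2": is_allowed(POLICY, "iam:PassRole", LAMBDA_ROLE, {"iam:PassedToService": "ec2.amazonaws.com"}),
        "create_tagged_function": is_allowed(POLICY, "lambda:CreateFunction", FUNC, TAGGED),
        "create_untagged_function": is_allowed(POLICY, "lambda:CreateFunction", FUNC, {}),
        "create_wrong_prefix": is_allowed(POLICY, "lambda:CreateFunction", FUNC.replace("sagemaker-", "other-"), TAGGED),
        "layer_same_account": is_allowed(POLICY, "s3:GetObject", LAYER_ZIP, same),
        "layer_other_account": is_allowed(POLICY, "s3:GetObject", LAYER_ZIP, other),
        "create_model": is_allowed(POLICY, "sagemaker:CreateModel", f"arn:aws:sagemaker:us-east-1:{ACCT}:model/m1", {}),
        "create_domain": is_allowed(POLICY, "sagemaker:CreateDomain", f"arn:aws:sagemaker:us-east-1:{ACCT}:domain/d-1", {}),
    }
```

Calling `demo()` shows the pattern a reviewer should look for: an untagged or wrongly prefixed function, a role passed to the wrong service, or a layer fetched from another account is denied even though the action name itself is allowed.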

## AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy"></a>

This policy is used by AWS CodeBuild within AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. It is intended to be attached to the IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by CodeBuild that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` – Allows access to various SageMaker AI resources.
+ `codecommit` – Upload CodeCommit archives to CodeBuild pipelines, get upload status, and cancel uploads; get branch and commit information. These permissions are limited to resources whose names begin with "sagemaker-".
+ `ecr` – Create Amazon ECR repositories and container images; upload image layers. These permissions are limited to repositories whose names begin with "sagemaker-".

  `ecr` – Read all resources.
+ `iam` – Pass the following roles:
  + `AmazonSageMakerServiceCatalogProductsCloudformationRole` to AWS CloudFormation.
  + `AmazonSageMakerServiceCatalogProductsCodeBuildRole` to AWS CodeBuild.
  + `AmazonSageMakerServiceCatalogProductsCodePipelineRole` to AWS CodePipeline.
  + `AmazonSageMakerServiceCatalogProductsEventsRole` to Amazon EventBridge.
  + `AmazonSageMakerServiceCatalogProductsExecutionRole` to Amazon SageMaker AI.
+ `logs` – Create and read CloudWatch Logs groups, streams, and events; update events; describe various resources.

  These permissions are limited to resources whose name prefix begins with "aws/codebuild".
+ `s3` – Create, read, and list Amazon S3 buckets. These permissions are limited to buckets whose names begin with "sagemaker-".
+ `codeconnections`, `codestar-connections` – Use AWS CodeConnections and AWS CodeStar connections.

To view the permissions for this policy, see [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy.html) in the AWS Managed Policy Reference.

## AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy"></a>

This policy is used by AWS CodePipeline within AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. It is intended to be attached to the IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by CodePipeline that require a role.

**Permissions details**

This policy includes the following permissions.
+ `cloudformation` – Create, read, delete, and update CloudFormation stacks; create, read, delete, and execute change sets; set stack policies; tag and untag resources. These permissions are limited to resources whose names begin with "sagemaker-".
+ `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configuration; read access control lists (ACLs); and read the AWS Region a bucket is in.

  These permissions are limited to buckets whose names begin with "sagemaker-" or "aws-glue-".
+ `iam` – Pass the `AmazonSageMakerServiceCatalogProductsCloudformationRole` role.
+ `codebuild` – Get CodeBuild build information and start builds. These permissions are limited to project and build resources whose names begin with "sagemaker-".
+ `codecommit` – Upload CodeCommit archives to CodeBuild pipelines, get upload status, and cancel uploads; get branch and commit information.
+ `codeconnections`, `codestar-connections` – Use AWS CodeConnections and AWS CodeStar connections.

To view the permissions for this policy, see [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy.html) in the AWS Managed Policy Reference.

## AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy"></a>

This policy is used by Amazon EventBridge within AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. It is intended to be attached to the IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by EventBridge that require a role.

**Permissions details**

This policy includes the following permissions.
+ `codepipeline` – Start CodePipeline pipeline executions. These permissions are limited to pipelines whose names begin with "sagemaker-".

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codepipeline:StartPipelineExecution",
      "Resource": "arn:aws:codepipeline:*:*:sagemaker-*"
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy"></a>

Amazon Data Firehose uses this policy within the AWS Service Catalog provisioned products of the Amazon SageMaker AI portfolio. The policy is intended to be attached to IAM roles that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by Firehose that require a role.

**Permissions details**

This policy includes the following permissions.
+ `firehose` – Put Firehose records. These permissions are limited to resources whose delivery stream names begin with “sagemaker-”.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy"></a>

AWS Glue uses this policy within the AWS Service Catalog provisioned products of the Amazon SageMaker AI portfolio. The policy is intended to be attached to IAM roles that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by Glue that require a role.

**Permissions details**

This policy includes the following permissions.
+ `glue` – Create, read, and delete AWS Glue partitions, tables, and table versions. These permissions are limited to resources whose names begin with “sagemaker-”. Create and read AWS Glue databases. These permissions are limited to databases named “default” or “global_temp”, or whose names begin with “sagemaker-”. Get user-defined functions.
+ `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configurations; read access control lists (ACLs); and read the AWS Region a bucket is located in.

  These permissions are limited to buckets whose names begin with “sagemaker-” or “aws-glue-”.
+ `logs` – Create, read, and delete CloudWatch Logs log groups, streams, and deliveries; and create resource policies.

  These permissions are limited to resources whose name prefix begins with “aws/glue”.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:BatchCreatePartition",
        "glue:BatchDeletePartition",
        "glue:BatchDeleteTable",
        "glue:BatchDeleteTableVersion",
        "glue:BatchGetPartition",
        "glue:CreateDatabase",
        "glue:CreatePartition",
        "glue:CreateTable",
        "glue:DeletePartition",
        "glue:DeleteTable",
        "glue:DeleteTableVersion",
        "glue:GetDatabase",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetTableVersion",
        "glue:GetTableVersions",
        "glue:SearchTables",
        "glue:UpdatePartition",
        "glue:UpdateTable",
        "glue:GetUserDefinedFunctions"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/global_temp",
        "arn:aws:glue:*:*:database/sagemaker-*",
        "arn:aws:glue:*:*:table/sagemaker-*",
        "arn:aws:glue:*:*:tableVersion/sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketCors"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/glue/*"
    }
  ]
}
```

------

## AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy"></a>

This policy is used by AWS Lambda within the AWS Service Catalog provisioned products of the Amazon SageMaker AI portfolio. The policy is intended to be attached to IAM roles that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to AWS resources created by Lambda that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` – Allows access to various SageMaker AI resources.
+ `ecr` – Create and delete Amazon ECR repositories; create, read, and delete container images; upload image layers. These permissions are limited to repositories whose names begin with “sagemaker-”.
+ `events` – Create, read, and delete Amazon EventBridge rules; and create and remove targets. These permissions are limited to rules whose names begin with “sagemaker-”.
+ `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configurations; read access control lists (ACLs); and read the AWS Region a bucket is located in.

  These permissions are limited to buckets whose names begin with “sagemaker-” or “aws-glue-”.
+ `iam` – Pass the `AmazonSageMakerServiceCatalogProductsExecutionRole` role.
+ `logs` – Create, read, and delete CloudWatch Logs log groups, streams, and deliveries; and create resource policies.

  These permissions are limited to resources whose name prefix begins with “aws/lambda/”.
+ `codebuild` – Start and get information about AWS CodeBuild builds.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid" : "AmazonSageMakerLambdaECRPermission",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImages",
        "ecr:BatchDeleteImage",
        "ecr:CompleteLayerUpload",
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaEventBridgePermission",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:DescribeRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaS3BucketPermission",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketCors"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaS3ObjectPermission",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaSageMakerPermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddAssociation",
        "sagemaker:AddTags",
        "sagemaker:AssociateTrialComponent",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:BatchPutMetrics",
        "sagemaker:CreateAction",
        "sagemaker:CreateAlgorithm",
        "sagemaker:CreateApp",
        "sagemaker:CreateAppImageConfig",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateCodeRepository",
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateContext",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDeviceFleet",
        "sagemaker:CreateDomain",
        "sagemaker:CreateEdgePackagingJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateExperiment",
        "sagemaker:CreateFeatureGroup",
        "sagemaker:CreateFlowDefinition",
        "sagemaker:CreateHumanTaskUi",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateImage",
        "sagemaker:CreateImageVersion",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:CreateLabelingJob",
        "sagemaker:CreateLineageGroupPolicy",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:CreatePipeline",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateProject",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:CreateTrial",
        "sagemaker:CreateTrialComponent",
        "sagemaker:CreateUserProfile",
        "sagemaker:CreateWorkforce",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteAction",
        "sagemaker:DeleteAlgorithm",
        "sagemaker:DeleteApp",
        "sagemaker:DeleteAppImageConfig",
        "sagemaker:DeleteArtifact",
        "sagemaker:DeleteAssociation",
        "sagemaker:DeleteCodeRepository",
        "sagemaker:DeleteContext",
        "sagemaker:DeleteDataQualityJobDefinition",
        "sagemaker:DeleteDeviceFleet",
        "sagemaker:DeleteDomain",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteExperiment",
        "sagemaker:DeleteFeatureGroup",
        "sagemaker:DeleteFlowDefinition",
        "sagemaker:DeleteHumanLoop",
        "sagemaker:DeleteHumanTaskUi",
        "sagemaker:DeleteImage",
        "sagemaker:DeleteImageVersion",
        "sagemaker:DeleteLineageGroupPolicy",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteModelBiasJobDefinition",
        "sagemaker:DeleteModelExplainabilityJobDefinition",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteModelPackageGroupPolicy",
        "sagemaker:DeleteModelQualityJobDefinition",
        "sagemaker:DeleteMonitoringSchedule",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:DeletePipeline",
        "sagemaker:DeleteProject",
        "sagemaker:DeleteRecord",
        "sagemaker:DeleteTags",
        "sagemaker:DeleteTrial",
        "sagemaker:DeleteTrialComponent",
        "sagemaker:DeleteUserProfile",
        "sagemaker:DeleteWorkforce",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DeregisterDevices",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeAlgorithm",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeContext",
        "sagemaker:DescribeDataQualityJobDefinition",
        "sagemaker:DescribeDevice",
        "sagemaker:DescribeDeviceFleet",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeEdgePackagingJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeExperiment",
        "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeFlowDefinition",
        "sagemaker:DescribeHumanLoop",
        "sagemaker:DescribeHumanTaskUi",
        "sagemaker:DescribeHyperParameterTuningJob",
        "sagemaker:DescribeImage",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribeLineageGroup",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeModelBiasJobDefinition",
        "sagemaker:DescribeModelExplainabilityJobDefinition",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelQualityJobDefinition",
        "sagemaker:DescribeMonitoringSchedule",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeProject",
        "sagemaker:DescribeSubscribedWorkteam",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:DescribeTrial",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeWorkforce",
        "sagemaker:DescribeWorkteam",
        "sagemaker:DisableSagemakerServicecatalogPortfolio",
        "sagemaker:DisassociateTrialComponent",
        "sagemaker:EnableSagemakerServicecatalogPortfolio",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:GetModelPackageGroupPolicy",
        "sagemaker:GetRecord",
        "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:InvokeEndpoint",
        "sagemaker:InvokeEndpointAsync",
        "sagemaker:ListActions",
        "sagemaker:ListAlgorithms",
        "sagemaker:ListAppImageConfigs",
        "sagemaker:ListApps",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListAutoMLJobs",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListCompilationJobs",
        "sagemaker:ListContexts",
        "sagemaker:ListDataQualityJobDefinitions",
        "sagemaker:ListDeviceFleets",
        "sagemaker:ListDevices",
        "sagemaker:ListDomains",
        "sagemaker:ListEdgePackagingJobs",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListEndpoints",
        "sagemaker:ListExperiments",
        "sagemaker:ListFeatureGroups",
        "sagemaker:ListFlowDefinitions",
        "sagemaker:ListHumanLoops",
        "sagemaker:ListHumanTaskUis",
        "sagemaker:ListHyperParameterTuningJobs",
        "sagemaker:ListImageVersions",
        "sagemaker:ListImages",
        "sagemaker:ListInferenceRecommendationsJobs",
        "sagemaker:ListLabelingJobs",
        "sagemaker:ListLabelingJobsForWorkteam",
        "sagemaker:ListLineageGroups",
        "sagemaker:ListModelBiasJobDefinitions",
        "sagemaker:ListModelExplainabilityJobDefinitions",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelQualityJobDefinitions",
        "sagemaker:ListModels",
        "sagemaker:ListMonitoringExecutions",
        "sagemaker:ListMonitoringSchedules",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineParametersForExecution",
        "sagemaker:ListPipelines",
        "sagemaker:ListProcessingJobs",
        "sagemaker:ListProjects",
        "sagemaker:ListSubscribedWorkteams",
        "sagemaker:ListTags",
        "sagemaker:ListTrainingJobs",
        "sagemaker:ListTrainingJobsForHyperParameterTuningJob",
        "sagemaker:ListTransformJobs",
        "sagemaker:ListTrialComponents",
        "sagemaker:ListTrials",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListWorkforces",
        "sagemaker:ListWorkteams",
        "sagemaker:PutLineageGroupPolicy",
        "sagemaker:PutModelPackageGroupPolicy",
        "sagemaker:PutRecord",
        "sagemaker:QueryLineage",
        "sagemaker:RegisterDevices",
        "sagemaker:RenderUiTemplate",
        "sagemaker:Search",
        "sagemaker:SendHeartbeat",
        "sagemaker:SendPipelineExecutionStepFailure",
        "sagemaker:SendPipelineExecutionStepSuccess",
        "sagemaker:StartHumanLoop",
        "sagemaker:StartMonitoringSchedule",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StartPipelineExecution",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopCompilationJob",
        "sagemaker:StopEdgePackagingJob",
        "sagemaker:StopHumanLoop",
        "sagemaker:StopHyperParameterTuningJob",
        "sagemaker:StopInferenceRecommendationsJob",
        "sagemaker:StopLabelingJob",
        "sagemaker:StopMonitoringSchedule",
        "sagemaker:StopNotebookInstance",
        "sagemaker:StopPipelineExecution",
        "sagemaker:StopProcessingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:UpdateAction",
        "sagemaker:UpdateAppImageConfig",
        "sagemaker:UpdateArtifact",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:UpdateContext",
        "sagemaker:UpdateDeviceFleet",
        "sagemaker:UpdateDevices",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateExperiment",
        "sagemaker:UpdateImage",
        "sagemaker:UpdateModelPackage",
        "sagemaker:UpdateMonitoringSchedule",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig",
        "sagemaker:UpdatePipeline",
        "sagemaker:UpdatePipelineExecution",
        "sagemaker:UpdateProject",
        "sagemaker:UpdateTrainingJob",
        "sagemaker:UpdateTrial",
        "sagemaker:UpdateTrialComponent",
        "sagemaker:UpdateUserProfile",
        "sagemaker:UpdateWorkforce",
        "sagemaker:UpdateWorkteam"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:action/*",
        "arn:aws:sagemaker:*:*:algorithm/*",
        "arn:aws:sagemaker:*:*:app-image-config/*",
        "arn:aws:sagemaker:*:*:artifact/*",
        "arn:aws:sagemaker:*:*:automl-job/*",
        "arn:aws:sagemaker:*:*:code-repository/*",
        "arn:aws:sagemaker:*:*:compilation-job/*",
        "arn:aws:sagemaker:*:*:context/*",
        "arn:aws:sagemaker:*:*:data-quality-job-definition/*",
        "arn:aws:sagemaker:*:*:device-fleet/*/device/*",
        "arn:aws:sagemaker:*:*:device-fleet/*",
        "arn:aws:sagemaker:*:*:edge-packaging-job/*",
        "arn:aws:sagemaker:*:*:endpoint/*",
        "arn:aws:sagemaker:*:*:endpoint-config/*",
        "arn:aws:sagemaker:*:*:experiment/*",
        "arn:aws:sagemaker:*:*:experiment-trial/*",
        "arn:aws:sagemaker:*:*:experiment-trial-component/*",
        "arn:aws:sagemaker:*:*:feature-group/*",
        "arn:aws:sagemaker:*:*:human-loop/*",
        "arn:aws:sagemaker:*:*:human-task-ui/*",
        "arn:aws:sagemaker:*:*:hyper-parameter-tuning-job/*",
        "arn:aws:sagemaker:*:*:image/*",
        "arn:aws:sagemaker:*:*:image-version/*/*",
        "arn:aws:sagemaker:*:*:inference-recommendations-job/*",
        "arn:aws:sagemaker:*:*:labeling-job/*",
        "arn:aws:sagemaker:*:*:model/*",
        "arn:aws:sagemaker:*:*:model-bias-job-definition/*",
        "arn:aws:sagemaker:*:*:model-explainability-job-definition/*",
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*",
        "arn:aws:sagemaker:*:*:model-quality-job-definition/*",
        "arn:aws:sagemaker:*:*:monitoring-schedule/*",
        "arn:aws:sagemaker:*:*:notebook-instance/*",
        "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/*",
        "arn:aws:sagemaker:*:*:pipeline/*",
        "arn:aws:sagemaker:*:*:pipeline/*/execution/*",
        "arn:aws:sagemaker:*:*:processing-job/*",
        "arn:aws:sagemaker:*:*:project/*",
        "arn:aws:sagemaker:*:*:training-job/*",
        "arn:aws:sagemaker:*:*:transform-job/*",
        "arn:aws:sagemaker:*:*:workforce/*",
        "arn:aws:sagemaker:*:*:workteam/*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaPassRolePermission",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaLogPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeResourcePolicies",
        "logs:DescribeDestinations",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:DescribeQueries",
        "logs:DescribeQueryDefinitions",
        "logs:DescribeSubscriptionFilters",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
    },
    {
      "Sid" : "AmazonSageMakerLambdaCodeBuildPermission",
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild",
        "codebuild:BatchGetBuilds"
      ],
      "Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/sagemaker:project-name": "*"
        }
      }
    }
  ]
}
```

------
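The scoping rules the policies above depend on (resource-name restrictions such as `arn:aws:codepipeline:*:*:sagemaker-*`, action wildcards such as `logs:Describe*` in the Glue policy, and the `StringLike` tag condition on the Lambda policy's CodeBuild statement) can be checked offline before a role is trusted with them. The following is an added Python example, not AWS code or part of this documentation; it assumes a simplified IAM model (Allow statements only, no denies, SCPs, permission boundaries or resource policies) and uses the Events policy verbatim plus a constructed, abbreviated copy of the Lambda policy.

```python
"""Minimal evaluator for the Allow statements in the Service Catalog product
policies above (added example, not AWS code).  It models only what those
policies use: Allow, '*'/'?' wildcards, and StringLike on aws:ResourceTag/<key>;
real IAM evaluation also applies denies, SCPs, boundaries and resource policies."""
import json
import re

# Constructed input: the Events policy from this page, verbatim.
EVENTS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "codepipeline:StartPipelineExecution",
    "Resource": "arn:aws:codepipeline:*:*:sagemaker-*"
  }]
}""")

# Constructed input: an abbreviated copy of the Lambda policy, keeping its
# CodeBuild statement (with the tag condition) and two SageMaker actions.
LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonSageMakerLambdaCodeBuildPermission",
            "Effect": "Allow",
            "Action": ["codebuild:StartBuild", "codebuild:BatchGetBuilds"],
            "Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
            "Condition": {"StringLike": {"aws:ResourceTag/sagemaker:project-name": "*"}},
        },
        {
            "Sid": "AmazonSageMakerLambdaSageMakerPermission",
            "Effect": "Allow",
            "Action": ["sagemaker:CreateEndpoint", "sagemaker:DeleteEndpoint"],
            "Resource": ["arn:aws:sagemaker:*:*:endpoint/*"],
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' spans any run of characters (':' and '/' included),
    '?' exactly one.  Actions compare case-insensitively, ARNs and tag values not."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _condition_holds(condition, resource_tags):
    """Only StringLike on aws:ResourceTag/<key> is modelled.  An absent tag makes
    the condition false: an untagged 'sagemaker-*' CodeBuild project is denied."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, patterns in pairs.items():
            if not key.startswith("aws:ResourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled")
            tag_value = resource_tags.get(key[len("aws:ResourceTag/"):])
            if tag_value is None:
                return False
            if not any(iam_match(p, tag_value) for p in _as_list(patterns)):
                return False
    return True


def statement_allows(stmt, action, resource_arn, resource_tags=None):
    if stmt.get("Effect") != "Allow":
        return False
    if not any(iam_match(a, action, True) for a in _as_list(stmt["Action"])):
        return False
    if not any(iam_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), resource_tags or {})


def policy_allows(policy, action, resource_arn, resource_tags=None):
    """True if any Allow statement grants the action on the resource."""
    return any(statement_allows(s, action, resource_arn, resource_tags)
               for s in policy["Statement"])


def unscoped_statements(policy):
    """Audit helper: Sids whose Resource patterns do not pin the resource name to
    a literal prefix.  Heuristic: the last '/'-segment starts with '*' ('endpoint/*')."""
    flagged = []
    for index, stmt in enumerate(policy["Statement"]):
        for pattern in _as_list(stmt["Resource"]):
            resource_field = pattern.split(":", 5)[5]  # arn:p:svc:region:acct:<resource>
            if resource_field.split("/")[-1].startswith("*"):
                flagged.append(stmt.get("Sid", f"statement[{index}]"))
                break
    return flagged
```

`unscoped_statements` makes visible that the `sagemaker` statement of the Lambda policy is not pinned to `sagemaker-` names the way its other statements are, which is the first thing to note when reviewing what a role carrying this policy can reach.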

## Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies
<a name="security-iam-awsmanpol-sc-updates"></a>

View details about updates to Amazon SageMaker AI AWS managed policies since this service began tracking them.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
|   [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) - Updated policy  | 10 |  Updated the `codestar-connections:PassConnection` and `codeconnections:PassConnection` permissions.  | September 27, 2025 | 
|   [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) - Updated policy  | 3 |  Updated the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions.  | September 27, 2025 | 
|   [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) - Updated policy  | 3 |  Updated the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions.  | September 27, 2025 | 
|   [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) - Updated policy  | 9 |  Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions.  | July 1, 2024 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 |  Reverted the policy to version 7 (v7). Removed the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions.  | June 12, 2024 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 8 |  Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions.  | June 11, 2024 | 
|   [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) - Updated policy  | 2 |  Added the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions.  | June 11, 2024 | 
|   [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) - Updated policy  | 2 |  Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, `codestar-connections:UseConnection`, and `codeconnections:UseConnection` permissions.  | June 11, 2024 | 
|   [AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy) - Updated policy  | 2 |  Added the `codebuild:StartBuild` and `codebuild:BatchGetBuilds` permissions.  | June 11, 2024 | 
|   [AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy)  | 1 | Initial policy | August 1, 2023 | 
|   [AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy)  | 1 | Initial policy | August 1, 2023 | 
|   [AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy)  | 1 | Initial policy | August 1, 2023 | 
|   [AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy) - Updated policy  | 2 |  Added permissions for `glue:GetUserDefinedFunctions`.  | August 26, 2022 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 |  Added permissions for `sagemaker:AddTags`.  | August 2, 2022 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 6 |  Added permissions for `lambda:TagResource`.  | July 14, 2022 | 
| AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy | 1 |  Initial policy  | April 4, 2022 | 
|   [AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy)  | 1 |  Initial policy  | March 24, 2022 | 
|   [AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy)  | 1 |  Initial policy  | March 24, 2022 | 
| AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy | 1 |  Initial policy  | March 24, 2022 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 5 |  Added permissions for `ecr-idp:TagResource`.  | March 21, 2022 | 
| AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy | 1 |  Initial policy  | February 22, 2022 | 
|   [AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy)  | 1 |  Initial policy  | February 22, 2022 | 
|   [AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy)  | 1 |  Initial policy  | February 22, 2022 | 
| AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy | 1 |  Initial policy  | February 22, 2022 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 4 |  Added permissions for `cognito-idp:TagResource` and `s3:PutBucketCORS`.  | February 16, 2022 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 3 |  Added permissions for `sagemaker`: create, read, update, and delete SageMaker images.  | September 15, 2021 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 2 |  Added permissions for `sagemaker` and `codestar-connections`: create, read, update, and delete code repositories; pass AWS CodeStar connections to AWS CodePipeline.  | July 1, 2021 | 
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 1 | Initial policy | November 27, 2020 | 

## SageMaker AI updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to SageMaker AI AWS managed policies since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
| [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) - Update to an existing policy | 27 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/sagemaker/latest/dg/security-iam-awsmanpol.html)  | December 4, 2024 | 
| [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) - Update to an existing policy | 26 |  Added the `sagemaker:AddTags` permission.  | March 29, 2024 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 25 |  Added the `sagemaker:CreateApp`, `sagemaker:DescribeApp`, `sagemaker:DeleteApp`, `sagemaker:CreateSpace`, `sagemaker:UpdateSpace`, `sagemaker:DeleteSpace`, `s3express:CreateSession`, `s3express:CreateBucket`, and `s3express:ListAllMyDirectoryBuckets` permissions.  | November 30, 2023 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 24 |  Added the `sagemaker-geospatial:*`, `sagemaker:AddTags`, `sagemaker-ListTags`, `sagemaker-DescribeSpace`, and `sagemaker:ListSpaces` permissions.  | November 30, 2022 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 23 |  Added `glue:UpdateTable`.  | June 29, 2022 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 22 |  Added `cloudformation:ListStackResources`.  | May 1, 2022 | 
| [AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly) - Update to an existing policy | 11 |  Added the `sagemaker:QueryLineage`, `sagemaker:GetLineageGroupPolicy`, `sagemaker:BatchDescribeModelPackage`, and `sagemaker:GetModelPackageGroupPolicy` permissions.  | December 1, 2021 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 21 |  Added the `sns:Publish` permission for endpoints with asynchronous inference enabled.  | September 8, 2021 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 20 |  Updated the `iam:PassRole` resources and permissions.  |  July 15, 2021  | 
| AmazonSageMakerReadOnly - Update to an existing policy | 10 |  Added the new `BatchGetRecord` API for SageMaker AI Feature Store.  | June 10, 2021 | 
|  |  |  SageMaker AI started tracking changes to its AWS managed policies.  | June 1, 2021 | 