AWS managed policy: AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary

Note

This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Amazon DataZone permissions boundary policies on your own. Amazon DataZone permissions boundary policies should only be attached to Amazon DataZone managed roles. For more information on permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

When you create an Amazon SageMaker environment via the Amazon DataZone data portal, Amazon DataZone applies this permissions boundary to the IAM roles that are produced during environment creation. The permissions boundary limits the scope of the roles that Amazon DataZone creates and any roles that you add.

Amazon DataZone uses the AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary managed policy to limit the provisioned IAM principal to which it is attached. The principals might take the form of the user roles that Amazon DataZone can assume on behalf of interactive enterprise users or analytic services (AWS SageMaker, for example), and then conduct actions to process data such as reading and writing from Amazon S3 or Amazon Redshift or running AWS Glue crawler.

The AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary policy grants read and write access for Amazon DataZone to services such as Amazon SageMaker, AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, and Amazon Athena. The policy also gives read and write permissions to some infrastructure resources that are required to use these services such as network interfaces, Amazon ECR repositories and AWS KMS keys. It also give access to Amazon SageMaker applications like Amazon SageMaker Canvas.

Amazon DataZone applies the AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary managed policy as a permissions boundary for all Amazon DataZone environment roles (owner and contributor). This permissions boundary restricts these roles to only allow access to the required resources and actions necessary for an environment.

To view the permissions for this policy, see AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary in the AWS Managed Policy Reference.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AmazonDataZoneSageMakerManageAccessRolePolicy

Policy updates