기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
AmazonSageMakerCanvasDataPrepFullAccess
설명: Canvas에서의 데이터 준비를 위한 Amazon SageMaker 리소스 및 작업에 대한 전체 액세스 권한을 제공합니다. 또한 이 정책은 관련 서비스(예: S3, IAM, KMS, RDS, CloudWatch Logs, Redshift, Athena, Glue, EventBridge, Secrets Manager)에 대해 선별된 일부 액세스 권한을 제공합니다. 이 정책은 Amazon SageMaker 도메인/사용자 프로필 실행 역할에 연결되어야 합니다.
AmazonSageMakerCanvasDataPrepFullAccess는 AWS 관리형 정책입니다.
이 정책 사용
사용자, 그룹 및 역할에 AmazonSageMakerCanvasDataPrepFullAccess를 연결할 수 있습니다. 다만 위 설명에 명시된 대로, 이 정책은 Amazon SageMaker 도메인/사용자 프로필 실행 역할에 연결하는 용도로 제공됩니다.
정책 세부 정보
- 유형: AWS 관리형 정책
- 생성 시간: 2023년 10월 27일, 22:56 UTC
- 편집된 시간: 2024년 8월 16일, 18:11 UTC
- ARN: arn:aws:iam::aws:policy/AmazonSageMakerCanvasDataPrepFullAccess
정책 버전
정책 버전: v4(기본값)
정책의 기본 버전은 정책에 대한 권한을 정의하는 버전입니다. 정책이 적용되는 사용자 또는 역할이 AWS 리소스에 대한 액세스를 요청하면 AWS는 정책의 기본 버전을 검사하여 요청을 허용할지 여부를 결정합니다.
JSON 정책 문서
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "SageMakerListFeatureGroupOperation",
"Effect" : "Allow",
"Action" : "sagemaker:ListFeatureGroups",
"Resource" : "*"
},
{
"Sid" : "SageMakerFeatureGroupOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:CreateFeatureGroup",
"sagemaker:DescribeFeatureGroup"
],
"Resource" : "arn:aws:sagemaker:*:*:feature-group/*"
},
{
"Sid" : "SageMakerProcessingJobOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:CreateProcessingJob",
"sagemaker:DescribeProcessingJob",
"sagemaker:AddTags"
],
"Resource" : "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
},
{
"Sid" : "SageMakerProcessingJobListOperation",
"Effect" : "Allow",
"Action" : "sagemaker:ListProcessingJobs",
"Resource" : "*"
},
{
"Sid" : "SageMakerPipelineOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:DescribePipeline",
"sagemaker:CreatePipeline",
"sagemaker:UpdatePipeline",
"sagemaker:DeletePipeline",
"sagemaker:StartPipelineExecution",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:DescribePipelineExecution"
],
"Resource" : "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
},
{
"Sid" : "KMSListOperations",
"Effect" : "Allow",
"Action" : "kms:ListAliases",
"Resource" : "*"
},
{
"Sid" : "KMSOperations",
"Effect" : "Allow",
"Action" : "kms:DescribeKey",
"Resource" : "arn:aws:kms:*:*:key/*"
},
{
"Sid" : "S3Operations",
"Effect" : "Allow",
"Action" : [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
],
"Resource" : [
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "S3GetObjectOperation",
"Effect" : "Allow",
"Action" : "s3:GetObject",
"Resource" : "arn:aws:s3:::*",
"Condition" : {
"StringEqualsIgnoreCase" : {
"s3:ExistingObjectTag/SageMaker" : "true"
},
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "S3ListOperations",
"Effect" : "Allow",
"Action" : [
"s3:ListBucket",
"s3:ListAllMyBuckets"
],
"Resource" : "*"
},
{
"Sid" : "IAMListOperations",
"Effect" : "Allow",
"Action" : "iam:ListRoles",
"Resource" : "*"
},
{
"Sid" : "IAMGetOperations",
"Effect" : "Allow",
"Action" : "iam:GetRole",
"Resource" : "arn:aws:iam::*:role/*"
},
{
"Sid" : "IAMPassOperation",
"Effect" : "Allow",
"Action" : "iam:PassRole",
"Resource" : "arn:aws:iam::*:role/*",
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : [
"sagemaker.amazonaws.com",
"events.amazonaws.com"
]
}
}
},
{
"Sid" : "EventBridgePutOperation",
"Effect" : "Allow",
"Action" : [
"events:PutRule"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeOperations",
"Effect" : "Allow",
"Action" : [
"events:DescribeRule",
"events:PutTargets"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeTagBasedOperations",
"Effect" : "Allow",
"Action" : [
"events:TagResource"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-data-prep-job" : "true",
"aws:ResourceTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeListTagOperation",
"Effect" : "Allow",
"Action" : "events:ListTagsForResource",
"Resource" : "*"
},
{
"Sid" : "GlueOperations",
"Effect" : "Allow",
"Action" : [
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:SearchTables"
],
"Resource" : [
"arn:aws:glue:*:*:table/*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*"
]
},
{
"Sid" : "EMROperations",
"Effect" : "Allow",
"Action" : [
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups"
],
"Resource" : "arn:aws:elasticmapreduce:*:*:cluster/*"
},
{
"Sid" : "EMRListOperation",
"Effect" : "Allow",
"Action" : "elasticmapreduce:ListClusters",
"Resource" : "*"
},
{
"Sid" : "AthenaListDataCatalogOperation",
"Effect" : "Allow",
"Action" : "athena:ListDataCatalogs",
"Resource" : "*"
},
{
"Sid" : "AthenaQueryExecutionOperations",
"Effect" : "Allow",
"Action" : [
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:StartQueryExecution",
"athena:StopQueryExecution"
],
"Resource" : "arn:aws:athena:*:*:workgroup/*"
},
{
"Sid" : "AthenaDataCatalogOperations",
"Effect" : "Allow",
"Action" : [
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource" : "arn:aws:athena:*:*:datacatalog/*"
},
{
"Sid" : "RedshiftOperations",
"Effect" : "Allow",
"Action" : [
"redshift-data:DescribeStatement",
"redshift-data:CancelStatement",
"redshift-data:GetStatementResult"
],
"Resource" : "*"
},
{
"Sid" : "RedshiftArnBasedOperations",
"Effect" : "Allow",
"Action" : [
"redshift-data:ExecuteStatement",
"redshift-data:ListSchemas",
"redshift-data:ListTables"
],
"Resource" : "arn:aws:redshift:*:*:cluster:*"
},
{
"Sid" : "RedshiftGetCredentialsOperation",
"Effect" : "Allow",
"Action" : "redshift:GetClusterCredentials",
"Resource" : [
"arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
"arn:aws:redshift:*:*:dbname:*"
]
},
{
"Sid" : "SecretsManagerARNBasedOperation",
"Effect" : "Allow",
"Action" : "secretsmanager:CreateSecret",
"Resource" : "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
},
{
"Sid" : "SecretManagerTagBasedOperation",
"Effect" : "Allow",
"Action" : [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue"
],
"Resource" : "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/SageMaker" : "true",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "RDSOperation",
"Effect" : "Allow",
"Action" : "rds:DescribeDBInstances",
"Resource" : "*"
},
{
"Sid" : "LoggingOperation",
"Effect" : "Allow",
"Action" : [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
},
{
"Sid" : "EMRServerlessCreateApplicationOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:CreateApplication",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessListApplicationOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:ListApplications",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessApplicationOperations",
"Effect" : "Allow",
"Action" : [
"emr-serverless:UpdateApplication",
"emr-serverless:GetApplication"
],
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessStartJobRunOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:StartJobRun",
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessListJobRunOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:ListJobRuns",
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessJobRunOperations",
"Effect" : "Allow",
"Action" : [
"emr-serverless:GetJobRun",
"emr-serverless:CancelJobRun"
],
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessTagResourceOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:TagResource",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "IAMPassOperationForEMRServerless",
"Effect" : "Allow",
"Action" : "iam:PassRole",
"Resource" : [
"arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
"arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
],
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : "emr-serverless.amazonaws.com",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
}
]
}