Domain resource isolation - Amazon SageMaker

Domain resource isolation

You can isolate resources between each of the domains in your account and Region using an AWS Identity and Access Management policy. With resource isolation, SageMaker resources, such as models, experiments, training jobs, and pipelines created in one domain, cannot be accessed from other domains . The following topic shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain. You must repeat this process for each domain in your account. For more information about domain tags and backfilling these tags, see Multiple domains overview.

Console

The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain, from the Amazon SageMaker console.

Note

This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

  1. Create an IAM policy named StudioDomainResourceIsolationPolicy-domain-id with the following JSON policy document by completing the steps in Creating IAM policies (console).

    { "Version": "2012-10-17", "Statement": [ { "Sid": "CreateAPIs", "Effect": "Allow", "Action": "sagemaker:Create*", "NotResource": [ "arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*", "arn:aws:sagemaker:*:*:space/*" ] }, { "Sid": "ResourceAccessRequireDomainTag", "Effect": "Allow", "Action": [ "sagemaker:Update*", "sagemaker:Delete*", "sagemaker:Describe*" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:domain-arn": "domain-arn" } } }, { "Sid": "AllowActionsThatDontSupportTagging", "Effect": "Allow", "Action": [ "sagemaker:DescribeImageVersion", "sagemaker:UpdateImageVersion", "sagemaker:DeleteImageVersion", "sagemaker:DescribeModelCardExportJob", "sagemaker:DescribeAction" ], "Resource": "*" }, { "Sid": "DeleteDefaultApp", "Effect": "Allow", "Action": "sagemaker:DeleteApp", "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default" } ] }
  2. Attach the StudioDomainResourceIsolationPolicy-domain-id policy to the domain's execution role by completing the steps in Modifying a role (console).

AWS CLI

The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the execution role of the domain, from the AWS CLI.

Note

This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

  1. Create a file named StudioDomainResourceIsolationPolicy-domain-id with the following content from your local machine.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "CreateAPIs", "Effect": "Allow", "Action": "sagemaker:Create*", "NotResource": [ "arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*", "arn:aws:sagemaker:*:*:space/*" ] }, { "Sid": "ResourceAccessRequireDomainTag", "Effect": "Allow", "Action": [ "sagemaker:Update*", "sagemaker:Delete*", "sagemaker:Describe*" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:domain-arn": "domain-arn" } } }, { "Sid": "AllowActionsThatDontSupportTagging", "Effect": "Allow", "Action": [ "sagemaker:DescribeImageVersion", "sagemaker:UpdateImageVersion", "sagemaker:DeleteImageVersion", "sagemaker:DescribeModelCardExportJob", "sagemaker:DescribeAction" ], "Resource": "*" }, { "Sid": "DeleteDefaultApp", "Effect": "Allow", "Action": "sagemaker:DeleteApp", "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default" } ] }
  2. Create a new IAM policy using the StudioDomainResourceIsolationPolicy-domain-id file.

    aws iam create-policy --policy-name StudioDomainResourceIsolationPolicy-domain-id --policy-document file://StudioDomainResourceIsolationPolicy-domain-id
  3. Attach the newly created policy to a new or existing role that is used as the domain's execution role.

    aws iam attach-role-policy --policy-arn arn:aws:iam:account-id:policy/StudioDomainResourceIsolationPolicy-domain-id --role-name domain-execution-role