Workforce Authentication and Restrictions
Ground Truth enables you to use your own private workforce to work on labeling jobs. A private workforce is an abstract concept which refers to a set of people who work for you. Each labeling job is created using a work team, composed of workers in your workforce. Ground Truth supports private workforce creation using Amazon Cognito.
A Ground Truth workforce maps to a Amazon Cognito user pool. A Ground Truth work team maps to a Amazon Cognito user group. Amazon Cognito manages the worker authentication. Amazon Cognito supports Open ID connection (OIDC) and customers can set up Amazon Cognito federation with their own identity provider (IdP).
Ground Truth only allows one workforce per account per AWS Region. Each workforce has a dedicated Ground Truth work portal login URL.
You can also restrict workers to a Classless Inter-Domain Routing (CIDR) block/IP address range. This means annotators must be on a specific network to access the annotation site. You can add up to ten CIDR blocks for one workforce. To learn more, see Manage Private Workforce Using the Amazon SageMaker API.
To learn how you can create a private workforce, see Create a Private Workforce (Amazon Cognito).
Restrict Access to Workforce Types
Amazon SageMaker Ground Truth work teams fall into one of three workforce types: public (with Amazon Mechanical Turk), private, and vendor. To restrict
user access to a specific work team using one of these types or the work team ARN,
use the sagemaker:WorkteamType and/or the
sagemaker:WorkteamArn condition keys. For the
sagemaker:WorkteamType condition key, use string condition operators. For the sagemaker:WorkteamArn
condition key, use Amazon Resource Name (ARN) condition operators. If the user attempts to
create a labeling job with a restricted work team, SageMaker returns an access denied error.
The policies below demonstrate different ways to use the
sagemaker:WorkteamType and sagemaker:WorkteamArn condition keys
with appropriate condition operators and valid condition values.
The following example uses the sagemaker:WorkteamType condition key with the
StringEquals condition operator to restrict access to a public work team. It
accepts condition values in the following format:
workforcetype-crowdworkforcetype can equal public,
private, or vendor.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RestrictWorkteamType", "Effect": "Deny", "Action": "sagemaker:CreateLabelingJob", "Resource": "*", "Condition": { "StringEquals": { "sagemaker:WorkteamType": "public-crowd" } } } ] }
The following policies show how to restrict access to a public work team using the
sagemaker:WorkteamArn condition key. The first shows how to use it with a valid
IAM regex-variant of the work team ARN and the ArnLike condition operator. The
second shows how to use it with the ArnEquals condition operator and the work
team ARN.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RestrictWorkteamType", "Effect": "Deny", "Action": "sagemaker:CreateLabelingJob", "Resource": "*", "Condition": { "ArnLike": { "sagemaker:WorkteamArn": "arn:aws:sagemaker:*:*:workteam/public-crowd/*" } } } ] }
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RestrictWorkteamType", "Effect": "Deny", "Action": "sagemaker:CreateLabelingJob", "Resource": "*", "Condition": { "ArnEquals": { "sagemaker:WorkteamArn": "arn:aws:sagemaker:us-west-2:394669845002:workteam/public-crowd/default" } } } ] }
