Permissions - Build a Secure Enterprise Machine Learning Platform on AWS


IAM policies need to be created and attached to different roles to perform different operations. IAM provides fine-grained controls to allow / deny access to different SageMaker operations such as launching SageMaker Notebook instances or starting SageMaker training jobs. Following are some example IAM policies for controlling access to various SageMaker operations for the different roles. Note that the following IAM policies serve as examples only. It is important that you modify and test them for your specific needs.

  • Data scientist/ML engineer role — Data scientists/ML engineers mainly need access to SageMaker Notebook instances or Studio for experimentation, or SageMaker console to view job status or other metadata. The following sample policies provide the data scientist / ML engineer role with controlled access to the SageMaker Notebook instance or SageMaker Studio domain.

  • SageMaker Console access — The following sample policy enables an AWS user to gain read-only permission to the SageMaker console, so the user can navigate inside the console and perform additional privileged operations such as launching a SageMaker Notebook instance if additional permissions are granted in other policies. If you need to restrict read-only access to a subset of actions, you can replace List*, Describe*, and Get* with specific actions instead.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerReadAccess", "Effect": "Allow", "Action": [ "sagemaker:List*", "sagemaker:Describe*", "sagemaker:Get*" ], "Resource": "*" } ] }
  • SageMaker Notebook Access — The following sample policy enables an AWS user to launch a SageMaker Notebook instance from the SageMaker console when the user has an AWS userid (for example, AXXXXXXXXXXXXXXXXXXXX or <IAM Role ID>:<user name> for a Security Assertion Markup Language (SAML) federated user) that matches the value of the “owner” tag associated with the notebook instance. The Governance section of this guide covers more detail on resource tagging and how it is used for permission management. The following IAM policy can be attached to an IAM user directly, or to an IAM role (for example, a data scientist role) that a user assumes.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerNotebookAccessbyOwner", "Effect": "Allow", "Action": [ "sagemaker:StartNotebookInstance", "sagemaker:StopNotebookInstance", "sagemaker:CreatePresignedNotebookInstanceUrl" ], "Resource": "*", "Condition": { "StringEquals": { "sagemaker:ResourceTag/owner": "${aws:userid}" } } } ] }

    The previous example uses aws:userid to manage fine-grained access to the SageMaker Notebook instances by the individual users. Another option is to use the Session tags and match the tag on the principal to resource, as shown in the following code sample. For more information about the Principal tag, see Working backward: From IAM policies and principal tags to standardized names and tags for your AWS resources.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerNotebookAccessbyOwner", "Effect": "Allow", "Action": [ "sagemaker:StartNotebookInstance", "sagemaker:StopNotebookInstance", "sagemaker:CreatePresignedNotebookInstanceUrl" ], "Resource": "*", "Condition": { "StringEquals": { "sagemaker:ResourceTag/owner": "${aws:PrincipalTag/owner}" } } } ] }
  • SageMaker Studio access — The following sample policy enables a SageMaker Studio user to access the SageMaker Studio where the user profile matches the user ID. This IAM policy can be attached to an IAM user directly, or an IAM role (for example, a data scientist role) that a user assumes. Similar to the previous example, you can also use Session tags and match the principal and resource tags in the condition. From an authentication perspective, SageMaker Studio also supports AWS Single-Sign-On based authentication.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerStudioAccessbyOwner" "Effect": "Allow", "Action": [ "sagemaker:CreatePresignedDomainUrl" ], "Resource": "*", "Condition": { "StringLike": { "sagemaker:ResourceTag/owner": "${aws:userid}" } } } ]
  • SageMaker Notebook execution role — The SageMaker notebook execution role needs access to data stored in S3, and permission to run SageMaker processing, training, or tuning jobs.

    The following sample policy allows a SageMaker notebook execution role to create a SageMaker processing, training, and tuning job and pass a job execution role to it.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerTraining", "Effect": "Allow", "Action": [ "sagemaker:CreateTrainingJob", "sagemaker:CreateHyperParameterTuningJob", "sagemaker:CreateProcessingJob" ], "Resource": "*" }, { "Sid": "SageMakerPassRoleTraining", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "<SAGEMAKER_TRAINING_EXECUTION_ROLE_ARN>", "Condition": { "StringEquals": { "iam:PassedToService": "" } } } ] }

    For quick experimentation, data scientists can build and push Docker images for model training to an Amazon ECR repo from the SageMaker Notebook instance. The following sample policy can be attached to the SageMaker Notebook execution role to enable this. The following policy also checks for ECR repos with resource tag equal to SageMaker to provide fine-grained access control to the different repos in the ECR. SageMaker also provides a suite of built-in algorithms containers and managed machine learning framework containers. These containers are accessible by various SageMaker jobs such as training jobs without the need for additional permission.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SagemakerCreateECR", "Effect": "Allow", "Action": [ "ecr:CreateRepository" ], "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "SageMaker" } } }, { "Sid": "SageMakerECRAccess", "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken" ], "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*" }, { "Sid": "SagemakerECRRepo", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:CompleteLayerUpload", "ecr:UploadLayerPart", "ecr:DescribeImages", "ecr:ListImages", "ecr:InitiateLayerUpload", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:PutImage" ], "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*", "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "SageMaker" } } }, { "Sid": "SagemakerECRRead", "Effect": "Allow", "Action": [ "ecr:DescribeRepositories" ], "Resource": "arn:aws:ecr:*:*:repository/*" } ] }

    The following sample policy, when attached to the SageMaker notebook execution role, enables a user to create a model and deploy an endpoint in SageMaker.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerModel", "Effect": "Allow", "Action": [ "sagemaker:CreateModel", "sagemaker:DescribeEndpointConfig", "sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint", "sagemaker:DescribeEndpoint" ], "Resource": "*" }, { "Sid": "SageMakerPassRoleModel", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "<SAGEMAKER_MODEL_EXECUTION_ROLE_ARN>", "Condition": { "StringEquals": { "iam:PassedToService": "" } } } ] }
  • Training / tuning / processing job role — When the SageMaker processing, training, or tuning job runs, it needs access to resources such as AWS Key Management Service (AWS KMS), CloudWatch Logs, and access to S3 data sources and ECR repository.

    The following sample shows a policy that can be attached to a training / tuning / processing job role to run the SageMaker training / processing / tuning job and use an S3 bucket as the input source and output target. This policy also allows the SageMaker job to create Elastic Network Interface (ENI) and communicate to other VPC resources with actions such as ec2:CreateNetworkInterface.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerLog", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": "*" }, { "Sid": "SageMakerEC2Management", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": "*" }, { "Sid": "SageMakerKMSUsage", "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt" ], "Resource": "<DATA_KMS_CMK_ARN>" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3::<ACCOUNT_ID>:<INPUT_BUCKET_NAME>", "arn:aws:s3::<ACCOUNT_ID>:<OUTPUT_BUCKET_NAME>/<PATH_NAME>" ] }, { "Sid": "SageMakerECRAccess", "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken" ], "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*" }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*", "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "SageMaker" } } } ] }
  • SageMaker Model hosting role — the IAM policies for the SageMaker model will need access to EC2, AWS KMS, CloudWatch, and application auto-scaling to host the model in a SageMaker endpoint.

    The following example shows a policy that can be attached to the model hosting role to set up a SageMaker endpoint. You should further specify the resources to restrict access by the different actions based on requirements.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerLog", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": "*" }, { "Sid": "SageMakerEC2Management", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": "*" }, { "Sid": "SageMakerAutoscaling", "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeleteScheduledAction", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScalingPolicy", "application-autoscaling:PutScheduledAction", "application-autoscaling:RegisterScalableTarget" ], "Resource": "*" }, { "Sid": "SageMakerKMSUsage", "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt" ], "Resource": "<DATA_KMS_CMK_ARN>" }, { "Sid": "SageMakerECRAccess", "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken" ], "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*", }, { "Sid": "SageMakerECRUsage", "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:*:<ACCOUNT_ID>:repository/*", "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "SageMaker" } } }, { "Sid": "SageMakerElasticInterface", "Effect": "Allow", "Action": [ "elastic-inference:Connect" ], "Resource": "*" } ] }
  • VPC endpoint — You can create VPC endpoint policy to restrict access to resources behind VPC endpoints. The following policy will allow any user or service within the VPC to access the specified S3 buckets.

    { "Version": "2012-10-17", "Sid": "AccessOnlytoSpecificBucket", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": [ "arn:aws:s3:::<bucket_name>", "arn:aws:s3:::<bucket_name>/*" ] } ] }

There are additional sample managed policies and custom policies that can be used as references for building IAM policies to meet different needs. For pushing containers from within Studio notebooks to ECR, see Using the Amazon SageMaker Studio Image Build CLI to build container images from your Studio notebooks. Guardrails can be set up at the account level to enforce policies such as network isolation or limiting training to a specific VPC. See the Guardrails section of this document for additional detail.