本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS 适用于亚马逊的托管政策 SageMaker
要向用户、群组和角色添加权限,使用 AWS 托管策略比自己编写策略要容易得多。创建仅为团队提供所需权限的 IAM 客户管理型策略需要时间和专业知识。要快速入门,您可以使用我们的 AWS 托管策略。这些政策涵盖常见用例,可在您的 AWS 账户中使用。有关 AWS 托管策略的更多信息,请参阅 IAM 用户指南中的AWS 托管策略。
AWS 服务维护和更新 AWS 托管策略。您无法更改 AWS 托管策略中的权限。服务偶尔会向 AWS 托管策略添加其他权限以支持新功能。此类更新会影响附加策略的所有身份(用户、组和角色)。当推出新功能或有新操作可用时,服务最有可能更新 AWS 托管策略。服务不会从 AWS 托管策略中移除权限,因此策略更新不会破坏您的现有权限。
此外,还 AWS 支持跨多个服务的工作职能的托管策略。例如,ReadOnlyAccess AWS 托管策略提供对所有 AWS 服务和资源的只读访问权限。当服务启动新特征时, AWS 会为新操作和资源添加只读权限。有关工作职能策略的列表和说明,请参阅 IAM 用户指南中的适用于工作职能的AWS 管理型策略。
重要
我们建议您使用允许执行使用案例的最严格的策略。
以下 AWS 托管政策是亚马逊特有的,您可以将其附加到账户中的用户 SageMaker:
-
AmazonSageMakerFullAccess— 授予对 Amazon SageMaker 和 SageMaker 地理空间资源以及支持的操作的完全访问权限。这不提供无限制的 Amazon S3 访问权限,但支持具有特定sagemaker标签的存储桶和对象。此策略允许将所有 IAM 角色传递给 Amazon SageMaker,但仅允许将其中带有 “AmazonSageMaker” 的 IAM 角色传递给 AWS Glue AWS Step Functions、和 AWS RoboMaker 服务。 -
AmazonSageMakerReadOnly— 授予对 Amazon SageMaker 资源的只读访问权限。
以下 AWS 托管策略可以附加到您账户中的用户,但不建议这样做:
-
AdministratorAccess– 为所有 AWS 服务和账户中的所有资源授予所有操作权限。 -
DataScientist– 授予广泛的权限,以涵盖数据科学家所遇到的大多数使用案例(主要用于分析和商业智能)。
您可以通过登录到 IAM 控制台并搜索这些权限策略来查看它们。
您也可以创建自己的自定义 IAM 策略,根据需要授予对 Amazon SageMaker 操作和资源的权限。您可以将这些自定义策略附加到需要它们的用户或组。
主题
- AWS 托管策略: AmazonSageMakerFullAccess
- AWS 托管策略: AmazonSageMakerReadOnly
- AWS 亚马逊 C SageMaker anvas 的托管政策
- AWS Amazon SageMaker 集群的托管策略
- AWS Amazon Feature Stor SageMaker e 托管政策
- AWS Amazon SageMaker 地理空间托管政策
- AWS 亚马逊 G SageMaker round Truth 的托管政策
- AWS SageMaker 模型治理的托管策略
- AWS 模型注册管理机构的托管策略
- AWS SageMaker 笔记本电脑的托管策略
- AWS 管 SageMaker 道的托管策略
- AWS SageMaker 项目管理策略和 JumpStart
- SageMaker AWS 托管策略的更新
AWS 托管策略: AmazonSageMakerFullAccess
该政策授予管理权限,允许委托人完全访问所有 Amazon SageMaker 和 SageMaker 地理空间资源及操作。该策略还提供对相关服务的部分访问权限。此策略允许将所有 IAM 角色传递给 Amazon SageMaker,但仅允许将其中带有 “AmazonSageMaker” 的 IAM 角色传递给 AWS Glue AWS Step Functions、和 AWS RoboMaker 服务。该政策不包括创建 Amazon SageMaker 域名的权限。有关创建域所需策略的信息,请参阅Amazon SageMaker 先决条件。
权限详细信息
该策略包含以下权限。
-
application-autoscaling— 允许委托人自动扩展 SageMaker 实时推理端点。 -
athena— 允许委托人从中查询数据目录、数据库和表元数据的列表。 Amazon Athena -
aws-marketplace— 允许委托人查看 AWS AI Marketplace 订阅。如果您想访问中订阅的 SageMaker软件,则需要此选项。 AWS Marketplace -
cloudformation— 允许委托人获取使用 SageMaker JumpStart 解决方案和管道的 AWS CloudFormation 模板。 SageMaker JumpStart创建运行与其他 AWS 服务关联的 end-to-end 机器学习解决方案所需的资源。 SageMaker SageMaker Pipelines 创建由 Service Catalog 支持的新项目。 -
cloudwatch— 允许委托人发布 CloudWatch 指标、与警报交互以及将日志上传到您账户中的 CloudWatch 日志。 -
codebuild— 允许委托人存储 SageMaker 管道和项目的 AWS CodeBuild 构件。 -
codecommit— 需要与 SageMaker笔记本实例 AWS CodeCommit 集成。 -
cognito-idp— Amazon G SageMaker round Truth 需要定义私人员工和工作团队。 -
ec2— 当您 SageMaker 为 SageMaker 任务、模型、终端节点和笔记本实例指定 Amazon VPC 时,需要用于管理 Amazon EC2 资源和网络接口。 -
ecr— 需要提取和存储 Amazon SageMaker Studio Classic(自定义映像)、训练、处理、批量推理和推理终端节点的 Docker 工件。在里面使用自己的容器也需要这样做 SageMaker。代表用户创建和删除自定义映像需要 SageMaker JumpStart 解决方案的额外权限。 -
elastic-inference— 允许委托人连接到 Amazon Elastic Inferen SageMaker ce 以使用笔记本实例和终端节点。 -
elasticfilesystem- 允许主体访问 Amazon Elastic File System。这是使用 Amazon Elastic File System 中的数据源训练机器学习模型所必需的。 SageMaker -
fsx- 允许主体访问 Amazon FSx。这是使用 Amazon FSx 中的数据源训练机器学习模型所必需的。 SageMaker -
glue— 需要在 SageMaker 笔记本实例中进行推理管道预处理。 -
groundtruthlabeling- Ground Truth 标注作业所需。可通过 Ground Truth 控制台访问groundtruthlabeling端点。 -
iam— 需要向 SageMaker 控制台授予对可用 IAM 角色的访问权限并创建与服务相关的角色。 -
kms— 需要授予 SageMaker 控制台访问可用 AWS KMS 密钥的权限,并针对任务和端点中的任何指定 AWS KMS 别名检索这些密钥。 -
lambda- 允许主体调用和获取 AWS Lambda 函数列表。 -
logs— 需要允许 SageMaker 作业和端点发布日志流。 -
redshift- 允许主体访问 Amazon Redshift 集群凭证。 -
redshift-data- 允许主体使用 Amazon Redshift 中的数据来运行、描述和取消语句;获取语句结果;以及列出架构和表。 -
robomaker— 允许委托人拥有创建、获取描述和删除 AWS RoboMaker 仿真应用程序和作业的完全访问权限。这也是在笔记本实例上运行强化学习示例时所需。 -
s3, s3express— 允许委托人完全访问与亚马逊 S3 或 Amazon S3 Express 相关但不是全部的 Amazon S3 和 Amazon S3 Express 资源。 SageMaker -
sagemaker— 允许委托人列出 SageMaker 用户个人资料上的标签,并向 SageMaker 应用程序和空间添加标签。仅允许访问 sagemaker 的 SageMaker 流程定义:WorkteamType “私人人群” 或 “供应商人群”。 -
sagemaker和sagemaker-geospatial— 允许委托人对 SageMaker 域和用户配置文件进行只读访问。 -
secretsmanager- 允许主体完全访问 AWS Secrets Manager。主体可以安全地加密、存储和检索数据库和其他服务的凭证。对于带有使用 SageMaker 代码存储库的 SageMaker 笔记本实例,也需要这样做 GitHub。 -
servicecatalog- 允许主体使用 Service Catalog。委托人可以创建、获取、更新或终止预配置产品,例如使用 AWS 资源部署的服务器、数据库、网站或应用程序。 SageMaker JumpStart 和 Projects 需要这样才能在用户中查找和读取服务目录产品和启动 AWS 资源。 -
sns- 允许主体获取 Amazon SNS 主题列表。启用了同步推理功能的端点需要该权限来通知用户推理已完成。 -
states— SageMaker JumpStart 和 Pipelines 需要使用服务目录来创建步骤函数资源。 -
tag— SageMaker 流水线需要在 Studio Classic 中渲染。Studio Classic 需要标有sagemaker:project-id特定标签键的资源。这需要tag:GetResources权限。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAllNonAdminSageMakerActions", "Effect": "Allow", "Action": [ "sagemaker:*", "sagemaker-geospatial:*" ], "NotResource": [ "arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*", "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:space/*", "arn:aws:sagemaker:*:*:flow-definition/*" ] }, { "Sid": "AllowAddTagsForSpace", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:space/*" ], "Condition": { "StringEquals": { "sagemaker:TaggingAction": "CreateSpace" } } }, { "Sid": "AllowAddTagsForApp", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:app/*" ] }, { "Sid": "AllowStudioActions", "Effect": "Allow", "Action": [ "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:DescribeUserProfile", "sagemaker:ListUserProfiles", "sagemaker:DescribeSpace", "sagemaker:ListSpaces", "sagemaker:DescribeApp", "sagemaker:ListApps" ], "Resource": "*" }, { "Sid": "AllowAppActionsForUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*", "Condition": { "Null": { "sagemaker:OwnerUserProfileArn": "true" } } }, { "Sid": "AllowAppActionsForSharedSpaces", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*", "Condition": { "StringEquals": { "sagemaker:SpaceSharingType": [ "Shared" ] } } }, { "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace" ], "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*", "Condition": { "Null": { "sagemaker:OwnerUserProfileArn": "true" } } }, { "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace" ], "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*", "Condition": { "ArnLike": { "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" }, "StringEquals": { "sagemaker:SpaceSharingType": [ "Private", "Shared" ] } } }, { "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*", "Condition": { "ArnLike": { "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" }, "StringEquals": { "sagemaker:SpaceSharingType": [ "Private" ] } } }, { "Sid": "AllowFlowDefinitionActions", "Effect": "Allow", "Action": "sagemaker:*", "Resource": [ "arn:aws:sagemaker:*:*:flow-definition/*" ], "Condition": { "StringEqualsIfExists": { "sagemaker:WorkteamType": [ "private-crowd", "vendor-crowd" ] } } }, { "Sid": "AllowAWSServiceActions", "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeleteScheduledAction", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScalingPolicy", "application-autoscaling:PutScheduledAction", "application-autoscaling:RegisterScalableTarget", "aws-marketplace:ViewSubscriptions", "cloudformation:GetTemplateSummary", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm", "cloudwatch:PutMetricData", "codecommit:BatchGetRepositories", "codecommit:CreateRepository", "codecommit:GetRepository", "codecommit:List*", "cognito-idp:AdminAddUserToGroup", "cognito-idp:AdminCreateUser", "cognito-idp:AdminDeleteUser", "cognito-idp:AdminDisableUser", "cognito-idp:AdminEnableUser", "cognito-idp:AdminRemoveUserFromGroup", "cognito-idp:CreateGroup", "cognito-idp:CreateUserPool", "cognito-idp:CreateUserPoolClient", "cognito-idp:CreateUserPoolDomain", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:List*", "cognito-idp:UpdateUserPool", "cognito-idp:UpdateUserPoolClient", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:CreateVpcEndpoint", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CreateRepository", "ecr:Describe*", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:StartImageScan", "elastic-inference:Connect", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "fsx:DescribeFileSystems", "glue:CreateJob", "glue:DeleteJob", "glue:GetJob*", "glue:GetTable*", "glue:GetWorkflowRun", "glue:ResetJobBookmark", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:UpdateJob", "groundtruthlabeling:*", "iam:ListRoles", "kms:DescribeKey", "kms:ListAliases", "lambda:ListFunctions", "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery", "logs:Describe*", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:ListLogDeliveries", "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery", "robomaker:CreateSimulationApplication", "robomaker:DescribeSimulationApplication", "robomaker:DeleteSimulationApplication", "robomaker:CreateSimulationJob", "robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob", "secretsmanager:ListSecrets", "servicecatalog:Describe*", "servicecatalog:List*", "servicecatalog:ScanProvisionedProducts", "servicecatalog:SearchProducts", "servicecatalog:SearchProvisionedProducts", "sns:ListTopics", "tag:GetResources" ], "Resource": "*" }, { "Sid": "AllowECRActions", "Effect": "Allow", "Action": [ "ecr:SetRepositoryPolicy", "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:UploadLayerPart", "ecr:DeleteRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:DeleteRepository", "ecr:PutImage" ], "Resource": [ "arn:aws:ecr:*:*:repository/*sagemaker*" ] }, { "Sid": "AllowCodeCommitActions", "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush" ], "Resource": [ "arn:aws:codecommit:*:*:*sagemaker*", "arn:aws:codecommit:*:*:*SageMaker*", "arn:aws:codecommit:*:*:*Sagemaker*" ] }, { "Sid": "AllowCodeBuildActions", "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Resource": [ "arn:aws:codebuild:*:*:project/sagemaker*", "arn:aws:codebuild:*:*:build/*" ], "Effect": "Allow" }, { "Sid": "AllowStepFunctionsActions", "Action": [ "states:DescribeExecution", "states:GetExecutionHistory", "states:StartExecution", "states:StopExecution", "states:UpdateStateMachine" ], "Resource": [ "arn:aws:states:*:*:statemachine:*sagemaker*", "arn:aws:states:*:*:execution:*sagemaker*:*" ], "Effect": "Allow" }, { "Sid": "AllowSecretManagerActions", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Sid": "AllowReadOnlySecretManagerActions", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } }, { "Sid": "AllowServiceCatalogProvisionProduct", "Effect": "Allow", "Action": [ "servicecatalog:ProvisionProduct" ], "Resource": "*" }, { "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct", "Effect": "Allow", "Action": [ "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } } }, { "Sid": "AllowS3ObjectActions", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*" ] }, { "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" } } }, { "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringEquals": { "s3:ExistingObjectTag/servicecatalog:provisioning": "true" } } }, { "Sid": "AllowS3BucketActions", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketCors", "s3:PutBucketCors" ], "Resource": "*" }, { "Sid": "AllowS3BucketACL", "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "AllowLambdaInvokeFunction", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:*SageMaker*", "arn:aws:lambda:*:*:function:*sagemaker*", "arn:aws:lambda:*:*:function:*Sagemaker*", "arn:aws:lambda:*:*:function:*LabelingFunction*" ] }, { "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } }, { "Sid": "AllowCreateServiceLinkedRoleForRobomaker", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "robomaker.amazonaws.com" } } }, { "Sid": "AllowSNSActions", "Effect": "Allow", "Action": [ "sns:Subscribe", "sns:CreateTopic", "sns:Publish" ], "Resource": [ "arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*", "arn:aws:sns:*:*:*sagemaker*" ] }, { "Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*", "Condition": { "StringEquals": { "iam:PassedToService": [ "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com" ] } } }, { "Sid": "AllowPassRoleToSageMaker", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Sid": "AllowAthenaActions", "Effect": "Allow", "Action": [ "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListTableMetadata", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": [ "*" ] }, { "Sid": "AllowGlueCreateTable", "Effect": "Allow", "Action": [ "glue:CreateTable" ], "Resource": [ "arn:aws:glue:*:*:table/*/sagemaker_tmp_*", "arn:aws:glue:*:*:table/sagemaker_featurestore/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "AllowGlueUpdateTable", "Effect": "Allow", "Action": [ "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:table/sagemaker_featurestore/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore" ] }, { "Sid": "AllowGlueDeleteTable", "Effect": "Allow", "Action": [ "glue:DeleteTable" ], "Resource": [ "arn:aws:glue:*:*:table/*/sagemaker_tmp_*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "AllowGlueGetTablesAndDatabases", "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "AllowGlueGetAndCreateDatabase", "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:GetDatabase" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore", "arn:aws:glue:*:*:database/sagemaker_processing", "arn:aws:glue:*:*:database/default", "arn:aws:glue:*:*:database/sagemaker_data_wrangler" ] }, { "Sid": "AllowRedshiftDataActions", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": [ "*" ] }, { "Sid": "AllowRedshiftGetClusterCredentials", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "AllowListTagsForUserProfile", "Effect": "Allow", "Action": [ "sagemaker:ListTags" ], "Resource": [ "arn:aws:sagemaker:*:*:user-profile/*" ] }, { "Sid": "AllowCloudformationListStackResources", "Effect": "Allow", "Action": [ "cloudformation:ListStackResources" ], "Resource": "arn:aws:cloudformation:*:*:stack/SC-*" }, { "Sid": "AllowS3ExpressObjectActions", "Effect": "Allow", "Action": [ "s3express:CreateSession" ], "Resource": [ "arn:aws:s3express:*:*:bucket/*SageMaker*", "arn:aws:s3express:*:*:bucket/*Sagemaker*", "arn:aws:s3express:*:*:bucket/*sagemaker*", "arn:aws:s3express:*:*:bucket/*aws-glue*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowS3ExpressCreateBucketActions", "Effect": "Allow", "Action": [ "s3express:CreateBucket" ], "Resource": [ "arn:aws:s3express:*:*:bucket/*SageMaker*", "arn:aws:s3express:*:*:bucket/*Sagemaker*", "arn:aws:s3express:*:*:bucket/*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowS3ExpressListBucketActions", "Effect": "Allow", "Action": [ "s3express:ListAllMyDirectoryBuckets" ], "Resource": "*" } ] }
AWS 托管策略: AmazonSageMakerReadOnly
此政策授予 SageMaker 通过 AWS Management Console 和软件开发工具包对 Amazon 的只读访问权限。
权限详细信息
该策略包含以下权限。
-
application-autoscaling— 允许用户浏览可扩展的 SageMaker 实时推理端点的描述。 -
aws-marketplace— 允许用户查看 AWS AI Marketplace 订阅。 -
cloudwatch— 允许用户接收 CloudWatch 警报。 -
cognito-idp— Amazon Gro SageMaker und Truth 需要浏览私人员工和工作团队的描述和列表。 -
ecr- 读取 Docker 构件以进行训练和推理时所需。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:Describe*", "sagemaker:List*", "sagemaker:BatchGetMetrics", "sagemaker:GetDeviceRegistration", "sagemaker:GetDeviceFleetReport", "sagemaker:GetSearchSuggestions", "sagemaker:BatchGetRecord", "sagemaker:GetRecord", "sagemaker:Search", "sagemaker:QueryLineage", "sagemaker:GetLineageGroupPolicy", "sagemaker:BatchDescribeModelPackage", "sagemaker:GetModelPackageGroupPolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "aws-marketplace:ViewSubscriptions", "cloudwatch:DescribeAlarms", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:ListGroups", "cognito-idp:ListIdentityProviders", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools", "cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup", "ecr:Describe*" ], "Resource": "*" } ] }
SageMaker AWS 托管策略的更新
查看 SageMaker 自该服务开始跟踪这些更改以来 AWS 托管策略更新的详细信息。
| Policy | 版本 | 更改 | Date |
|---|---|---|---|
AmazonSageMakerFull访问权限 – 对现有策略的更新 |
26 |
添加 |
2024 年 3 月 29 日 |
AmazonSageMakerFullAccess -更新现有政策 |
25 |
添加 |
2023 年 11 月 30 日 |
AmazonSageMakerFullAccess -更新现有政策 |
24 |
添加 |
2022 年 11 月 30 日 |
AmazonSageMakerFullAccess -更新现有政策 |
23 |
添加 |
2022 年 6 月 29 日 |
AmazonSageMakerFullAccess -更新现有政策 |
22 |
添加 |
2022 年 5 月 1 日 |
AmazonSageMakerRead只有 – 对现有策略的更新 |
11 |
添加 |
2021 年 12 月 1 日 |
AmazonSageMakerFullAccess -更新现有政策 |
21 |
为启用了异步推理的端点添加 |
2021 年 9 月 8 日 |
AmazonSageMakerFullAccess -更新现有政策 |
20 |
更新 |
2021 年 7 月 15 日 |
AmazonSageMakerReadOnly -更新现有政策 |
10 |
为 SageMaker 功能商店 |
2021 年 6 月 10 日 |
|
SageMaker 开始跟踪其 AWS 托管策略的更改。 |
2021 年 6 月 1 日 |
