AmazonSageMakerFullAccess AmazonSageMakerReadOnly Amazon SageMaker AI 策略更新

Amazon SageMaker AI 的 AWS 托管式策略

要向用户、组和角色添加权限，与自己编写策略相比，使用 AWS 托管式策略更简单。创建仅为团队提供所需权限的 IAM 客户管理型策略需要时间和专业知识。要快速入门，您可以使用我们的 AWS 托管式策略。这些策略涵盖常见使用案例，可在您的 AWS 账户中使用。有关 AWS 托管式策略的更多信息，请参阅《IAM 用户指南》中的 AWS 托管式策略。

AWS 服务负责维护和更新 AWS 托管式策略。您无法更改 AWS 托管式策略中的权限。服务偶尔会向 AWS 托管式策略添加额外权限以支持新特征。此类更新会影响附加策略的所有身份（用户、组和角色）。当启动新特征或新操作可用时，服务最有可能会更新 AWS 托管式策略。服务不会从 AWS 托管式策略中删除权限，因此策略更新不会破坏您的现有权限。

此外，AWS 还支持跨多种服务的工作职能的托管式策略。例如，ReadOnlyAccess AWS 托管策略提供对所有 AWS 服务和资源的只读访问权限。当服务启动新特征时，AWS 会为新操作和资源添加只读权限。有关工作职能策略的列表和说明，请参阅 IAM 用户指南中的适用于工作职能的 AWS 托管式策略。

重要

我们建议您使用允许执行使用案例的最严格的策略。

以下 AWS 托管式策略（可附加到您账户中的用户）特定于 Amazon SageMaker AI：

AmazonSageMakerFullAccess – 授予对 Amazon SageMaker AI 和 SageMaker AI 地理空间资源以及受支持操作的完全访问权限。这不提供无限制的 Amazon S3 访问权限，但支持具有特定 sagemaker 标签的存储桶和对象。此策略允许将所有 IAM 角色传递给 Amazon SageMaker AI，但仅允许将包含“AmazonSageMaker”的 IAM 角色传递给 AWS Glue、AWS Step Functions 和 AWS RoboMaker 服务。
AmazonSageMakerReadOnly – 授予对 Amazon SageMaker AI 资源的只读访问权限。

以下 AWS 托管式策略也可以附加到您账户中的用户，但不建议使用：

AdministratorAccess – 为所有 AWS 服务和账户中的所有资源授予所有操作权限。
DataScientist – 授予广泛的权限，以涵盖数据科学家所遇到的大多数使用案例（主要用于分析和商业智能）。

您可以通过登录到 IAM 控制台并搜索这些权限策略来查看它们。

此外，您还可以创建自己的自定义 IAM 策略，以授予 Amazon SageMaker AI 操作和资源的相关权限（在需要它们时）。您可以将这些自定义策略附加到需要它们的用户或组。

主题

AWS 托管式策略：AmazonSageMakerFullAccess

此策略授予管理权限，允许主体完全访问所有 Amazon SageMaker AI 和 SageMaker AI 地理空间资源和操作。该策略还提供对相关服务的部分访问权限。此策略允许将所有 IAM 角色传递给 Amazon SageMaker AI，但仅允许将包含“AmazonSageMaker”的 IAM 角色传递给 AWS Glue、AWS Step Functions 和 AWS RoboMaker 服务。此策略不包括创建 Amazon SageMaker AI 域的权限。有关创建域所需策略的信息，请参阅完成 Amazon SageMaker AI 的先决条件。

权限详细信息

该策略包含以下权限。

application-autoscaling - 允许主体自动扩展 SageMaker AI 实时推理端点。
athena - 允许主体从 Amazon Athena 中查询数据目录、数据库和表元数据的列表。
aws-marketplace - 允许主体查看 AWS AI Marketplace 订阅。如果您想访问 AWS Marketplace 中订阅的 SageMaker AI 软件，则需要此权限。
cloudformation - 允许主体获取使用 SageMaker AI JumpStart 解决方案和 Pipelines 时所需的 AWS CloudFormation 模板。SageMaker AI JumpStart 创建了运行端到端机器学习解决方案所需的资源，这些解决方案将 SageMaker AI 与其他 AWS 服务联系起来。SageMaker AI Pipelines 可创建由 Service Catalog 支持的新项目。
cloudwatch - 允许主体发布 CloudWatch 指标，与警报交互以及将日志上传到您账户中的 CloudWatch Logs。
codebuild - 允许主体存储 SageMaker AI 管道和项目的 AWS CodeBuild 构件。
codecommit - AWS CodeCommit 与 SageMaker AI Notebook 实例集成时所需。
cognito-idp - Amazon SageMaker Ground Truth 定义私有人力和工作团队时所需。
ec2 - 当您为 SageMaker AI 作业、模型、端点和笔记本实例指定 Amazon VPC 时，SageMaker AI 需要该权限来管理 Amazon EC2 资源和网络接口。
ecr：需要为 Amazon SageMaker Studio Classic（自定义映像）、训练、处理、批量推理和推理端点提取和存储 Docker 构件。在 SageMaker AI 中使用您自己的容器时也需要该权限。代表用户创建和移除自定义映像时需要获得 SageMaker AI JumpStart 解决方案的额外权限。
elasticfilesystem - 允许主体访问 Amazon Elastic File System。这是 SageMaker AI 使用 Amazon Elastic File System 中的数据来源训练机器学习模型时所需。
fsx - 允许主体访问 Amazon FSx。这是 SageMaker AI 使用 Amazon FSx 中的数据来源训练机器学习模型时所需。
glue - 从 SageMaker AI Notebook 实例中预处理推理管道时所需。
groundtruthlabeling - Ground Truth 标注作业所需。可通过 Ground Truth 控制台访问 groundtruthlabeling 端点。
iam - 向 SageMaker AI 控制台授予对可用 IAM 角色的访问权限并创建与服务相关的角色时所需。
kms - 向 SageMaker AI 控制台授予对可用 AWS KMS 密钥的访问权限并为作业和端点中任何指定的 AWS KMS 别名检索这些密钥时所需。
lambda - 允许主体调用和获取 AWS Lambda 函数列表。
logs - 允许 SageMaker AI 作业和端点发布日志流时所需。
redshift - 允许主体访问 Amazon Redshift 集群凭证。
redshift-data - 允许主体使用 Amazon Redshift 中的数据来运行、描述和取消语句；获取语句结果；以及列出架构和表。
robomaker - 允许主体拥有创建、获取描述和删除 AWS RoboMaker 模拟应用程序和作业的完全访问权限。这也是在笔记本实例上运行强化学习示例时所需。
s3, s3express – 允许主体完全访问与 SageMaker AI 有关的 Amazon S3 和 Amazon S3 Express 资源，但不能访问所有 Amazon S3 或 Amazon S3 Express。
sagemaker – 允许主体在 SageMaker AI 用户配置文件中列出标签，并在 SageMaker AI 应用程序和空间中添加标签。仅允许访问 sagemaker:WorkteamType 为“private-crowd”或“vendor-crowd”的 SageMaker AI 流定义。允许跨所有支持训练计划功能的 AWS 区域，在 SageMaker 训练作业以及 SageMaker HyperPod 集群内，使用和描述 SageMaker AI 训练计划及预留容量。
sagemaker 和 sagemaker-geospatial – 允许主体只读访问 SageMaker AI 域和用户配置文件。
secretsmanager - 允许主体完全访问 AWS Secrets Manager。主体可以安全地加密、存储和检索数据库和其他服务的凭证。对于带有使用 GitHub 的 SageMaker AI 代码存储库的 SageMaker AI Notebook 实例，也需要该权限。
servicecatalog - 允许主体使用 Service Catalog。主体可以创建预置产品，获取预置产品列表，更新或终止预置产品，例如使用 AWS 资源部署的服务器、数据库、网站或应用程序。这是 SageMaker AI JumpStart 和 Projects 在用户中查找和读取服务目录产品并启动 AWS 资源所需。
sns - 允许主体获取 Amazon SNS 主题列表。启用了同步推理功能的端点需要该权限来通知用户推理已完成。
states - SageMaker AI JumpStart 和 Pipelines 使用服务目录创建阶跃函数资源时所需。
tag – SageMaker AI Pipelines 在 Studio Classic 中渲染所需的参数。Studio Classic 需要使用特定 sagemaker:project-id 标记键标记的资源。这需要 tag:GetResources 权限。

JSON


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:*",
        "sagemaker-geospatial:*"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:partner-app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*",
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:space/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:app/*"
      ]
    },
    {
      "Sid": "AllowUseOfTrainingPlanResources",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateCluster",
        "sagemaker:UpdateCluster",
        "sagemaker:DescribeTrainingPlan"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces",
        "sagemaker:DescribeApp",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private",
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private"
          ]
        }
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": [
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": [
            "private-crowd",
            "vendor-crowd"
          ]
        }
      }
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/*sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ProvisionProduct"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "robomaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": [
        "glue:CreateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": [
        "glue:DeleteTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:user-profile/*"
      ]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:ListAllMyDirectoryBuckets"
      ],
      "Resource": "*"
    }
  ]
}

显示更多

显示更少

AWS 托管式策略：AmazonSageMakerReadOnly

此策略授予通过 AWS 管理控制台和 SDK 对 Amazon SageMaker AI 进行只读访问的权限。

权限详细信息

该策略包含以下权限。

application-autoscaling – 允许用户浏览可扩展 SageMaker AI 实时推理端点的描述。
aws-marketplace - 允许用户查看 AWS AI Marketplace 订阅。
cloudwatch - 允许用户接收 CloudWatch 警报。
cognito-idp - Amazon SageMaker Ground Truth 浏览私有人力和工作团队的描述和列表时所需。
ecr - 读取 Docker 构件以进行训练和推理时所需。

SageMaker AI 对 AWS 托管式策略的更新

查看有关适用于 SageMaker AI 的 AWS 托管式策略更新的详细信息（从该服务开始跟踪这些更改开始）。

策略	版本	更改	日期
AmazonSageMakerFullAccess – 对现有策略的更新	27	使用以下操作添加语句 ID `AllowUseOfTrainingPlanResources`：`sagemaker:CreateTrainingJob`、`sagemaker:CreateCluster`、`sagemaker:UpdateCluster`、`sagemaker:DescribeTrainingPlan`。在 `AllowAllNonAdminSageMakerActions` 策略语句中排除的资源中添加合作伙伴应用程序、训练计划和预留容量。	2024 年 12 月 4 日
AmazonSageMakerFullAccess – 对现有策略的更新	26	添加 `sagemaker:AddTags` 权限	2024 年 3 月 29 日
AmazonSageMakerFullAccess - 对现有策略的更新	25	添加 `sagemaker:CreateApp`、`sagemaker:DescribeApp`、`sagemaker:DeleteApp`、`sagemaker:CreateSpace`、`sagemaker:UpdateSpace`、`sagemaker:DeleteSpace`、`s3express:CreateSession`、`s3express:CreateBucket` 和 `s3express:ListAllMyDirectoryBuckets` 权限。	2023 年 11 月 30 日
AmazonSageMakerFullAccess - 对现有策略的更新	24	添加 `sagemaker-geospatial:*`、`sagemaker:AddTags`、`sagemaker-ListTags`、`sagemaker-DescribeSpace` 和 `sagemaker:ListSpaces` 权限。	2022 年 11 月 30 日
AmazonSageMakerFullAccess - 对现有策略的更新	23	添加 `glue:UpdateTable`。	2022 年 6 月 29 日
AmazonSageMakerFullAccess - 对现有策略的更新	22	添加 `cloudformation:ListStackResources`。	2022 年 5 月 1 日
AmazonSageMakerReadOnly – 对现有策略的更新	11	添加 `sagemaker:QueryLineage`、`sagemaker:GetLineageGroupPolicy`、`sagemaker:BatchDescribeModelPackage` 和 `sagemaker:GetModelPackageGroupPolicy` 权限。	2021 年 12 月 1 日
AmazonSageMakerFullAccess - 对现有策略的更新	21	为启用了异步推理的端点添加 `sns:Publish` 权限。	2021 年 9 月 8 日
AmazonSageMakerFullAccess - 对现有策略的更新	20	更新 `iam:PassRole` 资源和权限。	2021 年 7 月 15 日
AmazonSageMakerReadOnly - 对现有策略的更新	10	为 SageMaker AI Feature Store 添加了新的 API `BatchGetRecord`。	2021 年 6 月 10 日
		SageMaker AI 开始跟踪其 AWS 托管式策略的更改。	2021 年 6 月 1 日

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

文档惯例

Amazon SageMaker AI API 权限参考

SageMaker Canvas