AWS managed policies for Amazon SageMaker - Amazon SageMaker

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

AWS managed policies for Amazon SageMaker

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

Important

We recommend that you use the most restrictive policy that still allows your use case to be performed.

The following AWS managed policies, which you can attach to users in your account, are specific to Amazon SageMaker:

  • AmazonSageMakerFullAccess – Grants full access to Amazon SageMaker and SageMaker geospatial resources and the supported operations. This does not provide unrestricted Amazon S3 access, but supports buckets and objects with specific sagemaker tags. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services.

  • AmazonSageMakerReadOnly – Grants read-only access to Amazon SageMaker resources.

The following AWS managed policies can be attached to users in your account, but are not recommended:

  • AdministratorAccess – Grants all actions for all AWS services and for all resources in the account.

  • DataScientist – Grants a wide range of permissions to cover most of the use cases (primarily analytics and business intelligence) encountered by data scientists.

You can review these permissions policies by signing in to the IAM console and searching for them.

You can also create your own custom IAM policies to grant permissions for Amazon SageMaker actions and resources as you need them. You can attach these custom policies to the users or groups that require them.

AWS managed policy: AmazonSageMakerFullAccess

This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker and SageMaker geospatial resources and operations. The policy also provides select access to related services. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. This policy does not include permissions to create an Amazon SageMaker domain. For information about the policy needed to create a domain, see Amazon SageMaker Prerequisites.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows principals to automatically scale SageMaker real-time inference endpoints.

  • athena – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.

  • aws-marketplace – Allows principals to view AWS AI Marketplace subscriptions. This is needed if you want to access SageMaker software subscribed to from AWS Marketplace.

  • cloudformation – Allows principals to get AWS CloudFormation templates for using SageMaker JumpStart solutions and Pipelines. SageMaker JumpStart creates the resources necessary to run end-to-end machine learning solutions that tie SageMaker to other AWS services. SageMaker Pipelines creates new projects that are backed by Service Catalog.

  • cloudwatch – Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.

  • codebuild – Allows principals to store AWS CodeBuild artifacts for SageMaker Pipelines and Projects.

  • codecommit – Needed for AWS CodeCommit integration with SageMaker notebook instances.

  • cognito-idp – Needed for Amazon SageMaker Ground Truth to define private workforces and work teams.

  • ec2 – Needed to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for your SageMaker jobs, models, endpoints, and notebook instances.

  • ecr – Needed to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. This is also required to use your own container in SageMaker. Additional permissions for SageMaker JumpStart solutions are required to create and remove custom images on behalf of users.

  • elastic-inference – Allows principals to connect to Amazon Elastic Inference for use with SageMaker notebook instances and endpoints.

  • elasticfilesystem – Allows principals to access Amazon Elastic File System. This is needed for SageMaker to use data sources in Amazon Elastic File System for training machine learning models.

  • fsx – Allows principals to access Amazon FSx. This is needed for SageMaker to use data sources in Amazon FSx for training machine learning models.

  • glue – Needed for inference pipeline pre-processing from within SageMaker notebook instances.

  • groundtruthlabeling – Needed for Ground Truth labeling jobs. The groundtruthlabeling endpoint is accessed through the Ground Truth console.

  • iam – Needed to give the SageMaker console access to available IAM roles and to create service-linked roles.

  • kms – Needed to give the SageMaker console access to available AWS KMS keys and to retrieve any AWS KMS aliases specified in jobs and endpoints.

  • lambda – Allows principals to invoke and get a list of AWS Lambda functions.

  • logs – Needed to allow SageMaker jobs and endpoints to publish log streams.

  • redshift – Allows principals to access Amazon Redshift cluster credentials.

  • redshift-data – Allows principals to use data in Amazon Redshift to run, describe, and cancel statements; get statement results; and list schemas and tables.

  • robomaker – Allows principals full access to create, get descriptions of, and delete AWS RoboMaker simulation applications and jobs. This is also needed to run reinforcement learning examples on notebook instances.

  • s3, s3express – Allows principals full access to the Amazon S3 and Amazon S3 Express resources related to SageMaker, but not to all of Amazon S3 and Amazon S3 Express.

  • sagemaker – Allows principals to list tags on SageMaker user profiles and to add tags to SageMaker apps and spaces. Access to SageMaker flow definitions is allowed only for sagemaker:WorkteamType "private-crowd" or "vendor-crowd".

  • sagemaker, sagemaker-geospatial – Allows principals read-only access to SageMaker domains and user profiles.

  • secretsmanager – Allows principals full access to AWS Secrets Manager. The principal can securely encrypt, store, and retrieve credentials for databases and other services. This is also needed for SageMaker notebook instances with SageMaker code repositories that use GitHub.

  • servicecatalog – Allows principals to use Service Catalog. The principal can create, get a list of, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed using AWS resources. This is needed for SageMaker JumpStart and Projects to find and read Service Catalog products and to launch AWS resources in the user's account.

  • sns – Allows principals to get a list of Amazon SNS topics. This is needed for endpoints with async inference enabled to notify users that inference has completed.

  • states – Needed for SageMaker JumpStart and Pipelines to use Service Catalog to create Step Functions resources.

  • tag – Needed for SageMaker Pipelines to render in Studio Classic. Studio Classic requires resources tagged with the specific tag key sagemaker:project-id. This requires the tag:GetResources permission.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:*",
        "sagemaker-geospatial:*"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:space/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:app/*"
      ]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces",
        "sagemaker:DescribeApp",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private",
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private"
          ]
        }
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": [
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": [
            "private-crowd",
            "vendor-crowd"
          ]
        }
      }
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elastic-inference:Connect",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/*sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ProvisionProduct"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "robomaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": [
        "glue:CreateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": [
        "glue:DeleteTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:user-profile/*"
      ]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:ListAllMyDirectoryBuckets"
      ],
      "Resource": "*"
    }
  ]
}
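The following is an added example, not part of the AWS documentation and not AWS code: a small Python script that evaluates a request against a few of the Allow statements in the policy above, to show how the iam:PassRole service condition, the S3 bucket-name and object-tag grants, and the space-ownership conditions decide whether a call is allowed. It models only the operators those statements use (StringEquals, StringEqualsIgnoreCase, Null, ArnLike), ${...} policy variables, and IAM's `*` wildcard; the account IDs, role, bucket, domain and user profile names are constructed. It is a teaching aid for reading the policy, not a replacement for the IAM policy simulator.

```python
"""Miniature evaluator for a subset of AmazonSageMakerFullAccess (added example).

Statements below are copied from the policy document on this page; all have
Effect Allow. Everything else (ARNs, account IDs, names) is constructed."""
import fnmatch
import re

STATEMENTS = [
    {"Sid": "AllowPassRoleForSageMakerRoles",
     "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
     "Condition": {"StringEquals": {"iam:PassedToService": [
         "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
    {"Sid": "AllowPassRoleToSageMaker",
     "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    {"Sid": "AllowS3ObjectActions",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                  "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
    {"Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::*"],
     "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}},
    {"Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
     "Action": ["sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace"],
     "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
     "Condition": {"Null": {"sagemaker:OwnerUserProfileArn": "true"}}},
    {"Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
     "Action": ["sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace"],
     "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
     "Condition": {
         "ArnLike": {"sagemaker:OwnerUserProfileArn":
                     "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"},
         "StringEquals": {"sagemaker:SpaceSharingType": ["Private", "Shared"]}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def substitute(pattern, ctx):
    """Expand ${key} policy variables from the request context.
    Returns None when a referenced variable is absent, so the pattern cannot match."""
    for var in re.findall(r"\$\{([^}]+)\}", pattern):
        if var not in ctx:
            return None
        pattern = pattern.replace("${" + var + "}", ctx[var])
    return pattern


def arn_matches(arn, pattern, ctx):
    """IAM-style wildcard match: '*' spans any characters, including '/' and ':'."""
    expanded = substitute(pattern, ctx)
    return expanded is not None and fnmatch.fnmatchcase(arn, expanded)


def condition_holds(condition, ctx):
    """Evaluate the operators used by the statements above; every key must pass."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "Null":
                # "true" means the key must be absent from the request.
                if (actual is None) != (expected[0] == "true"):
                    return False
            elif actual is None:
                return False  # every other operator needs the key present
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringEqualsIgnoreCase":
                if actual.lower() not in [e.lower() for e in expected]:
                    return False
            elif operator == "ArnLike":
                if not any(arn_matches(actual, e, ctx) for e in expected):
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def allowed_by(action, resource, ctx=None):
    """Return the Sid of the first statement that allows the request, or None.
    None is IAM's implicit deny; this subset contains no explicit Deny statements."""
    ctx = ctx or {}
    for st in STATEMENTS:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(arn_matches(resource, r, ctx) for r in _as_list(st["Resource"])):
            continue
        if condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/TeamDataRole"  # constructed
    print(allowed_by("iam:PassRole", role, {"iam:PassedToService": "sagemaker.amazonaws.com"}))
    print(allowed_by("iam:PassRole", role, {"iam:PassedToService": "glue.amazonaws.com"}))
```

Two points the evaluator makes visible: a role with any name can be passed to sagemaker.amazonaws.com, while passing it to Glue, Step Functions or RoboMaker requires "AmazonSageMaker" somewhere in the role name; and the SageMaker=true object tag only unlocks s3:GetObject, so writes still depend on the bucket name containing "sagemaker" (in one of the three casings) or "aws-glue".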

AWS managed policy: AmazonSageMakerReadOnly

This policy grants read-only access to SageMaker through the AWS Management Console and SDK.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows users to browse descriptions of scalable SageMaker real-time inference endpoints.

  • aws-marketplace – Allows users to view AWS AI Marketplace subscriptions.

  • cloudwatch – Allows users to receive CloudWatch alarms.

  • cognito-idp – Needed for Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.

  • ecr – Needed to read Docker artifacts for training and inference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Describe*",
        "sagemaker:List*",
        "sagemaker:BatchGetMetrics",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:BatchGetRecord",
        "sagemaker:GetRecord",
        "sagemaker:Search",
        "sagemaker:QueryLineage",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:GetModelPackageGroupPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "aws-marketplace:ViewSubscriptions",
        "cloudwatch:DescribeAlarms",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders",
        "cognito-idp:ListUserPoolClients",
        "cognito-idp:ListUserPools",
        "cognito-idp:ListUsers",
        "cognito-idp:ListUsersInGroup",
        "ecr:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

SageMaker updates to AWS managed policies

View details about updates to AWS managed policies for SageMaker since this service began tracking these changes.

Policy | Version | Change | Date
AmazonSageMakerFullAccess – Update to an existing policy | 26 | Add the sagemaker:AddTags permission. | March 29, 2024
AmazonSageMakerFullAccess – Update to an existing policy | 25 | Add the sagemaker:CreateApp, sagemaker:DescribeApp, sagemaker:DeleteApp, sagemaker:CreateSpace, sagemaker:UpdateSpace, sagemaker:DeleteSpace, s3express:CreateSession, s3express:CreateBucket, and s3express:ListAllMyDirectoryBuckets permissions. | November 30, 2023
AmazonSageMakerFullAccess – Update to an existing policy | 24 | Add the sagemaker-geospatial:*, sagemaker:AddTags, sagemaker:ListTags, sagemaker:DescribeSpace, and sagemaker:ListSpaces permissions. | November 30, 2022
AmazonSageMakerFullAccess – Update to an existing policy | 23 | Add glue:UpdateTable. | June 29, 2022
AmazonSageMakerFullAccess – Update to an existing policy | 22 | Add cloudformation:ListStackResources. | May 1, 2022
AmazonSageMakerReadOnly – Update to an existing policy | 11 | Add the sagemaker:QueryLineage, sagemaker:GetLineageGroupPolicy, sagemaker:BatchDescribeModelPackage, and sagemaker:GetModelPackageGroupPolicy permissions. | December 1, 2021
AmazonSageMakerFullAccess – Update to an existing policy | 21 | Add the sns:Publish permission for endpoints with async inference enabled. | September 8, 2021
AmazonSageMakerFullAccess – Update to an existing policy | 20 | Update iam:PassRole resources and permissions. | July 15, 2021
AmazonSageMakerReadOnly – Update to an existing policy | 10 | Add the new SageMaker Feature Store API BatchGetRecord. | June 10, 2021
| | SageMaker started tracking changes to its AWS managed policies. | June 1, 2021