本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AmazonSageMakerCanvasDataPrepFullAccess
描述:提供對 Amazon SageMaker 資源和操作的完整存取權,以便在 Canvas 中準備資料。該政策還提供對相關服務的選擇訪問權限(例如IAM,S3KMS,,RDS, CloudWatch 日誌,Redshift,Athena,Glue EventBridge,Secrets Manager)。此政策應附加至 Amazon SageMaker 網域/使用者設定檔執行角色。
AmazonSageMakerCanvasDataPrepFullAccess是AWS 受管理的策略。
使用此政策
您可以附加AmazonSageMakerCanvasDataPrepFullAccess至您的使用者、群組和角色。
政策詳情
-
類型: AWS 受管理的策略
-
創作時間:二零二三年十月二十七日,22:56 UTC
-
編輯時間:二零二四年八月十六日,18:11 UTC
-
ARN:
arn:aws:iam::aws:policy/AmazonSageMakerCanvasDataPrepFullAccess
政策版本
策略版本:v4(預設值)
原則的預設版本是定義原則權限的版本。當具有策略的使用者或角色發出要求以存取 AWS 資源時,請 AWS 檢查原則的預設版本,以決定是否允許該要求。
JSON政策文件
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "SageMakerListFeatureGroupOperation",
"Effect" : "Allow",
"Action" : "sagemaker:ListFeatureGroups",
"Resource" : "*"
},
{
"Sid" : "SageMakerFeatureGroupOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:CreateFeatureGroup",
"sagemaker:DescribeFeatureGroup"
],
"Resource" : "arn:aws:sagemaker:*:*:feature-group/*"
},
{
"Sid" : "SageMakerProcessingJobOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:CreateProcessingJob",
"sagemaker:DescribeProcessingJob",
"sagemaker:AddTags"
],
"Resource" : "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
},
{
"Sid" : "SageMakerProcessingJobListOperation",
"Effect" : "Allow",
"Action" : "sagemaker:ListProcessingJobs",
"Resource" : "*"
},
{
"Sid" : "SageMakerPipelineOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:DescribePipeline",
"sagemaker:CreatePipeline",
"sagemaker:UpdatePipeline",
"sagemaker:DeletePipeline",
"sagemaker:StartPipelineExecution",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:DescribePipelineExecution"
],
"Resource" : "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
},
{
"Sid" : "KMSListOperations",
"Effect" : "Allow",
"Action" : "kms:ListAliases",
"Resource" : "*"
},
{
"Sid" : "KMSOperations",
"Effect" : "Allow",
"Action" : "kms:DescribeKey",
"Resource" : "arn:aws:kms:*:*:key/*"
},
{
"Sid" : "S3Operations",
"Effect" : "Allow",
"Action" : [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
],
"Resource" : [
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "S3GetObjectOperation",
"Effect" : "Allow",
"Action" : "s3:GetObject",
"Resource" : "arn:aws:s3:::*",
"Condition" : {
"StringEqualsIgnoreCase" : {
"s3:ExistingObjectTag/SageMaker" : "true"
},
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "S3ListOperations",
"Effect" : "Allow",
"Action" : [
"s3:ListBucket",
"s3:ListAllMyBuckets"
],
"Resource" : "*"
},
{
"Sid" : "IAMListOperations",
"Effect" : "Allow",
"Action" : "iam:ListRoles",
"Resource" : "*"
},
{
"Sid" : "IAMGetOperations",
"Effect" : "Allow",
"Action" : "iam:GetRole",
"Resource" : "arn:aws:iam::*:role/*"
},
{
"Sid" : "IAMPassOperation",
"Effect" : "Allow",
"Action" : "iam:PassRole",
"Resource" : "arn:aws:iam::*:role/*",
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : [
"sagemaker.amazonaws.com",
"events.amazonaws.com"
]
}
}
},
{
"Sid" : "EventBridgePutOperation",
"Effect" : "Allow",
"Action" : [
"events:PutRule"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeOperations",
"Effect" : "Allow",
"Action" : [
"events:DescribeRule",
"events:PutTargets"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeTagBasedOperations",
"Effect" : "Allow",
"Action" : [
"events:TagResource"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-data-prep-job" : "true",
"aws:ResourceTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeListTagOperation",
"Effect" : "Allow",
"Action" : "events:ListTagsForResource",
"Resource" : "*"
},
{
"Sid" : "GlueOperations",
"Effect" : "Allow",
"Action" : [
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:SearchTables"
],
"Resource" : [
"arn:aws:glue:*:*:table/*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*"
]
},
{
"Sid" : "EMROperations",
"Effect" : "Allow",
"Action" : [
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups"
],
"Resource" : "arn:aws:elasticmapreduce:*:*:cluster/*"
},
{
"Sid" : "EMRListOperation",
"Effect" : "Allow",
"Action" : "elasticmapreduce:ListClusters",
"Resource" : "*"
},
{
"Sid" : "AthenaListDataCatalogOperation",
"Effect" : "Allow",
"Action" : "athena:ListDataCatalogs",
"Resource" : "*"
},
{
"Sid" : "AthenaQueryExecutionOperations",
"Effect" : "Allow",
"Action" : [
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:StartQueryExecution",
"athena:StopQueryExecution"
],
"Resource" : "arn:aws:athena:*:*:workgroup/*"
},
{
"Sid" : "AthenaDataCatalogOperations",
"Effect" : "Allow",
"Action" : [
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource" : "arn:aws:athena:*:*:datacatalog/*"
},
{
"Sid" : "RedshiftOperations",
"Effect" : "Allow",
"Action" : [
"redshift-data:DescribeStatement",
"redshift-data:CancelStatement",
"redshift-data:GetStatementResult"
],
"Resource" : "*"
},
{
"Sid" : "RedshiftArnBasedOperations",
"Effect" : "Allow",
"Action" : [
"redshift-data:ExecuteStatement",
"redshift-data:ListSchemas",
"redshift-data:ListTables"
],
"Resource" : "arn:aws:redshift:*:*:cluster:*"
},
{
"Sid" : "RedshiftGetCredentialsOperation",
"Effect" : "Allow",
"Action" : "redshift:GetClusterCredentials",
"Resource" : [
"arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
"arn:aws:redshift:*:*:dbname:*"
]
},
{
"Sid" : "SecretsManagerARNBasedOperation",
"Effect" : "Allow",
"Action" : "secretsmanager:CreateSecret",
"Resource" : "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
},
{
"Sid" : "SecretManagerTagBasedOperation",
"Effect" : "Allow",
"Action" : [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue"
],
"Resource" : "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/SageMaker" : "true",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "RDSOperation",
"Effect" : "Allow",
"Action" : "rds:DescribeDBInstances",
"Resource" : "*"
},
{
"Sid" : "LoggingOperation",
"Effect" : "Allow",
"Action" : [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
},
{
"Sid" : "EMRServerlessCreateApplicationOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:CreateApplication",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessListApplicationOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:ListApplications",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessApplicationOperations",
"Effect" : "Allow",
"Action" : [
"emr-serverless:UpdateApplication",
"emr-serverless:GetApplication"
],
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessStartJobRunOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:StartJobRun",
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessListJobRunOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:ListJobRuns",
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessJobRunOperations",
"Effect" : "Allow",
"Action" : [
"emr-serverless:GetJobRun",
"emr-serverless:CancelJobRun"
],
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessTagResourceOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:TagResource",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "IAMPassOperationForEMRServerless",
"Effect" : "Allow",
"Action" : "iam:PassRole",
"Resource" : [
"arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
"arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
],
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : "emr-serverless.amazonaws.com",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
}
]
}進一步了解
