本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AmazonSageMakerCanvasFullAccess
描述:提供對 Amazon SageMaker Canvas 資源和操作的完整存取權。此政策也提供對相關服務的選取存取權限 (例如 S3 IAM、VPC、、ECR、、 CloudWatch 記錄、Redshift、Secrets Manager 和 Forecast)。此政策應附加至 Amazon SageMaker 網域/使用者設定檔執行角色。
AmazonSageMakerCanvasFullAccess是AWS 受管理的策略。
使用此政策
您可以附加AmazonSageMakerCanvasFullAccess至您的使用者、群組和角色。
政策詳情
-
類型: AWS 受管理的策略
-
創作時間:二零二二年九月九日 UTC
-
編輯時間:二 ○ 二四年八月十六日,四時三十五分 UTC
-
ARN:
arn:aws:iam::aws:policy/AmazonSageMakerCanvasFullAccess
政策版本
策略版本:v11(預設值)
原則的預設版本是定義原則權限的版本。當具有策略的使用者或角色發出要求以存取 AWS 資源時,請 AWS 檢查原則的預設版本,以決定是否允許該要求。
JSON政策文件
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "SageMakerUserDetailsAndPackageOperations", "Effect" : "Allow", "Action" : [ "sagemaker:DescribeDomain", "sagemaker:DescribeUserProfile", "sagemaker:ListTags", "sagemaker:ListModelPackages", "sagemaker:ListModelPackageGroups", "sagemaker:ListEndpoints" ], "Resource" : "*" }, { "Sid" : "SageMakerPackageGroupOperations", "Effect" : "Allow", "Action" : [ "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelPackage" ], "Resource" : [ "arn:aws:sagemaker:*:*:model-package/*", "arn:aws:sagemaker:*:*:model-package-group/*" ] }, { "Sid" : "SageMakerTrainingOperations", "Effect" : "Allow", "Action" : [ "sagemaker:CreateCompilationJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateModel", "sagemaker:CreateProcessingJob", "sagemaker:CreateAutoMLJob", "sagemaker:CreateAutoMLJobV2", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob", "sagemaker:DeleteEndpoint", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeAutoMLJobV2", "sagemaker:DescribeTrainingJob", "sagemaker:DescribeTransformJob", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:StopAutoMLJob", "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:AddTags", "sagemaker:DeleteApp" ], "Resource" : [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*", "arn:aws:sagemaker:*:*:*model-compilation-*" ] }, { "Sid" : "SageMakerHostingOperations", "Effect" : "Allow", "Action" : [ "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteModel", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:InvokeEndpointAsync" ], "Resource" : [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*" ] }, { "Sid" : "EC2VPCOperation", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices" ], "Resource" : "*" }, { "Sid" : "ECROperations", "Effect" : "Allow", "Action" : [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken" ], "Resource" : "*" }, { "Sid" : "IAMGetOperations", "Effect" : "Allow", "Action" : [ "iam:GetRole" ], "Resource" : "arn:aws:iam::*:role/*" }, { "Sid" : "IAMPassOperation", "Effect" : "Allow", "Action" : [ "iam:PassRole" ], "Resource" : "arn:aws:iam::*:role/*", "Condition" : { "StringEquals" : { "iam:PassedToService" : "sagemaker.amazonaws.com" } } }, { "Sid" : "LoggingOperation", "Effect" : "Allow", "Action" : [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource" : "arn:aws:logs:*:*:log-group:/aws/sagemaker/*" }, { "Sid" : "S3Operations", "Effect" : "Allow", "Action" : [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation" ], "Resource" : [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid" : "ReadSageMakerJumpstartArtifacts", "Effect" : "Allow", "Action" : "s3:GetObject", "Resource" : [ "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*", "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*", "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*" ] }, { "Sid" : "S3ListOperations", "Effect" : "Allow", "Action" : [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource" : "*" }, { "Sid" : "GlueOperations", "Effect" : "Allow", "Action" : "glue:SearchTables", "Resource" : [ "arn:aws:glue:*:*:table/*/*", "arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:catalog" ] }, { "Sid" : "SecretsManagerARNBasedOperation", "Effect" : "Allow", "Action" : [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:PutResourcePolicy" ], "Resource" : [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Sid" : "SecretManagerTagBasedOperation", "Effect" : "Allow", "Action" : [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource" : "*", "Condition" : { "StringEquals" : { "secretsmanager:ResourceTag/SageMaker" : "true" } } }, { "Sid" : "RedshiftOperations", "Effect" : "Allow", "Action" : [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables", "redshift-data:DescribeTable" ], "Resource" : "*" }, { "Sid" : "RedshiftGetCredentialsOperation", "Effect" : "Allow", "Action" : [ "redshift:GetClusterCredentials" ], "Resource" : [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid" : "ForecastOperations", "Effect" : "Allow", "Action" : [ "forecast:CreateExplainabilityExport", "forecast:CreateExplainability", "forecast:CreateForecastEndpoint", "forecast:CreateAutoPredictor", "forecast:CreateDatasetImportJob", "forecast:CreateDatasetGroup", "forecast:CreateDataset", "forecast:CreateForecast", "forecast:CreateForecastExportJob", "forecast:CreatePredictorBacktestExportJob", "forecast:CreatePredictor", "forecast:DescribeExplainabilityExport", "forecast:DescribeExplainability", "forecast:DescribeAutoPredictor", "forecast:DescribeForecastEndpoint", "forecast:DescribeDatasetImportJob", "forecast:DescribeDataset", "forecast:DescribeForecast", "forecast:DescribeForecastExportJob", "forecast:DescribePredictorBacktestExportJob", "forecast:GetAccuracyMetrics", "forecast:InvokeForecastEndpoint", "forecast:GetRecentForecastContext", "forecast:DescribePredictor", "forecast:TagResource", "forecast:DeleteResourceTree" ], "Resource" : [ "arn:aws:forecast:*:*:*Canvas*" ] }, { "Sid" : "RDSOperation", "Effect" : "Allow", "Action" : "rds:DescribeDBInstances", "Resource" : "*" }, { "Sid" : "IAMPassOperationForForecast", "Effect" : "Allow", "Action" : [ "iam:PassRole" ], "Resource" : "arn:aws:iam::*:role/*", "Condition" : { "StringEquals" : { "iam:PassedToService" : "forecast.amazonaws.com" } } }, { "Sid" : "AutoscalingOperations", "Effect" : "Allow", "Action" : [ "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ], "Resource" : "arn:aws:application-autoscaling:*:*:scalable-target/*", "Condition" : { "StringEquals" : { "application-autoscaling:service-namespace" : "sagemaker", "application-autoscaling:scalable-dimension" : "sagemaker:variant:DesiredInstanceCount" } } }, { "Sid" : "AsyncEndpointOperations", "Effect" : "Allow", "Action" : [ "cloudwatch:DescribeAlarms", "sagemaker:DescribeEndpointConfig" ], "Resource" : "*" }, { "Sid" : "DescribeScalingOperations", "Effect" : "Allow", "Action" : [ "application-autoscaling:DescribeScalingActivities" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "SageMakerCloudWatchUpdate", "Effect" : "Allow", "Action" : [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource" : [ "arn:aws:cloudwatch:*:*:alarm:TargetTracking*" ], "Condition" : { "StringEquals" : { "aws:CalledViaLast" : "application-autoscaling.amazonaws.com" } } }, { "Sid" : "AutoscalingSageMakerEndpointOperation", "Action" : "iam:CreateServiceLinkedRole", "Effect" : "Allow", "Resource" : "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition" : { "StringLike" : { "iam:AWSServiceName" : "sagemaker.application-autoscaling.amazonaws.com" } } }, { "Sid" : "AthenaOperation", "Action" : [ "athena:ListTableMetadata", "athena:ListDataCatalogs", "athena:ListDatabases" ], "Effect" : "Allow", "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "GlueOperation", "Action" : [ "glue:GetDatabases", "glue:GetPartitions", "glue:GetTables" ], "Effect" : "Allow", "Resource" : [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ], "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "QuicksightOperation", "Action" : [ "quicksight:ListNamespaces" ], "Effect" : "Allow", "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "AllowUseOfKeyInAccount", "Effect" : "Allow", "Action" : [ "kms:DescribeKey" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/Source" : "SageMakerCanvas", "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "EMRServerlessCreateApplicationOperation", "Effect" : "Allow", "Action" : "emr-serverless:CreateApplication", "Resource" : "arn:aws:emr-serverless:*:*:/*", "Condition" : { "StringEquals" : { "aws:RequestTag/sagemaker:is-canvas-resource" : "True", "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "EMRServerlessListApplicationOperation", "Effect" : "Allow", "Action" : "emr-serverless:ListApplications", "Resource" : "arn:aws:emr-serverless:*:*:/*", "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "EMRServerlessApplicationOperations", "Effect" : "Allow", "Action" : [ "emr-serverless:UpdateApplication", "emr-serverless:StopApplication", "emr-serverless:GetApplication", "emr-serverless:StartApplication" ], "Resource" : "arn:aws:emr-serverless:*:*:/applications/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/sagemaker:is-canvas-resource" : "True", "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "EMRServerlessStartJobRunOperation", "Effect" : "Allow", "Action" : "emr-serverless:StartJobRun", "Resource" : "arn:aws:emr-serverless:*:*:/applications/*", "Condition" : { "StringEquals" : { "aws:RequestTag/sagemaker:is-canvas-resource" : "True", "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "EMRServerlessListJobRunOperation", "Effect" : "Allow", "Action" : "emr-serverless:ListJobRuns", "Resource" : "arn:aws:emr-serverless:*:*:/applications/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/sagemaker:is-canvas-resource" : "True", "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "EMRServerlessJobRunOperations", "Effect" : "Allow", "Action" : [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource" : "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/sagemaker:is-canvas-resource" : "True", "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "EMRServerlessTagResourceOperation", "Effect" : "Allow", "Action" : "emr-serverless:TagResource", "Resource" : "arn:aws:emr-serverless:*:*:/*", "Condition" : { "StringEquals" : { "aws:RequestTag/sagemaker:is-canvas-resource" : "True", "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "IAMPassOperationForEMRServerless", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition" : { "StringEquals" : { "iam:PassedToService" : "emr-serverless.amazonaws.com", "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } } ] }
進一步了解
