AWS managed policies for Amazon SageMaker Canvas - Amazon SageMaker

This page is a machine translation of the English version. If the content is ambiguous or inconsistent, the English version prevails.

AWS managed policies for Amazon SageMaker Canvas

These AWS managed policies add the permissions required to use Amazon SageMaker Canvas. The policies are available in your AWS account and are used by execution roles created from the SageMaker console.

AWS managed policy: AmazonSageMakerCanvasFullAccess

This policy grants permissions that allow full access to Amazon SageMaker Canvas through the AWS Management Console and SDK. The policy also provides selected access to related services (for example, Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Container Registry (Amazon ECR), Amazon CloudWatch Logs, Amazon Redshift, Amazon SageMaker Autopilot, SageMaker Model Registry, Amazon Forecast, and AWS Secrets Manager).

This policy is intended to help customers experiment with and get started with all of the features of SageMaker Canvas. For more granular control, we recommend that customers create their own scoped-down version of it when moving to production workloads. For more information, see IAM policy types: How and when to use them.

Permissions details

This AWS managed policy includes the following permissions.

  • sagemaker – Allows principals to create and host models on resources whose ARN contains "Canvas", "canvas", or "model-compilation". Also allows users to register their SageMaker Canvas models to the SageMaker Model Registry in the same AWS account.

  • ec2 – Allows principals to create Amazon VPC endpoints.

  • ecr – Allows principals to get information about container images.

  • glue – Allows principals to retrieve tables in the catalog.

  • iam – Allows principals to pass IAM roles to Amazon SageMaker and Amazon Forecast. Also allows principals to create service-linked roles.

  • logs – Allows principals to publish logs from training jobs and endpoints.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name includes "SageMaker", "Sagemaker", or "sagemaker". Also allows principals to retrieve objects from Amazon S3 buckets whose ARN begins with "jumpstart-cache-prod-" in specific Regions.

  • secretsmanager – Allows principals to store customer credentials for connecting to a Snowflake database using Secrets Manager.

  • redshift – Allows principals to get credentials for the "sagemaker_access*" dbuser on any Amazon Redshift cluster, if that user exists.

  • redshift-data – Allows principals to run queries on Amazon Redshift using the Amazon Redshift Data API. This grants access only to the Redshift Data API itself; it does not directly grant access to Amazon Redshift clusters. For more information, see Using the Amazon Redshift Data API.

  • forecast – Allows principals to use Amazon Forecast.

  • application-autoscaling – Allows principals to automatically scale SageMaker inference endpoints.

  • rds – Allows principals to return information about provisioned Amazon RDS instances.

  • cloudwatch – Allows principals to create and manage Amazon CloudWatch alarms.

  • athena – Allows principals to create, read, and manage Amazon Athena queries, catalogs, and executions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SageMakerUserDetailsAndPackageOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListTags",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListEndpoints"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SageMakerPackageGroupOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelPackage"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*"
      ]
    },
    {
      "Sid": "SageMakerTrainingOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateModel",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateAutoMLJobV2",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeAutoMLJobV2",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:AddTags",
        "sagemaker:DeleteApp"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*",
        "arn:aws:sagemaker:*:*:*model-compilation-*"
      ]
    },
    {
      "Sid": "SageMakerHostingOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteModel",
        "sagemaker:InvokeEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:InvokeEndpointAsync"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*"
      ]
    },
    {
      "Sid": "EC2VPCOperation",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcEndpointServices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECROperations",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMGetOperations",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Sid": "IAMPassOperation",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "LoggingOperation",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
    },
    {
      "Sid": "S3Operations",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:CreateBucket",
        "s3:GetBucketCors",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "ReadSageMakerJumpstartArtifacts",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*"
      ]
    },
    {
      "Sid": "S3ListOperations",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GlueOperations",
      "Effect": "Allow",
      "Action": "glue:SearchTables",
      "Resource": [
        "arn:aws:glue:*:*:table/*/*",
        "arn:aws:glue:*:*:database/*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid": "SecretsManagerARNBasedOperation",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:PutResourcePolicy"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "SecretManagerTagBasedOperation",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "RedshiftOperations",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables",
        "redshift-data:DescribeTable"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RedshiftGetCredentialsOperation",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "ForecastOperations",
      "Effect": "Allow",
      "Action": [
        "forecast:CreateExplainabilityExport",
        "forecast:CreateExplainability",
        "forecast:CreateForecastEndpoint",
        "forecast:CreateAutoPredictor",
        "forecast:CreateDatasetImportJob",
        "forecast:CreateDatasetGroup",
        "forecast:CreateDataset",
        "forecast:CreateForecast",
        "forecast:CreateForecastExportJob",
        "forecast:CreatePredictorBacktestExportJob",
        "forecast:CreatePredictor",
        "forecast:DescribeExplainabilityExport",
        "forecast:DescribeExplainability",
        "forecast:DescribeAutoPredictor",
        "forecast:DescribeForecastEndpoint",
        "forecast:DescribeDatasetImportJob",
        "forecast:DescribeDataset",
        "forecast:DescribeForecast",
        "forecast:DescribeForecastExportJob",
        "forecast:DescribePredictorBacktestExportJob",
        "forecast:GetAccuracyMetrics",
        "forecast:InvokeForecastEndpoint",
        "forecast:GetRecentForecastContext",
        "forecast:DescribePredictor",
        "forecast:TagResource",
        "forecast:DeleteResourceTree"
      ],
      "Resource": [
        "arn:aws:forecast:*:*:*Canvas*"
      ]
    },
    {
      "Sid": "RDSOperation",
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    },
    {
      "Sid": "IAMPassOperationForForecast",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "forecast.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AutoscalingOperations",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:RegisterScalableTarget"
      ],
      "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*",
      "Condition": {
        "StringEquals": {
          "application-autoscaling:service-namespace": "sagemaker",
          "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount"
        }
      }
    },
    {
      "Sid": "AsyncEndpointOperations",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms",
        "sagemaker:DescribeEndpointConfig"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SageMakerCloudWatchUpdate",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": [
        "arn:aws:cloudwatch:*:*:alarm:TargetTracking*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:CalledViaLast": "application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AutoscalingSageMakerEndpointOperation",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    }
  ]
}
```

AWS managed policy: AmazonSageMakerCanvasDataPrepFullAccess

This policy grants permissions that allow full access to the Amazon SageMaker Canvas data preparation features. The policy also provides least-privilege permissions for the services that integrate with the data preparation features (for example, Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon EMR, Amazon EventBridge, Amazon Redshift, AWS Key Management Service (AWS KMS), and AWS Secrets Manager).

Permissions details

This AWS managed policy includes the following permissions.

  • sagemaker – Allows principals to access processing jobs, training jobs, inference pipelines, AutoML jobs, and feature groups.

  • athena – Allows principals to query the list of data catalogs, databases, and table metadata from Amazon Athena.

  • elasticmapreduce – Allows principals to read and list Amazon EMR clusters.

  • events – Allows principals to create, read, update, and add targets to Amazon EventBridge rules for scheduled jobs.

  • glue – Allows principals to get and search tables from databases in the AWS Glue catalog.

  • iam – Allows principals to pass IAM roles to Amazon SageMaker and EventBridge.

  • kms – Allows principals to retrieve the AWS KMS aliases stored in jobs and endpoints, and to access the associated KMS keys.

  • logs – Allows principals to publish logs from training jobs and endpoints.

  • redshift – Allows principals to get credentials for accessing Amazon Redshift databases.

  • redshift-data – Allows principals to execute, cancel, describe, list, and get the results of Amazon Redshift queries. Also allows principals to list Amazon Redshift schemas and tables.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name includes "SageMaker", "Sagemaker", or "sagemaker", or that are tagged with "SageMaker" (matched case-insensitively).

  • secretsmanager – Allows principals to store and retrieve customer database credentials using Secrets Manager.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SageMakerListFeatureGroupOperation",
      "Effect": "Allow",
      "Action": "sagemaker:ListFeatureGroups",
      "Resource": "*"
    },
    {
      "Sid": "SageMakerFeatureGroupOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateFeatureGroup",
        "sagemaker:DescribeFeatureGroup"
      ],
      "Resource": "arn:aws:sagemaker:*:*:feature-group/*"
    },
    {
      "Sid": "SageMakerProcessingJobOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateProcessingJob",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:AddTags"
      ],
      "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
    },
    {
      "Sid": "SageMakerProcessingJobListOperation",
      "Effect": "Allow",
      "Action": "sagemaker:ListProcessingJobs",
      "Resource": "*"
    },
    {
      "Sid": "SageMakerPipelineOperations",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribePipeline",
        "sagemaker:CreatePipeline",
        "sagemaker:UpdatePipeline",
        "sagemaker:DeletePipeline",
        "sagemaker:StartPipelineExecution",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:DescribePipelineExecution"
      ],
      "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
    },
    {
      "Sid": "KMSListOperations",
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*"
    },
    {
      "Sid": "KMSOperations",
      "Effect": "Allow",
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:*:*:key/*"
    },
    {
      "Sid": "S3Operations",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "S3GetObjectOperation",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "S3ListOperations",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMListOperations",
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "*"
    },
    {
      "Sid": "IAMGetOperations",
      "Effect": "Allow",
      "Action": "iam:GetRole",
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Sid": "IAMPassOperation",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "sagemaker.amazonaws.com",
            "events.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "EventBridgePutOperation",
      "Effect": "Allow",
      "Action": [
        "events:PutRule"
      ],
      "Resource": "arn:aws:events:*:*:rule/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true"
        }
      }
    },
    {
      "Sid": "EventBridgeOperations",
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:PutTargets"
      ],
      "Resource": "arn:aws:events:*:*:rule/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
        }
      }
    },
    {
      "Sid": "EventBridgeTagBasedOperations",
      "Effect": "Allow",
      "Action": [
        "events:TagResource"
      ],
      "Resource": "arn:aws:events:*:*:rule/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true",
          "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true"
        }
      }
    },
    {
      "Sid": "EventBridgeListTagOperation",
      "Effect": "Allow",
      "Action": "events:ListTagsForResource",
      "Resource": "*"
    },
    {
      "Sid": "GlueOperations",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:SearchTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "EMROperations",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:ListInstanceGroups"
      ],
      "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*"
    },
    {
      "Sid": "EMRListOperation",
      "Effect": "Allow",
      "Action": "elasticmapreduce:ListClusters",
      "Resource": "*"
    },
    {
      "Sid": "AthenaListDataCatalogOperation",
      "Effect": "Allow",
      "Action": "athena:ListDataCatalogs",
      "Resource": "*"
    },
    {
      "Sid": "AthenaQueryExecutionOperations",
      "Effect": "Allow",
      "Action": [
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": "arn:aws:athena:*:*:workgroup/*"
    },
    {
      "Sid": "AthenaDataCatalogOperations",
      "Effect": "Allow",
      "Action": [
        "athena:ListDatabases",
        "athena:ListTableMetadata"
      ],
      "Resource": "arn:aws:athena:*:*:datacatalog/*"
    },
    {
      "Sid": "RedshiftOperations",
      "Effect": "Allow",
      "Action": [
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RedshiftArnBasedOperations",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": "arn:aws:redshift:*:*:cluster:*"
    },
    {
      "Sid": "RedshiftGetCredentialsOperation",
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "SecretsManagerARNBasedOperation",
      "Effect": "Allow",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
    },
    {
      "Sid": "SecretManagerTagBasedOperation",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SageMaker": "true",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "RDSOperation",
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    },
    {
      "Sid": "LoggingOperation",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
    }
  ]
}
```
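The page recommends a scoped-down copy of AmazonSageMakerCanvasFullAccess before production. As an added example (not from the AWS documentation or the Canvas service), here is a small offline Python linter that applies IAM-style wildcard matching to the ARN patterns quoted above and flags the two things a scoped-down copy would tighten first: mutating actions on Resource "*", and S3 bucket-name globs that lack the aws:ResourceAccount condition which AmazonSageMakerCanvasDataPrepFullAccess adds to its own S3 statement. The sample policy (a constructed excerpt of those two policies), the Sid "S3OperationsAccountScoped", and the ARNs in the test are constructed for the demo.

```python
import fnmatch
import json

# Constructed excerpt for the demo: three statements copied from the
# AmazonSageMakerCanvasFullAccess policy above plus the account-scoped S3
# statement from AmazonSageMakerCanvasDataPrepFullAccess (Sid renamed here).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EC2VPCOperation", "Effect": "Allow",
         "Action": ["ec2:CreateVpcEndpoint", "ec2:DescribeVpcs"], "Resource": "*"},
        {"Sid": "S3Operations", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*"]},
        {"Sid": "S3ListOperations", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "S3OperationsAccountScoped", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::*sagemaker*"],
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    ],
}

def iam_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters (including ':' and '/'),
    '?' matches one character; '[' and ']' are literal in IAM, so escape them for fnmatch."""
    escaped = "".join("[[]" if c == "[" else "[]]" if c == "]" else c for c in pattern)
    return fnmatch.fnmatchcase(value, escaped)

def _as_list(x):
    return x if isinstance(x, list) else [x]

def allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource ARN.
    Conditions are deliberately ignored: this is the optimistic upper bound a reviewer wants."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(iam_match(a, action) for a in _as_list(stmt["Action"])) and any(
                iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False

def lint(policy: dict) -> list:
    """Return (Sid, finding) pairs for statements a scoped-down copy should tighten."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        condition = json.dumps(stmt.get("Condition", {}))
        # Read-only verbs are tolerable on "*"; anything else on "*" deserves a look.
        mutating = [a for a in actions
                    if not a.split(":", 1)[-1].startswith(("Describe", "Get", "List"))]
        if "*" in resources and mutating:
            findings.append((sid, "mutating actions on Resource '*': " + ", ".join(mutating)))
        # S3 bucket ARNs carry no account ID, so a bucket-name glob alone also matches
        # same-named buckets in other accounts; aws:ResourceAccount pins it to the caller's.
        s3_globs = [r for r in resources if r.startswith("arn:aws:s3:::") and "*" in r]
        if s3_globs and "aws:ResourceAccount" not in condition:
            findings.append((sid, "S3 bucket-name glob without an aws:ResourceAccount condition"))
    return findings

if __name__ == "__main__":
    for sid, finding in lint(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Load the full policy JSON from the page into `lint` the same way to get the complete list; the read-only verb heuristic is intentionally coarse and is a starting point for review, not a verdict.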

AWS managed policy: AmazonSageMakerCanvasDirectDeployAccess

This policy grants the permissions that Amazon SageMaker Canvas needs to create and manage Amazon SageMaker endpoints.

Permissions details

This AWS managed policy includes the following permissions.

  • sagemaker – Allows principals to create and manage SageMaker endpoints on resources whose ARN resource name begins with "Canvas" or "canvas".

  • cloudwatch – Allows principals to retrieve Amazon CloudWatch metric data.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SageMakerEndpointPerms",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:InvokeEndpoint",
        "sagemaker:UpdateEndpoint"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:Canvas*",
        "arn:aws:sagemaker:*:*:canvas*"
      ]
    },
    {
      "Sid": "ReadCWInvocationMetrics",
      "Effect": "Allow",
      "Action": "cloudwatch:GetMetricData",
      "Resource": "*"
    }
  ]
}
```

AWS managed policy: AmazonSageMakerCanvasAIServicesAccess

This policy grants Amazon SageMaker Canvas permissions to use Amazon Textract, Amazon Rekognition, Amazon Comprehend, and Amazon Bedrock.

Permissions details

This AWS managed policy includes the following permissions.

  • textract – Allows principals to use Amazon Textract to detect documents, expenses, and identity documents in images.

  • rekognition – Allows principals to use Amazon Rekognition to detect labels and text in images.

  • comprehend – Allows principals to use Amazon Comprehend to detect sentiment, dominant language, and named and personally identifiable information (PII) entities in text documents.

  • bedrock – Allows principals to list and invoke foundation models using Amazon Bedrock.

  • iam – Allows principals to pass IAM roles to Amazon Bedrock.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Textract",
      "Effect": "Allow",
      "Action": [
        "textract:AnalyzeDocument",
        "textract:AnalyzeExpense",
        "textract:AnalyzeID",
        "textract:StartDocumentAnalysis",
        "textract:StartExpenseAnalysis",
        "textract:GetDocumentAnalysis",
        "textract:GetExpenseAnalysis"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Rekognition",
      "Effect": "Allow",
      "Action": [
        "rekognition:DetectLabels",
        "rekognition:DetectText"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Comprehend",
      "Effect": "Allow",
      "Action": [
        "comprehend:BatchDetectDominantLanguage",
        "comprehend:BatchDetectEntities",
        "comprehend:BatchDetectSentiment",
        "comprehend:DetectPiiEntities",
        "comprehend:DetectEntities",
        "comprehend:DetectSentiment",
        "comprehend:DetectDominantLanguage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Bedrock",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:ListFoundationModels",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateBedrockResourcesPermission",
      "Effect": "Allow",
      "Action": [
        "bedrock:CreateModelCustomizationJob",
        "bedrock:CreateProvisionedModelThroughput",
        "bedrock:TagResource"
      ],
      "Resource": [
        "arn:aws:bedrock:*:*:model-customization-job/*",
        "arn:aws:bedrock:*:*:custom-model/*",
        "arn:aws:bedrock:*:*:provisioned-model/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "SageMaker",
            "Canvas"
          ]
        },
        "StringEquals": {
          "aws:RequestTag/SageMaker": "true",
          "aws:RequestTag/Canvas": "true",
          "aws:ResourceTag/SageMaker": "true",
          "aws:ResourceTag/Canvas": "true"
        }
      }
    },
    {
      "Sid": "GetStopAndDeleteBedrockResourcesPermission",
      "Effect": "Allow",
      "Action": [
        "bedrock:GetModelCustomizationJob",
        "bedrock:GetCustomModel",
        "bedrock:GetProvisionedModelThroughput",
        "bedrock:StopModelCustomizationJob",
        "bedrock:DeleteProvisionedModelThroughput"
      ],
      "Resource": [
        "arn:aws:bedrock:*:*:model-customization-job/*",
        "arn:aws:bedrock:*:*:custom-model/*",
        "arn:aws:bedrock:*:*:provisioned-model/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SageMaker": "true",
          "aws:ResourceTag/Canvas": "true"
        }
      }
    },
    {
      "Sid": "FoundationModelPermission",
      "Effect": "Allow",
      "Action": [
        "bedrock:CreateModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/*"
      ]
    },
    {
      "Sid": "BedrockFineTuningPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "bedrock.amazonaws.com"
        }
      }
    }
  ]
}
```

AWS managed policy: AmazonSageMakerCanvasBedrockAccess

This policy grants the permissions required to use Amazon SageMaker Canvas with Amazon Bedrock.

Permissions details

This AWS managed policy includes the following permissions.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets in the "sagemaker-*/Canvas" directory.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3CanvasAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/Canvas",
        "arn:aws:s3:::sagemaker-*/Canvas/*"
      ]
    },
    {
      "Sid": "S3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*"
      ]
    }
  ]
}
```

AWS managed policy: AmazonSageMakerCanvasForecastAccess

This policy grants the permissions required to use Amazon SageMaker Canvas with Amazon Forecast.

Permissions details

This AWS managed policy includes the following permissions.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name begins with "sagemaker-".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/Canvas",
        "arn:aws:s3:::sagemaker-*/canvas"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*"
      ]
    }
  ]
}
```

Amazon SageMaker updates to Amazon SageMaker Canvas managed policies

View details about updates to the SageMaker Canvas AWS managed policies since this service began tracking these changes.

| Policy | Version | Change | Date |
| --- | --- | --- | --- |
| AmazonSageMakerCanvasBedrockAccess – New policy | 1 | Initial policy | February 2, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 9 | Added the sagemaker:ListEndpoints permission. | January 24, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 8 | Added the sagemaker:UpdateEndpointWeightsAndCapacities, sagemaker:DescribeEndpointConfig, sagemaker:InvokeEndpointAsync, athena:ListDataCatalogs, athena:GetQueryExecution, athena:GetQueryResults, athena:StartQueryExecution, athena:StopQueryExecution, athena:ListDatabases, cloudwatch:DescribeAlarms, cloudwatch:PutMetricAlarm, cloudwatch:DeleteAlarms, and iam:CreateServiceLinkedRole permissions. | December 8, 2023 |
| AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy | 2 | Minor update to enforce the intent of the previous policy, version 1; no permissions were added or removed. | December 7, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – Update to an existing policy | 3 | Added the bedrock:InvokeModelWithResponseStream, bedrock:GetModelCustomizationJob, bedrock:StopModelCustomizationJob, bedrock:GetCustomModel, bedrock:GetProvisionedModelThroughput, bedrock:DeleteProvisionedModelThroughput, bedrock:TagResource, bedrock:CreateModelCustomizationJob, bedrock:CreateProvisionedModelThroughput, and iam:PassRole permissions. | November 29, 2023 |
| AmazonSageMakerCanvasDataPrepFullAccess – New policy | 1 | Initial policy | October 26, 2023 |
| AmazonSageMakerCanvasDirectDeployAccess – New policy | 1 | Initial policy | October 6, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 7 | Added the sagemaker:DeleteEndpointConfig, sagemaker:DeleteModel, and sagemaker:InvokeEndpoint permissions. Also added the s3:GetObject permission for JumpStart resources in specific Regions. | September 29, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – Update to an existing policy | 2 | Added the bedrock:InvokeModel and bedrock:ListFoundationModels permissions. | September 29, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 6 | Added the rds:DescribeDBInstances permission. | August 29, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 5 | Added the application-autoscaling:PutScalingPolicy and application-autoscaling:RegisterScalableTarget permissions. | July 24, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 4 | Added the sagemaker:CreateModelPackage, sagemaker:CreateModelPackageGroup, sagemaker:DescribeModelPackage, sagemaker:DescribeModelPackageGroup, sagemaker:ListModelPackages, and sagemaker:ListModelPackageGroups permissions. | May 4, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 3 | Added the sagemaker:CreateAutoMLJobV2, sagemaker:DescribeAutoMLJobV2, and glue:SearchTables permissions. | March 24, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – New policy | 1 | Initial policy | March 23, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 2 | Added the forecast:DeleteResourceTree permission. | December 6, 2022 |
| AmazonSageMakerCanvasFullAccess – New policy | 1 | Initial policy | September 8, 2022 |
| AmazonSageMakerCanvasForecastAccess – New policy | 1 | Initial policy | August 24, 2022 |