AWS managed policies for SageMaker notebooks - Amazon SageMaker

This is a machine translation of the English version; if the content is ambiguous or inconsistent, the English version prevails.

AWS managed policies for SageMaker notebooks

These AWS managed policies add the permissions required to use SageMaker notebooks. The policies are available in your AWS account and are used by execution roles created from the SageMaker console.

AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy

This AWS managed policy grants permissions commonly needed to use Amazon SageMaker notebooks. The policy is added to the AmazonSageMaker-ExecutionRole that is created when you onboard to Amazon SageMaker Studio Classic. For more information about service-linked roles, see Service-linked roles.

Permissions details

This policy includes the following permissions.

  • elasticfilesystem – Allows principals to create and delete Amazon Elastic File System (EFS) file systems, access points, and mount targets. These are limited to resources tagged with the ManagedByAmazonSageMakerResource key. Allows principals to describe all EFS file systems, access points, and mount targets. Allows principals to create or overwrite tags on EFS access points and mount targets.

  • ec2 – Allows principals to create network interfaces and security groups for Amazon Elastic Compute Cloud (EC2) instances. Also allows principals to create and overwrite tags on these resources.

  • sso – Allows principals to add and delete managed instances in AWS IAM Identity Center.

  • sagemaker – Allows principals to create and read SageMaker user profiles. Also allows principals to create, read, and delete SageMaker spaces. Allows principals to add and list tags.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEFSAccessPointCreation",
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateAccessPoint",
      "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
          "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEFSAccessPointDeletion",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DeleteAccessPoint"
      ],
      "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEFSCreation",
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateFileSystem",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEFSMountWithDeletion",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEFSDescribe",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowEFSTagging",
      "Effect": "Allow",
      "Action": "elasticfilesystem:TagResource",
      "Resource": [
        "arn:aws:elasticfilesystem:*:*:access-point/*",
        "arn:aws:elasticfilesystem:*:*:file-system/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowEC2Tagging",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Sid": "AllowEC2Operations",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowEC2AuthZ",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"
        }
      }
    },
    {
      "Sid": "AllowIdcOperations",
      "Effect": "Allow",
      "Action": [
        "sso:CreateManagedApplicationInstance",
        "sso:DeleteManagedApplicationInstance",
        "sso:GetManagedApplicationInstance"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSagemakerProfileCreation",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateUserProfile",
        "sagemaker:DescribeUserProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:DescribeSpace",
        "sagemaker:DeleteSpace",
        "sagemaker:ListTags"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*"
    },
    {
      "Sid": "AllowSagemakerAddTagsForAppManagedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*",
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    }
  ]
}
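As an added example (not part of the AWS documentation), the script below classifies each Allow statement of a policy as tag-scoped (a ManagedByAmazonSageMakerResource condition), ARN-scoped, or unconstrained (Resource "*" with no Condition), so a reviewer sees at a glance which grants are not limited to SageMaker-managed resources. It embeds a constructed three-statement excerpt of the policy above; for a real review, load the full policy JSON the same way.

```python
"""Audit which statements of an IAM policy are tag-scoped, ARN-scoped, or unconstrained."""
import json

# Constructed excerpt of AmazonSageMakerNotebooksServiceRolePolicy (three of its statements),
# embedded so the script runs offline; load the full policy JSON for a real review.
POLICY_EXCERPT = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "AllowEFSCreation", "Effect": "Allow",
    "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*",
    "Condition": { "StringLike": { "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } },
  { "Sid": "AllowEC2Tagging", "Effect": "Allow", "Action": "ec2:CreateTags",
    "Resource": [ "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*" ] },
  { "Sid": "AllowIdcOperations", "Effect": "Allow",
    "Action": [ "sso:CreateManagedApplicationInstance", "sso:DeleteManagedApplicationInstance" ],
    "Resource": "*" }
] }
""")

TAG_KEY = "ManagedByAmazonSageMakerResource"


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def classify(statement):
    """Return how an Allow statement is constrained: 'tag', 'arn', or 'unconstrained'."""
    cond_keys = [k for op in statement.get("Condition", {}).values() for k in op]
    if any(k.endswith("/" + TAG_KEY) for k in cond_keys):
        return "tag"            # only resources or requests carrying the SageMaker tag
    if any(r != "*" for r in _as_list(statement["Resource"])):
        return "arn"            # limited by a resource ARN pattern
    return "unconstrained"      # Resource "*" and no Condition: the broadest grant


def audit(policy):
    """Map each Sid of an Allow statement to (scope, sorted actions)."""
    report = {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        report[st["Sid"]] = (classify(st), sorted(_as_list(st["Action"])))
    return report


def unconstrained_actions(policy):
    """Actions granted on Resource "*" with no Condition, the ones a reviewer checks first."""
    return sorted(a for scope, acts in audit(policy).values()
                  if scope == "unconstrained" for a in acts)


if __name__ == "__main__":
    for sid, (scope, actions) in audit(POLICY_EXCERPT).items():
        print(f"{sid:24s} {scope:14s} {', '.join(actions)}")
```

Run against the full policy above, the unconstrained statements are AllowEFSDescribe, AllowEC2Operations, AllowIdcOperations and AllowSagemakerProfileCreation; everything else is limited by the tag condition or an ARN pattern.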

Amazon SageMaker updates to SageMaker notebook managed policies

View details about updates to AWS managed policies for Amazon SageMaker since this service began tracking these changes.

| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 8 | Added the sagemaker:CreateSpace, sagemaker:DescribeSpace, sagemaker:DeleteSpace, sagemaker:ListTags, and sagemaker:AddTags permissions. | May 22, 2024 |
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 7 | Added the elasticfilesystem:TagResource permission. | March 9, 2023 |
| AmazonSageMakerNotebooksServiceRolePolicy – Update to an existing policy | 6 | Added the elasticfilesystem:CreateAccessPoint, elasticfilesystem:DeleteAccessPoint, and elasticfilesystem:DescribeAccessPoints permissions. | January 12, 2023 |
| SageMaker started tracking changes to its AWS managed policies. | | | June 1, 2021 |