本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWS SageMaker 筆記本的受管理原則
這些 AWS 受管理的原則新增使用 SageMaker 筆記本所需的權限。這些策略可在您的 AWS 帳戶中使用,並由從 SageMaker 主控台建立的執行角色使用。
AWS 受管理的策略: AmazonSageMakerNotebooksServiceRolePolicy
此 AWS 受管政策授予使用 Amazon SageMaker 筆記本通常所需的許可。政策會新增至您登入 Amazon SageMaker 工作室經典版時所AmazonSageMaker-ExecutionRole
建立的政策。如需關於服務連結角色詳細資訊,請參閱服務連結角色。
許可詳細資訊
此政策包含以下許可。
-
elasticfilesystem
- 讓主體建立和刪除 Amazon Elastic File System (EFS) 檔案系統、存取點和掛載目標。這些僅限於用密鑰標記的那些ManagedByAmazonSageMakerResource。讓主體描述所有 EFS 檔案系統、存取點和掛載目標。讓主體建立或覆寫 EFS 存取點和裝載目標的標籤。 -
ec2
- 讓主體為 Amazon Elastic Compute Cloud (EC2) 執行個體建立網路介面和安全群組。也讓主體建立和覆寫這些資源的標籤。 -
sso
- 讓主體將受管執行個體新增至 AWS IAM Identity Center中並刪除。 -
sagemaker
— 允許主參與者建立及讀取 SageMaker使用者設定檔。也允許主參與者建立、讀取和刪除 SageMaker 空格。允許主參與者新增及列出標籤。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowEFSAccessPointCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateAccessPoint", "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*", "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSAccessPointDeletion", "Effect": "Allow", "Action": [ "elasticfilesystem:DeleteAccessPoint" ], "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSMountWithDeletion", "Effect": "Allow", "Action": [ "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget" ], "Resource": "*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSDescribe", "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" }, { "Sid": "AllowEFSTagging", "Effect": "Allow", "Action": "elasticfilesystem:TagResource", "Resource": [ "arn:aws:elasticfilesystem:*:*:access-point/*", "arn:aws:elasticfilesystem:*:*:file-system/*" ], "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEC2Tagging", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid": "AllowEC2Operations", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:DeleteNetworkInterface", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute" ], "Resource": "*" }, { "Sid": "AllowEC2AuthZ", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowIdcOperations", "Effect": "Allow", "Action": [ "sso:CreateManagedApplicationInstance", "sso:DeleteManagedApplicationInstance", "sso:GetManagedApplicationInstance" ], "Resource": "*" }, { "Sid": "AllowSagemakerProfileCreation", "Effect": "Allow", "Action": [ "sagemaker:CreateUserProfile", "sagemaker:DescribeUserProfile" ], "Resource": "*" }, { "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:DescribeSpace", "sagemaker:DeleteSpace", "sagemaker:ListTags" ], "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*" }, { "Sid": "AllowSagemakerAddTagsForAppManagedSpaces", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*", "Condition": { "StringEquals": { "sagemaker:TaggingAction": "CreateSpace" } } } ] }
Amazon SageMaker 更新 SageMaker筆記型電腦受管政策
檢視有關 Amazon AWS 受管政策更新的詳細資訊, SageMaker 因為此服務開始追蹤這些變更。
政策 | 版本 | 變更 | 日期 |
---|---|---|---|
8 |
新增 |
2024年5月22 日 | |
AmazonSageMakerNotebooksServiceRolePolicy -更新現有策略 |
7 |
新增 |
2023 年 3 月 9 日 |
AmazonSageMakerNotebooksServiceRolePolicy -更新現有策略 |
6 |
新增 |
2023 年 1 月 12 日 |
SageMaker 開始追蹤其 AWS 受管理策略的變更。 |
2021 年 6 月 1 日 |