AWS managed policies for Amazon SageMaker - Amazon SageMaker

This page is a machine translation of the English version. Where the two differ or the translation is ambiguous, the English version prevails.

AWS managed policies for Amazon SageMaker

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that give your team only the permissions it needs. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so a policy update does not break your existing permissions. Because such an update widens what every attached identity can do, treat a new policy version as a change to review, not a no-op.

AWS also supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

Important

We recommend that you use the most restrictive policy that still allows you to perform your use case.

The following AWS managed policies, which you can attach to users in your account, are specific to Amazon SageMaker:

  • AmazonSageMakerFullAccess – Grants full access to Amazon SageMaker and SageMaker geospatial resources and the supported operations. It does not grant unrestricted Amazon S3 access; it covers only buckets whose names contain "sagemaker" (in the listed spellings) and objects tagged for SageMaker, as shown in the policy document below. The policy allows any IAM role to be passed to Amazon SageMaker, but only IAM roles whose name contains "AmazonSageMaker" may be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services.

  • AmazonSageMakerReadOnly – Grants read-only access to Amazon SageMaker resources.

The following AWS managed policies can be attached to users in your account, but are not recommended:

  • AdministratorAccess – Grants all actions for all AWS services and all resources in the account.

  • DataScientist – Grants a wide range of permissions that cover most of the use cases (primarily analytics and business intelligence) that data scientists encounter.

You can review these permissions policies by signing in to the IAM console and searching for them by name.

You can also create your own custom IAM policies that allow permissions for Amazon SageMaker actions and resources as needed. Attach these custom policies to the users or groups that require them.

AWS managed policy: AmazonSageMakerFullAccess

This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker and SageMaker geospatial resources and operations. The policy also grants selected access to related services. It allows any IAM role to be passed to Amazon SageMaker, but only IAM roles whose name contains "AmazonSageMaker" may be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. This policy does not include the permissions needed to create an Amazon SageMaker domain. For the policy required to create a domain, see Amazon SageMaker Prerequisites.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows principals to automatically scale SageMaker real-time inference endpoints.

  • athena – Allows principals to query the list of data catalogs, databases, and table metadata from Amazon Athena.

  • aws-marketplace – Allows principals to view AWS AI Marketplace subscriptions. Required if you want to access SageMaker software that you subscribed to in AWS Marketplace.

  • cloudformation – Allows principals to get AWS CloudFormation templates used by SageMaker JumpStart solutions and SageMaker Pipelines. SageMaker JumpStart creates the resources needed to run end-to-end machine learning solutions that tie SageMaker to other AWS services. SageMaker Pipelines creates new projects backed by Service Catalog.

  • cloudwatch – Allows principals to post CloudWatch metrics, interact with alarms, and upload log files to CloudWatch Logs in your account.

  • codebuild – Allows principals to store AWS CodeBuild artifacts for SageMaker Pipelines and Projects.

  • codecommit – Required for AWS CodeCommit integration with SageMaker notebook instances.

  • cognito-idp – Required by Amazon SageMaker Ground Truth to define private workforces and work teams.

  • ec2 – Required to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for SageMaker jobs, models, endpoints, and notebook instances.

  • ecr – Required to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. Also required to bring your own container to SageMaker. Additional permissions for SageMaker JumpStart solutions are required to create and remove custom images on behalf of users.

  • elastic-inference – Allows principals to connect to Amazon Elastic Inference for use with SageMaker notebook instances and endpoints.

  • elasticfilesystem – Allows principals to access Amazon Elastic File System. Required for SageMaker to train machine learning models from data sources in Amazon Elastic File System.

  • fsx – Allows principals to access Amazon FSx. Required for SageMaker to train machine learning models from data sources in Amazon FSx.

  • glue – Required for inference pipeline preprocessing from within SageMaker notebook instances.

  • groundtruthlabeling – Required for Ground Truth labeling jobs. The groundtruthlabeling endpoint is accessed by the Ground Truth console.

  • iam – Required to give the SageMaker console access to the available IAM roles and to create service-linked roles.

  • kms – Required to give the SageMaker console access to the available AWS KMS keys and to retrieve any AWS KMS aliases specified in jobs and endpoints.

  • lambda – Allows principals to invoke AWS Lambda functions and to list them.

  • logs – Required to allow SageMaker jobs and endpoints to publish log streams.

  • redshift – Allows principals to obtain Amazon Redshift cluster credentials.

  • redshift-data – Allows principals to execute, describe, and cancel statements, get statement results, and list schemas and tables for data in Amazon Redshift.

  • robomaker – Allows principals full access to create, describe, and delete AWS RoboMaker simulation applications and jobs. Also required to run the reinforcement learning examples on notebook instances.

  • s3, s3express – Allows principals full access to the Amazon S3 and Amazon S3 Express resources related to SageMaker, but not to all Amazon S3 or Amazon S3 Express resources. In the policy document, "related to SageMaker" means buckets whose name contains SageMaker, Sagemaker, sagemaker, or aws-glue, plus read access (s3:GetObject only) to objects tagged SageMaker=true. The bucket-name match is case-sensitive, which is why the three spellings are listed separately.

  • sagemaker – Grants sagemaker:* on all SageMaker resources except domains, user profiles, apps, spaces, and flow definitions (the NotResource element of the first statement); those types are covered by the narrower statements that follow it. Allows read-only (Describe and List) access to domains and user profiles, allows principals to list tags on SageMaker user profiles and to add tags to SageMaker apps and spaces, and allows access to SageMaker flow definitions only when the WorkteamType is private-crowd or vendor-crowd.

  • sagemaker-geospatial – Grants sagemaker-geospatial:* on SageMaker geospatial resources.

  • secretsmanager – Allows principals to list secrets and to describe, retrieve, and create secrets whose names begin with AmazonSageMaker-, plus read access to secrets tagged SageMaker=true. Principals can use this to securely encrypt, store, and retrieve credentials for databases and other services. Also required for SageMaker notebook instances that use SageMaker code repositories backed by GitHub.

  • servicecatalog – Allows principals to use Service Catalog. Principals can create, get, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed with AWS resources. Required by SageMaker JumpStart and Projects to find and read Service Catalog products and to launch AWS resources in user accounts.

  • sns – Allows principals to list Amazon SNS topics and to create, subscribe to, and publish to topics whose name contains "sagemaker". Required by endpoints with asynchronous inference enabled so they can notify users that their inference has completed.

  • states – Required by SageMaker JumpStart and Pipelines to create Step Functions resources through Service Catalog.

  • tag – Required to render SageMaker Pipelines in Studio Classic. Studio Classic needs resources tagged with the sagemaker:project-id tag key, and looking them up requires the tag:GetResources permission.
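The PassRole scoping and the S3 name-and-tag scoping described in the list above are easy to misread from prose alone. The following is an added example, not part of the AWS documentation and not AWS SDK code: a small offline evaluator for the subset of IAM policy grammar that these statements use (Allow with Resource or NotResource, "*" and "?" wildcards, and the StringEquals, StringEqualsIgnoreCase, StringLike, ArnLike and Null condition operators, including the IfExists suffix), run against statements copied from the AmazonSageMakerFullAccess document on this page. The role and bucket ARNs, the account ID 123456789012 and the request-context values are constructed for the walk-through. The evaluator ignores policy variables such as ${sagemaker:DomainId}, treats condition key names as case-sensitive, and models no other identity policies, resource policies or permission boundaries, so it answers only "does this one policy, on its own, allow this request".

```python
"""Offline evaluator for the subset of IAM policy grammar used by the
AmazonSageMakerFullAccess statements excerpted below (added example, not AWS
code). Answers: does THIS policy alone allow `action` on `resource` given
a request context of condition keys?"""
import re


def arn_glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    The match is case-sensitive, which is why the policy lists the
    SageMaker / Sagemaker / sagemaker spellings separately."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_hold(conditions, ctx):
    for op, pairs in conditions.items():
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            actual = ctx.get(key)  # key names treated as case-sensitive (simplification)
            if base == "Null":
                # Null: {key: "true"} requires the key to be ABSENT from the request
                if (actual is None) != (wanted[0] == "true"):
                    return False
                continue
            if actual is None:
                if if_exists:
                    continue  # ...IfExists: a missing key satisfies the condition
                return False
            if base == "StringEquals":
                ok = actual in wanted
            elif base == "StringEqualsIgnoreCase":
                ok = actual.lower() in [w.lower() for w in wanted]
            elif base in ("StringLike", "ArnLike"):
                ok = any(arn_glob(w, actual) for w in wanted)
            else:
                raise NotImplementedError(f"operator {op} is not modelled")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    if not any(arn_glob(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if "Resource" in stmt:
        if not any(arn_glob(r, resource) for r in _as_list(stmt["Resource"])):
            return False
    elif "NotResource" in stmt:
        # NotResource: the statement applies to everything EXCEPT the listed ARNs
        if any(arn_glob(r, resource) for r in _as_list(stmt["NotResource"])):
            return False
    return _conditions_hold(stmt.get("Condition", {}), ctx)


def is_allowed(policy, action, resource, ctx=None):
    """Explicit Deny wins; else any matching Allow grants; else implicit deny."""
    ctx = ctx or {}
    matched = [s for s in policy["Statement"] if _statement_matches(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


# Statements copied from the AmazonSageMakerFullAccess document on this page
# (AllowStudioActions trimmed to three of its actions to keep the excerpt short).
SAGEMAKER_FULL_ACCESS_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllNonAdminSageMakerActions", "Effect": "Allow",
         "Action": ["sagemaker:*", "sagemaker-geospatial:*"],
         "NotResource": ["arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*",
                         "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:space/*",
                         "arn:aws:sagemaker:*:*:flow-definition/*"]},
        {"Sid": "AllowStudioActions", "Effect": "Allow", "Resource": "*",
         "Action": ["sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:DescribeUserProfile"]},
        {"Sid": "AllowS3ObjectActions", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
         "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                      "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
        {"Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::*"],
         "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}},
        {"Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
        {"Sid": "AllowPassRoleToSageMaker", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    ],
}

# Constructed request ARNs for the walk-through (account ID and names are made up).
ANY_ROLE = "arn:aws:iam::123456789012:role/DataLakeReader"
SM_ROLE = "arn:aws:iam::123456789012:role/AmazonSageMaker-ExecutionRole"


def pass_role_allowed(role_arn, service):
    return is_allowed(SAGEMAKER_FULL_ACCESS_EXCERPT, "iam:PassRole", role_arn,
                      {"iam:PassedToService": service})


def s3_get_allowed(object_arn, sagemaker_tag=None):
    ctx = {} if sagemaker_tag is None else {"s3:ExistingObjectTag/SageMaker": sagemaker_tag}
    return is_allowed(SAGEMAKER_FULL_ACCESS_EXCERPT, "s3:GetObject", object_arn, ctx)


if __name__ == "__main__":
    print(pass_role_allowed(ANY_ROLE, "sagemaker.amazonaws.com"))   # any role may go to SageMaker
    print(pass_role_allowed(ANY_ROLE, "glue.amazonaws.com"))        # name lacks AmazonSageMaker
    print(s3_get_allowed("arn:aws:s3:::SAGEMAKER-data/train.csv"))  # upper-case name: no match
```

Two results worth noting: a bucket named SAGEMAKER-data is outside the policy even though it "contains sagemaker" to a human reader, because ARN matching is case-sensitive, and an object tag grants s3:GetObject only, so a tagged object in a non-matching bucket can be read but not written or deleted under this policy.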

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:*",
        "sagemaker-geospatial:*"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:space/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:app/*"
      ]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces",
        "sagemaker:DescribeApp",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private",
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private"
          ]
        }
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": [
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": [
            "private-crowd",
            "vendor-crowd"
          ]
        }
      }
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elastic-inference:Connect",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/*sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ProvisionProduct"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "robomaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": [
        "glue:CreateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": [
        "glue:DeleteTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:user-profile/*"
      ]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:ListAllMyDirectoryBuckets"
      ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AmazonSageMakerReadOnly

This policy grants read-only access to Amazon SageMaker through the AWS Management Console and the SDK.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows users to browse descriptions of scalable SageMaker real-time inference endpoints.

  • aws-marketplace – Allows users to view AWS AI Marketplace subscriptions.

  • cloudwatch – Allows users to describe CloudWatch alarms.

  • cognito-idp – Required by Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.

  • ecr – Used to read Docker artifacts for training and inference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Describe*",
        "sagemaker:List*",
        "sagemaker:BatchGetMetrics",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:BatchGetRecord",
        "sagemaker:GetRecord",
        "sagemaker:Search",
        "sagemaker:QueryLineage",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:GetModelPackageGroupPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "aws-marketplace:ViewSubscriptions",
        "cloudwatch:DescribeAlarms",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders",
        "cognito-idp:ListUserPoolClients",
        "cognito-idp:ListUserPools",
        "cognito-idp:ListUsers",
        "cognito-idp:ListUsersInGroup",
        "ecr:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

SageMaker updates to AWS managed policies

View details about updates to AWS managed policies for SageMaker since this service began tracking these changes.

Policy | Version | Change | Date
--- | --- | --- | ---
AmazonSageMakerFullAccess - Update to an existing policy | 26 | Added the sagemaker:AddTags permission. | March 29, 2024
AmazonSageMakerFullAccess - Update to an existing policy | 25 | Added the sagemaker:CreateApp, sagemaker:DescribeApp, sagemaker:DeleteApp, sagemaker:CreateSpace, sagemaker:UpdateSpace, sagemaker:DeleteSpace, s3express:CreateSession, s3express:CreateBucket, and s3express:ListAllMyDirectoryBuckets permissions. | November 30, 2023
AmazonSageMakerFullAccess - Update to an existing policy | 24 | Added the sagemaker-geospatial:*, sagemaker:AddTags, sagemaker:ListTags, sagemaker:DescribeSpace, and sagemaker:ListSpaces permissions. | November 30, 2022
AmazonSageMakerFullAccess - Update to an existing policy | 23 | Added glue:UpdateTable. | June 29, 2022
AmazonSageMakerFullAccess - Update to an existing policy | 22 | Added cloudformation:ListStackResources. | May 1, 2022
AmazonSageMakerReadOnly - Update to an existing policy | 11 | Added the sagemaker:QueryLineage, sagemaker:GetLineageGroupPolicy, sagemaker:BatchDescribeModelPackage, and sagemaker:GetModelPackageGroupPolicy permissions. | December 1, 2021
AmazonSageMakerFullAccess - Update to an existing policy | 21 | Added the sns:Publish permission for endpoints with asynchronous inference enabled. | September 8, 2021
AmazonSageMakerFullAccess - Update to an existing policy | 20 | Updated the iam:PassRole resources and permissions. | July 15, 2021
AmazonSageMakerReadOnly - Update to an existing policy | 10 | Added the new BatchGetRecord API for SageMaker Feature Store. | June 10, 2021
SageMaker started tracking changes to its AWS managed policies. | | | June 1, 2021