SageMakerStudioAdminIAMDefaultExecutionPolicy
Description: Administrative execution policy for using IAM roles with SageMaker Unified Studio. Allows admins to provision, manage and access resources in your account (excluding access to data resources) for IAM-based usage of SageMaker Unified Studio.
SageMakerStudioAdminIAMDefaultExecutionPolicy is an AWS managed policy.
Using this policy
You can attach SageMakerStudioAdminIAMDefaultExecutionPolicy to your users, groups, and roles.
Policy details
-
Type: AWS managed policy
-
Creation time: August 18, 2025, 17:19 UTC
-
Edited time: November 18, 2025, 23:34 UTC
-
ARN:
arn:aws:iam::aws:policy/SageMakerStudioAdminIAMDefaultExecutionPolicy
Policy version
Policy version: v5 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "DataZone", "Effect" : "Allow", "Action" : [ "datazone:*" ], "Resource" : [ "*" ] }, { "Sid" : "SageMakerUnifiedStudioMcp", "Effect" : "Allow", "Action" : [ "sagemaker-unified-studio-mcp:*" ], "Resource" : "*" }, { "Sid" : "IamSts", "Effect" : "Allow", "Action" : [ "iam:GetRole", "iam:ListRoles", "iam:GetUser", "iam:ListUsers", "sts:AssumeRole" ], "Resource" : "*" }, { "Sid" : "CreateSLR", "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : [ "arn:aws:iam::*:role/aws-service-role/neptune-graph.amazonaws.com/AWSServiceRoleForNeptuneGraph", "arn:aws:iam::*:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift", "arn:aws:iam::*:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks", "arn:aws:iam::*:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWSServiceRoleForAmazonEMRServerless", "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA", "arn:aws:iam::*:role/aws-service-role/airflow-serverless.amazonaws.com/AWSServiceRoleForAmazonMWAAServerless", "arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com/AWSServiceRoleForEMRCleanup", "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless", "arn:aws:iam::*:role/aws-service-role/ops.athena.amazonaws.com/AWSServiceRoleForAmazonAthena" ] }, { "Sid" : "TagRoleAndSession", "Effect" : "Allow", "Action" : [ "iam:TagRole", "sts:TagSession" ], "Resource" : "*", "Condition" : { "ForAllValues:StringLike" : { "aws:TagKeys" : [ "AmazonDataZone*" ] } } }, { "Sid" : "CreateRole", "Effect" : "Allow", "Action" : [ "iam:CreateRole" ], "Resource" : [ "arn:aws:iam::*:role/service-role/AmazonSageMaker*" ] }, { "Sid" : "AttachPolicy", "Effect" : "Allow", "Action" : "iam:AttachRolePolicy", "Resource" : "arn:aws:iam::*:role/service-role/AmazonSageMaker*", "Condition" : { "ArnEquals" : { "iam:PolicyARN" : [ "arn:aws:iam::aws:policy/SageMakerStudioUserIAMDefaultExecutionPolicy", "arn:aws:iam::aws:policy/SageMakerStudioUserIAMPermissiveExecutionPolicy", "arn:aws:iam::aws:policy/service-role/AmazonS3TablesLakeFormationServiceRole" ] } } }, { "Sid" : "SourceIdentity", "Effect" : "Allow", "Action" : "sts:SetSourceIdentity", "Resource" : "*", "Condition" : { "StringLike" : { "sts:SourceIdentity" : "${aws:PrincipalTag/datazone:userId}" } } }, { "Sid" : "PassRoleForProvisioning", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : "*", "Condition" : { "StringEquals" : { "iam:PassedToService" : [ "sagemaker.amazonaws.com", "lakeformation.amazonaws.com", "athena.amazonaws.com", "glue.amazonaws.com", "datazone.amazonaws.com", "airflow-serverless.amazonaws.com" ], "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "PassRole", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : [ "arn:aws:iam::*:role/service-role/AmazonSageMaker*", "arn:aws:iam::*:role/${aws:PrincipalTag/AmazonDataZonePassedRolePath}" ], "Condition" : { "StringEquals" : { "iam:PassedToService" : [ "datazone.amazonaws.com", "bedrock.amazonaws.com", "scheduler.amazonaws.com", "emr-serverless.amazonaws.com", "redshift.amazonaws.com", "airflow-serverless.amazonaws.com" ] } } }, { "Sid" : "Q", "Effect" : "Allow", "Action" : [ "glue:StartCompletion", "q:Get*", "q:List*", "q:PassRequest", "q:SendMessage", "q:StartConversation" ], "Resource" : "*" }, { "Sid" : "SSMParameter", "Effect" : "Allow", "Action" : [ "ssm:DeleteParameter", "ssm:GetParameter*", "ssm:PutParameter" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/amazon/datazone/q*", "arn:aws:ssm:*:*:parameter/amazon/datazone/genAI/*", "arn:aws:ssm:*::parameter/aws/service/sagemaker-distribution/*" ] }, { "Sid" : "ManageSageMakerSpace", "Effect" : "Allow", "Action" : "sagemaker:*", "Resource" : [ "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:space/*", "arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*" ] }, { "Sid" : "ResourceGroupsPermissions", "Effect" : "Allow", "Action" : [ "resource-groups:GetGroupQuery", "resource-groups:ListGroupResources" ], "Resource" : "*" }, { "Sid" : "SageMakerPermissions", "Effect" : "Allow", "Action" : [ "sagemaker:AddTags", "sagemaker:Batch*", "sagemaker:DeleteTags", "sagemaker:Describe*", "sagemaker:List*", "sagemaker:Search", "sagemaker:*Endpoint*", "sagemaker:*Model*", "sagemaker:*Context*", "sagemaker:*Artifact*", "sagemaker:*Action*", "sagemaker:*Association*", "sagemaker:QueryLineage", "sagemaker:*InferenceComponent*", "sagemaker:*Job*", "sagemaker:StartMlflowTrackingServer", "sagemaker:StopMlflowTrackingServer", "sagemaker:CreatePresignedMlflowTrackingServerUrl", "sagemaker-mlflow:*" ], "Resource" : "*" }, { "Sid" : "CreateBucket", "Effect" : "Allow", "Action" : [ "s3:CreateBucket", "s3:DeleteBucketPolicy", "s3:Get*", "s3:Put*" ], "Resource" : [ "arn:aws:s3:::amazon-sagemaker*" ] }, { "Sid" : "S3List", "Effect" : "Allow", "Action" : [ "s3:GetBucketAcl", "s3:List*" ], "Resource" : "*" }, { "Sid" : "S3CrossAccount", "Effect" : "Allow", "Action" : [ "s3:GetObject*", "s3:List*", "s3:PutObject*" ], "Resource" : "*", "Condition" : { "StringNotEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "CfnManage", "Effect" : "Allow", "Action" : [ "cloudformation:*" ], "Resource" : [ "arn:aws:cloudformation:*:*:stack/DataZone*" ] }, { "Sid" : "ValidateCfn", "Effect" : "Allow", "Action" : "cloudformation:ValidateTemplate", "Resource" : "*" }, { "Sid" : "LogsAndMetrics", "Effect" : "Allow", "Action" : [ "cloudwatch:PutMetricData", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:Describe*", "logs:Get*", "logs:PutLogEvents", "logs:StopQuery" ], "Resource" : "*" }, { "Sid" : "LFManage", "Effect" : "Allow", "Action" : [ "lakeformation:BatchGrantPermissions", "lakeformation:BatchRevokePermissions", "lakeformation:DeregisterResource", "lakeformation:DescribeResource", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GrantPermissions", "lakeformation:ListPermissions", "lakeformation:ListResources", "lakeformation:PutDataLakeSettings", "lakeformation:RegisterResource", "lakeformation:RevokePermissions", "lakeformation:ListLakeFormationOptIns", "lakeformation:CreateLakeFormationOptIn", "lakeformation:DeleteLakeFormationOptIn" ], "Resource" : "*" }, { "Sid" : "GlueDatabase", "Effect" : "Allow", "Action" : [ "glue:*" ], "Resource" : [ "arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:catalog/*", "arn:aws:glue:*:*:connection/*" ] }, { "Sid" : "GlueLakeFormation", "Effect" : "Allow", "Action" : [ "glue:*" ], "Resource" : "*", "Condition" : { "StringEquals" : { "glue:LakeFormationPermissions" : "Enabled" } } }, { "Sid" : "Glue", "Effect" : "Allow", "Action" : [ "glue:CancelStatement", "glue:CreateSession", "glue:DeleteSession", "glue:Describe*", "glue:Get*", "glue:List*", "glue:NotifyEvent", "glue:RunStatement", "glue:StartCompletion", "glue:StopSession", "glue:TagResource", "glue:UntagResource", "glue:UseGlueStudio", "glue:*Job*", "glue:TestConnection" ], "Resource" : "*" }, { "Sid" : "GlueSessionIsolation", "Effect" : "Deny", "Action" : [ "glue:CancelStatement", "glue:CreateSession", "glue:DeleteSession", "glue:GetSession", "glue:GetStatement", "glue:RunStatement", "glue:StopSession", "glue:GetDashboardUrl" ], "Resource" : [ "arn:aws:glue:*:*:session/*" ], "Condition" : { "StringNotEquals" : { "aws:RequestTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}", "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "DenyTaggingUntaggingForeignSessions", "Effect" : "Deny", "Action" : [ "glue:TagResource", "glue:UntagResource" ], "Resource" : "arn:aws:glue:*:*:session/*", "Condition" : { "StringNotEquals" : { "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "SQLWorkBench", "Effect" : "Allow", "Action" : [ "sqlworkbench:*" ], "Resource" : "*" }, { "Sid" : "RedshiftData", "Effect" : "Allow", "Action" : "redshift-data:*", "Resource" : "*", "Condition" : { "StringEquals" : { "redshift-data:statement-owner-iam-userid" : "${aws:userid}" } } }, { "Sid" : "RedShiftActions", "Effect" : "Allow", "Action" : [ "redshift-data:BatchExecuteStatement", "redshift-data:Describe*", "redshift-data:ExecuteStatement", "redshift-data:List*", "redshift-serverless:GetManagedWorkgroup", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:List*", "redshift:Describe*", "redshift:GetClusterCredentialsWithIAM", "redshift-serverless:GetCredentials" ], "Resource" : "*" }, { "Sid" : "Bedrock", "Effect" : "Allow", "Action" : "bedrock:*", "Resource" : "*" }, { "Sid" : "FederatedConn", "Effect" : "Allow", "Action" : [ "dynamodb:List*", "dynamodb:Describe*", "dynamodb:Scan", "dynamodb:PartiQLSelect", "dynamodb:Query", "secretsmanager:ListSecrets" ], "Resource" : "*" }, { "Sid" : "Athena", "Effect" : "Allow", "Action" : [ "athena:*" ], "Resource" : "*" }, { "Sid" : "AthenaSessionIsolation", "Effect" : "Deny", "Action" : [ "athena:StartSession", "athena:GetSession", "athena:TerminateSession", "athena:GetSessionStatus", "athena:GetSessionEndpoint", "athena:GetResourceDashboard" ], "Resource" : [ "arn:aws:athena:*:*:workgroup/*/session/*" ], "Condition" : { "StringNotEquals" : { "aws:RequestTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}", "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "DenyTaggingUntaggingForeignAthenaSessions", "Effect" : "Deny", "Action" : [ "athena:TagResource", "athena:UntagResource" ], "Resource" : "arn:aws:athena:*:*:workgroup/*/session/*", "Condition" : { "StringNotEquals" : { "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "AirflowServerless", "Effect" : "Allow", "Action" : [ "airflow-serverless:List*", "airflow-serverless:Get*", "airflow-serverless:CreateWorkflow", "airflow-serverless:UpdateWorkflow", "airflow-serverless:DeleteWorkflow", "airflow-serverless:StartWorkflowRun", "airflow-serverless:StopWorkflowRun", "airflow-serverless:TagResource", "airflow-serverless:UntagResource" ], "Resource" : "*" }, { "Sid" : "ManagePrivateSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:TagResource", "secretsmanager:UpdateSecret", "secretsmanager:PutResourcePolicy" ], "Resource" : "*", "Condition" : { "Null" : { "aws:ResourceTag/AmazonDataZoneProject" : "false" } } }, { "Sid" : "ManageSharedSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:TagResource", "secretsmanager:UpdateSecret" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/for-use-with-all-datazone-projects" : "true" }, "Null" : { "aws:ResourceTag/AmazonDataZoneProject" : "true" } } }, { "Sid" : "RedshiftSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:CreateSecret", "secretsmanager:RotateSecret", "secretsmanager:DescribeSecret", "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret", "secretsmanager:TagResource" ], "Resource" : "arn:aws:secretsmanager:*:*:secret:redshift!*" }, { "Sid" : "GenerateRecommendations", "Effect" : "Allow", "Action" : [ "codewhisperer:GenerateRecommendations" ], "Resource" : "*" }, { "Sid" : "ManageScheduler", "Effect" : "Allow", "Action" : "scheduler:*", "Resource" : "*" }, { "Sid" : "Ecr", "Effect" : "Allow", "Action" : [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer" ], "Resource" : "*" }, { "Sid" : "CodeConnectionsAdmin", "Effect" : "Allow", "Action" : [ "codeconnections:*", "codestar-connections:*" ], "Resource" : "*" }, { "Sid" : "KmsListAndDescribe", "Effect" : "Allow", "Action" : [ "kms:DescribeKey", "kms:ListAliases", "kms:ListGrants" ], "Resource" : "*" }, { "Sid" : "DataZoneKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "datazone.*.amazonaws.com" }, "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:datazone:domainId" } } }, { "Sid" : "S3Kms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "s3.*.amazonaws.com" }, "Null" : { "kms:EncryptionContext:aws:s3:arn" : "false" } } }, { "Sid" : "SchedulerKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "Null" : { "kms:EncryptionContext:aws:scheduler:schedule:arn" : "false" } } }, { "Sid" : "SecretsKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "secretsmanager.*.amazonaws.com" }, "Null" : { "kms:EncryptionContext:SecretARN" : "false" } } }, { "Sid" : "SageMakerKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sagemaker.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "SageMakerCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sagemaker.*.amazonaws.com" } } }, { "Sid" : "DataZoneCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "datazone.*.amazonaws.com" }, "ForAllValues:StringEquals" : { "kms:GrantOperations" : [ "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKeyWithoutPlaintext", "GenerateDataKey", "DescribeKey", "RetireGrant", "CreateGrant" ] } } }, { "Sid" : "GlueKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "glue.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "BedrockKms", "Effect" : "Allow", "Action" : [ "kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "bedrock.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "WorkflowsCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "arn:*:kms:*:*:key/*", "Condition" : { "StringLike" : { "kms:ViaService" : "airflow-serverless.*.amazonaws.com" }, "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:airflow-serverless:workflow-arn" }, "ForAllValues:StringEquals" : { "kms:GrantOperations" : [ "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "RetireGrant" ] } } }, { "Sid" : "WorkflowsKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource" : "arn:*:kms:*:*:key/*", "Condition" : { "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:airflow-serverless:workflow-arn" } } }, { "Sid" : "CreateSG", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:vpc/*" ] }, { "Sid" : "SGManage", "Effect" : "Allow", "Action" : [ "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid" : "SGAuth", "Effect" : "Allow", "Action" : [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "Null" : { "aws:ResourceTag/AmazonDataZoneProject" : "false" } } }, { "Sid" : "Ec2DescribeOnly", "Effect" : "Allow", "Action" : "ec2:Describe*", "Resource" : "*" }, { "Sid" : "SGCreateTags", "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : "arn:aws:ec2:*:*:security-group/*", "Condition" : { "ForAllValues:StringLike" : { "aws:TagKeys" : [ "AmazonDataZone*", "aws:cloudformation:*" ] } } }, { "Sid" : "VpcAccess", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission" ], "Resource" : "*" }, { "Sid" : "EC2TagAccessForVpc", "Effect" : "Allow", "Action" : [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource" : [ "arn:aws:ec2:*:*:network-interface/*" ] }, { "Sid" : "EMRServerless", "Effect" : "Allow", "Action" : [ "emr-serverless:ListApplications", "emr-serverless:GetApplication" ], "Resource" : "*" } ] }
Learn more
