

# Guide to getting set up with Amazon SageMaker AI
<a name="gs"></a>

To use the features in Amazon SageMaker AI, you must have access to Amazon SageMaker AI. To set up Amazon SageMaker AI and its features, use one of the following options.
+ **[Use quick setup](onboard-quick-start.md)**: Fastest setup for individual users with default settings.
+ **[Use custom setup](onboard-custom.md)**: Advanced setup for enterprise Machine Learning (ML) administrators. Ideal option for ML administrators setting up SageMaker AI for many users or an organization.

**Note**  
You do not need to set up SageMaker AI if any of the following situations apply:  
+ An email is sent to you inviting you to create a password to use the IAM Identity Center authentication. The email also contains the AWS access portal URL you use to sign in. For more information about signing in to the AWS access portal, see [Sign in to the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosignin.html).
+ You intend to use the Amazon SageMaker Studio Lab ML environment. Studio Lab does not require you to have an AWS account. For information about Studio Lab, see [Amazon SageMaker Studio Lab](studio-lab.md).
+ You are using the AWS CLI, SageMaker APIs, or SageMaker SDKs.

If any of the prior situations apply, you can skip the rest of this [Guide to getting set up with Amazon SageMaker AI](#gs) chapter and navigate to the following:  
+ [Automated ML, no-code, or low-code](use-auto-ml.md)
+ [Machine learning environments offered by Amazon SageMaker AI](machine-learning-environments.md)
+ [APIs, CLI, and SDKs](api-and-sdk-reference-overview.md)

**Topics**
+ [Complete Amazon SageMaker AI prerequisites](gs-set-up.md)
+ [Use quick setup for Amazon SageMaker AI](onboard-quick-start.md)
+ [Use custom setup for Amazon SageMaker AI](onboard-custom.md)
+ [Amazon SageMaker AI domain overview](gs-studio-onboard.md)
+ [Supported Regions and Quotas](regions-quotas.md)

# Complete Amazon SageMaker AI prerequisites
<a name="gs-set-up"></a>

Before you can set up Amazon SageMaker AI, you must complete the following prerequisites. 
+ **Required**: You will need to create an Amazon Web Services (AWS) account to get access to all of the AWS services and resources for the account.
+ **Highly recommended**: We highly recommend that you create an administrative user to manage AWS resources for the account, to adhere to the [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). It is assumed that you have an administrative user for many of the administrative tasks throughout the SageMaker AI developer guide.
+ **Optional**: Configure the AWS Command Line Interface (AWS CLI) if you intend to manage your AWS services and resources for the account using the AWS CLI.

**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)
+ [(Optional) Configure the AWS CLI](#gs-cli-prereq)

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

When you create an administrative user to set up SageMaker AI, the administrative user should include specific permissions to create SageMaker AI resources. To view the permissions, see the following administrator permissions section.

## Administrator permissions
<a name="gs-admin-permissions"></a>

When you create your administrative user using the preceding instructions, your administrative user should already include the permissions contained in the [AmazonSageMakerFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AmazonSageMakerFullAccess) policy, as well as the following permissions. These policies are needed to create a SageMaker AI domain among other tasks.

If you intend to create your own custom policy, these permissions are required to create a domain and get set up with SageMaker AI. For information about adding policies, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *AWS Identity and Access Management User Guide*.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:*"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:domain/*",
                "arn:aws:sagemaker:*:*:user-profile/*",
                "arn:aws:sagemaker:*:*:app/*",
                "arn:aws:sagemaker:*:*:flow-definition/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "servicecatalog:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
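
To see what this policy document grants on its own, the following added example (not AWS code) evaluates an action and resource against its `Allow` statements using IAM-style `*` and `?` wildcard matching. It is a simplification that ignores `Deny` statements, conditions, and any other attached policy such as AmazonSageMakerFullAccess; the function names, the account ID, and the resource ARNs in the checks are constructed for illustration.

```python
import re

# The administrator policy shown above, copied into a Python dict.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sagemaker:*"],
            "Resource": [
                "arn:aws:sagemaker:*:*:domain/*",
                "arn:aws:sagemaker:*:*:user-profile/*",
                "arn:aws:sagemaker:*:*:app/*",
                "arn:aws:sagemaker:*:*:flow-definition/*",
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["iam:GetRole", "servicecatalog:*"],
            "Resource": ["*"],
        },
    ],
}


def as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(regex, value, flags) is not None


def allowed_by(policy, action, resource):
    """True if some Allow statement in this one document matches.

    Simplified on purpose: Deny, Condition, NotAction and NotResource are
    not evaluated, so this answers "what does this document grant", not
    "what will IAM decide".
    """
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive; resource ARNs are not.
        action_ok = any(
            wildcard_match(p, action, ignore_case=True)
            for p in as_list(stmt.get("Action", []))
        )
        resource_ok = any(
            wildcard_match(p, resource)
            for p in as_list(stmt.get("Resource", []))
        )
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    acct = "111122223333"  # constructed account ID
    checks = [
        ("sagemaker:CreateDomain", f"arn:aws:sagemaker:us-east-1:{acct}:domain/d-example"),
        ("sagemaker:CreateTrainingJob", f"arn:aws:sagemaker:us-east-1:{acct}:training-job/example"),
        ("servicecatalog:DeleteProduct", f"arn:aws:catalog:us-east-1:{acct}:product/prod-example"),
        ("iam:PassRole", f"arn:aws:iam::{acct}:role/example"),
    ]
    for action, resource in checks:
        verdict = "allow" if allowed_by(ADMIN_POLICY, action, resource) else "no match"
        print(f"{verdict:9} {action} on {resource}")
```

The run shows that the `sagemaker:*` grant is limited to four resource types, while `servicecatalog:*` applies to every resource, which is the statement to narrow first when writing a custom policy.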

**Optional**: If you intend to manage your AWS services and resources for the account using the AWS CLI, proceed to the following instructions ([(Optional) Configure the AWS CLI](#gs-cli-prereq)).

**After you have completed your prerequisites**, continue on to the setup instructions by choosing one of the following options.
+ **[Use quick setup](onboard-quick-start.md)**: Fastest setup for individual users with default settings.
+ **[Use custom setup](onboard-custom.md)**: Advanced setup for enterprise Machine Learning (ML) administrators. Ideal option for ML administrators setting up SageMaker AI for many users or an organization.

## (Optional) Configure the AWS CLI
<a name="gs-cli-prereq"></a>

To manage your domain and other AWS services and resources using the AWS CLI, complete the setup in [Set up the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) in the *AWS Command Line Interface User Guide for Version 2*.

**After you have completed your prerequisites**, continue on to the setup instructions by choosing one of the following options.
+ **[Use quick setup](onboard-quick-start.md)**: Fastest setup for individual users with default settings.
+ **[Use custom setup](onboard-custom.md)**: Advanced setup for enterprise Machine Learning (ML) administrators. Ideal option for ML administrators setting up SageMaker AI for many users or an organization.

# Use quick setup for Amazon SageMaker AI
<a name="onboard-quick-start"></a>

The **Set up for single users** (quick setup) procedure gets you set up with default settings. Use this option if you want to get started with SageMaker AI quickly and you do not intend to customize your settings at this time. The default settings include granting access to the common SageMaker AI services for individual users to get started, for example, Amazon SageMaker Studio and Amazon SageMaker Canvas.

## Setup for single users (Quick setup)
<a name="onboard-quick-start-instructions"></a>

After satisfying the prerequisites in [Complete Amazon SageMaker AI prerequisites](gs-set-up.md), use the following instructions.

1. Open the [SageMaker AI console](https://console.aws.amazon.com/sagemaker/).

1. Open the left navigation pane.

1. Under **Admin configurations**, choose **Domains**.

1. Choose **Create domain**.

1. Choose **Set up for single user (Quick setup)**. Your domain and user profile are created automatically.

The **Set up for single user** process creates a domain and user profile for you automatically. If you want to learn about how the domain is set up for you when using the quick setup option, see the following section.

### Default settings
<a name="onboard-quick-start-defaults"></a>

When you onboard to an Amazon SageMaker AI domain using the **Set up for single user** procedure, your domain is automatically set up with the following default settings. For information about domains, see [Amazon SageMaker AI domain overview](gs-studio-onboard.md).
+ **Domain name**: SageMaker AI automatically assigns the name of the domain with a timestamp in the following format.

  ```
  QuickSetupDomain-YYYYMMDDTHHMMSS
  ```
+ **User profile name**: SageMaker AI automatically assigns the name of the user profile with a timestamp in the following format.

  ```
  default-YYYYMMDDTHHMMSS
  ```
+ **Domain execution role**: SageMaker AI creates a new IAM role and attaches the [AmazonSageMakerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerFullAccess.html) policy. When using the quick setup and the updated Amazon SageMaker Studio is your default experience, your IAM role also includes the [AmazonSageMakerCanvasFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerCanvasFullAccess.html), [AmazonSageMakerCanvasAIServicesAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerCanvasAIServicesAccess.html), and [AmazonS3FullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonS3FullAccess.html) policies.
+ **User profile execution role**: SageMaker AI sets the user profile execution role to the same IAM role used for the domain execution role.
+ **Shared space execution role**: SageMaker AI sets the shared space execution role to the same IAM role used for the domain execution role.
+ **SageMaker Canvas time series forecasting role**: SageMaker AI creates a new IAM role with the permissions required to use the SageMaker Canvas time series forecasting feature.
+ **Amazon S3 bucket**: SageMaker AI creates an Amazon S3 bucket named with the following format.

  ```
  sagemaker-studio-XXXXXXXXXXXXXXX
  ```
+ **Amazon VPC**: SageMaker AI selects a public VPC with the following logic.

  1. If there is a default VPC with associated subnets in the Region, SageMaker AI uses it. 

  1. If there is no default VPC or the default VPC has no associated subnets, then SageMaker AI uses any existing VPC with associated subnets. If there are multiple existing VPCs, SageMaker AI can select any of them.
+ **Studio experience**: Amazon SageMaker Studio is set as the default UI experience and Studio Classic is hidden. That is, in [UserSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UserSettings.html):
  + `DefaultLandingUri` is set to `studio::`.
  + [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html) `HiddenAppTypes` is set to `["JupyterServer"]`.

    For information about hidden applications, see [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md).

After the domain is set up, the administrative user can [Edit domain settings](domain-edit.md).
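
The defaults listed above can be inventoried on an existing domain before deciding what to edit. The following is an added example, not AWS code: it assumes the output of `aws sagemaker describe-domain`, `aws sagemaker describe-user-profile`, and `aws iam list-attached-role-policies` has been loaded into dicts, and reports which quick-setup defaults the domain still carries. The function name, finding codes, role ARN, and sample values are constructed for illustration.

```python
import re

# Managed policies the page lists for the quick-setup execution role.
QUICK_SETUP_POLICIES = {
    "AmazonSageMakerFullAccess",
    "AmazonSageMakerCanvasFullAccess",
    "AmazonSageMakerCanvasAIServicesAccess",
    "AmazonS3FullAccess",
}
# Name formats from the page: QuickSetupDomain-YYYYMMDDTHHMMSS, default-YYYYMMDDTHHMMSS
DOMAIN_NAME_RE = re.compile(r"QuickSetupDomain-\d{8}T\d{6}")
PROFILE_NAME_RE = re.compile(r"default-\d{8}T\d{6}")


def quick_setup_defaults(domain, profiles, attached_policies):
    """List the quick-setup defaults still present on a domain.

    domain            -- dict shaped like a DescribeDomain response
    profiles          -- dicts shaped like DescribeUserProfile responses
    attached_policies -- role ARN -> list of attached managed policy names
    Returns a list of (code, detail) tuples; an empty list means none found.
    """
    findings = []
    defaults = domain.get("DefaultUserSettings", {})
    domain_role = defaults.get("ExecutionRole")

    name = domain.get("DomainName", "")
    if DOMAIN_NAME_RE.fullmatch(name):
        findings.append(("QUICK_SETUP_DOMAIN_NAME", name))

    # Policies attached by quick setup; AmazonS3FullAccess covers every bucket.
    attached = set(attached_policies.get(domain_role, []))
    for policy in sorted(attached & QUICK_SETUP_POLICIES):
        findings.append(("DEFAULT_MANAGED_POLICY", policy))

    # Quick setup reuses the domain role for shared spaces and user profiles.
    space_role = domain.get("DefaultSpaceSettings", {}).get("ExecutionRole")
    if domain_role and space_role == domain_role:
        findings.append(("SHARED_SPACE_USES_DOMAIN_ROLE", domain_role))

    for profile in profiles:
        pname = profile.get("UserProfileName", "")
        if PROFILE_NAME_RE.fullmatch(pname):
            findings.append(("QUICK_SETUP_PROFILE_NAME", pname))
        # A profile without its own role falls back to the domain default.
        role = profile.get("UserSettings", {}).get("ExecutionRole") or domain_role
        if domain_role and role == domain_role:
            findings.append(("PROFILE_USES_DOMAIN_ROLE", pname))

    hidden = defaults.get("StudioWebPortalSettings", {}).get("HiddenAppTypes", [])
    if defaults.get("DefaultLandingUri") == "studio::" and "JupyterServer" in hidden:
        findings.append(("STUDIO_CLASSIC_HIDDEN", "JupyterServer"))
    return findings


# Constructed sample data in the shape of the API responses.
SAMPLE_ROLE = "arn:aws:iam::111122223333:role/service-role/ExampleQuickSetupRole"
SAMPLE_DOMAIN = {
    "DomainName": "QuickSetupDomain-20240101T120000",
    "DefaultUserSettings": {
        "ExecutionRole": SAMPLE_ROLE,
        "DefaultLandingUri": "studio::",
        "StudioWebPortalSettings": {"HiddenAppTypes": ["JupyterServer"]},
    },
    "DefaultSpaceSettings": {"ExecutionRole": SAMPLE_ROLE},
}
SAMPLE_PROFILES = [
    {
        "UserProfileName": "default-20240101T120000",
        "UserSettings": {"ExecutionRole": SAMPLE_ROLE},
    }
]
SAMPLE_ATTACHED = {SAMPLE_ROLE: sorted(QUICK_SETUP_POLICIES)}

if __name__ == "__main__":
    for code, detail in quick_setup_defaults(
        SAMPLE_DOMAIN, SAMPLE_PROFILES, SAMPLE_ATTACHED
    ):
        print(f"{code}: {detail}")
```

Each finding maps to one bullet in the default settings list, so the output doubles as a checklist of settings to review when you edit the domain.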

## After quick setup
<a name="onboard-quick-start-what-next"></a>

Do you want to start using SageMaker AI features right away, and do not intend to learn about domains or customize your domain? If so, skip the rest of this [Guide to getting set up with Amazon SageMaker AI](gs.md) chapter and do the following:
+ Open the [SageMaker AI console](https://console.aws.amazon.com/sagemaker) and choose an environment from the left navigation pane.

  For example, choose **Studio** from the left navigation pane and choose **Open Studio**.
+ Begin learning how to:
  + [Automated ML, no-code, or low-code](use-auto-ml.md)
  + [Machine learning environments offered by Amazon SageMaker AI](machine-learning-environments.md)

RStudio support is not currently available when onboarding using the **Set up for single users** ([Use quick setup for Amazon SageMaker AI](#onboard-quick-start)) option. To use RStudio, you must onboard using the **Set up for organizations** ([Use custom setup for Amazon SageMaker AI](onboard-custom.md)) option. For more information, see [Use custom setup for Amazon SageMaker AI](onboard-custom.md).

# Use custom setup for Amazon SageMaker AI
<a name="onboard-custom"></a>

The **Set up for organizations** (custom setup) guides you through an advanced setup for your Amazon SageMaker AI domain. This option provides information and recommendations to help you understand and control all aspects of the account configuration, including permissions, integrations, and encryption. Use this option if you want to set up a custom domain. For information about domains, see [Amazon SageMaker AI domain overview](gs-studio-onboard.md).

**Topics**
+ [Authentication methods](#onboard-custom-authentication-details)
+ [Setup for organizations (custom setup)](#onboard-custom-instructions)
+ [Access the domain after onboarding](#onboard-custom-users-accesss-domain)

## Authentication methods
<a name="onboard-custom-authentication-details"></a>

Before you set up the domain, consider the authentication methods for your users to access the domain.

**AWS Identity Center**: 
+ **Helps simplify administration of access permissions to groups of users.** You can grant or deny permissions to groups of users, instead of applying those permissions to each individual user. If a user moves to a different organization, you can move that user to a different AWS Identity and Access Management Identity center (AWS IAM Identity Center) group. The user then automatically receives the permissions that are needed for the new organization.

  Note that the IAM Identity Center needs to be in the same AWS Region as the domain.

  To set up with IAM Identity Center, use the following instructions from the *AWS IAM Identity Center User Guide*:
  + Begin with [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html).
  + [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-create-a-permission-set.html) that follows the best practice of applying least-privilege permissions.
  + [Add groups](https://docs.aws.amazon.com/singlesignon/latest/userguide/addgroups.html) to your IAM Identity Center directory.
  + [Assign single sign-on access](https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers) to users and groups.
  +  View the basic workflows to [get started with common tasks in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html).
+ The users in IAM Identity Center can access the domain using an AWS access portal URL that is emailed to them. The email provides instructions to create an account to access the domain. For more information, see [Sign in to the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosignin.html).

  As an administrator you can find the AWS access portal URL by navigating to the [IAM Identity Center](https://console.aws.amazon.com/singlesignon) and finding the **AWS access portal URL** under **Settings summary**.
+ Your domain must use AWS Identity and Access Management (IAM) authentication if you wish to restrict access to your domains exclusively to particular Amazon Virtual Private Clouds (VPCs), interface endpoints, or a predefined set of IP addresses. This feature is not supported for domains that use IAM Identity Center authentication. You can still use IAM Identity Center to enable centralized workforce identity control. For instructions on how to implement these restrictions while keeping IAM Identity Center to provide a consistent user sign-in experience, see [Secure access to Amazon SageMaker Studio Classic with IAM Identity Center and a SAML application](https://aws.amazon.com/blogs/machine-learning/secure-access-to-amazon-sagemaker-studio-with-aws-sso-and-a-saml-application/) in the *AWS machine learning blog*. Note that AWS SSO is IAM Identity Center in this blog.

**Login through IAM**: 
+ The user profiles can access the domain through the SageMaker AI console after logging into the account.
+ You can restrict access to your domains exclusively to particular Amazon Virtual Private Clouds (VPCs), interface endpoints, or a predefined set of IP addresses when using AWS Identity and Access Management (IAM) authentication. For more information, see [Allow Access Only from Within Your VPC](studio-interface-endpoint.md#studio-private-link-restrict).

## Setup for organizations (custom setup)
<a name="onboard-custom-instructions"></a>

### Custom setup using the console
<a name="onboard-custom-instructions-console"></a>

After satisfying the prerequisites in [Complete Amazon SageMaker AI prerequisites](gs-set-up.md), open the **Set up SageMaker AI Domain** (custom setup) page and use the following sections for information on the setup.

**Open the Set up SageMaker AI Domain page from the SageMaker AI console**

1. Open the [SageMaker AI console](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations** to expand the options.

1. Under **Admin configurations**, choose **Domains**.

1. From the **Domains** page, choose **Create domain**.

1. On the **Set up SageMaker AI domain** page, choose **Set up for organizations**.

1. Choose **Set up**.

Once you have opened the **Set up SageMaker AI Domain** page, use the following instructions:

#### Step 1: Domain details
<a name="onboard-custom-instructions-console-step-1"></a>

1. For **Domain name**, enter a unique name for your domain. For example, this can be your project or team name.

1. Choose **Next**.

#### Step 2: Users and ML Activities
<a name="onboard-custom-instructions-console-step-2"></a>

In this step you set up the authentication method, users, and permissions for your domain.

1. Under **How do you want to access Studio?**, you can choose one of two options. For information on the authentication methods, see [Authentication methods](#onboard-custom-authentication-details). Details on the options are provided in the following:
   + **AWS Identity Center**: 

     Under **Who will use Studio?** choose an AWS IAM Identity Center group that will access the domain.

     If you choose **No Identity Center user group** you create a domain with no users. You can add IAM Identity Center groups to the domain after the domain's creation. For more information, see [Edit domain settings](domain-edit.md).
   + **Login through IAM**: 

     Under **Who will use Studio?** choose **+ Add user**, enter a new user profile name, and choose **Add** to create and add a user profile name.

     You can repeat this process to create multiple user profiles.

1. Under **Who will use Studio?** select the IAM Identity Center users or groups, then choose **Select**. You need to set up Amazon SageMaker Studio within the same Region in which your IAM Identity Center is configured. You can change the Region of your domain by choosing the Region from the dropdown list on the top right of the console or you can change your IAM Identity Center Region by navigating to the [AWS access portal](https://console.aws.amazon.com/singlesignon).

1. Under **What ML activities do they perform?** you can use an existing role by choosing **Use an existing role** or you can create a new role by choosing **Create a new role** and checking the ML activities you want the role to have access to.

1. While selecting ML activities, you may need to satisfy requirements. To satisfy a requirement, choose **Add** and complete the requirement.

1. After all requirements are satisfied, choose **Next**.

#### Step 3: Applications
<a name="onboard-custom-instructions-console-step-3"></a>

In this step, you can configure the applications you have enabled in the previous step. For more information on the ML activities, see [ML activity reference](role-manager-ml-activities.md).

If the application has not been enabled, you receive a warning for that application. To enable an application that has not been enabled, return to the previous step by choosing **Back** and follow the previous instructions.
+ **Studio** configuration:

  Under **Studio**, you have the option to choose between the newer and classic version of Studio as your default experience. This means choosing which ML environment you interact with when you open Studio.
  + **Studio** includes multiple integrated development environments (IDEs) and applications, including Amazon SageMaker Studio Classic. If chosen, the Studio Classic IDE has default settings. For information on the default settings, see [Default settings](onboard-quick-start.md#onboard-quick-start-defaults).

    For information on Studio, see [Amazon SageMaker Studio](studio-updated.md).
  + **Studio Classic** includes the Jupyter IDE. If chosen, you may configure your Studio Classic configuration.

    For information on Studio Classic, see [Amazon SageMaker Studio Classic](studio.md).
+ **SageMaker Canvas** configuration: 

  If you have Amazon SageMaker Canvas enabled, see [Getting started with using Amazon SageMaker Canvas](canvas-getting-started.md) for the instructions and configuration details for onboarding.
+ **Studio Classic** configuration:

  If you chose **Studio** (recommended) as your default experience, the Studio Classic IDE has default settings. For information on the default settings, see [Default settings](onboard-quick-start.md#onboard-quick-start-defaults).

  If you chose Studio Classic as your default experience, you can choose to enable or disable notebook resource sharing. Notebook resources include artifacts such as cell output and Git repositories. For more information on Notebook resources, see [Share and Use an Amazon SageMaker Studio Classic Notebook](notebooks-sharing.md).

  If you enabled notebook resource sharing:

  1. Under **S3 location for shareable notebook resources**, input your Amazon S3 location.

  1. Under **Encryption key - *optional***, leave as **No Custom Encryption** or choose an existing AWS KMS key or choose **Enter a KMS key ARN** and enter your AWS KMS key's ARN.

  1. Under **Notebook cell output sharing preference**, choose **Allow users to share cell output** or **Disable cell output sharing**.
+ **RStudio** configuration:

  To enable RStudio, you need an RStudio license. To set that up, see [Get an RStudio license](rstudio-license.md).

  1. Under **RStudio Workbench**, verify that your RStudio license is automatically detected. For more information about getting an RStudio license and activating it with SageMaker AI, see [Get an RStudio license](rstudio-license.md).

  1. Select an instance type to launch your RStudio Server on. For more information, see [RStudioServerPro instance type](rstudio-select-instance.md).

  1. Under **Permission**, create your role or select an existing role. The role must have the following permissions policy. This policy allows the RStudioServerPro application to access necessary resources. It also allows Amazon SageMaker AI to automatically launch an RStudioServerPro application when the existing RStudioServerPro application is in a `Deleted` or `Failed` status. For information about adding permissions to a role, see [Modifying a role permissions policy (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy).

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "VisualEditor0",
                 "Effect": "Allow",
                 "Action": [
                     "license-manager:ExtendLicenseConsumption",
                     "license-manager:ListReceivedLicenses",
                     "license-manager:GetLicense",
                     "license-manager:CheckoutLicense",
                     "license-manager:CheckInLicense",
                     "logs:CreateLogDelivery",
                     "logs:CreateLogGroup",
                     "logs:CreateLogStream",
                     "logs:DeleteLogDelivery",
                     "logs:Describe*",
                     "logs:GetLogDelivery",
                     "logs:GetLogEvents",
                     "logs:ListLogDeliveries",
                     "logs:PutLogEvents",
                     "logs:PutResourcePolicy",
                     "logs:UpdateLogDelivery",
                     "sagemaker:CreateApp"
                 ],
                 "Resource": "*"
             }
         ]
     }
     ```

  1. Under **RStudio Connect**, add the URL for your RStudio Connect server. RStudio Connect is a publishing platform for Shiny applications, R Markdown reports, dashboards, plots, and more. When you onboard to RStudio on SageMaker AI, an RStudio Connect server is not created. For more information, see [Add an RStudio Connect URL](rstudio-configure-connect.md).

  1. Under **RStudio Package Manager**, add the URL for your RStudio Package Manager. SageMaker AI creates a default package repository for the Package Manager when you onboard RStudio. For more information about RStudio Package Manager, see [Update the RStudio Package Manager URL](rstudio-configure-pm.md).

  1. Select **Next**.
+ **Code Editor** configuration:

  If you have Code Editor enabled, see [Code Editor in Amazon SageMaker Studio](code-editor.md) for an overview and the configuration details.

#### Step 4: Customize Studio UI
<a name="onboard-custom-instructions-console-step-4"></a>

In this section you can customize the viewable applications and machine learning (ML) tools displayed in Studio. This customization only hides the applications and ML tools in the left navigation pane in Studio. For information on the Studio UI, see [Amazon SageMaker Studio UI overview](studio-updated-ui.md).

For information about the applications, see [Applications supported in Amazon SageMaker Studio](studio-updated-apps.md).

The customize Studio UI feature is not available in Studio Classic. If you wish to set Studio as your default experience, choose **Previous** to return to the previous step.

1. On the **Customize Studio UI** page you can hide applications and ML tools displayed in Studio by toggling them off.

1. Once you have reviewed your changes, choose **Next**.

#### Step 5: Set up network settings
<a name="onboard-custom-instructions-console-step-5"></a>

Choose how you want Studio to connect to other AWS services.

You can choose to disable internet access to your Studio by specifying the **Virtual Private Cloud (VPC) Only** network access type. If you choose this option, you cannot run a Studio notebook unless your VPC has an interface endpoint to the SageMaker API and runtime, or a Network Address Translation (NAT) gateway with internet access, and your security groups allow outbound connections. For more information on Amazon VPCs, see [Choose an Amazon VPC](onboard-vpc.md).

If you choose **Virtual Private Cloud (VPC) Only**, the following steps are required. If you choose **Public internet access**, the first two of the following steps are required.

1. Under **VPC**, choose the Amazon VPC ID.

1. Under **Subnet**, choose one or more subnets. If you don't choose any subnets, SageMaker AI uses all the subnets in the Amazon VPC. We recommend that you use multiple subnets that are not created in constrained Availability Zones. Using subnets in these constrained Availability Zones can result in insufficient capacity errors and longer application creation times. For more information about constrained Availability Zones, see [Availability Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones).

1. Under **Security group(s)**, choose one or more subnets.

If **VPC only** is selected, SageMaker AI automatically applies the security group settings defined for the domain to all shared spaces created in the domain. If **Public internet only** is selected, SageMaker AI does not apply the security group settings to shared spaces created in the domain.

#### Step 6: Configure storage
<a name="onboard-custom-instructions-console-step-6"></a>

You have the option to encrypt your data. The [Amazon Elastic File System (Amazon EFS)](https://docs.aws.amazon.com/efs/latest/ug/whatisefs.html) and [Amazon Elastic Block Store (Amazon EBS)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html) file systems are created for you when you create a domain. Amazon EBS sizes are used by both Code Editor and JupyterLab spaces.

You cannot change the encryption key after you encrypt your Amazon EFS and Amazon EBS file systems. To encrypt your Amazon EFS and Amazon EBS file systems, you can use the following configurations.
+ Under **Encryption key - *optional***, leave as **No Custom Encryption**, choose an existing KMS key, or choose **Enter a KMS key ARN** and enter the ARN of your KMS key.
+ Under **Default space size - *optional***, enter the default space size.
+ Under **Maximum space size - *optional***, enter the maximum space size.

#### Step 7: Review and create
<a name="onboard-custom-instructions-console-step-7"></a>

Review your domain settings. If you need to change the settings, choose **Edit** next to the relevant step. Once you confirm that your domain settings are accurate, choose **Submit** and the domain is created for you. This process may take a few minutes.

### Custom setup using the AWS CLI
<a name="onboard-custom-instructions-cli"></a>

The following sections provide AWS CLI instructions for the custom setup of your domain using the IAM Identity Center or IAM authentication methods.

After satisfying the prerequisites, including setting up your AWS CLI credentials, in [Complete Amazon SageMaker AI prerequisites](gs-set-up.md), use the following steps.

1. Create an execution role that is used to create a domain and attach the [AmazonSageMakerFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AmazonSageMakerFullAccess) policy. You can also use an existing role that has, at a minimum, an attached trust policy that grants SageMaker AI permission to assume the role. For more information, see [How to use SageMaker AI execution roles](sagemaker-roles.md).

   ```
   aws iam create-role --role-name execution-role-name --assume-role-policy-document file://execution-role-trust-policy.json
   aws iam attach-role-policy --role-name execution-role-name --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
   ```

1. Get the default Amazon Virtual Private Cloud (Amazon VPC) of your account.

   ```
   aws --region region ec2 describe-vpcs --filters Name=isDefault,Values=true --query "Vpcs[0].VpcId" --output text
   ```

1. Get the list of subnets in the default Amazon VPC.

   ```
   aws --region region ec2 describe-subnets --filters Name=vpc-id,Values=default-vpc-id --query "Subnets[*].SubnetId" --output json
   ```

1. Create a domain by passing the default Amazon VPC ID, subnets, and execution role ARN. You must also pass a SageMaker image ARN. For information on the available JupyterLab version ARNs, see [Setting a default JupyterLab version](studio-jl.md#studio-jl-set).

   For `authentication-mode`, use `SSO` for IAM Identity Center authentication or `IAM` for IAM authentication.

   ```
   aws --region region sagemaker create-domain --domain-name domain-name --vpc-id default-vpc-id --subnet-ids subnet-ids --auth-mode authentication-mode --default-user-settings "ExecutionRole=arn:aws:iam::account-number:role/execution-role-name,JupyterServerAppSettings={DefaultResourceSpec={InstanceType=system,SageMakerImageArn=image-arn}}" \
    --query DomainArn --output text
   ```

   You can use the AWS CLI to customize the applications and ML tools displayed in Studio for the domain, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenAppTypes` to hide applications and `HiddenMlTools` to hide ML tools. For more information on customizing the left navigation of the Studio UI, see [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md). This feature is not available for Studio Classic.

1. Verify that the domain has been created.

   ```
   aws --region region sagemaker list-domains
   ```
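Once `list-domains` shows the domain, the network and storage choices from Steps 5 and 6 can be checked against what the `DescribeDomain` API reports. The following is an added example, not code from the AWS guide: it audits one constructed `describe-domain` response, and the finding codes, severities, and sample IDs are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `aws sagemaker describe-domain` output.
# Every ID and ARN below is a placeholder, not a real resource.
SAMPLE_DOMAIN = json.loads("""
{
  "DomainId": "d-examplexxxxx",
  "DomainName": "domain-name",
  "Status": "InService",
  "AuthMode": "IAM",
  "AppNetworkAccessType": "PublicInternetOnly",
  "VpcId": "vpc-00000000example",
  "SubnetIds": ["subnet-00000000example"],
  "DefaultUserSettings": {
    "ExecutionRole": "arn:aws:iam::111122223333:role/execution-role-name",
    "SecurityGroups": []
  }
}
""")

# Remediation text follows the domain status table in this guide.
FAILED_STATES = {
    "Failed": "delete the failed domain and recreate it",
    "Update_Failed": "call UpdateDomain again",
    "Delete_Failed": "call DeleteDomain again",
}


def audit_domain(domain):
    """Return (severity, code, message) findings for one DescribeDomain response.

    Severities and codes are this example's own labels (assumptions).
    """
    findings = []

    status = domain.get("Status")
    if status in FAILED_STATES:
        reason = domain.get("FailureReason", "no FailureReason returned")
        findings.append(("HIGH", "STATUS_FAILED",
                         f"{status}: {reason}; fix the error, then {FAILED_STATES[status]}"))
    elif status != "InService":
        findings.append(("INFO", "STATUS_TRANSIENT", f"domain is {status}; re-check later"))

    access = domain.get("AppNetworkAccessType")
    groups = domain.get("DefaultUserSettings", {}).get("SecurityGroups", [])
    if access != "VpcOnly":
        # Outside VPC-only mode, domain security groups are not applied to shared spaces.
        findings.append(("MEDIUM", "NOT_VPC_ONLY",
                         f"network access type is {access}; domain security groups "
                         "are not applied to shared spaces"))
    elif not groups:
        findings.append(("HIGH", "VPC_ONLY_NO_SG",
                         "VpcOnly domain has no security groups in DefaultUserSettings"))

    if len(domain.get("SubnetIds", [])) < 2:
        findings.append(("LOW", "SINGLE_SUBNET",
                         "fewer than two subnets; the guide recommends multiple subnets"))

    if not domain.get("KmsKeyId"):
        findings.append(("MEDIUM", "NO_CUSTOM_KMS_KEY",
                         "no KMS key specified; the key cannot be changed once the "
                         "EFS and EBS file systems are encrypted"))
    return findings


if __name__ == "__main__":
    for severity, code, message in audit_domain(SAMPLE_DOMAIN):
        print(f"[{severity}] {code}: {message}")
```

To audit a real domain, save the output of `aws sagemaker describe-domain --domain-id domainId` to a file and pass the parsed JSON to `audit_domain`.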

### Custom setup using AWS CloudFormation
<a name="onboard-custom-instructions-cfn"></a>

For information about creating a domain using AWS CloudFormation, see [AWS::SageMaker::Domain](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-domain.html) in the *CloudFormation User Guide.*

For an example of a CloudFormation template that you can use to set up your domain, see [Creating Amazon SageMaker AI domains using CloudFormation](https://github.com/aws-samples/cloudformation-studio-domain) in the `aws-samples` GitHub repository.

After the domain is set up, the administrative user can view and edit the domain. For information, see [View domains](domain-view.md) and [Edit domain settings](domain-edit.md).

## Access the domain after onboarding
<a name="onboard-custom-users-accesss-domain"></a>

The users can access SageMaker AI using:
+ The sign-in URL if the domain was set up using the IAM Identity Center authentication. For information, see [How to sign in to the user portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosignin.html).
+ The [SageMaker AI console](https://console.aws.amazon.com/sagemaker).

# Amazon SageMaker AI domain overview
<a name="gs-studio-onboard"></a>

Amazon SageMaker AI uses domains to organize user profiles, applications, and their associated resources. An Amazon SageMaker AI domain consists of the following:
+ An associated Amazon Elastic File System (Amazon EFS) volume
+ A list of authorized users
+ A variety of security, application, policy, and Amazon Virtual Private Cloud (Amazon VPC) configurations

The following diagram provides an overview of private apps and shared spaces within each domain.

 ![\[Overview of a domain.\]](http://docs.aws.amazon.com/sagemaker/latest/dg/images/domains/private-apps-shared-spaces.png) 

To have access to most Amazon SageMaker AI environments and resources, you must complete the Amazon SageMaker AI domain onboarding process using the SageMaker AI console or the AWS CLI. For a guide describing how to get started using SageMaker AI based on how you want to access SageMaker AI, and if necessary how to set up a domain, see [Guide to getting set up with Amazon SageMaker AI](gs.md).

**Topics**
+ [Amazon SageMaker AI domain entities and statuses](sm-domain.md)
+ [Choose an Amazon VPC](onboard-vpc.md)

# Amazon SageMaker AI domain entities and statuses
<a name="sm-domain"></a>

Amazon SageMaker AI domain supports SageMaker AI machine learning (ML) environments. A SageMaker AI domain is composed of the following entities and their associated status values. For onboarding steps to create a domain, see [Amazon SageMaker AI domain overview](gs-studio-onboard.md).
+  **Domain**: A domain consists of the following.
  + An associated Amazon Elastic File System (Amazon EFS) volume.
  + A list of authorized users.
  + A variety of security, application, policy, and Amazon Virtual Private Cloud (Amazon VPC) configurations.

  Users within a domain can share notebook files and other artifacts with each other. An account can have multiple domains. For more information about multiple domains, see [Multiple domains overview](domain-multiple.md).
+  **User profile**: A user profile represents a single user within a domain. It is the main way to reference a user for the purposes of sharing, reporting, and other user-oriented features. This entity is created when a user onboards to the Amazon SageMaker AI domain. For more information about user profiles, see [Domain user profiles](domain-user-profile.md).
+  **Shared space**: A shared space consists of a shared JupyterServer application and shared directory. All users within the domain have access to the shared space. All user profiles in a domain have access to all shared spaces in the domain. For more information about shared spaces, see [Collaboration with shared spaces](domain-space.md).
+  **App**: An app represents an application that supports the reading and execution experience of the user’s notebooks, terminals, and consoles. The type of app can be JupyterServer, KernelGateway, RStudioServerPro, or RSession. A user may have multiple apps active simultaneously.

The following tables describe the status values for the `domain`, `UserProfile`, `shared space`, and `App` entities. Where applicable, they also give troubleshooting steps.

domain status values


| Value | Description | 
| --- | --- | 
| Pending | Ongoing creation of domain. | 
| InService | Successful creation of domain. | 
| Updating | Ongoing update of domain. | 
| Deleting | Ongoing deletion of domain. | 
| Failed | Unsuccessful creation of domain. Call the DescribeDomain API to see the failure reason for domain creation. Delete the failed domain and recreate the domain after fixing the error mentioned in FailureReason. | 
| Update_Failed | Unsuccessful update of domain. Call the DescribeDomain API to see the failure reason for domain update. Call the UpdateDomain API after fixing the error mentioned in FailureReason. | 
| Delete_Failed | Unsuccessful deletion of domain. Call the DescribeDomain API to see the failure reason for domain deletion. Because deletion failed, you might have some resources that are still running, but you cannot use or update the domain. Call the DeleteDomain API again after fixing the error mentioned in FailureReason. | 

`UserProfile` status values


| Value | Description | 
| --- | --- | 
| Pending | Ongoing creation of UserProfile. | 
| InService | Successful creation of UserProfile. | 
| Updating | Ongoing update of UserProfile. | 
| Deleting | Ongoing deletion of UserProfile. | 
| Failed | Unsuccessful creation of UserProfile. Call the DescribeUserProfile API to see the failure reason for UserProfile creation. Delete the failed UserProfile and recreate it after fixing the error mentioned in FailureReason. | 
| Update_Failed | Unsuccessful update of UserProfile. Call the DescribeUserProfile API to see the failure reason for UserProfile update. Call the UpdateUserProfile API again after fixing the error mentioned in FailureReason. | 
| Delete_Failed | Unsuccessful deletion of UserProfile. Call the DescribeUserProfile API to see the failure reason for UserProfile deletion. Because deletion failed, you might have some resources that are still running, but you cannot use or update the UserProfile. Call the DeleteUserProfile API again after fixing the error mentioned in FailureReason. | 

shared space status values


| Value | Description | 
| --- | --- | 
| Pending | Ongoing creation of shared space. | 
| InService | Successful creation of shared space. | 
| Deleting | Ongoing deletion of shared space. | 
| Failed | Unsuccessful creation of shared space. Call the DescribeSpace API to see the failure reason for shared space creation. Delete the failed shared space and recreate it after fixing the error mentioned in FailureReason. | 
| Update_Failed | Unsuccessful update of shared space. Call the DescribeSpace API to see the failure reason for shared space update. Call the UpdateSpace API again after fixing the error mentioned in FailureReason. | 
| Delete_Failed | Unsuccessful deletion of shared space. Call the DescribeSpace API to see the failure reason for shared space deletion. Because deletion failed, you might have some resources that are still running, but you cannot use or update the shared space. Call the DeleteSpace API again after fixing the error mentioned in FailureReason. | 
| Deleted | Successful deletion of shared space. | 

`App` status values


| Value | Description | 
| --- | --- | 
| Pending | Ongoing creation of App. | 
| InService | Successful creation of App. | 
| Deleting | Ongoing deletion of App. | 
| Failed | Unsuccessful creation of App. Call the DescribeApp API to see the failure reason for App creation. Call the CreateApp API again after fixing the error mentioned in FailureReason. | 
| Deleted | Successful deletion of App. | 

## Maintenance of applications
<a name="domain-maintenance"></a>

At least once every 90 days, SageMaker AI performs security and performance updates to the underlying software for Amazon SageMaker Studio Classic JupyterServer and KernelGateway, SageMaker Canvas, and Amazon SageMaker Data Wrangler applications. Some maintenance items, such as operating system upgrades, require that SageMaker AI takes your application offline for a short time during the maintenance window. Because this maintenance takes the application offline, you cannot perform any operations while the underlying software is being updated. When the maintenance activity is in progress, the state of the application transitions from **InService** to **Pending**. When maintenance is complete, the status of the application transitions back to **InService**. If patching fails, then the status of the application becomes **Failed**. If an application is in the **Failed** state, we recommend creating a new application of the same type. For information about creating Studio Classic applications, see [Shut Down and Update Amazon SageMaker Studio Classic and Apps](studio-tasks-update.md). For information about creating SageMaker Canvas applications, see [Applications management](canvas-manage-apps.md).

For more information, contact https://aws.amazon.com/premiumsupport/.

**Topics**
+ [Maintenance of applications](#domain-maintenance)
+ [Complete prerequisites](domain-prerequisites.md)
+ [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md)
+ [Hide instance types and images in the Amazon SageMaker Studio UI](studio-updated-ui-customize-instances-images.md)
+ [Multiple domains overview](domain-multiple.md)
+ [Isolate domain resources](domain-resource-isolation.md)
+ [Default settings for Amazon SageMaker AI domains](domain-set-defaults.md)
+ [Custom tag propagation](custom-tags.md)
+ [Adding a custom file system to a domain](domain-custom-file-system.md)
+ [View domain environment details](domain-space-environment.md)
+ [View domains](domain-view.md)
+ [Edit domain settings](domain-edit.md)
+ [Delete an Amazon SageMaker AI domain](gs-studio-delete-domain.md)
+ [Domain user profiles](domain-user-profile.md)
+ [IAM Identity Center groups in a domain](domain-groups.md)
+ [Understanding domain space permissions and execution roles](execution-roles-and-spaces.md)
+ [View SageMaker AI resources in your domain](sm-console-domain-resources-view.md)
+ [Shut down SageMaker AI resources in your domain](sm-console-domain-resources-shut-down.md)
+ [Where to shut down resources per SageMaker AI features](sm-shut-down-resources-per-feature.md)

# Complete prerequisites
<a name="domain-prerequisites"></a>

To use the features available in an Amazon SageMaker AI domain, you must complete the following prerequisites. 
+ Onboard to a domain. For more information, see [Onboard to Amazon SageMaker AI domain](https://docs.aws.amazon.com/sagemaker/latest/dg/gs-studio-onboard.html).
+ (Optional) If you are interacting with your domain using the AWS CLI, you must also complete the following prerequisites.
  +  Update the AWS CLI by following the steps in [Installing the current AWS CLI Version](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html#install-tool-bundled). 
  +  From your local machine, run `aws configure` and provide your AWS credentials. For information about AWS credentials, see [Understanding and getting your AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html). 

# Hide machine learning tools and applications in the Amazon SageMaker Studio UI
<a name="studio-updated-ui-customize-tools-apps"></a>

**Important**  
As of November 30, 2023, the previous Amazon SageMaker Studio experience is now named Amazon SageMaker Studio Classic. The following section is specific to using the updated Studio experience. For information about using the Studio Classic application, see [Amazon SageMaker Studio Classic](studio.md).

This topic shows how to hide applications and machine learning (ML) tools displayed in the Amazon SageMaker Studio user interface (UI). For information on the Studio UI, see [Amazon SageMaker Studio UI overview](studio-updated-ui.md).

This customization does not block access to these resources. If, instead, you want to block access to an application, see [Amazon SageMaker Role Manager](role-manager.md).

For information about the applications, see [Applications supported in Amazon SageMaker Studio](studio-updated-apps.md).

The customize Studio UI feature is not available in Amazon SageMaker Studio Classic.

You can customize the Studio UI on a domain level and a user level:
+ Customization on a domain level sets the default for all users in the domain.

  These default settings apply for all users in the domain who have *not* had these changes made to their individual user settings.
+ Customization on a user level will take priority over the domain level settings.

Use the following topics to learn more on the different customization levels and how to apply them.

**Topics**
+ [Hide machine learning tools and applications on a domain level](studio-updated-ui-customize-tools-apps-domain.md)
+ [Hide machine learning tools and applications on a user level](studio-updated-ui-customize-tools-apps-user.md)

# Hide machine learning tools and applications on a domain level
<a name="studio-updated-ui-customize-tools-apps-domain"></a>

The following shows how to use the console to customize the applications and ML tools displayed in Studio on a domain level. For more information, see [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md).

This feature is not available if Amazon SageMaker Studio Classic is set as your default experience.

## Hide machine learning tools and applications on a domain level instructions (console)
<a name="studio-updated-ui-customize-tools-apps-domain-instructions-console"></a>

**To hide machine learning tools and applications in the Studio UI on a domain level (console)**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, choose the link to the domain you wish to edit.

1. On the **Domain details** page, choose the **App Configurations** tab.

1. In the **SageMaker Studio** section, choose **Customize Studio UI**.

1. On the **Customize Studio UI** page you can hide applications and ML tools displayed in Studio by toggling them off. 

   Note that not all ML features are available in all regions.

1. Once you have reviewed your changes, choose **Save**.

Once completed, you will see a green banner containing a success message at the top of the page.

## Hide machine learning tools and applications on a domain level instructions (AWS CLI)
<a name="studio-updated-ui-customize-tools-apps-domain-instructions-cli"></a>

**Note**  
To use this feature you may need to update to the latest AWS CLI version. For more information, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

You can use the AWS CLI to customize the applications and ML tools displayed in Studio on a domain level, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenAppTypes` to hide applications and `HiddenMlTools` to hide ML tools. 

In the following example, SageMaker Canvas and Code Editor are being hidden for users in the domain `domainId`.

```
aws sagemaker update-domain \
  --domain-id domainId \
  --default-user-settings '{"StudioWebPortalSettings": {"HiddenAppTypes": ["Canvas", "CodeEditor"]}}'
```

Note that not all ML features are available in all AWS Regions.

# Hide machine learning tools and applications on a user level
<a name="studio-updated-ui-customize-tools-apps-user"></a>

The following shows how to customize the applications and ML tools displayed in Studio on a user level. For more information, see [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md).

This feature is not available if Studio Classic is set as your default experience. 

## Hide machine learning tools and applications on a user level instructions (console)
<a name="studio-updated-ui-customize-tools-apps-user-instructions-console"></a>

**To hide machine learning tools and applications in the Studio UI on a user level (console)**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, choose the link to the domain you wish to edit.

1. On the **Domain details** page, choose the **User profiles** tab.

1. In the **User profiles** section, choose the link to the user profile you wish to edit.

1. Choose the **App Configurations** tab.

1. In the **SageMaker Studio** section, choose **Customize Studio UI**.

1. On the **Customize Studio UI** page you can hide applications and ML tools displayed in Studio by toggling them off. 

   Note that not all ML features are available in all regions.

1. Once you have reviewed your changes, choose **Save**. This will take you back to the user profile edit flow.

1. Choose **Save changes**. 

Once completed, you will see a green banner containing a success message at the top of the page.

## Hide machine learning tools and applications on a user level instructions (AWS CLI)
<a name="studio-updated-ui-customize-tools-apps-user-instructions-cli"></a>

**Note**  
To use this feature you may need to update to the latest AWS CLI version. For more information, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

You can use the AWS CLI to customize the applications and ML tools displayed in Studio on a user level, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenAppTypes` to hide applications and `HiddenMlTools` to hide ML tools. 

In the following example, SageMaker Canvas and Code Editor are being hidden for user *userProfileName* in the domain `domainId`.

```
aws sagemaker update-user-profile \
  --domain-id domainId \
  --user-profile-name userProfileName \
  --user-settings '{"StudioWebPortalSettings": {"HiddenAppTypes": ["Canvas", "CodeEditor"]}}'
```

Note that not all ML features are available in all AWS Regions.

# Hide instance types and images in the Amazon SageMaker Studio UI
<a name="studio-updated-ui-customize-instances-images"></a>

**Important**  
As of November 30, 2023, the previous Amazon SageMaker Studio experience is now named Amazon SageMaker Studio Classic. The following section is specific to using the updated Studio experience. For information about using the Studio Classic application, see [Amazon SageMaker Studio Classic](studio.md).

This topic shows how to hide Amazon SageMaker AI instance types and images displayed in the Amazon SageMaker Studio user interface (UI). For information on the Studio UI, see [Amazon SageMaker Studio UI overview](studio-updated-ui.md).

When you hide SageMaker AI instance types and images: 
+ The impacted users will not be able to view the hidden resources in the Studio UI.
+ The impacted users will not be able to run or create a new space with the hidden configurations. 
+ Any currently running spaces for the impacted users will not be affected.
+ When an impacted user attempts to run a space with the hidden resources, they will be notified that the relevant resources have been disabled by the administrator.

**Note**  
If, instead of *hiding*, you would like to *restrict* the instance types available to users through an AWS Identity and Access Management policy, see:
+ [Can I limit the type of instances that data scientists can launch for training jobs in SageMaker AI?](https://repost.aws/questions/QUd77APmdHTx-2FZCvZfS6Qg/can-i-limit-the-type-of-instances-that-data-scientists-can-launch-for-training-jobs-in-sagemaker) in AWS re:Post.
+ [Limiting instances types on Amazon SageMaker AI via IAM policy](https://stackoverflow.com/questions/76426316/limiting-instances-types-on-aws-sagemaker-via-iam-policy) in StackOverflow.

The customize Studio UI feature is not available in Amazon SageMaker Studio Classic.

You can customize the Studio UI on a domain level and a user level:
+ Customization on a domain level sets the default for all users in the domain. 
+ Customization on a user level will take priority over the domain level settings.

Use the following topics to learn more on the different customization levels and how to apply them.

**Topics**
+ [Hide instance types and images on a domain level](studio-updated-ui-customize-instances-images-domain.md)
+ [Hide instance types and images on a user level](studio-updated-ui-customize-instances-images-user.md)

# Hide instance types and images on a domain level
<a name="studio-updated-ui-customize-instances-images-domain"></a>

The following shows how to use the console to set rules to hide Amazon SageMaker AI instance types and images from being displayed in the Amazon SageMaker Studio Classic UI on a *domain level*. For more information, see [Hide instance types and images in the Amazon SageMaker Studio UI](studio-updated-ui-customize-instances-images.md).

Once these changes are made on a domain level: 
+ These changes will not affect any currently open spaces.
+ These changes will impact the domain’s users’ *default* visibility from that point onward. 

  These default settings apply for all users in the domain who have *not* had these changes made to their individual user settings.
+ User level settings take priority over the domain level settings.

The customize Studio UI feature is not available in Amazon SageMaker Studio Classic.

## Hide instance types and images on a domain level instructions (console)
<a name="studio-updated-ui-customize-instances-images-domain-instructions-console"></a>

**To hide instance types and images in the Studio UI on a domain level (console)**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, choose the link to the domain you wish to edit.

1. On the **Domain details** page, choose **Domain settings**.

1. In the **Domain settings** tab, you can view the domain rules in the **Domain rules** section.

1. In the **Domain rules** section choose **Manage rules**.

1. On the **Manage domain rules** page choose a **Rule type**.

   Note that not all instance types and images are available in all AWS Regions.

   1. If you choose **Instance type**, you can use the **Hide** action to hide SageMaker AI instance types you choose in the dropdown list under **Instance types**.

   1. If you choose **Image**, you can use the **Hide** action to hide SageMaker images you choose under the dropdown list under **Image**.

1. (Optional) Choose **+ Add new rule** to add more rules.

1. Once you have reviewed your changes, choose **Submit**.

Once completed, you will see a green banner containing a success message at the top of the page.

## Hide instance types and images on a domain level instructions (AWS CLI)
<a name="studio-updated-ui-customize-instances-images-domain-instructions-cli"></a>

**Note**  
To use this feature you may need to update to the latest AWS CLI version. For more information, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

You can use the AWS CLI to customize the SageMaker AI instances and images displayed in the Studio UI on a domain level, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenInstanceTypes` to hide instance types and use `HiddenSageMakerImageVersionAliases` to hide SageMaker images. 

Note that when you use `HiddenSageMakerImageVersionAliases`:
+ The API only accepts minor `VersionAliases` (for example, `1.9`), rather than patch versions (for example, `1.9.1`).
+ You may enter unpublished versions through the CLI or SDK. However, these versions will not be displayed in the console and will be overwritten after the rules are edited through the console.

In the following example, for Code Editor, based on Code-OSS, Visual Studio Code - Open Source and JupyterLab, the following are being hidden for users by default in the domain `domainId`:
+ The instance types `ml.r6id.24xlarge` and `ml.r6id.32xlarge`.
+ The image `sagemaker_distribution` versions `1.9` and `1.8`.

```
aws sagemaker update-domain \
    --domain-id domainId \
    --default-user-settings '{
        "StudioWebPortalSettings": {
            "HiddenInstanceTypes": [ "ml.r6id.24xlarge", "ml.r6id.32xlarge" ],
            "HiddenSageMakerImageVersionAliases": [
                {
                    "SageMakerImageName": "sagemaker_distribution",
                    "VersionAliases": [ "1.9", "1.8" ]
                }
            ]
        }
    }'
```

Note that not all instance types and images are available in all AWS Regions.
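When hide rules are kept in version control, the two caveats above (minor aliases only, and console edits overwriting rules entered through the CLI or SDK) can be checked before and after each update. The following is an added example, not code from the AWS guide: the function names are hypothetical, and the `MAJOR.MINOR` pattern is an assumption based on the `1.9` and `1.9.1` examples. The same payload shape is passed to `--default-user-settings` for a domain or `--user-settings` for a user profile.

```python
import json
import re

# Assumption: a "minor" alias is MAJOR.MINOR, as in the guide's `1.9`;
# `1.9.1` is the guide's example of a patch alias the API does not accept.
MINOR_ALIAS = re.compile(r"\d+\.\d+")


def build_hide_settings(instance_types, image_aliases):
    """Return a StudioWebPortalSettings dict, or raise ValueError listing every bad alias."""
    bad = [
        f"{image}:{alias}"
        for image, aliases in image_aliases.items()
        for alias in aliases
        if not MINOR_ALIAS.fullmatch(alias)
    ]
    if bad:
        raise ValueError("patch or malformed VersionAliases: " + ", ".join(bad))
    return {
        "StudioWebPortalSettings": {
            # dict.fromkeys drops duplicates but keeps the order given.
            "HiddenInstanceTypes": list(dict.fromkeys(instance_types)),
            "HiddenSageMakerImageVersionAliases": [
                {"SageMakerImageName": image,
                 "VersionAliases": list(dict.fromkeys(aliases))}
                for image, aliases in image_aliases.items()
            ],
        }
    }


def dropped_rules(desired, current):
    """List hide rules present in `desired` but absent from `current`.

    `current` is the DefaultUserSettings (or UserSettings) object read back
    from the API. A non-empty result means the rules changed out of band,
    for example through a later console edit.
    """
    want = desired["StudioWebPortalSettings"]
    have = current.get("StudioWebPortalSettings", {})
    dropped = [
        f"instance:{itype}"
        for itype in want["HiddenInstanceTypes"]
        if itype not in have.get("HiddenInstanceTypes", [])
    ]
    have_aliases = {
        rule["SageMakerImageName"]: set(rule["VersionAliases"])
        for rule in have.get("HiddenSageMakerImageVersionAliases", [])
    }
    for rule in want["HiddenSageMakerImageVersionAliases"]:
        name = rule["SageMakerImageName"]
        for alias in rule["VersionAliases"]:
            if alias not in have_aliases.get(name, set()):
                dropped.append(f"image:{name}:{alias}")
    return dropped


if __name__ == "__main__":
    settings = build_hide_settings(
        ["ml.r6id.24xlarge", "ml.r6id.32xlarge"],
        {"sagemaker_distribution": ["1.9", "1.8"]},
    )
    # JSON string for --default-user-settings or --user-settings.
    print(json.dumps(settings))
```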

# Hide instance types and images on a user level
<a name="studio-updated-ui-customize-instances-images-user"></a>

**Warning**  
Customizing a user profile is a permanent action. If custom settings are saved, this user profile will overwrite the domain settings, and no longer dynamically update with the domain in the future.

The following shows how to use the console to set rules to hide Amazon SageMaker AI instance types and images from being displayed in the Amazon SageMaker Studio Classic UI on a *user level*. For more information, see [Hide instance types and images in the Amazon SageMaker Studio UI](studio-updated-ui-customize-instances-images.md).

This setting will take priority over the domain level settings.

The customize Studio UI feature is not available in Studio Classic.

## Hide instance types and images on a user level instructions (console)
<a name="studio-updated-ui-customize-instances-images-user-instructions-console"></a>

**To hide instance types and images in the Studio UI on a user level (console)**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, choose the link to the domain you wish to edit.

1. On the **Domain details** page, choose the **User profiles** tab.

1. In the **User profiles** section, choose the link to the user profile you wish to edit.

1. On the **User details** tab, you can view the rules applied to the user in the **User profile rules** section.

1. In the **User profile rules** section choose **Manage rules**.

1. On the **Manage user profile rules** page choose a **Rule type**.

   Note that not all instance types and images are available in all AWS Regions.

   1. If you choose **Instance type**, you can use the **Hide** action to hide SageMaker AI instance types you choose in the dropdown list under **Instance types**.

   1. If you choose **Image**, you can use the **Hide** action to hide SageMaker images you choose in the dropdown list under **Image**.

1. (Optional) Choose **+ Add new rule** to add more rules.

1. Once you have reviewed your changes, choose **Submit**.

Once completed, you will see a green banner containing a success message at the top of the page.

## Hide instance types and images on a user level instructions (AWS CLI)
<a name="studio-updated-ui-customize-instances-images-user-instructions-cli"></a>

**Note**  
To use this feature you may need to update to the latest AWS CLI version. For more information, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

You can use the AWS CLI to customize the applications and ML tools displayed in Studio on a user level, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenInstanceTypes` to hide instance types and use `HiddenSageMakerImageVersionAliases` to hide SageMaker images. 

Note that when you use `HiddenSageMakerImageVersionAliases`:
+ The API only accepts minor `VersionAliases` (for example, `1.9`), rather than patch versions (for example, `1.9.1`).
+ You may enter unpublished versions through the CLI or SDK. However, these versions will not be displayed in the console and will be overwritten after the rules are edited through the console.

In the following example, for Code Editor, based on Code-OSS, Visual Studio Code - Open Source and JupyterLab, the following are being hidden for user `userProfileName` in the domain `domainId`:
+ The instance types `ml.r6id.24xlarge` and `ml.r6id.32xlarge`.
+ The image `sagemaker_distribution` versions `1.9` and `1.8`.

```
aws sagemaker update-user-profile \
    --domain-id domainId \
    --user-profile-name userProfileName \
    --user-settings '{
        "StudioWebPortalSettings": {
            "HiddenInstanceTypes": [ "ml.r6id.24xlarge", "ml.r6id.32xlarge" ],
            "HiddenSageMakerImageVersionAliases": [
                {
                    "SageMakerImageName": "sagemaker_distribution",
                    "VersionAliases": [ "1.9", "1.8" ]
                }
            ]
        }
    }'
```

Note that not all instance types and images are available in all AWS Regions.

# Multiple domains overview
<a name="domain-multiple"></a>

**Important**  
Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see [Provide permissions for tagging SageMaker AI resources](security_iam_id-based-policy-examples.md#grant-tagging-permissions).  
[AWS managed policies for Amazon SageMaker AI](security-iam-awsmanpol.md) that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.

Having multiple Amazon SageMaker AI domains simplifies managing machine learning workflows for administrators of enterprises with diverse business units, teams, or projects. Each domain acts as a logically separate environment with its own configurations, settings, and user access controls. This compartmentalization enables organizations to enforce clear boundaries between different groups, teams, or use cases, enhancing the ability to securely allocate AWS resources and permissions on a broad and granular level.

The following provides information about creating multiple domains.
+ Amazon SageMaker AI supports the creation of multiple Amazon SageMaker AI domains in a single AWS Region for each account. 
+ Additional domains in an AWS Region have the same features and capabilities as the first domain in a Region.
+ Each domain can have distinct domain settings.
+ The same user profile cannot be added to multiple domains in a single Region within the same account.

For information about domain limits, see [Amazon SageMaker AI endpoints and quotas](https://docs.aws.amazon.com//general/latest/gr/sagemaker.html).

The following topics provide information on how to use tags for your domain.

**Topics**
+ [Automatic tag propagation](domain-multiple-tag.md)
+ [How domain resource display filtering works](domain-multiple-filtering.md)
+ [Backfill domain tags](domain-multiple-backfill.md)

# Automatic tag propagation
<a name="domain-multiple-tag"></a>

Tags allow you to categorize and label your resources based on various criteria, such as project, team, environment (for example, dev, staging, prod), or any other custom metadata. You can tag resources by your domain automatically when they are created within your domain. This makes it easier to identify and manage your resources across your domains. You can also use these tags for cost allocation using AWS Billing and Cost Management. For more information, see [Using AWS cost allocation tags](https://docs.aws.amazon.com//awsaccountbilling/latest/aboutv2/cost-alloc-tags.html).

By default, any SageMaker AI resources that support tagging and are created from within the Amazon SageMaker Studio or Amazon SageMaker Studio Classic UI after 11/30/2022 are automatically tagged with a domain ARN tag. The domain ARN tag is based on the domain ID of the domain that the resource is created in. 

To backfill your SageMaker AI resources, you can add the `sagemaker:domain-arn` tag to untagged resources by following the steps in [Backfill domain tags](domain-multiple-backfill.md).

The following list describes the only SageMaker AI resources that *do not* support automatic tag propagation, as well as the impacted API calls where the tag is not returned because it was not automatically set.

**Note**  
All SageMaker `List` APIs do not support tag-based resource isolation.   
The `default` app, which manages the Studio UI, is not automatically tagged.


|  SageMaker AI resource  |  Affected API calls  | 
| --- | --- | 
|  ImageVersionArn  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/domain-multiple-tag.html)  | 
|  ModelCardExportJobArn  | [describe-model-card-export-job](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/describe-model-card-export-job.html)  | 
|  ModelPackageArn  | [describe-model-package](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/describe-model-package.html)  | 

# How domain resource display filtering works
<a name="domain-multiple-filtering"></a>

Amazon SageMaker AI automatically filters the resources displayed in Studio or Studio Classic based on the Amazon SageMaker AI domain. This filtering is done by using the `sagemaker:domain-arn` tag attached to SageMaker AI resources. Resources created in other domains are automatically hidden.

**Note**  
This only applies to the Studio or Studio Classic UI. SageMaker AI does not support resource filtering using the AWS CLI by default. 

In Amazon SageMaker Studio or Amazon SageMaker Studio Classic, you'll only see resources that: 
+ Were created within the current domain.
+ Don't have the `sagemaker:domain-arn` tag associated with them. These untagged resources are either created outside the context of a domain or were created before 11/30/2022.

To improve resource filtering, you can add the `sagemaker:domain-arn` tag to untagged resources by following the steps in [Backfill domain tags](domain-multiple-backfill.md).

Additionally, all resources created in shared spaces are automatically filtered to that particular shared space.

# Backfill domain tags
<a name="domain-multiple-backfill"></a>

You can improve resource filtering by adding domain tags to untagged resources. If you have resources that are not tagged, you can backfill them.

If you have created resources in a domain before 11/30/2022, those resources are not automatically tagged with the domain Amazon Resource Name (ARN) tag.

To accurately attribute resources to their respective domain, you must add the domain tag to existing resources using the AWS CLI, as follows.

1. Map all existing SageMaker AI resources and their respective ARNs to the domains that exist in your account.

1. Run the following command from your local machine to tag the resource with the ARN of the resource's respective domain. This must be repeated for every SageMaker AI resource in your account.

   ```
   aws resourcegroupstaggingapi tag-resources \
       --resource-arn-list arn:aws:sagemaker:region:account-id:space/domain-id/space-name \
       --tags sagemaker:domain-arn=arn:aws:sagemaker:region:account-id:domain/domain-id
   ```
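
The following Python example is added here and is not part of the AWS documentation: it takes the resource-to-domain mapping from step 1 and emits the step 2 command once per domain, in batches of at most 20 ARNs (the `TagResources` request limit). Because the `sagemaker:domain-arn` tag decides which domain a resource is attributed to, a resource that already carries a different value is reported for review instead of being retagged. The helper names and every ARN in `sample_inputs` are constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

TAG_KEY = "sagemaker:domain-arn"
MAX_ARNS_PER_CALL = 20  # TagResources accepts between 1 and 20 ARNs per request
ARN_RE = re.compile(
    r"^arn:(aws[a-z-]*):sagemaker:([a-z0-9-]+):(\d{12}):([a-z0-9-]+)/.+$"
)


def scope(arn):
    """Return (partition, region, account, resource type) for a SageMaker ARN."""
    match = ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a SageMaker resource ARN: {arn!r}")
    return match.groups()


def plan_backfill(mapping, current_tags):
    """Plan the tagging commands for step 2.

    mapping:      resource ARN -> domain ARN (the result of step 1)
    current_tags: resource ARN -> sagemaker:domain-arn value already on the
                  resource, for example collected with `aws sagemaker list-tags`
    """
    batches = defaultdict(list)
    skipped, conflicts = [], []
    for resource_arn, domain_arn in sorted(mapping.items()):
        *resource_scope, _ = scope(resource_arn)
        *domain_scope, domain_type = scope(domain_arn)
        existing = current_tags.get(resource_arn)
        if domain_type != "domain" or resource_scope != domain_scope:
            conflicts.append(
                (resource_arn, "target is not a domain in the same Region and account"))
        elif existing == domain_arn:
            skipped.append(resource_arn)  # already attributed to this domain
        elif existing:
            # Retagging would move the resource into another domain's view.
            conflicts.append((resource_arn, f"already tagged for {existing}"))
        else:
            batches[domain_arn].append(resource_arn)

    commands = []
    for domain_arn, arns in sorted(batches.items()):
        for start in range(0, len(arns), MAX_ARNS_PER_CALL):
            commands.append(shlex.join([
                "aws", "resourcegroupstaggingapi", "tag-resources",
                "--resource-arn-list", *arns[start:start + MAX_ARNS_PER_CALL],
                "--tags", f"{TAG_KEY}={domain_arn}",
            ]))
    return {"commands": commands, "skipped": skipped, "conflicts": conflicts}


def sample_inputs():
    """Constructed data: the account, domain IDs and resource names are placeholders."""
    base = "arn:aws:sagemaker:us-east-1:111122223333"
    dom_a = f"{base}:domain/d-aaaaaaaaaaaa"
    dom_b = f"{base}:domain/d-bbbbbbbbbbbb"
    other_region = "arn:aws:sagemaker:eu-west-1:111122223333:domain/d-cccccccccccc"
    mapping = {f"{base}:training-job/job-{n:02d}": dom_a for n in range(22)}
    mapping[f"{base}:space/d-bbbbbbbbbbbb/shared-space"] = dom_b
    mapping[f"{base}:model/churn-model"] = dom_a        # already tagged for dom_b
    mapping[f"{base}:endpoint/churn-endpoint"] = dom_b  # already tagged for dom_b
    mapping[f"{base}:pipeline/nightly"] = other_region  # wrong Region in the mapping
    current_tags = {
        f"{base}:model/churn-model": dom_b,
        f"{base}:endpoint/churn-endpoint": dom_b,
    }
    return mapping, current_tags


if __name__ == "__main__":
    plan = plan_backfill(*sample_inputs())
    for command in plan["commands"]:
        print(command)
    for arn, reason in plan["conflicts"]:
        print(f"# needs review: {arn} ({reason})")
```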

# Isolate domain resources
<a name="domain-resource-isolation"></a>

**Important**  
Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see [Provide permissions for tagging SageMaker AI resources](security_iam_id-based-policy-examples.md#grant-tagging-permissions).  
[AWS managed policies for Amazon SageMaker AI](security-iam-awsmanpol.md) that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.

You can isolate resources between each of the domains in your account and AWS Region using an AWS Identity and Access Management (IAM) policy. Isolated resources can no longer be accessed from other domains. This topic discusses the conditions required for the IAM policy and how to apply them.

The resources that can be isolated by this policy are the resource types that have condition keys containing `aws:ResourceTag/${TagKey}` or `sagemaker:ResourceTag/${TagKey}`. For a reference on the SageMaker AI resources and associated condition keys, see [Actions, resources, and condition keys for Amazon SageMaker AI](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html).

**Warning**  
The resource types that *do not* contain the above condition keys (and therefore the [Actions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html#amazonsagemaker-actions-as-permissions) that use the resource types) are *not* impacted by this resource isolation policy. For example, the [pipeline-execution](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html#amazonsagemaker-pipeline-execution) resource type does *not* contain the above condition keys and is *not* impacted by this policy. Therefore, the following are a few actions with the pipeline-execution resource type that are *not* supported for resource isolation:
+ DescribePipelineExecution
+ StopPipelineExecution
+ UpdatePipelineExecution
+ RetryPipelineExecution
+ DescribePipelineDefinitionForExecution
+ ListPipelineExecutionSteps
+ SendPipelineExecutionStepSuccess
+ SendPipelineExecutionStepFailure

The following topic shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain. You must repeat this process for each domain in your account. For more information about domain tags and backfilling these tags, see [Multiple domains overview](domain-multiple.md).

## Console
<a name="domain-resource-isolation-console"></a>

The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain, from the Amazon SageMaker AI console. 

**Note**  
This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

1. Create an IAM policy named `StudioDomainResourceIsolationPolicy-domain-id` with the following JSON policy document by completing the steps in [Creating IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html). 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "CreateAPIs",
               "Effect": "Allow",
               "Action": "sagemaker:Create*",
               "NotResource": [
                   "arn:aws:sagemaker:*:*:domain/*",
                   "arn:aws:sagemaker:*:*:user-profile/*",
                   "arn:aws:sagemaker:*:*:space/*"
               ]
           },
           {
               "Sid": "ResourceAccessRequireDomainTag",
               "Effect": "Allow",
               "Action": [
                   "sagemaker:Update*",
                   "sagemaker:Delete*",
                   "sagemaker:Describe*"
               ],
               "Resource": "*",
               "Condition": {
                   "StringEquals": {
                       "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
                   }
               }
           },
           {
               "Sid": "AllowActionsThatDontSupportTagging",
               "Effect": "Allow",
               "Action": [
                   "sagemaker:DescribeImageVersion",
                   "sagemaker:UpdateImageVersion",
                   "sagemaker:DeleteImageVersion",
                   "sagemaker:DescribeModelCardExportJob",
                   "sagemaker:DescribeAction"
               ],
               "Resource": "*"
           },
           {
               "Sid": "DeleteDefaultApp",
               "Effect": "Allow",
               "Action": "sagemaker:DeleteApp",
               "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
           }
       ]
   }
   ```

1. Attach the `StudioDomainResourceIsolationPolicy-domain-id` policy to the domain's execution role by completing the steps in [Modifying a role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy). 

## AWS CLI
<a name="domain-resource-isolation-cli"></a>

The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the execution role of the domain, from the AWS CLI.

**Note**  
This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

1. Create a file named `StudioDomainResourceIsolationPolicy-domain-id` with the following content from your local machine.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "CreateAPIs",
               "Effect": "Allow",
               "Action": "sagemaker:Create*",
               "NotResource": [
                   "arn:aws:sagemaker:*:*:domain/*",
                   "arn:aws:sagemaker:*:*:user-profile/*",
                   "arn:aws:sagemaker:*:*:space/*"
               ]
           },
           {
               "Sid": "ResourceAccessRequireDomainTag",
               "Effect": "Allow",
               "Action": [
                   "sagemaker:Update*",
                   "sagemaker:Delete*",
                   "sagemaker:Describe*"
               ],
               "Resource": "*",
               "Condition": {
                   "StringEquals": {
                       "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
                   }
               }
           },
           {
               "Sid": "AllowActionsThatDontSupportTagging",
               "Effect": "Allow",
               "Action": [
                   "sagemaker:DescribeImageVersion",
                   "sagemaker:UpdateImageVersion",
                   "sagemaker:DeleteImageVersion",
                   "sagemaker:DescribeModelCardExportJob",
                   "sagemaker:DescribeAction"
               ],
               "Resource": "*"
           },
           {
               "Sid": "DeleteDefaultApp",
               "Effect": "Allow",
               "Action": "sagemaker:DeleteApp",
               "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
           }
       ]
   }
   ```

1. Create a new IAM policy using the `StudioDomainResourceIsolationPolicy-domain-id` file. 

   ```
   aws iam create-policy --policy-name StudioDomainResourceIsolationPolicy-domain-id --policy-document file://StudioDomainResourceIsolationPolicy-domain-id
   ```

1. Attach the newly created policy to a new or existing role that is used as the domain's execution role. 

   ```
   aws iam attach-role-policy --policy-arn arn:aws:iam::account-id:policy/StudioDomainResourceIsolationPolicy-domain-id --role-name domain-execution-role
   ```
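
The following Python example is added here and is not part of the AWS documentation: it fills the `domain-arn` and `domain-id` placeholders of the policy above for one domain, then reports which `Allow` statements are confined by the `sagemaker:domain-arn` tag, which by resource ARN, and which are not confined to the domain at all. The function names and the sample domain ARN are constructed for illustration.

```python
import json
import re

DOMAIN_TAG_KEY = "aws:ResourceTag/sagemaker:domain-arn"
DOMAIN_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:sagemaker:[a-z0-9-]+:\d{12}:domain/(?P<id>[a-z0-9-]+)$"
)
SAMPLE_DOMAIN_ARN = (  # constructed value, not a real domain
    "arn:aws:sagemaker:us-east-1:111122223333:domain/d-exampledomain"
)


def as_list(value):
    """IAM accepts a bare string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def domain_id_of(domain_arn):
    """Extract the domain ID, rejecting unfilled placeholders such as 'domain-arn'."""
    match = DOMAIN_ARN_RE.match(domain_arn)
    if not match:
        raise ValueError(f"not a SageMaker domain ARN: {domain_arn!r}")
    return match.group("id")


def render_policy(domain_arn):
    """Return the policy shown above with both placeholders filled for one domain."""
    domain_id = domain_id_of(domain_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CreateAPIs", "Effect": "Allow",
             "Action": "sagemaker:Create*",
             "NotResource": ["arn:aws:sagemaker:*:*:domain/*",
                             "arn:aws:sagemaker:*:*:user-profile/*",
                             "arn:aws:sagemaker:*:*:space/*"]},
            {"Sid": "ResourceAccessRequireDomainTag", "Effect": "Allow",
             "Action": ["sagemaker:Update*", "sagemaker:Delete*",
                        "sagemaker:Describe*"],
             "Resource": "*",
             "Condition": {"StringEquals": {DOMAIN_TAG_KEY: domain_arn}}},
            {"Sid": "AllowActionsThatDontSupportTagging", "Effect": "Allow",
             "Action": ["sagemaker:DescribeImageVersion",
                        "sagemaker:UpdateImageVersion",
                        "sagemaker:DeleteImageVersion",
                        "sagemaker:DescribeModelCardExportJob",
                        "sagemaker:DescribeAction"],
             "Resource": "*"},
            {"Sid": "DeleteDefaultApp", "Effect": "Allow",
             "Action": "sagemaker:DeleteApp",
             "Resource": f"arn:aws:sagemaker:*:*:app/{domain_id}/*/jupyterserver/default"},
        ],
    }


def audit(policy, domain_arn):
    """Sort Allow statements by how, or whether, they are confined to one domain."""
    domain_id = domain_id_of(domain_arn)
    report = {"tag_gated": [], "resource_scoped": [], "not_tag_gated": {}, "problems": []}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        gate = stmt.get("Condition", {}).get("StringEquals", {}).get(DOMAIN_TAG_KEY)
        if gate is not None:
            wrong = [value for value in as_list(gate) if value != domain_arn]
            if wrong:  # unfilled placeholder or another domain's ARN
                report["problems"].append(
                    f"{sid}: tag condition allows {wrong}, expected only {domain_arn}")
            else:
                report["tag_gated"].append(sid)
            continue
        resources = as_list(stmt.get("Resource", []))
        if "NotResource" in stmt or "*" in resources:
            # No domain-tag condition: these actions apply whatever the tag says.
            report["not_tag_gated"][sid] = as_list(stmt["Action"])
            continue
        report["resource_scoped"].append(sid)
        for arn in resources:
            if ":app/" in arn and f":app/{domain_id}/" not in arn:
                report["problems"].append(
                    f"{sid}: app resource {arn} is not limited to {domain_id}")
    return report


if __name__ == "__main__":
    rendered = render_policy(SAMPLE_DOMAIN_ARN)
    print(json.dumps(audit(rendered, SAMPLE_DOMAIN_ARN), indent=2))
```

Statements reported under `not_tag_gated` apply regardless of a resource's `sagemaker:domain-arn` tag, so they are the part of the policy that does not enforce the domain boundary.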

# Default settings for Amazon SageMaker AI domains
<a name="domain-set-defaults"></a>

With SageMaker AI, you can set default settings for your resources at the Amazon SageMaker AI domain level. These default settings are used in the creation of resources within the domain. The following sections list default settings for a domain and give information on using context keys when setting defaults.

**Topics**
+ [Domain default settings](#domain-set-defaults-domains)
+ [Context keys](#domain-set-defaults-context)

## Domain default settings
<a name="domain-set-defaults-domains"></a>

You can set the following defaults when creating or updating a domain. Values passed at the user profile and shared space level override defaults set at the domain level.
+ [DefaultUserSettings](https://docs.aws.amazon.com//sagemaker/latest/APIReference/API_UserSettings.html)
+ DefaultSpaceSettings
**Note**  
`DefaultSpaceSettings` only supports the use of JupyterLab 3 image ARNs for `SageMakerImageArn`. For more information, see [JupyterLab Versioning in Amazon SageMaker Studio Classic](studio-jl.md).

  ```
  "DefaultSpaceSettings": { 
        "ExecutionRole": "string",
        "JupyterServerAppSettings": { 
           "DefaultResourceSpec": { 
              "InstanceType": "string",
              "LifecycleConfigArn": "string",
              "SageMakerImageArn": "string",
              "SageMakerImageVersionArn": "string"
           },
           "LifecycleConfigArns": [ "string" ]
        },
        "KernelGatewayAppSettings": { 
           "CustomImages": [ 
              { 
                 "AppImageConfigName": "string",
                 "ImageName": "string",
                 "ImageVersionNumber": number
              }
           ],
           "DefaultResourceSpec": { 
              "InstanceType": "string",
              "LifecycleConfigArn": "string",
              "SageMakerImageArn": "string",
              "SageMakerImageVersionArn": "string"
           },
           "LifecycleConfigArns": [ "string" ]
        },
        "SecurityGroups": [ "string" ]
     }
  ```

## Context keys
<a name="domain-set-defaults-context"></a>

You can add context keys to the IAM policy that creates a domain. This restricts the values that users can pass for those fields. The following list shows the context keys that domains support and where they're implemented.
+ `sagemaker:ImageArns`
  + **Implemented as part of `DefaultUserSettings`:** `SageMakerImageArn` in `DefaultUserSettings.JupyterServerAppSettings` and `DefaultUserSettings.KernelGatewayAppSettings`. `CustomImages` in `DefaultUserSettings.KernelGatewayAppSettings`.
  + **Implemented as part of `DefaultSpaceSettings`:** `SageMakerImageArn` in `DefaultSpaceSettings.JupyterServerAppSettings` and `DefaultSpaceSettings.KernelGatewayAppSettings`. `CustomImages` in `DefaultSpaceSettings.KernelGatewayAppSettings`.
+ `sagemaker:VpcSecurityGroupIds`
  + **Implemented as part of `DefaultUserSettings`:** `SecurityGroups` in `DefaultUserSettings`.
  + **Implemented as part of `DefaultSpaceSettings`:** `SecurityGroups` in `DefaultSpaceSettings`.
+ `sagemaker:DomainSharingOutputKmsKey`

  **Implemented as part of `DefaultUserSettings`:** `S3KmsKeyId` in `DefaultSpaceSettings.SharingSettings`.

When you use context keys for the defaults, you cannot restrict users to values that are incompatible with each other. For example, the values for `SageMakerImageArn` set as part of `DefaultUserSettings` and `DefaultSpaceSettings` must be compatible. You cannot set incompatible default values.

# Custom tag propagation
<a name="custom-tags"></a>

 Amazon SageMaker AI supports the ability to propagate custom tags set at the domain, user profile, and space level to all of the SageMaker AI resources created in the context of Amazon SageMaker Studio, JupyterLab, Code Editor, based on Code-OSS, Visual Studio Code - Open Source, and Amazon SageMaker Canvas. With custom tag propagation, users can propagate their own custom tags to resources to improve cost tracking and tie resources to specific projects and teams. 

 To activate this feature, use the `TagPropagation` attribute in the [CreateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateDomain.html) and [UpdateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html) APIs. Custom tag propagation can only be set at the domain level, which means that all users and spaces in a domain use the feature when it is activated. It is not possible to modify custom tag propagation settings at the user profile or space level. For more information about using custom tag propagation, see [Add custom tags to resources](custom-tags-add.md). 

**Note**  
System tags added by AWS services on a domain, user profile, and space are not propagated. 

## Example use cases
<a name="custom-tags-use-cases"></a>

 Custom tag propagation is particularly useful for the following use cases. 
+  Track cost across all of the SageMaker AI resources created in Amazon SageMaker Studio. 
+  Track cost for SageMaker AI resources that are created in Amazon SageMaker Canvas. This includes models deployed on a SageMaker AI endpoint.
+  Track cost incurred for an Amazon DataZone project by propagating the Amazon DataZone project ID to all the resources created by Amazon SageMaker Studio. 

## Tag merging
<a name="custom-tags-use-merging"></a>

 With custom tag propagation activated, resources created at the user profile and space level take on the tags specified at the domain level, as well as those specified during user profile or space creation.

 SageMaker AI resources have a 50 tag limit. If the number of tags added to a resource exceeds 50, SageMaker AI returns an error during resource creation. We recommend limiting the number of tags to avoid this. For example, assume a user has 25 tags for their domain and 30 tags for their user profile. When the user creates a resource, a total of 55 tags propagate to the resource. Because the aggregate tag total exceeds 50, resource creation fails until the user removes at least 5 tags. 

**Note**  
By default, SageMaker AI automatically adds the `sagemaker:user-profile-arn`, `sagemaker:domain-arn`, or `sagemaker:space-arn` tag to SageMaker AI resources. SageMaker AI adds the ARN tag regardless of whether or not the domain is using custom tag propagation. These ARN tags also contribute toward the 50 tag limit. 

# Add custom tags to resources
<a name="custom-tags-add"></a>

 The following page demonstrates the steps needed to use custom tag propagation. Custom tag propagation requires the following steps: 
+  Opt-in to custom tag propagation 
+  Add custom tags to resources 

 When you activate custom tag propagation in an existing domain, tag propagation does not work for existing applications until the application is restarted. Similarly, tags are not updated on an existing resource when new custom tags are added. For example, assume a domain has two tags and a user creates a resource in that domain. The resource then has two tags. If a new tag is added to the domain, then that new tag is not added to the existing resource. However, any new resource created will have the new tag attached to the resource.

## Prerequisites
<a name="custom-tags-add-prereq"></a>
+  Users must have the `sagemaker:AddTags` permission for any resource creation. 
  +  For new domains created with the `SageMakerFullAccess` managed policy or using the SageMaker Role Manager, the `sagemaker:AddTags` permission is pre-populated. 
  +  For existing domains using custom AWS Identity and Access Management policies, you must update the policies to include the `sagemaker:AddTags` permission to allow users to create resources.

## Opt-in to custom tag propagation
<a name="custom-tags-add-opt-in"></a>

The process to opt in to custom tag propagation depends on whether you opt in from the console or from the AWS CLI. From the console, you can only opt in to custom tag propagation by updating an existing domain. From the AWS CLI, you can opt in to custom tag propagation when creating a domain or updating an existing domain.



### Opt-in from the console
<a name="custom-tags-add-opt-in-console"></a>

The following steps outline how to opt-in to custom tag propagation from the console. You can only opt-in to custom tag propagation from the console by updating an existing domain.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation, select **Admin configurations**. Under **Admin configurations**, select **Domains**.

1. On the **Domains** page, select the domain that you want to activate custom tag propagation for.

1. From the **Domain details** page, select the **Domain settings** tab.

1. On the **Domain settings** tab, navigate to **Custom Tag Propagation**.

1. Select **Edit**.

1. From the **Edit custom tag propagation** page, select **Automatically propagate custom tags**.

1. Select **Submit**.

### Opt-in using the AWS CLI
<a name="custom-tags-add-opt-in-cli"></a>

 To opt-in to custom tag propagation using the AWS CLI, use the `TagPropagation` attribute in the [CreateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateDomain.html) and [UpdateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html) APIs. By default, the value of this field is `DISABLED`. An empty value also defaults to `DISABLED`. The following example shows how to activate custom tag propagation. 

```
aws sagemaker update-domain \
--domain-id domain-id \
--region region \
--tag-propagation ENABLED
```

## Add custom tags
<a name="custom-tags-add-tags"></a>

The process to add custom tags for propagation depends on whether you add them from the console or from the AWS CLI.

### Add from the console
<a name="custom-tags-add-tags-console"></a>

The following steps outline how to add custom tags to a domain from the console.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation, select **Admin configurations**. Under **Admin configurations**, select **Domains**.

1. On the **Domains** page, select the domain that you want to add custom tags to.

1. From the **Domain details** page, select the **Domain settings** tab.

1. On the **Domain settings** tab, navigate to **Tags**.

1. Select **Edit**.

1. From the **Tags** page, select **Add tag**. Add a key and value pair for the custom tag.

1. Select **Save**. This custom tag is now propagated to the SageMaker AI resources created in the domain.

The following steps outline how to add custom tags to a user profile from the console.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation, select **Admin configurations**. Under **Admin configurations**, select **Domains**.

1. On the **Domains** page, select the domain containing the user profile that you want to add custom tags to.

1. From the **Domain details** page, select the **User profiles** tab.

1. On the **User profiles** tab, select the user profile you want to add custom tags to.

1. On the **User Details** tab, navigate to the **Details** section.

1. Select **Edit**.

1. From the **Tags** section, select **Add tag**. Add a key and value pair for the custom tag.

1. Select **Submit**. This custom tag is now propagated to the SageMaker AI resources created in the domain.

### Add using the AWS CLI
<a name="custom-tags-add-tags-cli"></a>

After you have activated custom tag propagation, you can add custom tags using the AWS CLI at the domain, user profile, or space level during creation or update. The method to add custom tags differs depending on whether you are creating a new resource or adding tags to an existing resource.

 The following example shows how to add custom tags at the domain level during creation. 

```
aws sagemaker create-domain \
    --domain-name domain-id \
    --auth-mode IAM \
    --default-user-settings '{"ExecutionRole": "execution-role"}' \
    --subnet-ids subnet-id \
    --vpc-id vpc-id \
    --tags Key=key,Value=value \
    --tag-propagation ENABLED
```

You must use the [AddTags](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_AddTags.html) API to add custom tags for existing domains, user profiles, and spaces as follows.

```
aws sagemaker add-tags \
--resource-arn resource-arn-to-attach-tags \
--tags Key=key,Value=value
```

# Opt-out of custom tag propagation
<a name="custom-tags-opt-out"></a>

The process to opt out of custom tag propagation depends on whether you opt out from the console or from the AWS CLI.

## Opt-out from the console
<a name="custom-tags-opt-out-console"></a>

The following steps outline how to opt-out of custom tag propagation from the console. You can only opt-out of custom tag propagation from the console by updating an existing domain.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation, select **Admin configurations**. Under **Admin configurations**, select **Domains**.

1. On the **Domains** page, select the domain that you want to opt-out of custom tag propagation for.

1. From the **Domain details** page, select the **Domain settings** tab.

1. On the **Domain settings** tab, navigate to **Custom Tag Propagation**.

1. Select **Edit**.

1. From the **Edit custom tag propagation** page, select **Automatically propagate custom tags**.

1. Select **Submit**.

## Opt-out using the AWS CLI
<a name="custom-tags-opt-out-cli"></a>

To opt-out of custom tag propagation, set the `TagPropagation` attribute in the [CreateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateDomain.html) and [UpdateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html) APIs to `DISABLED` as shown in the following example. By default, the value of this field is `DISABLED`. An empty value also defaults to `DISABLED`.  

**Note**  
Tag propagation is not automatically turned off for existing applications when `TagPropagation` is set to `DISABLED`. Applications must be restarted for opt-out to take effect for existing apps. 

```
aws sagemaker update-domain \
--domain-id domain-id \
--region region \
--tag-propagation DISABLED
```

# Adding a custom file system to a domain
<a name="domain-custom-file-system"></a>

When you create a domain, Amazon SageMaker AI adds a default Amazon Elastic File System (Amazon EFS) volume to the domain. SageMaker AI creates this volume for you. You also have the option to add a custom Amazon EFS or a custom Amazon FSx for Lustre file system that you've created. After you add it, your file system is available to users who belong to your domain. Your users can access the file system when they use Amazon SageMaker Studio. They can attach the file system to spaces that they create for the following supported applications: 
+ JupyterLab
+ Code Editor

After running a space and starting the application, your users can access any data, code, or other artifacts that your file system contains.

You can enable your users to access your file system in the following ways:
+ Through *shared spaces* – A shared space can be created by any user who belongs to your domain. Then, it can be used by any user who belongs to your domain.
+ Through *private spaces* – A private space can be created by any user who belongs to your domain. Then, it can be used by only that user.
+ Exclusively as an individual user – If you don't want to enable all of your users to access the file system, you can enable only a specific user to access it. If you do that, the file system is available only in private spaces that the specific user creates.

You can add a custom file system by using the Amazon SageMaker API, the AWS SDKs, or the AWS CLI. You can't add a custom file system by using the SageMaker AI console.

## Prerequisites
<a name="domain-custom-file-system-prereqs"></a>

Before you can add a custom file system to a domain, you must meet the following requirements:
+ You have a domain in SageMaker AI. Before you can add a file system, you need the domain ID. You can look up the ID by using the SageMaker AI console. You can also run the [https://docs.aws.amazon.com/cli/latest/reference/sagemaker/list-domains.html](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/list-domains.html) command with the AWS CLI.
+ You have an Amazon EFS or FSx for Lustre file system in your AWS account. 

------
#### [ For Amazon EFS ]
  + For the steps to create an Amazon EFS, see [Create your Amazon EFS file system](https://docs.aws.amazon.com/efs/latest/ug/gs-step-two-create-efs-resources.html) in the *Amazon Elastic File System User Guide*.
  + Before Studio can access your file system, it must have a mount target in each of the subnets that you associate with the domain. For more information about assigning mount targets to subnets, see [Creating and managing mount targets and security groups](https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html) in the *Amazon Elastic File System User Guide*.
  + For each mount target, you must add the security group that Amazon SageMaker AI created in your AWS account when you created the domain. The security group name has the format `security-group-for-inbound-nfs-domain-id`. For instructions on how to obtain your domain ID, see [View domains](domain-view.md).
  + Your IAM permissions must allow you to use the `elasticfilesystem:DescribeMountTargets` action. For more information about this action, see [Actions, resources, and condition keys for Amazon Elastic File System](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticfilesystem.html) in the *Service Authorization Reference*.

------
#### [ For FSx for Lustre ]
  + For the steps to create a FSx for Lustre file system, see [Getting started with Amazon FSx for Lustre](https://docs.aws.amazon.com/fsx/latest/LustreGuide/getting-started.html.html) in the *Amazon FSx for Lustre User Guide*. Ensure that the FSx for Lustre file system exists in:
    + The same Amazon VPC as your domain.
    + One of the subnets present in your domain.
  + Before Studio can access the FSx for Lustre file system, you must add your domain's security group to all of the elastic network interfaces (ENIs) in your FSx for Lustre file system. Without this step, the app creation fails with an error. Use the following instructions to add the domain security group to your FSx for Lustre file system ENIs. 

**Add your domain security group to FSx for Lustre file system ENIs (console)**

    1. Navigate to the [Amazon FSx console](https://console.aws.amazon.com/fsx).

    1. Choose **File systems**.

    1. Choose your FSx for Lustre file system by using the corresponding link under **File system ID**.

    1. If not selected already, choose the **Network & security** tab.

    1. Under **Subnet**, choose **To see all the ENIs, see the Amazon EC2 console**. This takes you to the Amazon EC2 console, which shows all of the ENIs linked to your FSx for Lustre file system.

    1. For each ENI:

       1. Choose the ENI by choosing the corresponding link under **Network interface ID**.

       1. Choose **Actions** at the top right of the summary page to expand a drop-down menu.

       1. In the drop-down menu, choose **Choose security group**.

       1. Search for your domain security group.

          The security group name has the format `security-group-for-inbound-nfs-domain-id`. For instructions on how to obtain your domain ID, see [View domains](domain-view.md). 

       1. Choose **Add security group**.

------
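
The mount target and security group prerequisites above can be checked before you attach an Amazon EFS file system. The following Python sketch is an added example, not part of the AWS documentation. It assumes you have saved the JSON output of `aws sagemaker describe-domain`, `aws ec2 describe-security-groups`, `aws efs describe-mount-targets`, and `aws efs describe-mount-target-security-groups`; the function names and all IDs are hypothetical, and the sample data is constructed.

```python
import json

# Constructed sample data, shaped like the JSON printed by the AWS CLI
# commands named in the lead-in. All IDs are placeholders.
DOMAIN = {"DomainId": "d-example123",
          "SubnetIds": ["subnet-0a", "subnet-0b", "subnet-0c"]}
SECURITY_GROUPS = [
    {"GroupId": "sg-0nfs",
     "GroupName": "security-group-for-inbound-nfs-d-example123"},
    {"GroupId": "sg-0web", "GroupName": "web-tier"},
]
MOUNT_TARGETS = json.loads("""
[
  {"MountTargetId": "fsmt-01", "SubnetId": "subnet-0a", "LifeCycleState": "available"},
  {"MountTargetId": "fsmt-02", "SubnetId": "subnet-0b", "LifeCycleState": "available"}
]
""")
# Mount target ID -> security group IDs attached to that mount target.
GROUPS_BY_TARGET = {"fsmt-01": ["sg-0nfs"], "fsmt-02": ["sg-0web"]}


def domain_nfs_group_id(domain_id, security_groups):
    """Resolve the group that SageMaker AI created for the domain by its name."""
    wanted = f"security-group-for-inbound-nfs-{domain_id}"
    matches = [g["GroupId"] for g in security_groups if g["GroupName"] == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one group named {wanted}")
    return matches[0]


def audit_mount_targets(domain, mount_targets, groups_by_target, nfs_group_id):
    """Return (subnet, problem) pairs for every domain subnet that Studio
    could not use to reach the file system."""
    findings = []
    by_subnet = {mt["SubnetId"]: mt for mt in mount_targets}
    for subnet in domain["SubnetIds"]:
        target = by_subnet.get(subnet)
        if target is None:
            findings.append((subnet, "no mount target in this domain subnet"))
        elif target["LifeCycleState"] != "available":
            findings.append((subnet, f'{target["MountTargetId"]} is '
                                     f'{target["LifeCycleState"]}'))
        elif nfs_group_id not in groups_by_target.get(target["MountTargetId"], []):
            findings.append((subnet, f'{target["MountTargetId"]} is missing '
                                     f'security group {nfs_group_id}'))
    return findings


if __name__ == "__main__":
    group_id = domain_nfs_group_id(DOMAIN["DomainId"], SECURITY_GROUPS)
    for subnet, problem in audit_mount_targets(
            DOMAIN, MOUNT_TARGETS, GROUPS_BY_TARGET, group_id):
        print(f"{subnet}: {problem}")
```

An empty result means that every subnet associated with the domain has an available mount target that carries the domain's NFS security group.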

## Adding a custom file system to a domain with the AWS CLI
<a name="domain-custom-file-system-cli"></a>

To add a custom file system to a domain or user profile with the AWS CLI, you pass a `CustomFileSystemConfigs` definition when you use any of the following commands:
+ [https://docs.aws.amazon.com/cli/latest/reference/sagemaker/create-domain.html](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/create-domain.html)
+ [https://docs.aws.amazon.com/cli/latest/reference/sagemaker/update-domain.html](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/update-domain.html)
+ [https://docs.aws.amazon.com/cli/latest/reference/sagemaker/create-user-profile.html](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/create-user-profile.html)
+ [https://docs.aws.amazon.com/cli/latest/reference/sagemaker/update-user-profile.html](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/update-user-profile.html)

The following examples show how to add a file system to an existing domain or user profile.

**To add a file system that is accessible in shared spaces**
+ Update the default space settings for your domain. The following example adds the file system settings to the default space settings:

  ```
  aws sagemaker update-domain --domain-id domain-id \
  --default-space-settings file://file-system-settings.json
  ```

  This example passes the file system configuration as a JSON file, which is shown in a later example.

**To add a file system that is accessible in private spaces**
+ Update the default user settings for your domain. The following example adds the file system settings to the default user settings:

  ```
  aws sagemaker update-domain --domain-id domain-id \
  --default-user-settings file://file-system-settings.json
  ```

  This example passes the file system configuration as a JSON file, which is shown in a later example.

**To add a file system that is accessible only to an individual user**
+ Update the user profile for the user. The following example adds the file system settings to a user profile:

  ```
  aws sagemaker update-user-profile --domain-id domain-id \
  --user-profile-name user-profile-name \
  --user-settings file://file-system-settings.json
  ```

  This example passes the file system configuration as a JSON file, which is shown in the following example.

**Example file system settings file**  
The file in the preceding examples, `file-system-settings.json`, has the following settings:  

```
{
    "CustomFileSystemConfigs":
    [
        {
            "FSxLustreFileSystemConfig":
            {
              "FileSystemId": "file-system-id",
              "FileSystemPath": "/"
            }
        }
    ]
}
```
This example configuration has the following keys:    
`CustomFileSystemConfigs`  
Settings for custom file systems (only Amazon EFS file systems are supported).  
`FSxLustreFileSystemConfig`  
Settings for custom FSx for Lustre file systems.  
`FileSystemId`  
The ID of your Amazon EFS file system.  
`FileSystemPath`  
The path to the file system directory that is accessible to the domain users in their spaces in Studio. Permitted users can access only this directory and below. The default path is the file system root: `/`.

```
{
    "CustomFileSystemConfigs":
    [
        {
            "EFSFileSystemConfig":
            {
                "FileSystemId": "file-system-id",
                "FileSystemPath": "/"
            }
        }
    ]
}
```
This example configuration has the following keys:    
`CustomFileSystemConfigs`  
Settings for custom file systems (only Amazon EFS file systems are supported).  
`EFSFileSystemConfig`  
Settings for custom Amazon EFS file systems.  
`FileSystemId`  
The ID of your Amazon EFS file system.  
`FileSystemPath`  
The path to the file system directory that is accessible to the domain users in their spaces in Studio. Permitted users can access only this directory and below. The default path is the file system root: `/`.

When you assign a file system to the default space settings for a domain, you must also include the execution role in the settings:  

```
{
    "ExecutionRole": "execution-role-arn"
}
```
This example configuration has the following key:    
`ExecutionRole`  
The default execution role for the users of the domain.

If you want to apply POSIX permissions for your file system, you can also pass the following settings to the `create-domain` or `create-user-profile` commands:  

```
{
    "CustomPosixUserConfig":
    {
        "Uid": UID,
        "Gid": GID
    }
}
```
This example configuration has the following keys:    
`CustomPosixUserConfig`  
The default POSIX identities that are used for file system operations. You can use these settings to apply your existing POSIX permission structure to the user profiles that access the custom file system. At a POSIX permissions level, you can control which users can access the file system and which files or data they can access.  
You can also apply `CustomPosixUserConfig` settings when you create a user profile by using the `create-user-profile` command. The settings that you apply to a user profile override those that you apply to the associated domain.  
You can apply `CustomPosixUserConfig` settings when you use the `create-domain` and `create-user-profile` commands. However, you can't apply these settings when you do the following:  
+ Use the `update-domain` command for a domain that is already associated with any user profiles. You can apply these settings only to domains that have no user profiles.
+ Use the `update-user-profile` command. To apply these settings to a profile that you've already created, delete the profile, and create a new one that has the updated settings.  
`Uid`  
The POSIX user ID. The default is 200001.  
`Gid`  
The POSIX group ID. The default is 1001.
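
Because `FileSystemPath` decides how much of the file system users can reach, and `CustomPosixUserConfig` is accepted only by some commands, it helps to review a settings file before passing it to the AWS CLI. The following Python sketch is an added example, not part of the AWS documentation. The function name, the sample settings, and the role ARN are constructed; the checks that each entry holds exactly one file system type, that the path is absolute, and that it contains no `..` component are assumptions drawn from the examples on this page.

```python
FS_KINDS = ("EFSFileSystemConfig", "FSxLustreFileSystemConfig")

# Constructed sample settings files (placeholders, not real resources).
BROAD_SETTINGS = {
    "CustomFileSystemConfigs": [
        {"EFSFileSystemConfig": {"FileSystemId": "fs-example", "FileSystemPath": "/"}}
    ],
    "CustomPosixUserConfig": {"Uid": 200001, "Gid": 1001},
}
SCOPED_SETTINGS = {
    "ExecutionRole": "arn:aws:iam::111122223333:role/example-role",
    "CustomFileSystemConfigs": [
        {"EFSFileSystemConfig": {"FileSystemId": "fs-example",
                                 "FileSystemPath": "/teams/ml"}}
    ],
}


def review_file_system_settings(settings, command, option, domain_has_profiles=True):
    """Return (errors, warnings) for a settings document.

    command: create-domain, update-domain, create-user-profile or update-user-profile
    option:  default-space-settings, default-user-settings or user-settings
    """
    errors, warnings = [], []
    configs = settings.get("CustomFileSystemConfigs") or []
    if not configs:
        errors.append("CustomFileSystemConfigs is missing or empty")
    for index, entry in enumerate(configs):
        kinds = [kind for kind in FS_KINDS if kind in entry]
        if len(kinds) != 1:  # assumption: one file system type per entry
            errors.append(f"entry {index}: expected exactly one of {FS_KINDS}")
            continue
        config = entry[kinds[0]]
        if not config.get("FileSystemId"):
            errors.append(f"entry {index}: FileSystemId is required")
        path = config.get("FileSystemPath", "/")  # the default is the root
        parts = [part for part in path.split("/") if part not in ("", ".")]
        if not path.startswith("/"):
            errors.append(f"entry {index}: FileSystemPath must be absolute")
        elif ".." in parts:
            errors.append(f"entry {index}: FileSystemPath must not contain '..'")
        elif not parts:
            warnings.append(f"entry {index}: FileSystemPath is the root, so "
                            "users can reach the whole file system")
    # Default space settings must also carry the execution role.
    if option == "default-space-settings" and not settings.get("ExecutionRole"):
        errors.append("default space settings must include ExecutionRole")
    posix = settings.get("CustomPosixUserConfig")
    if posix is not None:
        for key in ("Uid", "Gid"):
            value = posix.get(key)
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                errors.append(f"CustomPosixUserConfig.{key} must be a "
                              "non-negative integer")
        # POSIX identities can be set only at creation time.
        if command == "update-user-profile":
            errors.append("CustomPosixUserConfig cannot be applied with "
                          "update-user-profile; delete and re-create the profile")
        elif command == "update-domain" and domain_has_profiles:
            errors.append("CustomPosixUserConfig cannot be applied with "
                          "update-domain once the domain has user profiles")
    return errors, warnings


if __name__ == "__main__":
    print(review_file_system_settings(
        BROAD_SETTINGS, "update-domain", "default-space-settings"))
```

Narrowing `FileSystemPath` to the directory that users need removes the root-path warning, as `SCOPED_SETTINGS` shows.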

## Attaching a custom file system to a space with the AWS CLI
<a name="space-custom-efs-cli"></a>

After you add a custom file system to a domain, the domain users can attach the file system to spaces that they create. For instance, they can attach the file system when they use Studio or the [create-space](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/create-space.html) command with the AWS CLI.

**To attach a custom file system to a space**
+ Add the file system configuration to the space settings. The following example command attaches a file system to a new space.

  ```
  aws sagemaker create-space \
  --space-name space-name \
  --domain-id domain-id \
  --ownership-settings "OwnerUserProfileName=user-profile-name" \
  --space-sharing-settings "SharingType=Private" \
  --space-settings file://space-settings.json
  ```

  In this example, the file `space-settings.json` has the following settings, which include the `CustomFileSystems` configuration with the `FileSystemId` key.

------
#### [ For your FSx for Lustre file systems ]

  ```
  {
      "AppType": "JupyterLab",
      "JupyterLabAppSettings":
      {
          "DefaultResourceSpec":
          {
            "InstanceType": "instance-type"
          }
      },
      "CustomFileSystems":
      [
          {
              "FSxLustreFileSystem":
              {
                "FileSystemId": "file-system-id"
              }
          }
      ]
  }
  ```

------
#### [ For your Amazon EFS file systems ]

  ```
  {
      "AppType": "JupyterLab",
      "JupyterLabAppSettings":
      {
          "DefaultResourceSpec":
          {
              "InstanceType": "instance-type"
          }
      },
      "CustomFileSystems":
      [
          {
              "EFSFileSystem":
              {
                  "FileSystemId": "file-system-id"
              }
          }
      ]
  }
  ```

------

  SageMaker AI creates a symbolic link at the following path: `/home/sagemaker-user/custom-file-systems/file-system-type/file-system-id`. With this, the domain users can navigate to the custom file system from within their home directory, `/home/sagemaker-user`.

# View domain environment details
<a name="domain-space-environment"></a>

This page gives information about modifications to the Amazon SageMaker AI domain environment. Complete the following procedure to view the custom images, lifecycle configurations, and git repositories attached to a domain environment.

 **Open the Environment page** 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1.  From the list of domains, select a domain to open the **Environment** page. 

1. On the **domain details** page, choose the **Environment** tab. 

 For more information about bringing a custom Amazon SageMaker Studio Classic image, see [Bring your own SageMaker image](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-byoi.html). 

 For more information about bringing a custom RStudio image, see [Bring your own image to RStudio on SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/rstudio-byoi.html). 

 For instructions on using a lifecycle configuration with Studio Classic, see [Use Lifecycle Configurations with Amazon SageMaker Studio](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-lcc.html). 

For information about attaching a git repository to a domain, see [Attach Suggested Git Repos to SageMaker AI](https://docs.aws.amazon.com//sagemaker/latest/dg/studio-git-attach.html). 

These can also be attached to a shared space using the AWS CLI by passing values to the [create-space](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sagemaker/create-space.html) command using the `space-settings` parameter.

# View domains
<a name="domain-view"></a>

The following section shows how to view a list of your domains, and details of an individual domain from the SageMaker AI console or the AWS CLI. 

## Console
<a name="domain-view-console"></a>

 The console's domain overview page gives information about the structure of a domain, and it provides a list of your domains. The page's domain structure diagram describes domain components and how they interact with each other. 

The following procedure shows how to view a list of your domains from the SageMaker AI console. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

To view the details of the domain, complete the following procedure. This page gives information about the general settings for the domain, including the name, domain ID, execution role used to create the domain, and the authentication method of the domain.  

1.  From the list of domains, select the domain for which you want to open the **domain settings** page. 

1.  On the **domain details** page, choose the **domain settings** tab. 

## AWS CLI
<a name="domain-view-cli"></a>

 Run the following command from the terminal of your local machine to view a list of domains from the AWS CLI. 

```
aws sagemaker list-domains --region region
```

# Edit domain settings
<a name="domain-edit"></a>

You can edit the settings of a domain from the SageMaker AI console or the AWS CLI. The following considerations apply when updating the settings of a domain.
+ If `DefaultUserSettings` and `DefaultSpaceSettings` are set, they cannot be unset.
+ `DefaultUserSettings.ExecutionRole` can only be updated if there are no applications running in any user profile within the domain. This value cannot be unset.
+ `DefaultSpaceSettings.ExecutionRole` can only be updated if there are no applications running in any of the shared spaces within the domain. This value cannot be unset.
+ If the domain was created in **VPC only** mode, SageMaker AI automatically applies updates to the security group settings defined for the domain to all shared spaces created in the domain.
+ `DomainId` and `DomainName` cannot be edited.

 The following section shows how to edit domain settings from the SageMaker AI console or the AWS CLI. 

## Console
<a name="domain-edit-console"></a>

 You can edit the domain from the SageMaker AI console using the following procedure. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1.  From the list of domains, select the domain for which you want to open the **domain settings** page. 

1. On the **domain details** page, you can configure and manage your domain details by choosing the appropriate tab. 

1. To configure the general settings, on the **domain details** page choose the **domain settings** tab then choose **Edit**.

## AWS CLI
<a name="domain-edit-cli"></a>

 Run the following command from the terminal of your local machine to update a domain from the AWS CLI. For more information about the structure of `default-user-settings`, see [CreateDomain](https://docs.aws.amazon.com//sagemaker/latest/APIReference/API_CreateDomain.html#API_CreateDomain_RequestSyntax).

```
aws sagemaker update-domain \
--domain-id domain-id \
--default-user-settings default-user-settings \
--default-space-settings default-space-settings \
--domain-settings-for-update settings-for-update \
--region region
```

# Delete an Amazon SageMaker AI domain
<a name="gs-studio-delete-domain"></a>

This page explains how to delete a domain and the requirements needed. A domain consists of a list of authorized users, configuration settings, and an Amazon Elastic File System (Amazon EFS) volume. The Amazon EFS volume contains data for the users, including notebooks, resources, and artifacts. A user can have multiple applications (apps) which support the reading and execution experience of the user’s notebooks, terminals, and consoles. You can delete your domain using one of the following:
+ AWS console
+ AWS Command Line Interface (AWS CLI)
+ SageMaker SDK

## Requirements
<a name="gs-studio-delete-domain-requirements"></a>

You must satisfy the following requirements to delete a domain.
+ You must have admin permission to delete a domain.
+ You can only delete an app with the status `InService` displayed as **Ready** in the domain. To delete the containing domain, you don't need to delete an app whose status is `Failed`. In the domain, an attempt to delete an app in the failed state results in an error.
+ To delete a domain, the domain cannot contain any user profiles or shared spaces. To delete a user profile or shared space, the user profile or space cannot contain any non-failed apps.

  When you delete these resources, the following occurs:
  + App – The data (files and notebooks) in a user's home directory is saved. Unsaved notebook data is lost.
  + User profile – The user can no longer sign in to the domain. The user loses access to their home directory, but the data is not deleted. An admin can retrieve the data from the Amazon EFS volume where it is stored under the user's AWS account.
+ To switch authentication modes from IAM to IAM Identity Center, you must delete the domain.

## EFS files
<a name="gs-studio-delete-domain-efs"></a>

Your files are kept in an Amazon EFS volume as a backup. This backup includes the files in the mounted directory, which is `/home/sagemaker-user` for Amazon SageMaker Studio Classic and `/root` for kernels. 

When you delete files from these mounted directories, the kernel or app may move the deleted files into a hidden trash folder. If the trash folder is inside the mounted directory, those files are copied into the Amazon EFS volume and will incur charges. To avoid these Amazon EFS charges, you must identify and clean the trash folder location. The trash folder location for default apps and kernels is `~/.local/`. This may vary depending on the Linux distribution used for custom apps or kernels. For more information about the Amazon EFS volume, see [Manage Your Amazon EFS Storage Volume in Amazon SageMaker Studio Classic](studio-tasks-manage-storage.md).

When you use the SageMaker AI console to delete the domain, the Amazon EFS volume is detached but not deleted. The same behavior occurs by default when you use the AWS CLI or the SageMaker Python SDK to delete the domain. However, when you use the AWS CLI or the SageMaker Python SDK, you can set the `RetentionPolicy` to `HomeEfsFileSystem=Delete`. This deletes the Amazon EFS volume along with the domain.

## Delete an Amazon SageMaker AI domain (console)
<a name="gs-studio-delete-domain-studio"></a>

**Important**  
When a user, space, or domain is deleted, the Amazon EFS volume that contains the corresponding data will be lost. This includes notebooks and other artifacts.

**To delete a domain**

1. Open the [SageMaker AI console](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations** to expand the options, if not already expanded.

1. Under **Admin configurations**, choose **Domains**. 

1. Select the domain name link that you want to delete.

1. Choose the **User profiles** tab.

1. Repeat the following steps for each user in the **User profiles** list.

   1. Choose the user name link.

   1. If not already selected, choose the **User Details** tab.

   1. Find any apps and spaces and choose **Delete** under the corresponding **Action** column.

   1. Follow the delete instructions.

   1. Once all of the apps and spaces have **Status** as **Deleted**, choose **Delete** at the top right of the page.

   1. Follow the delete instructions.

1. When all users are deleted, choose the **Space management** tab.

1. Repeat the following steps for each space in the **Spaces** list.

   1. Select the bubble corresponding to the space.

   1. Choose **Delete**.

   1. Follow the delete instructions.

1. When all users and spaces are deleted, choose the **Domain settings** tab.

1. Find the **Delete domain** section.

1. Choose **Delete domain**. If this button is not available, you must repeat the previous steps to delete all spaces and users.

1. Follow the delete instructions.

## Delete an Amazon SageMaker AI domain (AWS CLI)
<a name="gs-studio-delete-domain-cli"></a>

**To delete a domain**

1. Retrieve the list of domains in your account.

   ```
   aws --region Region sagemaker list-domains
   ```

1. Retrieve the list of applications for the domain to be deleted.

   ```
   aws --region Region sagemaker list-apps \
       --domain-id-equals DomainId
   ```

1. Delete each application in the list.

   ```
   aws --region Region sagemaker delete-app \
       --domain-id DomainId \
       --app-name AppName \
       --app-type AppType \
       --user-profile-name UserProfileName
   ```

1. Retrieve the list of user profiles in the domain.

   ```
   aws --region Region sagemaker list-user-profiles \
       --domain-id-equals DomainId
   ```

1. Delete each user profile in the list.

   ```
   aws --region Region sagemaker delete-user-profile \
       --domain-id DomainId \
       --user-profile-name UserProfileName
   ```

1. Retrieve the list of shared spaces in the domain.

   ```
   aws --region Region sagemaker list-spaces \
       --domain-id DomainId
   ```

1. Delete each shared space in the list.

   ```
   aws --region Region sagemaker delete-space \
       --domain-id DomainId \
       --space-name SpaceName
   ```

1. Delete the domain. To also delete the Amazon EFS volume, specify `HomeEfsFileSystem=Delete`.

   ```
   aws --region Region sagemaker delete-domain \
       --domain-id DomainId \
       --retention-policy HomeEfsFileSystem=Retain
   ```
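
The steps above can be turned into a reviewable plan before anything is deleted. The following Python sketch is an added example, not part of the AWS documentation. It takes the JSON output of `list-apps`, `list-spaces`, and `list-user-profiles` and prints the delete commands in a safe order; the function name and the sample data are constructed. It skips apps whose status is `Failed`, reports apps that are not yet `InService`, deletes spaces before user profiles because spaces owned by a user profile must be deleted before the profile, and keeps the Amazon EFS volume unless told otherwise.

```python
import json
import shlex

# Constructed sample output of list-apps, list-spaces and list-user-profiles.
SAMPLE_APPS = json.loads("""
{"Apps": [
  {"DomainId": "d-example123", "UserProfileName": "alice",
   "AppType": "JupyterServer", "AppName": "default", "Status": "InService"},
  {"DomainId": "d-example123", "SpaceName": "team-space",
   "AppType": "JupyterLab", "AppName": "default", "Status": "InService"},
  {"DomainId": "d-example123", "UserProfileName": "bob",
   "AppType": "KernelGateway", "AppName": "broken-kernel", "Status": "Failed"},
  {"DomainId": "d-example123", "UserProfileName": "bob",
   "AppType": "JupyterServer", "AppName": "default", "Status": "Pending"}
]}
""")["Apps"]
SAMPLE_SPACES = [{"DomainId": "d-example123", "SpaceName": "team-space"}]
SAMPLE_PROFILES = [{"DomainId": "d-example123", "UserProfileName": "alice"},
                   {"DomainId": "d-example123", "UserProfileName": "bob"}]


def plan_domain_teardown(region, domain_id, apps, spaces, profiles,
                         delete_efs=False):
    """Return (commands, blockers). Run the commands only if blockers is empty."""
    base = ["aws", "--region", region, "sagemaker"]
    commands, blockers = [], []

    for app in apps:
        # An app belongs either to a space or to a user profile.
        if app.get("SpaceName"):
            owner = ["--space-name", app["SpaceName"]]
        else:
            owner = ["--user-profile-name", app["UserProfileName"]]
        status = app["Status"]
        if status == "InService":
            commands.append(base + ["delete-app", "--domain-id", domain_id,
                                    "--app-name", app["AppName"],
                                    "--app-type", app["AppType"]] + owner)
        elif status in ("Failed", "Deleted"):
            # Failed apps do not block deletion, and deleting them is an error.
            continue
        else:
            blockers.append(f'{app["AppType"]}/{app["AppName"]} ({owner[1]}) '
                            f'is {status}; wait and list apps again')

    # Spaces first, then profiles: a profile cannot be deleted while it
    # still owns spaces.
    for space in spaces:
        commands.append(base + ["delete-space", "--domain-id", domain_id,
                                "--space-name", space["SpaceName"]])
    for profile in profiles:
        commands.append(base + ["delete-user-profile", "--domain-id", domain_id,
                                "--user-profile-name", profile["UserProfileName"]])

    # Retain keeps the EFS volume with the users' home directories.
    policy = "Delete" if delete_efs else "Retain"
    commands.append(base + ["delete-domain", "--domain-id", domain_id,
                            "--retention-policy", f"HomeEfsFileSystem={policy}"])
    return [shlex.join(command) for command in commands], blockers


if __name__ == "__main__":
    plan, waiting = plan_domain_teardown(
        "us-east-1", "d-example123", SAMPLE_APPS, SAMPLE_SPACES, SAMPLE_PROFILES)
    for line in waiting:
        print("BLOCKED:", line)
    for line in plan:
        print(line)
```

Each delete call is asynchronous, so confirm that the apps, spaces, and user profiles are gone before you run the next group of commands.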

# Domain user profiles
<a name="domain-user-profile"></a>

A user profile represents a single user within an Amazon SageMaker AI domain. The user profile is the main way to reference a user for the purposes of sharing, reporting, and other user-oriented features. This entity is created when a user onboards to the Amazon SageMaker AI domain. A user profile can have (at most) a single JupyterServer application outside the context of a shared space. The user profile's Studio Classic application is directly associated with the user profile and has an isolated Amazon EFS directory, an execution role associated with the user profile, and Kernel Gateway applications. A user profile can also create other applications from the console or from Amazon SageMaker Studio.

**Topics**
+ [Add user profiles](domain-user-profile-add.md)
+ [Remove user profiles](domain-user-profile-remove.md)
+ [View user profiles in a domain](domain-user-profile-view.md)
+ [View user profile details](domain-user-profile-describe.md)

# Add user profiles
<a name="domain-user-profile-add"></a>

The following section shows how to add user profiles to a domain using the SageMaker AI console or the AWS CLI.

After you add a user profile to the domain, users can log in using a URL. If the domain uses AWS IAM Identity Center for authentication, users receive an email that contains the URL to sign in to the domain. If the domain uses AWS Identity and Access Management, you can create a URL for a user profile using [CreatePresignedDomainUrl](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreatePresignedDomainUrl.html).

## Add user profiles from the console
<a name="domain-user-profile-add-console"></a>

You can add user profiles to a domain from the SageMaker AI console by following this procedure.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**.

1. From the list of domains, select the domain that you want to add a user profile to.

1. On the **domain details** page, choose the **User profiles** tab.

1. Choose **Add user**. This opens a new page.

1. Use the default name for your user profile or add a custom name.

1. For **Execution role**, choose an option from the role selector. If you choose **Enter a custom IAM role ARN**, the role must have, at a minimum, an attached trust policy that grants SageMaker AI permission to assume the role. For more information, see [SageMaker AI Roles](https://docs.aws.amazon.com//sagemaker/latest/dg/sagemaker-roles.html).

   If you choose **Create a new role**, the **Create an IAM role** dialog box opens:

   1. For **S3 buckets you specify**, specify additional Amazon S3 buckets that users of your notebooks can access. If you don't want to add access to more buckets, choose **None**.

   1. Choose **Create role**. SageMaker AI creates a new IAM role, `AmazonSageMaker-ExecutionPolicy`, with the [AmazonSageMakerFullAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AmazonSageMakerFullAccess) policy attached.

1. (Optional) Add tags to the user profile. All resources that the user profile creates will have a domain ARN tag and a user profile ARN tag. The domain ARN tag is based on domain ID, while the user profile ARN tag is based on the user profile name.

1. Choose **Next**.

1. In the **SageMaker Studio** section, you have the option to choose between the newer and classic version of Studio as your default experience.
   + If you choose **SageMaker Studio** (recommended) as your default experience, the Studio Classic IDE has default settings. For information on the default settings, see [Default settings](onboard-quick-start.md#onboard-quick-start-defaults).

     For information on Studio, see [Amazon SageMaker Studio](studio-updated.md).
   + If you choose **Studio Classic** as your default experience, you can choose to enable or disable notebook resource sharing. Notebook resources include artifacts such as cell output and Git repositories. For more information on Notebook resources, see [Share and Use an Amazon SageMaker Studio Classic Notebook](notebooks-sharing.md).

1. Under **SageMaker Canvas**, you can configure your SageMaker Canvas settings. For the instructions and configuration details for onboarding, see [Getting started with using Amazon SageMaker Canvas](canvas-getting-started.md).

   1. For the **Canvas base permissions configuration**, select whether to establish the minimum required permissions to use the SageMaker Canvas application.

1. Under **RStudio**, if you have an RStudio license, select whether you want to create the user with one of the following authorizations:
   + Unauthorized
   + RStudio Admin
   + RStudio User

1. Choose **Next**.

1. In the **Customize Studio UI** page you can customize the viewable applications and machine learning (ML) tools displayed in Studio. This customization only hides the applications and ML tools in the left navigation pane in Studio. For information on the Studio UI, see [Amazon SageMaker Studio UI overview](studio-updated-ui.md).

   For information about the applications, see [Applications supported in Amazon SageMaker Studio](studio-updated-apps.md).

   The customize Studio UI feature is not available in Studio Classic. If you wish to set Studio as your default experience, choose **Previous** to return to the previous step.

1. Choose **Next**.

1. After you have reviewed your changes, choose **Create user profile**.

## Create user profiles from the AWS CLI
<a name="domain-user-profile-add-cli"></a>

To create a user profile in a domain from the AWS CLI, run the following command from the terminal of your local machine. For information about the available JupyterLab version ARNs, see [Setting a default JupyterLab version](studio-jl.md#studio-jl-set).

```
aws --region region \
sagemaker create-user-profile \
--domain-id domain-id \
--user-profile-name user-name \
--user-settings '{
  "JupyterServerAppSettings": {
    "DefaultResourceSpec": {
      "SageMakerImageArn": "sagemaker-image-arn",
      "InstanceType": "system"
    }
  }
}'
```

You can use the AWS CLI to customize the applications and ML tools displayed in Studio for the user, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenAppTypes` to hide applications and `HiddenMlTools` to hide ML tools. For more information on customizing the left navigation of the Studio UI, see [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md). This feature is not available for Studio Classic.

# Remove user profiles
<a name="domain-user-profile-remove"></a>

All apps launched by a user profile and all spaces owned by the user profile must be deleted before you can delete the user profile. The following section shows how to remove user profiles from a domain using the SageMaker AI console or AWS CLI.

## Remove user profiles from the console
<a name="domain-user-profile-remove-console"></a>

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**.

1. From the list of domains, select the domain that you want to remove a user profile from.

1. On the **domain details** page, choose the **User profiles** tab.

1. Select the user profile that you want to delete.

1. On the **User Details** page, for each non-failed app in the **Apps** list, choose **Action**.

1. From the dropdown list, choose **Delete**.

1. On the **Delete app** dialog box, choose **Yes, delete app**. Then enter *delete* in the confirmation field, and choose **Delete**.

1. When **Status** shows as **Deleted** for all apps, navigate back to the **domain details** page and choose the **Space management** tab.

1. Delete any spaces owned by the user profile. For each space where the user profile is the owner, select the space and choose **Delete**. For detailed steps, see [Delete a Studio space](studio-updated-running-stop.md#studio-updated-running-stop-space).

1. Return to the **User profiles** tab and choose **Edit**.

1. On the **Edit User** page, choose **Delete user**.

1. On the **Delete user** pop-up, choose **Yes, delete user**.

1. Enter *delete* in the field to confirm deletion.

1. Choose **Delete**.

## Remove user profiles from the AWS CLI
<a name="domain-user-profile-remove-cli"></a>

To delete a user profile from the AWS CLI, first delete any spaces owned by the user profile, then delete the user profile. Run the following commands from the terminal of your local machine.

```
# Delete spaces owned by the user profile
aws sagemaker delete-space \
--region region \
--domain-id domain-id \
--space-name space-name

# Delete the user profile
aws sagemaker delete-user-profile \
--region region \
--domain-id domain-id \
--user-profile-name user-name
```
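The deletion order described in this section (apps first, then owned spaces, then the profile) can be planned from the JSON that `aws sagemaker list-apps` and `aws sagemaker list-spaces` return. The following is an added example, not AWS-provided code: the sample JSON, the names `alice` and `d-example`, and the helper names are constructed, and including apps that run inside owned spaces is an assumption made so that each space is empty when `delete-space` runs.

```python
import shlex

# Constructed sample of `aws sagemaker list-apps` output (not from the page).
LIST_APPS = {"Apps": [
    {"DomainId": "d-example", "UserProfileName": "alice", "AppType": "JupyterServer",
     "AppName": "default", "Status": "InService"},
    {"DomainId": "d-example", "SpaceName": "alice-private", "AppType": "JupyterLab",
     "AppName": "default", "Status": "InService"},
    {"DomainId": "d-example", "UserProfileName": "alice", "AppType": "KernelGateway",
     "AppName": "old-kernel", "Status": "Failed"},
    {"DomainId": "d-example", "SpaceName": "team-space", "AppType": "JupyterLab",
     "AppName": "default", "Status": "InService"},
    {"DomainId": "d-example", "UserProfileName": "bob", "AppType": "JupyterServer",
     "AppName": "default", "Status": "InService"},
]}

# Constructed sample of `aws sagemaker list-spaces` output.
LIST_SPACES = {"Spaces": [
    {"DomainId": "d-example", "SpaceName": "alice-private", "Status": "InService",
     "OwnershipSettingsSummary": {"OwnerUserProfileName": "alice"}},
    {"DomainId": "d-example", "SpaceName": "alice-shared", "Status": "InService",
     "OwnershipSettingsSummary": {"OwnerUserProfileName": "alice"}},
    {"DomainId": "d-example", "SpaceName": "team-space", "Status": "InService",
     "OwnershipSettingsSummary": {"OwnerUserProfileName": "bob"}},
]}

# Apps in these states need no delete-app call (the console steps skip failed apps).
SKIP_APP_STATUSES = {"Deleted", "Deleting", "Failed"}


def plan_offboarding(user, domain_id, region, apps, spaces):
    """Return the ordered AWS CLI calls (argv lists) that remove `user`."""
    common = ["--region", region, "--domain-id", domain_id]
    owned = [s["SpaceName"] for s in spaces.get("Spaces", [])
             if s.get("DomainId") == domain_id
             and s.get("OwnershipSettingsSummary", {}).get("OwnerUserProfileName") == user]
    plan = []
    # Phase 1: apps launched by the profile, plus apps running in spaces it owns.
    for app in apps.get("Apps", []):
        if app.get("DomainId") != domain_id or app.get("Status") in SKIP_APP_STATUSES:
            continue
        if app.get("SpaceName") in owned:
            scope = ["--space-name", app["SpaceName"]]
        elif app.get("UserProfileName") == user:
            scope = ["--user-profile-name", user]
        else:
            continue  # another user's app, or an app in a space owned by someone else
        plan.append(["aws", "sagemaker", "delete-app", *common, *scope,
                     "--app-type", app["AppType"], "--app-name", app["AppName"]])
    # Phase 2: every space the profile owns, private or shared.
    for name in owned:
        plan.append(["aws", "sagemaker", "delete-space", *common, "--space-name", name])
    # Phase 3: the profile itself, last.
    plan.append(["aws", "sagemaker", "delete-user-profile", *common,
                 "--user-profile-name", user])
    return plan


def render(plan):
    """Quote each argv list into a shell command line for review."""
    return [shlex.join(argv) for argv in plan]


if __name__ == "__main__":
    for line in render(plan_offboarding("alice", "d-example", "us-east-1",
                                        LIST_APPS, LIST_SPACES)):
        print(line)
```

App deletion is asynchronous, so confirm that each app shows a status of `Deleted` before running the `delete-space` and `delete-user-profile` commands from the plan.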

# View user profiles in a domain
<a name="domain-user-profile-view"></a>

 The following section describes how to view a list of user profiles in a domain from the SageMaker AI console or the AWS CLI. 

## View user profiles from the console
<a name="domain-user-profile-view-console"></a>

 Complete the following procedure to view a list of user profiles in the domain from the SageMaker AI console. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, select the domain that you want to view a list of user profiles for. 

1. On the **domain details** page, choose the **User profiles** tab. 

## View user profiles from the AWS CLI
<a name="domain-user-profile-view-cli"></a>

To view the user profiles in a domain from the AWS CLI, run the following command from the terminal of your local machine.

```
aws sagemaker list-user-profiles \
--region region \
--domain-id domain-id
```

# View user profile details
<a name="domain-user-profile-describe"></a>

The following section describes how to view the details of a user profile from the SageMaker AI console or the AWS CLI. 

## View user profile details from the console
<a name="domain-user-profile-describe-console"></a>

 Complete the following procedure to view the details of a user profile from the SageMaker AI console. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1.  From the list of domains, select the domain that you want to view a list of user profiles for. 

1. On the **domain details** page, choose the **User profiles** tab. 

1.  Select the user profile that you want to view details for. 

## View user profile details from the AWS CLI
<a name="domain-user-profile-describe-cli"></a>

To describe a user profile from the AWS CLI, run the following command from the terminal of your local machine.

```
aws sagemaker describe-user-profile \
--region region \
--domain-id domain-id \
--user-profile-name user-name
```

# IAM Identity Center groups in a domain
<a name="domain-groups"></a>

AWS IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can assign your users consistent access to multiple AWS accounts and applications. For more information about IAM Identity Center authentication, see [What is IAM Identity Center?](https://docs.aws.amazon.com//singlesignon/latest/userguide/what-is.html).

If you use AWS IAM Identity Center authentication for your Amazon SageMaker AI domain, you can use the following topics to learn how to view, add, and remove IAM Identity Center groups and users in a domain.

**Topics**
+ [View groups and users](domain-groups-view.md)
+ [Add groups and users](domain-groups-add.md)
+ [Remove groups](domain-groups-remove.md)

# View groups and users
<a name="domain-groups-view"></a>

Complete the following procedure to view a list of IAM Identity Center groups and users from the Amazon SageMaker AI console. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1.  From the list of domains, select the domain that you want to open the **domain settings** page for. 

1.  On the **domain details** page, choose the **Groups** tab. 

# Add groups and users
<a name="domain-groups-add"></a>

The following sections show how to add groups and users to a domain from the SageMaker AI console or AWS CLI. 

**Note**  
If the domain was created before October 1st, 2023, you can only add groups and users to the domain from the SageMaker AI console.

## SageMaker AI console
<a name="domain-groups-add-console"></a>

 Complete the following procedure to add groups and users to your domain from the SageMaker AI console. 

1.  On the **Groups** tab, choose **Assign users and groups**. 

1.  On the **Assign users and groups** page, select the users and groups that you want to add. 

1.  Choose **Assign users and groups**. 

## AWS CLI
<a name="domain-groups-add-cli"></a>

 Complete the following procedure to add groups and users to your domain from the AWS CLI. 

1. Fetch the `SingleSignOnApplicationArn` of the domain with a call to [describe-domain](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/swf/describe-domain.html). `SingleSignOnApplicationArn` is the ARN of the application managed in IAM Identity Center.

   ```
   aws sagemaker describe-domain \
   --region region \
   --domain-id domain-id
   ```

1. Associate the user or group with the domain. To accomplish this, pass the `SingleSignOnApplicationArn` value returned from the [describe-domain](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/swf/describe-domain.html) command as the `application-arn` parameter in a call to [create-application-assignment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso-admin/create-application-assignment.html). You must also pass the type and ID of the entity to associate.

   ```
   aws sso-admin create-application-assignment \
   --application-arn application-arn \
   --principal-id principal-id \
   --principal-type principal-type
   ```

# Remove groups
<a name="domain-groups-remove"></a>

Complete the following procedure to remove groups from your domain from the SageMaker AI console. For information about deleting a user, see [Remove user profiles](domain-user-profile-remove.md). 

1.  On the **Groups** tab, choose the group that you want to remove. 

1.  Choose **Unassign groups**. 

1.  On the pop-up window, choose **Yes, unassign groups**. 

1. Enter *unassign* in the field. 

1.  Choose **Unassign groups**. 

# Understanding domain space permissions and execution roles
<a name="execution-roles-and-spaces"></a>

For many SageMaker AI applications, when you start up a SageMaker AI application within a domain, a space is created for the application. When a user profile creates a space, that space assumes an AWS Identity and Access Management (IAM) role that defines the permissions granted to that space. The following page gives information about space types and the execution roles that define permissions for the space.

 An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. 

**Note**  
When you start up Amazon SageMaker Canvas or RStudio, it does not create a space that assumes an IAM role. Instead, you change the role associated with the user profile to manage their permissions for the application. For information on obtaining a SageMaker AI user profile’s role, see [Get user execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-user).  
For SageMaker Canvas, see [Amazon SageMaker Canvas setup and permissions management (for IT administrators)](canvas-setting-up.md).  
For RStudio, see [Create Amazon SageMaker AI domain with RStudio App](rstudio-create-cli.md#rstudio-create-cli-domain).

Users can access their SageMaker AI applications within a shared or private space.

**Shared spaces**
+ There can only be one space associated with an application. A shared space can be accessed by all of the user profiles within the domain. This grants all user profiles in the domain access to the same underlying file storage system for the application.
+ The shared space will be granted the permissions defined by the **space default execution role**. If you wish to modify the shared space's execution role, you must modify the space default execution role.

  For information on obtaining the space default execution role, see [Get space execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-space).

  For information on modifying your execution role, see [Modify permissions to execution role](sagemaker-roles.md#sagemaker-roles-modify-to-execution-role).
+ For information about shared spaces, see [Collaboration with shared spaces](domain-space.md).
+ To create a shared space, see [Create a shared space](domain-space-create.md#domain-space-create-app).

**Private spaces**
+ There can only be one space associated with an application. A private space can only be accessed by the user profile who created it. This space cannot be shared with other users.
+ The private space will assume the **user profile execution role** of the user profile that created it. If you wish to modify the private space's execution role, you must modify the user profile's execution role.

  For information on obtaining the user profile's execution role, see [Get user execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-user).

  For information on modifying your execution role, see [Modify permissions to execution role](sagemaker-roles.md#sagemaker-roles-modify-to-execution-role).
+ All applications that support spaces also support private spaces. 
+ A private space for Studio Classic is already created for each user profile by default.

**Topics**
+ [SageMaker AI execution roles](#sagemaker-execution-roles)
+ [Example of flexible permissions with execution roles](#sagemaker-execution-roles-example)

## SageMaker AI execution roles
<a name="sagemaker-execution-roles"></a>

A SageMaker AI execution role is an [AWS Identity and Access Management (IAM) role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that is assigned to an IAM identity that is performing executions in SageMaker AI, and that grants permissions to SageMaker AI to access other AWS resources on your behalf. An [IAM identity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) provides access to an AWS account and represents a human user or programmatic workload that can be authenticated and then authorized to perform actions in AWS. This role allows SageMaker AI to perform actions like launching compute instances, accessing data and model artifacts stored in Amazon S3, or writing logs to CloudWatch. SageMaker AI assumes the execution role at runtime and is temporarily granted the permissions defined in the role's policy. The role should contain the necessary permissions that define the actions the identity can perform and resources the identity has access to.

You can assign roles to various identities to provide a flexible and granular approach to managing permissions and access within your domain. For more information on domains, see [Amazon SageMaker AI domain overview](gs-studio-onboard.md). For example, you can assign IAM roles to the:
+ **Domain execution role** to grant broad permissions to all of the user profiles within the domain.
+ **Space execution role** to grant broad permissions for shared spaces within the domain. All user profiles in the domain can access shared spaces and will use the space's execution role while within the shared space.
+ **User profile execution role** to grant fine-grained permissions for specific user profiles. A private space created by a user profile will assume that user profile's execution role.

This enables you to grant the necessary permissions to the domain while still maintaining the principle of least-privilege permissions for user profiles, to adhere to the [security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *AWS IAM Identity Center User Guide*.

Any changes or modifications to the execution roles may take a few minutes to propagate. For more information, see [Change your execution role](sagemaker-roles.md#sagemaker-roles-change-execution-role) or [Modify permissions to execution role](sagemaker-roles.md#sagemaker-roles-modify-to-execution-role), respectively.

## Example of flexible permissions with execution roles
<a name="sagemaker-execution-roles-example"></a>

With [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) you can manage and grant permissions on broad and granular levels. The following example includes granting permissions at the space level and the user level.

Suppose you are an administrator setting up a domain for a team of data scientists. You can allow the user profiles within the domain to have full access to Amazon Simple Storage Service (Amazon S3) buckets, run SageMaker training jobs, and deploy models using an application in a *shared space*. In this example, you can create an IAM role called "DataScienceTeamRole" with broad permissions. Then you can assign "DataScienceTeamRole" as the *space default execution role*, granting broad permissions for your team. When a user profile creates a *shared space*, that space will assume the *space default execution role*. For information on assigning an execution role to an existing domain, see [Get space execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-space).

Instead of allowing any individual user profile working in their own *private space* to have full access to Amazon S3 buckets, you can restrict a user profile’s permissions and not allow them to alter the Amazon S3 buckets. In this example, you can give them read access to Amazon S3 buckets to retrieve data, run SageMaker training jobs, and deploy models in their *private space*. You can create a user-level execution role called "DataScientistRole" with the relatively more limited permissions. Then you can assign "DataScientistRole" as the *user profile execution role*, granting the necessary permissions to perform their specific data science tasks within the defined scope. When a user profile creates a *private space*, that space will assume the *user profile execution role*. For information on assigning an execution role to an existing user profile, see [Get user execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-user).

For information on SageMaker AI execution roles and adding additional permissions to them, see [How to use SageMaker AI execution roles](sagemaker-roles.md).
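To confirm that the user-level role in the example above really cannot alter Amazon S3 buckets, you can check its policy document for S3 write actions before attaching it. The following is an added example, not AWS-provided code: both policy documents, the bucket name `example-ml-data`, and the helper names are constructed. The check is deliberately conservative: it ignores `Resource` and `Condition` on `Allow` statements, counts a `Deny` only when it is unconditional on `"*"`, and rejects `NotAction`.

```python
import re

# Constructed policy for the broad space default execution role in the example.
DATA_SCIENCE_TEAM_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sagemaker:CreateTrainingJob", "sagemaker:CreateModel",
                    "sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint"],
         "Resource": "*"},
    ],
}

# Constructed policy for the narrower user profile execution role: S3 read only.
DATA_SCIENTIST_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-ml-data",
                      "arn:aws:s3:::example-ml-data/*"]},
        {"Effect": "Allow",
         "Action": ["sagemaker:CreateTrainingJob", "sagemaker:CreateModel",
                    "sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint"],
         "Resource": "*"},
    ],
}

# S3 actions that change or remove data, bucket policy, or ACLs.
S3_WRITE_PROBES = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                   "s3:PutBucketPolicy", "s3:DeleteBucket")


def as_list(value):
    """IAM allows a single string/object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive; '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def s3_writes_allowed(policy, probes=S3_WRITE_PROBES):
    """Return the probe actions that the policy may allow, sorted."""
    allowed, denied = set(), set()
    for stmt in as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            raise ValueError("NotAction statements are outside this check")
        hits = {p for p in probes
                if any(action_matches(a, p) for a in as_list(stmt.get("Action")))}
        if stmt.get("Effect") == "Allow":
            allowed |= hits  # counted even if scoped to one resource
        elif (stmt.get("Effect") == "Deny" and "Condition" not in stmt
              and as_list(stmt.get("Resource")) == ["*"]):
            denied |= hits  # only a blanket Deny is trusted to override
    return sorted(allowed - denied)


if __name__ == "__main__":
    print("DataScienceTeamRole:", s3_writes_allowed(DATA_SCIENCE_TEAM_ROLE_POLICY))
    print("DataScientistRole:  ", s3_writes_allowed(DATA_SCIENTIST_ROLE_POLICY))
```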

# View SageMaker AI resources in your domain
<a name="sm-console-domain-resources-view"></a>

## Use the SageMaker AI console to view your domain resources
<a name="sm-console-domain-resources-view-console"></a>

You can view Amazon SageMaker AI resources in your Amazon SageMaker AI domain using the SageMaker AI console. Use the following instructions to learn how to view the resources tagged by the domain ARN. 

The SageMaker resources displayed by this procedure are those that have the relevant `sagemaker:domain-arn` tag associated with them. Untagged resources may have been created outside the context of a domain or were created before 11/30/2022, when resources were not automatically tagged with the domain ARN. You can add a tag to untagged resources for better filtering by following the steps in [Backfill domain tags](domain-multiple-backfill.md). Resources created in other domains are automatically filtered out.

**Note**  
This is not a complete list of active resources on your domain. For all active SageMaker resources, see [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/).

**To view SageMaker AI resources in your domain using the console**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. Expand the left navigation pane, if not already expanded.

1. Under **Admin configurations**, choose **Domains**.

1. From the list of domains, select the domain that you want to open the **Domain settings** page for.

1. On the **Domain details** page, choose the **Resources** tab. 

1. On the **Domain resources** page, you can view the details of the resources tagged with the relevant domain ARN. The running resources are displayed by default.

1. (Optional) You can filter the displayed resources for each resource type by using the search icon or **Filter status** at the top of each resource type.

## Use the AWS CLI to view the SageMaker AI spaces in your domain
<a name="sm-console-domain-resources-view-spaces-cli"></a>

The following section provides instructions on how to view the spaces in your domain using the AWS CLI.

You will need to know your *domain-id*. To obtain your domain details, see [View domains](domain-view.md).

```
aws sagemaker list-spaces \
    --region region \
    --domain-id domain-id
```

## Use the AWS CLI to view the SageMaker AI applications in your domain
<a name="sm-console-domain-resources-view-apps-cli"></a>

The following section provides instructions on how to view the applications in your domain using the AWS CLI.

You will need to know your *domain-id*. To obtain your domain details, see [View domains](domain-view.md).

```
aws sagemaker list-apps \
    --domain-id-equals domain-id
```

If you do not see the applications or your domain, you may need to change your AWS Region. To do so, use `aws configure` to update your AWS credentials. For more information, see [configure](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/index.html).

# Shut down SageMaker AI resources in your domain
<a name="sm-console-domain-resources-shut-down"></a>

You can shut down Amazon SageMaker AI resources in your Amazon SageMaker AI domain using the SageMaker AI console. Use the following instructions to learn how to shut down the resources tagged by the domain ARN. 

The SageMaker resources displayed by this procedure are those that have the relevant `sagemaker:domain-arn` tag associated with them. Untagged resources may have been created outside the context of a domain or were created before 11/30/2022, when resources were not automatically tagged with the domain ARN. You can add a tag to untagged resources for better filtering by following the steps in [Backfill domain tags](domain-multiple-backfill.md). Resources created in other domains are automatically filtered out.

**Note**  
This is not a complete list of active resources on your domain. For all active SageMaker resources, see [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/).

**To shut down SageMaker AI resources in your domain using the console**

1. [View SageMaker AI resources in your domain](sm-console-domain-resources-view.md)

1. Under a resource type section, check the boxes for the resources you wish to shut down.

1. Once the resources are selected, a shutdown option will become available at the top of the resource type section. Choose the option and follow the instructions to shut down the selected resources.

For instructions on how to delete your resources per SageMaker AI feature, see [Where to shut down resources per SageMaker AI features](sm-shut-down-resources-per-feature.md).

# Where to shut down resources per SageMaker AI features
<a name="sm-shut-down-resources-per-feature"></a>

You can shut down your Amazon SageMaker AI resources to avoid incurring unwanted charges. In the following table we list the SageMaker AI features or resources and provide links to the documentation on how to shut down SageMaker AI resources. 

You can also use the [APIs, CLI, and SDKs](api-and-sdk-reference-overview.md) provided by SageMaker AI. For example, you can search the [Amazon SageMaker API Reference](https://docs.aws.amazon.com/sagemaker/latest/APIReference/Welcome.html) for `Delete*` commands to delete some of the resources you have created. More specifically, you can search for the [DeleteDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DeleteDomain.html) API to learn how to delete an Amazon SageMaker AI domain.

**Note**  
This is not a complete list of active resources on your domain. For all active SageMaker AI resources, see [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/).


| SageMaker AI feature, infrastructure, resources | Instructions for shutting down | 
| --- | --- | 
|   [Canvas](canvas.md)   |   [Logging out of Amazon SageMaker Canvas](canvas-log-out.md)   | 
|   [Code Editor](code-editor.md)   |   [Shut down Code Editor resources](code-editor-use-log-out.md)   | 
|   [Domain](sm-domain.md)   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/sm-shut-down-resources-per-feature.html)  | 
|   [EMR in Studio Classic](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-emr-cluster.html)   |   [Terminate an Amazon EMR cluster from Studio or Studio Classic](terminate-emr-clusters.md)   | 
|   [Experiments](mlflow.md)   |   [Clean up MLflow resources](mlflow-cleanup.md)   | 
|   [HyperPod](sagemaker-hyperpod.md)   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/sm-shut-down-resources-per-feature.html)  | 
|   [Inference endpoints](realtime-endpoints-options.md)   |   [Delete Endpoints and Resources](realtime-endpoints-delete-resources.md)   | 
|   [JupyterLab](studio-updated-jl.md)   |   [Delete unused resources](studio-updated-jl-admin-guide-clean-up.md)   | 
|   [MLOps](mlops.md)   |   [Delete a MLOps Project using Amazon SageMaker Studio or Studio Classic](sagemaker-projects-delete.md)   | 
|   [Notebook instances](nbi.md)   |   [Clean up Amazon SageMaker notebook instance resources](ex1-cleanup.md)   | 
|   [Pipelines](pipelines.md)   |   [Stop a pipeline](pipelines-studio-stop.md)   | 
|   [Projects](sagemaker-projects.md)   |   [Delete a MLOps Project using Amazon SageMaker Studio or Studio Classic](sagemaker-projects-delete.md)   | 
|   [RStudio on Amazon SageMaker AI](rstudio.md)   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/sm-shut-down-resources-per-feature.html)  | 
|   [Studio](studio-updated.md)   |   [View your Studio running instances, applications, and spaces](studio-updated-running.md)   | 
|   [Studio Classic](studio.md)   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/sm-shut-down-resources-per-feature.html)  | 
|   [Stacks in AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html)   |   [Deleting a stack on the AWS CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html)   | 
|   [TensorBoard in SageMaker AI](tensorboard-on-sagemaker.md)   |   [Delete unused TensorBoard applications](debugger-htb-delete-app.md)   | 

# Choose an Amazon VPC
<a name="onboard-vpc"></a>

This topic provides detailed information about choosing an Amazon Virtual Private Cloud (Amazon VPC) when you onboard to Amazon SageMaker AI domain. For more information about onboarding to SageMaker AI domain, see [Amazon SageMaker AI domain overview](gs-studio-onboard.md).

By default, SageMaker AI domain uses two Amazon VPCs. One Amazon VPC is managed by Amazon SageMaker AI and provides direct internet access. You specify the other Amazon VPC, which provides encrypted traffic between the domain and your Amazon Elastic File System (Amazon EFS) volume.

You can change this behavior so that SageMaker AI sends all traffic over your specified Amazon VPC. When you choose this option, you must provide the subnets, security groups, and interface endpoints that are necessary to communicate with the SageMaker API and SageMaker AI runtime, and various AWS services, such as Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch, that are used by Studio.

When you onboard to SageMaker AI domain, you tell SageMaker AI to send all traffic over your Amazon VPC by setting the network access type to **VPC only**.

**To specify the Amazon VPC information**

When you specify the Amazon VPC entities (that is, the Amazon VPC, subnet, or security group) in the following procedure, one of three options is presented based on the number of entities you have in the current AWS Region. The behavior is as follows:
+ One entity – SageMaker AI uses that entity. This can't be changed.
+ Multiple entities – You must choose the entities from the dropdown list.
+ No entities – You must create one or more entities in order to use the domain. Choose **Create <entity>** to open the VPC console in a new browser tab. After you create the entities, return to the domain **Get started** page to continue the onboarding process.

This procedure is part of the Amazon SageMaker AI domain onboarding process when you choose **Set up for organizations**. Your Amazon VPC information is specified under the **Network** section.

1. Select the network access type.

   **Note**  
   If **VPC only** is selected, SageMaker AI automatically applies the security group settings defined for the domain to all shared spaces created in the domain. If **Public internet only** is selected, SageMaker AI does not apply the security group settings to shared spaces created in the domain.

   + **Public internet only** – Non-Amazon EFS traffic goes through a SageMaker AI managed Amazon VPC, which allows internet access. Traffic between the domain and your Amazon EFS volume is through the specified Amazon VPC.
   + **VPC only** – All SageMaker AI traffic is through the specified Amazon VPC and subnets. You must use a subnet that does not have direct internet access in **VPC only** mode. Internet access is disabled by default.

1. Choose the Amazon VPC.

1. Choose one or more subnets. If you don't choose any subnets, SageMaker AI uses all the subnets in the Amazon VPC. We recommend that you use multiple subnets that are not created in constrained Availability Zones. Using subnets in these constrained Availability Zones can result in insufficient capacity errors and longer application creation times. For more information about constrained Availability Zones, see [Constrained Availability Zones](https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-availability-zones.html#constrained-zones) in the *AWS Regions and Availability Zones User Guide*.

1. Choose the security groups. If you chose **Public internet only**, this step is optional. If you chose **VPC only**, this step is required.

   **Note**  
   For the maximum number of allowed security groups, see [UserSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UserSettings.html).

For Amazon VPC requirements in **VPC only** mode, see [Connect Studio notebooks in a VPC to external resources](studio-notebooks-and-internet-access.md).
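For a domain that is meant to run in **VPC only** mode, the requirements in this procedure (network access type, required security groups, subnets without direct internet access) can be checked against the JSON returned by `aws sagemaker describe-domain` and `aws ec2 describe-route-tables`. The following is an added example, not AWS-provided code: all resource IDs, the sample JSON, and the finding codes are constructed, and "direct internet access" is interpreted here as an active route through an internet gateway (`igw-`) in the subnet's effective route table.

```python
# Constructed sample of `aws sagemaker describe-domain` output (IDs are made up).
DOMAIN = {
    "DomainId": "d-example",
    "AppNetworkAccessType": "VpcOnly",
    "VpcId": "vpc-0example",
    "SubnetIds": ["subnet-aaa", "subnet-bbb"],
    "DefaultUserSettings": {"SecurityGroups": ["sg-0example"]},
}

# Constructed sample of `aws ec2 describe-route-tables` output for that VPC.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0example",
     "Associations": [{"Main": False, "SubnetId": "subnet-aaa"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example",
          "State": "active"}]},
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0example",
     "Associations": [{"Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example",
          "State": "active"}]},
]}


def effective_route_table(subnet_id, vpc_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables.get("RouteTables", []):
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_route(route_table):
    """True if any active route targets an internet gateway."""
    return any((r.get("GatewayId") or "").startswith("igw-")
               and r.get("State") == "active"
               for r in route_table.get("Routes", []))


def audit_domain_network(domain, route_tables):
    """Return (code, detail) findings for a domain expected to be VPC only."""
    mode = domain.get("AppNetworkAccessType")
    if mode != "VpcOnly":
        # Non-EFS traffic uses the SageMaker AI managed VPC with internet access.
        return [("NOT_VPC_ONLY", str(mode))]
    findings = []
    if not domain.get("DefaultUserSettings", {}).get("SecurityGroups"):
        findings.append(("NO_SECURITY_GROUPS", domain.get("DomainId", "")))
    for subnet in domain.get("SubnetIds", []):
        rt = effective_route_table(subnet, domain.get("VpcId"), route_tables)
        if rt is None:
            findings.append(("ROUTE_TABLE_NOT_FOUND", subnet))
        elif has_igw_route(rt):
            findings.append(("SUBNET_HAS_IGW_ROUTE", f"{subnet} via {rt['RouteTableId']}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_domain_network(DOMAIN, ROUTE_TABLES):
        print(code, detail)
```

In the sample, `subnet-bbb` has no explicit route table association, so it inherits the main route table and its internet gateway route.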

# Supported Regions and Quotas
<a name="regions-quotas"></a>

This page gives information about the AWS Regions supported by Amazon SageMaker AI and the Amazon Elastic Compute Cloud (Amazon EC2) instance types, as well as quotas for Amazon SageMaker AI resources. 

For information about the instance types that are available in each Region, see [Amazon SageMaker Pricing](https://aws.amazon.com/sagemaker/pricing/).

For a list of the SageMaker AI service endpoints for each Region, see [Amazon SageMaker AI endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sagemaker.html) in the *AWS General Reference*.

## Quotas
<a name="regions-quotas-quotas"></a>

For a list of SageMaker AI quotas, see [Amazon SageMaker AI endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sagemaker.html#limits_sagemaker) in the *AWS General Reference*.

The [Service Quotas console](https://console.aws.amazon.com/servicequotas/home/services/sagemaker/quotas) provides information about your service quotas. You can use the Service Quotas console to view your default service quotas or to request quota increases. To request a quota increase for adjustable quotas, see [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html).

You can set up a quota request template for your AWS Organization that automatically requests quota increases during account creation. For more information, see [Using Service Quotas request templates](https://docs.aws.amazon.com/servicequotas/latest/userguide/organization-templates.html).