ML activity reference
ML activities are common AWS tasks related to machine learning with SageMaker that require specific IAM permissions. Each persona suggests related ML activities when creating a role with Amazon SageMaker Role Manager. You can select any additional ML activities or deselect any suggested ML activities to create a role that meets your unique business needs.
Amazon SageMaker Role Manager provides predefined permissions for the following ML activities:
| ML activity | Description |
|---|---|
| Access Required AWS Services | Permissions to access Amazon S3, Amazon ECR, Amazon CloudWatch, and Amazon EC2. Required for execution roles for jobs and endpoints. |
| Run Studio Classic Applications | Permissions to operate within a Studio Classic environment. Required for domain and user profile execution roles. |
| Manage ML Jobs | Permissions to audit, query lineage, and visualize experiments. |
| Manage Models | Permissions to manage SageMaker jobs across their lifecycles. |
| Manage Pipelines | Permissions to manage SageMaker pipelines and pipeline executions. |
| Search and visualize experiments | Permissions to audit, query lineage, and visualize SageMaker experiments. |
| Manage Model Monitoring | Permissions to manage monitoring schedules for SageMaker Model Monitor. |
| Amazon S3 Full Access | Permissions to perform all Amazon S3 operations. |
| Amazon S3 Bucket Access | Permissions to perform operations on specified Amazon S3 buckets. |
| Query Athena Workgroups | Permissions to run and manage Amazon Athena queries. |
| Manage AWS Glue Tables | Permissions to create and manage AWS Glue tables for SageMaker Feature Store and Data Wrangler. |
| SageMaker Canvas Core Access | Permissions to perform experimentation in SageMaker Canvas (i.e, basic data prep, model build, validation). |
| SageMaker Canvas Data Preparation (powered by Data Wrangler) | Permissions to perform end-to-end data preparation in SageMaker Canvas (i.e, aggregate, transform and analyze data, create and schedule data preparation jobs on large datasets). |
| SageMaker Canvas AI Services | Permissions to access ready-to-use models from Amazon Bedrock, Amazon Textract, Amazon Rekognition, and Amazon Comprehend. Additionally, user can fine-tune foundation models from Amazon Bedrock and Amazon SageMaker JumpStart. |
| SageMaker Canvas MLOps | Permission for SageMaker Canvas users to directly deploy model to endpoint. |
| SageMaker Canvas Kendra Access | Permission for SageMaker Canvas to access Amazon Kendra for enterprise document search. The permission is only given to your selected index names in Amazon Kendra. |
| Use MLflow | Permissions to manage experiments, runs, and models in MLflow. |
| Manage MLflow Tracking Servers | Permissions to manage, start, and stop MLflow Tracking Servers. |
| Access required to AWS Services for MLflow | Permissions for MLflow Tracking Servers to access S3, Secrets Manager, and Model Registry. |
| Run Studio EMR Serverless Applications | Permissions to Create and Manage EMR Serverless Applications on Amazon SageMaker Studio. |
