AWS managed policies for Amazon SageMaker Cluster - Amazon SageMaker

AWS managed policies for Amazon SageMaker Cluster

These AWS managed policies add permissions required to use SageMaker Cluster. The policies are available in your AWS account and are used by execution roles created from the SageMaker console.

AWS managed policy: AmazonSageMakerClusterInstanceRolePolicy

This policy grants permissions commonly needed to use Amazon SageMaker Cluster.

Permissions details

This AWS managed policy includes the following permissions.

  • cloudwatch – Allows principals to post Amazon CloudWatch metrics.

  • logs – Allows principals to publish CloudWatch log streams.

  • s3 – Allows principals to list and retrieve lifecycle script files from an Amazon S3 bucket in your account. These buckets are limited to those whose name starts with "sagemaker-".

  • ssmmessages – Allows principals to open a connection to AWS Systems Manager.

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "CloudwatchLogStreamPublishPermissions",
      "Effect" : "Allow",
      "Action" : [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*"
      ]
    },
    {
      "Sid" : "CloudwatchLogGroupCreationPermissions",
      "Effect" : "Allow",
      "Action" : [
        "logs:CreateLogGroup"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*"
      ]
    },
    {
      "Sid" : "CloudwatchPutMetricDataAccess",
      "Effect" : "Allow",
      "Action" : [
        "cloudwatch:PutMetricData"
      ],
      "Resource" : [
        "*"
      ],
      "Condition" : {
        "StringEquals" : {
          "cloudwatch:namespace" : "/aws/sagemaker/Clusters"
        }
      }
    },
    {
      "Sid" : "DataRetrievalFromS3BucketPermissions",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource" : [
        "arn:aws:s3:::sagemaker-*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SSMConnectivityPermissions",
      "Effect" : "Allow",
      "Action" : [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource" : "*"
    }
  ]
}
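To check how the resource patterns and conditions in this policy scope a request, the following added example (not AWS code and not part of the original page) evaluates sample requests against the five statements offline. It is a simplified model: it handles only Allow statements, exact action names, IAM-style "*" and "?" wildcards, and StringEquals with policy variables, and it ignores explicit denies, SCPs, permissions boundaries and bucket policies. The function names, bucket names and account IDs are constructed for illustration.

```python
import re

# Statements transcribed from AmazonSageMakerClusterInstanceRolePolicy (version 1).
POLICY = [
    {"Action": ["logs:PutLogEvents", "logs:CreateLogStream", "logs:DescribeLogStreams"],
     "Resource": ["arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*"]},
    {"Action": ["logs:CreateLogGroup"],
     "Resource": ["arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*"]},
    {"Action": ["cloudwatch:PutMetricData"], "Resource": ["*"],
     "Condition": {"StringEquals": {"cloudwatch:namespace": "/aws/sagemaker/Clusters"}}},
    {"Action": ["s3:ListBucket", "s3:GetObject"], "Resource": ["arn:aws:s3:::sagemaker-*"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"],
     "Resource": "*"},
]

def _glob(pattern, value):
    """IAM-style wildcard match: '*' spans any characters (including '/'), '?' one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _subst(text, ctx):
    """Expand ${key} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), text)

def allowed(action, resource, ctx):
    """True if any statement matches action, resource and every StringEquals key."""
    for st in POLICY:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if action not in st["Action"] or not any(_glob(r, resource) for r in res):
            continue
        conds = st.get("Condition", {}).get("StringEquals", {})
        if all(k in ctx and ctx[k] == _subst(v, ctx) for k, v in conds.items()):
            return True
    return False

# Constructed request contexts (account IDs are made-up sample values).
SAME = {"aws:PrincipalAccount": "111122223333", "aws:ResourceAccount": "111122223333"}
CROSS = {"aws:PrincipalAccount": "111122223333", "aws:ResourceAccount": "999988887777"}

if __name__ == "__main__":
    for act, res, ctx in [
        ("s3:GetObject", "arn:aws:s3:::sagemaker-scripts/on_create.sh", SAME),
        ("s3:GetObject", "arn:aws:s3:::sagemaker-scripts/on_create.sh", CROSS),
        ("s3:GetObject", "arn:aws:s3:::team-data/on_create.sh", SAME),
    ]:
        print(allowed(act, res, ctx), act, res, ctx["aws:ResourceAccount"])
```

Because "*" also spans "/", the single pattern arn:aws:s3:::sagemaker-* covers both the bucket ARN used by s3:ListBucket and the object ARNs used by s3:GetObject.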

Amazon SageMaker updates to Amazon SageMaker Cluster managed policies

View details about updates to AWS managed policies for SageMaker Cluster since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker Document history page.

| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerClusterInstanceRolePolicy - New policy | 1 | Initial policy | November 29, 2023 |