AWS managed policies for Amazon SageMaker Canvas - Amazon SageMaker


AWS managed policies for Amazon SageMaker Canvas

These AWS managed policies add the permissions required to use Amazon SageMaker Canvas. The policies are available in your AWS account and are used by the SageMaker execution roles created from the console.

AWS managed policy: AmazonSageMakerCanvasFullAccess

This policy grants permissions that allow full access to Amazon SageMaker Canvas through the AWS Management Console and SDK. The policy also provides selected access to related services (for example, Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Container Registry (Amazon ECR), Amazon CloudWatch Logs, Amazon Redshift, AWS Secrets Manager, Amazon SageMaker Autopilot, SageMaker Model Registry, and Amazon Forecast).

This policy is intended to help customers experiment with and get started using all features of SageMaker Canvas. For more granular control, we recommend that customers create their own scoped-down version of the policy when moving to production workloads. For more information, see IAM policy types: How and when to use them.

Permissions details

This AWS managed policy includes the following permissions.

  • sagemaker – Allows principals to create and host SageMaker models on resources whose ARN contains "Canvas", "canvas", or "model-compilation-". Users can also register SageMaker Canvas models to the SageMaker Model Registry in the same AWS account. Also allows principals to create and manage SageMaker training, transform, and AutoML jobs.

  • application-autoscaling – Allows principals to automatically scale SageMaker inference endpoints.

  • athena – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena, and to access tables in a catalog.

  • cloudwatch – Allows principals to create and manage Amazon CloudWatch alarms.

  • ec2 – Allows principals to create Amazon VPC endpoints.

  • ecr – Allows principals to get information about container images.

  • emr-serverless – Allows principals to create and manage Amazon EMR Serverless applications and job runs. Also allows principals to tag SageMaker Canvas resources.

  • forecast – Allows principals to use Amazon Forecast.

  • glue – Allows principals to retrieve tables, databases, and partitions from the AWS Glue catalog.

  • iam – Allows principals to pass IAM roles to Amazon SageMaker, Amazon Forecast, and Amazon EMR Serverless. Also allows principals to create service-linked roles.

  • kms – Allows principals to read AWS KMS keys that are tagged Source:SageMakerCanvas.

  • logs – Allows principals to publish logs from training jobs and endpoints.

  • quicksight – Allows principals to list the namespaces in an Amazon QuickSight account.

  • rds – Allows principals to return information about provisioned Amazon RDS instances.

  • redshift – Allows principals to get credentials for the "sagemaker_access*" dbuser on any Amazon Redshift cluster, if that user exists.

  • redshift-data – Allows principals to run queries on Amazon Redshift using the Amazon Redshift Data API. This only provides access to the Redshift Data APIs; it does not provide direct access to the Amazon Redshift cluster. For more information, see Using the Amazon Redshift Data API.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name contains "SageMaker", "Sagemaker", or "sagemaker". Also allows principals to retrieve objects from Amazon S3 buckets whose ARN begins with "jumpstart-cache-prod-" in specific Regions.

  • secretsmanager – Allows principals to store customer credentials for connecting to a Snowflake database using Secrets Manager.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerUserDetailsAndPackageOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribeDomain", "sagemaker:DescribeUserProfile", "sagemaker:ListTags", "sagemaker:ListModelPackages", "sagemaker:ListModelPackageGroups", "sagemaker:ListEndpoints" ], "Resource": "*" }, { "Sid": "SageMakerPackageGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelPackage" ], "Resource": [ "arn:aws:sagemaker:*:*:model-package/*", "arn:aws:sagemaker:*:*:model-package-group/*" ] }, { "Sid": "SageMakerTrainingOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateCompilationJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateModel", "sagemaker:CreateProcessingJob", "sagemaker:CreateAutoMLJob", "sagemaker:CreateAutoMLJobV2", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob", "sagemaker:DeleteEndpoint", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeAutoMLJobV2", "sagemaker:DescribeTrainingJob", "sagemaker:DescribeTransformJob", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:StopAutoMLJob", "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:AddTags", "sagemaker:DeleteApp" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*", "arn:aws:sagemaker:*:*:*model-compilation-*" ] }, { "Sid": "SageMakerHostingOperations", "Effect": "Allow", "Action": [ "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteModel", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:InvokeEndpointAsync" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*" ] }, { "Sid": "EC2VPCOperation", "Effect": "Allow", 
"Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices" ], "Resource": "*" }, { "Sid": "ECROperations", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "ReadSageMakerJumpstartArtifacts", "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*", "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*", "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*" ] }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": "glue:SearchTables", "Resource": [ "arn:aws:glue:*:*:table/*/*", 
"arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:catalog" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:PutResourcePolicy" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables", "redshift-data:DescribeTable" ], "Resource": "*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "ForecastOperations", "Effect": "Allow", "Action": [ "forecast:CreateExplainabilityExport", "forecast:CreateExplainability", "forecast:CreateForecastEndpoint", "forecast:CreateAutoPredictor", "forecast:CreateDatasetImportJob", "forecast:CreateDatasetGroup", "forecast:CreateDataset", "forecast:CreateForecast", "forecast:CreateForecastExportJob", "forecast:CreatePredictorBacktestExportJob", "forecast:CreatePredictor", "forecast:DescribeExplainabilityExport", "forecast:DescribeExplainability", "forecast:DescribeAutoPredictor", "forecast:DescribeForecastEndpoint", "forecast:DescribeDatasetImportJob", "forecast:DescribeDataset", "forecast:DescribeForecast", "forecast:DescribeForecastExportJob", "forecast:DescribePredictorBacktestExportJob", "forecast:GetAccuracyMetrics", "forecast:InvokeForecastEndpoint", "forecast:GetRecentForecastContext", 
"forecast:DescribePredictor", "forecast:TagResource", "forecast:DeleteResourceTree" ], "Resource": [ "arn:aws:forecast:*:*:*Canvas*" ] }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "IAMPassOperationForForecast", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "forecast.amazonaws.com" } } }, { "Sid": "AutoscalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ], "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*", "Condition": { "StringEquals": { "application-autoscaling:service-namespace": "sagemaker", "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount" } } }, { "Sid": "AsyncEndpointOperations", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "sagemaker:DescribeEndpointConfig" ], "Resource": "*" }, { "Sid": "DescribeScalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalingActivities" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "SageMakerCloudWatchUpdate", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:TargetTracking*" ], "Condition": { "StringEquals": { "aws:CalledViaLast": "application-autoscaling.amazonaws.com" } } }, { "Sid": "AutoscalingSageMakerEndpointOperation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } }, { "Sid": "AthenaOperation", "Action": [ "athena:ListTableMetadata", 
"athena:ListDataCatalogs", "athena:ListDatabases" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "GlueOperation", "Action": [ "glue:GetDatabases", "glue:GetPartitions", "glue:GetTables" ], "Effect": "Allow", "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "QuicksightOperation", "Action": [ "quicksight:ListNamespaces" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowUseOfKeyInAccount", "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Source": "SageMakerCanvas", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessCreateApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:CreateApplication", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:ListApplications", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessApplicationOperations", "Effect": "Allow", "Action": [ "emr-serverless:UpdateApplication", "emr-serverless:StopApplication", "emr-serverless:GetApplication", "emr-serverless:StartApplication" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessStartJobRunOperation", "Effect": "Allow", "Action": 
"emr-serverless:StartJobRun", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:ListJobRuns", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessJobRunOperations", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessTagResourceOperation", "Effect": "Allow", "Action": "emr-serverless:TagResource", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "IAMPassOperationForEMRServerless", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
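As an added example that is not part of this AWS documentation page, the following Python script takes three statements copied from the policy above and reports which of them would grant a given action on a given ARN under a constructed request context, which is a quick way to see how the "Canvas"/"canvas" ARN patterns, the "*sagemaker*" bucket patterns and the tag-plus-account condition on kms:DescribeKey actually scope the policy. The account IDs, key ID and ARNs are placeholders, and the evaluator is a deliberately simplified subset of IAM (Allow statements, wildcards and StringEquals only), so it is a reading aid, not an authorisation check.

```python
"""Offline reading aid for how AmazonSageMakerCanvasFullAccess scopes grants.

Added example, not AWS code. Simplified IAM evaluation only: Allow statements,
'*'/'?' wildcards in Action and Resource, and StringEquals conditions with
${aws:PrincipalAccount} substitution. Deny statements, other operators,
resource policies and permission boundaries are out of scope.
"""
import json
import re

# Three statements copied from the managed policy on this page (a subset, so
# actions outside it correctly come back as "not granted here").
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "SageMakerTrainingOperations", "Effect": "Allow",
   "Action": ["sagemaker:CreateTrainingJob", "sagemaker:CreateModel"],
   "Resource": ["arn:aws:sagemaker:*:*:*Canvas*",
                "arn:aws:sagemaker:*:*:*canvas*",
                "arn:aws:sagemaker:*:*:*model-compilation-*"]},
  {"Sid": "S3Operations", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"]},
  {"Sid": "AllowUseOfKeyInAccount", "Effect": "Allow",
   "Action": ["kms:DescribeKey"], "Resource": "*",
   "Condition": {"StringEquals": {
       "aws:ResourceTag/Source": "SageMakerCanvas",
       "aws:ResourceAccount": "${aws:PrincipalAccount}"}}}
]}""")


def _glob(pattern, value):
    """IAM wildcard match: '*' spans any run, '?' one char, rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate StringEquals blocks; any other operator fails closed."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            # Resolve policy variables such as ${aws:PrincipalAccount}
            # from the request context before comparing.
            wanted = [context.get(e[2:-1], "") if e.startswith("${") else e
                      for e in _as_list(expected)]
            if context.get(key) not in wanted:
                return False
    return True


def allowing_statements(policy, action, resource, context):
    """Return Sids of Allow statements granting `action` on `resource`.

    Action names compare case-insensitively, as in IAM; ARN patterns are
    case-sensitive, which is why the policy spells 'sagemaker' three ways.
    """
    sids = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(_glob(a.lower(), action.lower())
                   for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        sids.append(st["Sid"])
    return sids


if __name__ == "__main__":
    # Constructed request contexts and ARNs; the account IDs are placeholders.
    ctx = {"aws:PrincipalAccount": "111122223333",
           "aws:ResourceAccount": "111122223333",
           "aws:ResourceTag/Source": "SageMakerCanvas"}
    cross = {**ctx, "aws:ResourceAccount": "999999999999"}
    for action, arn, c in [
        ("sagemaker:CreateTrainingJob",
         "arn:aws:sagemaker:us-east-1:111122223333:training-job/canvas-demo", ctx),
        ("sagemaker:CreateTrainingJob",
         "arn:aws:sagemaker:us-east-1:111122223333:training-job/nightly-retrain", ctx),
        ("s3:GetObject", "arn:aws:s3:::finance-exports/q3.csv", ctx),
        ("kms:DescribeKey", "arn:aws:kms:us-east-1:999999999999:key/EXAMPLE-KEY-ID", cross),
    ]:
        print(action, arn, "->",
              allowing_statements(POLICY, action, arn, c) or "not granted here")
```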

AWS managed policy: AmazonSageMakerCanvasDataPrepFullAccess

This policy grants permissions that allow full access to the data preparation features of Amazon SageMaker Canvas. The policy also provides least-privilege permissions for the services that integrate with the data preparation features (for example, Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon EMR, Amazon EventBridge, Amazon Redshift, AWS Key Management Service (AWS KMS), and AWS Secrets Manager).

Permissions details

This AWS managed policy includes the following permissions.

  • sagemaker – Allows principals to access processing jobs, training jobs, inference pipelines, AutoML jobs, and feature groups.

  • athena – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.

  • elasticmapreduce – Allows principals to read and list Amazon EMR clusters.

  • emr-serverless – Allows principals to create and manage Amazon EMR Serverless applications and job runs. Also allows principals to tag SageMaker Canvas resources.

  • events – Allows principals to create, read, update, and add targets to Amazon EventBridge rules for scheduled jobs.

  • glue – Allows principals to get and search tables from databases in the AWS Glue catalog.

  • iam – Allows principals to pass IAM roles to Amazon SageMaker, EventBridge, and Amazon EMR Serverless. Also allows principals to create service-linked roles.

  • kms – Allows principals to retrieve the AWS KMS aliases stored in jobs and endpoints and to access the associated KMS keys.

  • logs – Allows principals to publish logs from training jobs and endpoints.

  • redshift – Allows principals to get credentials for accessing Amazon Redshift databases.

  • redshift-data – Allows principals to execute, cancel, describe, list, and get the results of Amazon Redshift queries. Also allows principals to list Amazon Redshift schemas and tables.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name contains "SageMaker", "Sagemaker", or "sagemaker", or that are tagged with "SageMaker" (case-insensitive).

  • secretsmanager – Allows principals to store and retrieve customer database credentials using Secrets Manager.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerListFeatureGroupOperation", "Effect": "Allow", "Action": "sagemaker:ListFeatureGroups", "Resource": "*" }, { "Sid": "SageMakerFeatureGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateFeatureGroup", "sagemaker:DescribeFeatureGroup" ], "Resource": "arn:aws:sagemaker:*:*:feature-group/*" }, { "Sid": "SageMakerProcessingJobOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateProcessingJob", "sagemaker:DescribeProcessingJob", "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*" }, { "Sid": "SageMakerProcessingJobListOperation", "Effect": "Allow", "Action": "sagemaker:ListProcessingJobs", "Resource": "*" }, { "Sid": "SageMakerPipelineOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribePipeline", "sagemaker:CreatePipeline", "sagemaker:UpdatePipeline", "sagemaker:DeletePipeline", "sagemaker:StartPipelineExecution", "sagemaker:ListPipelineExecutionSteps", "sagemaker:DescribePipelineExecution" ], "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*" }, { "Sid": "KMSListOperations", "Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*" }, { "Sid": "KMSOperations", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", 
"Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "IAMListOperations", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "sagemaker.amazonaws.com", "events.amazonaws.com" ] } } }, { "Sid": "EventBridgePutOperation", "Effect": "Allow", "Action": [ "events:PutRule" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeOperations", "Effect": "Allow", "Action": [ "events:DescribeRule", "events:PutTargets" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeTagBasedOperations", "Effect": "Allow", "Action": [ "events:TagResource" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true", "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeListTagOperation", "Effect": "Allow", "Action": "events:ListTagsForResource", "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:SearchTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "EMROperations", "Effect": "Allow", "Action": [ "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups" ], "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*" }, { "Sid": "EMRListOperation", "Effect": "Allow", "Action": "elasticmapreduce:ListClusters", "Resource": "*" }, { "Sid": "AthenaListDataCatalogOperation", "Effect": 
"Allow", "Action": "athena:ListDataCatalogs", "Resource": "*" }, { "Sid": "AthenaQueryExecutionOperations", "Effect": "Allow", "Action": [ "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": "arn:aws:athena:*:*:workgroup/*" }, { "Sid": "AthenaDataCatalogOperations", "Effect": "Allow", "Action": [ "athena:ListDatabases", "athena:ListTableMetadata" ], "Resource": "arn:aws:athena:*:*:datacatalog/*" }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult" ], "Resource": "*" }, { "Sid": "RedshiftArnBasedOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": "arn:aws:redshift:*:*:cluster:*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": "redshift:GetClusterCredentials", "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": "secretsmanager:CreateSecret", "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*", "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*" }, { "Sid": "EMRServerlessCreateApplicationOperation", "Effect": "Allow", "Action": 
"emr-serverless:CreateApplication", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:ListApplications", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessApplicationOperations", "Effect": "Allow", "Action": [ "emr-serverless:UpdateApplication", "emr-serverless:GetApplication" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessStartJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:StartJobRun", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:ListJobRuns", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessJobRunOperations", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessTagResourceOperation", "Effect": "Allow", "Action": "emr-serverless:TagResource", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { 
"aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "IAMPassOperationForEMRServerless", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }

AWS managed policy: AmazonSageMakerCanvasDirectDeployAccess

This policy grants the permissions that Amazon SageMaker Canvas needs to create and manage Amazon SageMaker endpoints.

Permissions details

This AWS managed policy includes the following permissions.

  • sagemaker – Allows principals to create and manage endpoints for SageMaker resources whose ARN name begins with "Canvas" or "canvas".

  • cloudwatch – Allows principals to retrieve Amazon CloudWatch metric data.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerEndpointPerms", "Effect": "Allow", "Action": [ "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:DeleteEndpoint", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpoint" ], "Resource": [ "arn:aws:sagemaker:*:*:Canvas*", "arn:aws:sagemaker:*:*:canvas*" ] }, { "Sid": "ReadCWInvocationMetrics", "Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*" } ] }

AWS managed policy: AmazonSageMakerCanvasAIServicesAccess

This policy grants Amazon SageMaker Canvas permission to use Amazon Textract, Amazon Rekognition, Amazon Comprehend, and Amazon Bedrock.

Permissions details

This AWS managed policy includes the following permissions.

  • textract – Allows principals to use Amazon Textract to detect documents, expenses, and identity documents in images.

  • rekognition – Allows principals to use Amazon Rekognition to detect labels and text in images.

  • comprehend – Allows principals to use Amazon Comprehend to detect sentiment, dominant language, and named and personally identifiable information (PII) entities in text documents.

  • bedrock – Allows principals to use Amazon Bedrock to list and invoke foundation models.

  • iam – Allows principals to pass IAM roles to Amazon Bedrock.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Textract", "Effect": "Allow", "Action": [ "textract:AnalyzeDocument", "textract:AnalyzeExpense", "textract:AnalyzeID", "textract:StartDocumentAnalysis", "textract:StartExpenseAnalysis", "textract:GetDocumentAnalysis", "textract:GetExpenseAnalysis" ], "Resource": "*" }, { "Sid": "Rekognition", "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectText" ], "Resource": "*" }, { "Sid": "Comprehend", "Effect": "Allow", "Action": [ "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectEntities", "comprehend:BatchDetectSentiment", "comprehend:DetectPiiEntities", "comprehend:DetectEntities", "comprehend:DetectSentiment", "comprehend:DetectDominantLanguage" ], "Resource": "*" }, { "Sid": "Bedrock", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:ListFoundationModels", "bedrock:InvokeModelWithResponseStream" ], "Resource": "*" }, { "Sid": "CreateBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob", "bedrock:CreateProvisionedModelThroughput", "bedrock:TagResource" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": [ "SageMaker", "Canvas" ] }, "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:RequestTag/Canvas": "true", "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "GetStopAndDeleteBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:GetModelCustomizationJob", "bedrock:GetCustomModel", "bedrock:GetProvisionedModelThroughput", "bedrock:StopModelCustomizationJob", "bedrock:DeleteProvisionedModelThroughput" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": 
"true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "FoundationModelPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:*::foundation-model/*" ] }, { "Sid": "BedrockFineTuningPassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } } ] }

AWS managed policy: AmazonSageMakerCanvasBedrockAccess

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Bedrock.

Permissions details

This AWS managed policy includes the following permissions.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets within the "sagemaker-*/Canvas" directory.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "S3CanvasAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/Canvas/*" ] }, { "Sid": "S3BucketAccess", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] }

AWS managed policy: AmazonSageMakerCanvasForecastAccess

This policy grants the permissions commonly needed to use Amazon SageMaker Canvas with Amazon Forecast.

Permissions details

This AWS managed policy includes the following permissions.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name begins with "sagemaker-".

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/canvas" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] }

AWS managed policy: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy

This policy grants the Amazon EMR Serverless applications that SageMaker Canvas uses for large-scale data processing access to AWS services such as Amazon S3.

Permissions details

This AWS managed policy includes the following permissions.

  • s3 – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name contains "SageMaker" or "sagemaker", or that are tagged with "SageMaker" (case-insensitive).

{ "Version": "2012-10-17", "Statement": [ { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }

Amazon SageMaker updates to Amazon SageMaker Canvas managed policies

View details about updates to the AWS managed policies for SageMaker Canvas since this service began tracking these changes.

| Policy | Version | Change | Date |
| --- | --- | --- | --- |
| AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy | 4 | Added resources to the IAMPassOperationForEMRServerless permission. | August 16, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 11 | Added resources to the IAMPassOperationForEMRServerless permission. | August 15, 2024 |
| AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy – New policy | 1 | Initial policy | July 26, 2024 |
| AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy | 3 | Added the emr-serverless:CreateApplication, emr-serverless:ListApplications, emr-serverless:UpdateApplication, emr-serverless:GetApplication, emr-serverless:StartJobRun, emr-serverless:ListJobRuns, emr-serverless:GetJobRun, emr-serverless:CancelJobRun, and emr-serverless:TagResource permissions. | July 18, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 10 | Added the application-autoscaling:DescribeScalingActivities, iam:PassRole, kms:DescribeKey, and quicksight:ListNamespaces permissions. Added the sagemaker:CreateTrainingJob, sagemaker:CreateTransformJob, sagemaker:DescribeTrainingJob, sagemaker:DescribeTransformJob, sagemaker:StopAutoMLJob, sagemaker:StopTrainingJob, and sagemaker:StopTransformJob permissions. Added the athena:ListTableMetadata, athena:ListDataCatalogs, and athena:ListDatabases permissions. Added the glue:GetDatabases, glue:GetPartitions, and glue:GetTables permissions. Added the emr-serverless:CreateApplication, emr-serverless:ListApplications, emr-serverless:UpdateApplication, emr-serverless:StopApplication, emr-serverless:GetApplication, emr-serverless:StartApplication, emr-serverless:StartJobRun, emr-serverless:ListJobRuns, emr-serverless:GetJobRun, emr-serverless:CancelJobRun, and emr-serverless:TagResource permissions. | July 9, 2024 |
| AmazonSageMakerCanvasBedrockAccess – New policy | 1 | Initial policy | February 2, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 9 | Added the sagemaker:ListEndpoints permission. | January 24, 2024 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 8 | Added the sagemaker:UpdateEndpointWeightsAndCapacities, sagemaker:DescribeEndpointConfig, sagemaker:InvokeEndpointAsync, athena:ListDataCatalogs, athena:GetQueryExecution, athena:GetQueryResults, athena:StartQueryExecution, athena:StopQueryExecution, athena:ListDatabases, cloudwatch:DescribeAlarms, cloudwatch:PutMetricAlarm, cloudwatch:DeleteAlarms, and iam:CreateServiceLinkedRole permissions. | December 8, 2023 |
| AmazonSageMakerCanvasDataPrepFullAccess – Update to an existing policy | 2 | Minor update to enforce the intent of the previous policy version 1; no permissions were added or removed. | December 7, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – Update to an existing policy | 3 | Added the bedrock:InvokeModelWithResponseStream, bedrock:GetModelCustomizationJob, bedrock:StopModelCustomizationJob, bedrock:GetCustomModel, bedrock:GetProvisionedModelThroughput, bedrock:DeleteProvisionedModelThroughput, bedrock:TagResource, bedrock:CreateModelCustomizationJob, bedrock:CreateProvisionedModelThroughput, and iam:PassRole permissions. | November 29, 2023 |
| AmazonSageMakerCanvasDataPrepFullAccess – New policy | 1 | Initial policy | October 26, 2023 |
| AmazonSageMakerCanvasDirectDeployAccess – New policy | 1 | Initial policy | October 6, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 7 | Added the sagemaker:DeleteEndpointConfig, sagemaker:DeleteModel, and sagemaker:InvokeEndpoint permissions. Also added the s3:GetObject permission for JumpStart resources in specific Regions. | September 29, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – Update to an existing policy | 2 | Added the bedrock:InvokeModel and bedrock:ListFoundationModels permissions. | September 29, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 6 | Added the rds:DescribeDBInstances permission. | August 29, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 5 | Added the application-autoscaling:PutScalingPolicy and application-autoscaling:RegisterScalableTarget permissions. | July 24, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 4 | Added the sagemaker:CreateModelPackage, sagemaker:CreateModelPackageGroup, sagemaker:DescribeModelPackage, sagemaker:DescribeModelPackageGroup, sagemaker:ListModelPackages, and sagemaker:ListModelPackageGroups permissions. | May 4, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 3 | Added the sagemaker:CreateAutoMLJobV2, sagemaker:DescribeAutoMLJobV2, and glue:SearchTables permissions. | March 24, 2023 |
| AmazonSageMakerCanvasAIServicesAccess – New policy | 1 | Initial policy | March 23, 2023 |
| AmazonSageMakerCanvasFullAccess – Update to an existing policy | 2 | Added the forecast:DeleteResourceTree permission. | December 6, 2022 |
| AmazonSageMakerCanvasFullAccess – New policy | 1 | Initial policy | September 8, 2022 |
| AmazonSageMakerCanvasForecastAccess – New policy | 1 | Initial policy | August 24, 2022 |