本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
這些 AWS 受管政策會新增使用 SageMaker Notebooks 所需的許可。這些政策可在您的帳戶中使用, AWS 並由從 SageMaker AI 主控台建立的執行角色使用。
AWS
受管政策:AmazonSageMakerNotebooksServiceRolePolicy
此 AWS 受管政策會授予使用 Amazon SageMaker Notebooks 時通常需要的許可。政策會新增至您加入 Amazon SageMaker Studio Classic 時建立AWSServiceRoleForAmazonSageMakerNotebooks的 。如需關於服務連結角色詳細資訊,請參閱服務連結角色。如需詳細資訊,請參閱 AmazonSageMakerNotebooksServiceRolePolicy
許可詳細資訊
此政策包含以下許可。
-
elasticfilesystem- 讓主體建立和刪除 Amazon Elastic File System (EFS) 檔案系統、存取點和掛載目標。僅限於標記了 ManagedByAmazonSageMakerResource 的金鑰。讓主體描述所有 EFS 檔案系統、存取點和掛載目標。讓主體建立或覆寫 EFS 存取點和裝載目標的標籤。 -
ec2- 讓主體為 Amazon Elastic Compute Cloud (EC2) 執行個體建立網路介面和安全群組。也讓主體建立和覆寫這些資源的標籤。 -
sso- 讓主體將受管執行個體新增至 AWS IAM Identity Center中並刪除。 -
sagemaker– 允許主體建立和讀取 SageMaker AI 使用者設定檔和 SageMaker AI 空間;刪除 SageMaker AI 空間和 SageMaker AI 應用程式;以及新增和列出標籤。 -
fsx– 允許主體描述 Amazon FSx for Lustre 檔案系統,並使用中繼資料將其掛載到筆記本上。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowFSxDescribe",
"Effect": "Allow",
"Action": [
"fsx:DescribeFileSystems",
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "AllowSageMakerDeleteApp",
"Effect": "Allow",
"Action": [
"sagemaker:DeleteApp"
],
"Resource": "arn:aws:sagemaker:*:*:app/*"
},
{
"Sid": "AllowEFSAccessPointCreation",
"Effect": "Allow",
"Action": "elasticfilesystem:CreateAccessPoint",
"Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*",
"aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEFSAccessPointDeletion",
"Effect": "Allow",
"Action": [
"elasticfilesystem:DeleteAccessPoint"
],
"Resource": "arn:aws:elasticfilesystem:*:*:access-point/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEFSCreation",
"Effect": "Allow",
"Action": "elasticfilesystem:CreateFileSystem",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEFSMountWithDeletion",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteMountTarget"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEFSDescribe",
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets"
],
"Resource": "*"
},
{
"Sid": "AllowEFSTagging",
"Effect": "Allow",
"Action": "elasticfilesystem:TagResource",
"Resource": [
"arn:aws:elasticfilesystem:*:*:access-point/*",
"arn:aws:elasticfilesystem:*:*:file-system/*"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowEC2Tagging",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*"
]
},
{
"Sid": "AllowEC2Operations",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:ModifyNetworkInterfaceAttribute"
],
"Resource": "*"
},
{
"Sid": "AllowEC2AuthZ",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterfacePermission",
"ec2:DeleteNetworkInterfacePermission",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*"
}
}
},
{
"Sid": "AllowIdcOperations",
"Effect": "Allow",
"Action": [
"sso:CreateManagedApplicationInstance",
"sso:DeleteManagedApplicationInstance",
"sso:GetManagedApplicationInstance"
],
"Resource": "*"
},
{
"Sid": "AllowSagemakerProfileCreation",
"Effect": "Allow",
"Action": [
"sagemaker:CreateUserProfile",
"sagemaker:DescribeUserProfile"
],
"Resource": "*"
},
{
"Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces",
"Effect": "Allow",
"Action": [
"sagemaker:CreateSpace",
"sagemaker:DescribeSpace",
"sagemaker:DeleteSpace",
"sagemaker:ListTags"
],
"Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*"
},
{
"Sid": "AllowSagemakerAddTagsForAppManagedSpaces",
"Effect": "Allow",
"Action": [
"sagemaker:AddTags"
],
"Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*",
"Condition": {
"StringEquals": {
"sagemaker:TaggingAction": "CreateSpace"
}
}
}
]
}Amazon SageMaker AI 更新至 SageMaker AI 筆記本受管政策
檢視自此服務開始追蹤這些變更以來,Amazon SageMaker AI AWS 受管政策更新的詳細資訊。
| 政策 | 版本 | 變更 | 日期 |
|---|---|---|---|
10 |
新增 |
2024 年 11 月 14 日 | |
9 |
新增 |
2024 年 7 月 24 日 | |
AmazonSageMakerNotebooksServiceRolePolicy - 更新至現有政策 |
8 |
新增 |
2024 年 5 月 22 日 |
AmazonSageMakerNotebooksServiceRolePolicy - 更新至現有政策 |
7 |
新增 |
2023 年 3 月 9 日 |
AmazonSageMakerNotebooksServiceRolePolicy - 更新至現有政策 |
6 |
新增 |
2023 年 1 月 12 日 |
|
SageMaker AI 開始追蹤其 AWS 受管政策的變更。 |
2021 年 6 月 1 日 |
