AWS managed policies for Amazon SageMaker - Amazon SageMaker

This article is a machine-translated version of the English original. Where the content is ambiguous or inconsistent, the English version prevails.


To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that give your team only the permissions it needs. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You cannot change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates will not break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

Important

We recommend that you use the most restrictive policy that still allows your use case.

The following AWS managed policies, which you can attach to users in your account, are specific to Amazon SageMaker:

  • AmazonSageMakerFullAccess – Grants full access to Amazon SageMaker and SageMaker geospatial resources and the supporting operations. This does not provide unrestricted Amazon S3 access: object access is limited to buckets and keys whose ARN contains SageMaker, Sagemaker, sagemaker or aws-glue, and to objects that carry a SageMaker=true tag. The policy allows any IAM role to be passed to Amazon SageMaker, but only roles whose name contains "AmazonSageMaker" may be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services.

  • AmazonSageMakerReadOnly – Grants read-only access to Amazon SageMaker resources.

The following AWS managed policies can also be attached to users in your account, but are not recommended:

  • AdministratorAccess – Grants all actions on all AWS services and all resources in the account.

  • DataScientist – Grants a wide range of permissions to cover most of the use cases that data scientists encounter (primarily analytics and business intelligence).

You can review these permissions policies by signing in to the IAM console and searching for them by name.

You can also create your own custom IAM policies that allow exactly the Amazon SageMaker actions and resources you need, and attach those custom policies to the users or groups that require them.

AWS managed policy: AmazonSageMakerFullAccess

This policy grants administrative permissions that allow a principal full access to Amazon SageMaker and SageMaker geospatial resources and operations, plus selected access to related services. It allows any IAM role to be passed to Amazon SageMaker (the AllowPassRoleToSageMaker statement has no role-name restriction), but only roles whose name contains "AmazonSageMaker" may be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. The policy does not include permission to create an Amazon SageMaker domain: the sagemaker:* grant excludes domain, user-profile, app, space and flow-definition resources through a NotResource element, and those resource types are covered by narrower statements. For the policy required to create a domain, see Amazon SageMaker Prerequisites.

Permissions details

This policy includes the following permissions.
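To see how the scoping described above actually behaves, the following is an added example (not AWS code and not part of this page's original content) that runs a minimal IAM-style evaluation over five statements copied from the policy text shown further down on this page. Everything else is an assumption: the evaluator itself, the account ID 111122223333, and the role, bucket and key names in the requests are made up for illustration. The evaluator handles only Allow statements, Action, Resource/NotResource and the StringEquals, StringEqualsIgnoreCase and Null operators, which is all the excerpt needs; real IAM also evaluates explicit Deny statements, other attached identity policies, resource policies, permission boundaries and SCPs.

```python
"""Minimal IAM-style evaluator run over statements copied from the
AmazonSageMakerFullAccess text on this page. Added example, not AWS code.
Supports Allow statements, Action, Resource/NotResource and the
StringEquals / StringEqualsIgnoreCase / Null operators only."""
import re

# Five statements copied (in content) from the policy document on this page.
POLICY_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAllNonAdminSageMakerActions", "Effect": "Allow",
     "Action": ["sagemaker:*", "sagemaker-geospatial:*"],
     "NotResource": ["arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*",
                     "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:space/*",
                     "arn:aws:sagemaker:*:*:flow-definition/*"]},
    {"Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
     "Condition": {"StringEquals": {"iam:PassedToService": [
         "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
    {"Sid": "AllowPassRoleToSageMaker", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    {"Sid": "AllowS3ObjectActions", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                  "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
    {"Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::*"],
     "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}},
]}


def _glob(pattern, value):
    """IAM wildcard match: '*' is any run, '?' one character; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, wanted = context.get(key), _as_list(wanted)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringEqualsIgnoreCase":
                ok = actual is not None and actual.lower() in [w.lower() for w in wanted]
            elif operator == "Null":          # "true" means the key must be absent
                ok = (actual is None) == (wanted[0] == "true")
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Sid of the first Allow statement matching the request, else None
    (an implicit deny, since the excerpt contains no Deny statements)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if "Resource" in stmt and not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "NotResource" in stmt and any(_glob(r, resource) for r in _as_list(stmt["NotResource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt.get("Sid")
    return None


# Constructed requests; the account ID, role names, bucket and key names are hypothetical.
ACCT = "111122223333"
CHECKS = [
    ("sagemaker:CreateDomain", f"arn:aws:sagemaker:us-east-1:{ACCT}:domain/d-example", {}),
    ("sagemaker:CreateTrainingJob", f"arn:aws:sagemaker:us-east-1:{ACCT}:training-job/job1", {}),
    ("iam:PassRole", f"arn:aws:iam::{ACCT}:role/AdminRole", {"iam:PassedToService": "sagemaker.amazonaws.com"}),
    ("iam:PassRole", f"arn:aws:iam::{ACCT}:role/AdminRole", {"iam:PassedToService": "glue.amazonaws.com"}),
    ("iam:PassRole", f"arn:aws:iam::{ACCT}:role/AmazonSageMaker-GlueRole", {"iam:PassedToService": "glue.amazonaws.com"}),
    ("s3:GetObject", "arn:aws:s3:::team-sagemaker-data/train.csv", {}),
    ("s3:GetObject", "arn:aws:s3:::team-data/SAGEMAKER/train.csv", {}),       # wrong case, no tag
    ("s3:GetObject", "arn:aws:s3:::team-data/train.csv", {"s3:ExistingObjectTag/SageMaker": "True"}),
    ("s3:PutObject", "arn:aws:s3:::team-data/train.csv", {"s3:ExistingObjectTag/SageMaker": "true"}),
]


def run_checks(policy=POLICY_EXCERPT):
    return [evaluate(policy, a, r, c) for a, r, c in CHECKS]


if __name__ == "__main__":
    for (action, resource, _), sid in zip(CHECKS, run_checks()):
        print(f"{action:28} {resource:62} -> {sid or 'implicit deny'}")
```

Three things the output makes concrete. First, domain creation is denied even though the policy grants sagemaker:*, because the NotResource element carves domains out; a training job on the same account is allowed. Second, the only restriction on passing a role to sagemaker.amazonaws.com is the condition key, not the role name, so the remaining control is each role's trust policy: audit which roles in the account trust sagemaker.amazonaws.com before handing this policy to a broad group. Third, ARN matching is case-sensitive, which is why the policy lists three spellings of the name pattern and why the tag-based statement (which compares its value case-insensitively) is the safer way to scope data buckets that do not carry the name.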

  • application-autoscaling – Allows principals to auto-scale SageMaker real-time inference endpoints.

  • athena – Allows principals to query lists of data catalogs, databases, and table metadata from Amazon Athena, and to start, stop, and read the results of query executions.

  • aws-marketplace – Allows principals to view AWS AI Marketplace subscriptions. Required if you want to use SageMaker software you have subscribed to in AWS Marketplace.

  • cloudformation – Allows principals to get AWS CloudFormation templates for SageMaker JumpStart solutions and pipelines. SageMaker JumpStart creates the resources needed to run end-to-end machine learning solutions that tie SageMaker to other AWS services. SageMaker Pipelines creates new projects backed by Service Catalog.

  • cloudwatch – Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.

  • codebuild – Allows principals to start and inspect AWS CodeBuild builds for SageMaker pipelines and projects (limited to CodeBuild projects whose name starts with sagemaker).

  • codecommit – Required for AWS CodeCommit integration with SageMaker notebook instances. Git pull and push are limited to repositories whose name contains sagemaker, SageMaker, or Sagemaker.

  • cognito-idp – Required for Amazon SageMaker Ground Truth to define private workforces and work teams.

  • ec2 – Required to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for your SageMaker jobs, models, endpoints, and notebook instances.

  • ecr – Required to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. Also required to bring your own container to SageMaker. Push and delete actions are limited to ECR repositories whose name contains sagemaker. Additional permissions for SageMaker JumpStart solutions are needed to create and remove custom images on behalf of users.

  • elastic-inference – Allows principals to connect to Amazon Elastic Inference for use with SageMaker notebook instances and endpoints.

  • elasticfilesystem – Allows principals to describe Amazon Elastic File System file systems and mount targets. Required for SageMaker to train machine learning models using data sources in Amazon Elastic File System.

  • fsx – Allows principals to describe Amazon FSx file systems. Required for SageMaker to train machine learning models using data sources in Amazon FSx.

  • glue – Required for inference pipeline preprocessing from within SageMaker notebook instances. Table creation and deletion are limited to sagemaker_tmp_* tables and the sagemaker_featurestore database.

  • groundtruthlabeling – Used for Ground Truth labeling jobs. The groundtruthlabeling endpoint is accessed by the Ground Truth console.

  • iam – Required to give the SageMaker console access to available IAM roles and to create service-linked roles (for SageMaker endpoint auto scaling and for RoboMaker).

  • kms – Required for the SageMaker console to access the available AWS KMS keys and to retrieve the key for any AWS KMS alias specified in jobs and endpoints.

  • lambda – Allows principals to list AWS Lambda functions and to invoke functions whose name contains SageMaker, sagemaker, Sagemaker, or LabelingFunction.

  • logs – Required for SageMaker jobs and endpoints to publish log streams.

  • redshift – Allows principals to get Amazon Redshift cluster credentials, limited to database users whose name starts with sagemaker_access.

  • redshift-data – Allows principals to execute, describe, and cancel statements against data in Amazon Redshift, get statement results, and list schemas and tables.

  • robomaker – Allows principals to create, describe, and delete AWS RoboMaker simulation applications and jobs. Also required to run the reinforcement learning examples on notebook instances.

  • s3, s3express – Allows principals full access to Amazon S3 and Amazon S3 Express resources related to SageMaker (names containing SageMaker, Sagemaker, sagemaker, or aws-glue, or objects tagged SageMaker=true), but not to all Amazon S3 or Amazon S3 Express resources.

  • sagemaker – Allows principals to list tags on SageMaker user profiles and to add tags to SageMaker apps and spaces. Access to SageMaker flow definitions is allowed only for a WorkteamType of private-crowd or vendor-crowd.

  • sagemaker-geospatial – Grants sagemaker-geospatial:* under the same NotResource exclusions as sagemaker:*. Read-only Describe and List access to SageMaker domains and user profiles is granted separately under the sagemaker prefix by the AllowStudioActions statement.

  • secretsmanager – Allows principals to list secrets, to create, describe, and read secrets whose name starts with AmazonSageMaker-, and to read secrets tagged SageMaker=true. Principals can securely encrypt, store, and retrieve credentials for databases and other services. Also required for SageMaker notebook instances that have a SageMaker code repository backed by GitHub.

  • servicecatalog – Allows principals to use Service Catalog. Principals can provision, list, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed using AWS resources. Required for SageMaker JumpStart and Projects to find and read Service Catalog products and launch AWS resources in users' accounts.

  • sns – Allows principals to get a list of Amazon SNS topics and to create, subscribe to, and publish on topics whose name contains SageMaker, Sagemaker, or sagemaker. Required for endpoints with asynchronous inference enabled, which notify users when an inference is complete.

  • states – Required for SageMaker JumpStart and Pipelines to create Step Functions resources through Service Catalog. Limited to state machines and executions whose name contains sagemaker.

  • tag – Required to render SageMaker pipelines in Studio Classic. Studio Classic requires resources tagged with the sagemaker:project-id tag key. This action requires the tag:GetResources permission.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": ["sagemaker:*", "sagemaker-geospatial:*"],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": ["sagemaker:AddTags"],
      "Resource": ["arn:aws:sagemaker:*:*:space/*"],
      "Condition": {"StringEquals": {"sagemaker:TaggingAction": "CreateSpace"}}
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": ["sagemaker:AddTags"],
      "Resource": ["arn:aws:sagemaker:*:*:app/*"]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile", "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace", "sagemaker:ListSpaces",
        "sagemaker:DescribeApp", "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": ["sagemaker:CreateApp", "sagemaker:DeleteApp"],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": {"Null": {"sagemaker:OwnerUserProfileArn": "true"}}
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": ["sagemaker:CreateApp", "sagemaker:DeleteApp"],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {"StringEquals": {"sagemaker:SpaceSharingType": ["Shared"]}}
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": ["sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace"],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {"Null": {"sagemaker:OwnerUserProfileArn": "true"}}
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": ["sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace"],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {"sagemaker:SpaceSharingType": ["Private", "Shared"]}
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": ["sagemaker:CreateApp", "sagemaker:DeleteApp"],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {"sagemaker:SpaceSharingType": ["Private"]}
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": ["arn:aws:sagemaker:*:*:flow-definition/*"],
      "Condition": {"StringEqualsIfExists": {"sagemaker:WorkteamType": ["private-crowd", "vendor-crowd"]}}
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction", "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories", "codecommit:CreateRepository", "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup", "cognito-idp:AdminCreateUser", "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser", "cognito-idp:AdminEnableUser", "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup", "cognito-idp:CreateUserPool", "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*", "cognito-idp:UpdateUserPool", "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CreateRepository", "ecr:Describe*",
        "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:StartImageScan",
        "elastic-inference:Connect",
        "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob", "glue:DeleteJob", "glue:GetJob*", "glue:GetTable*", "glue:GetWorkflowRun",
        "glue:ResetJobBookmark", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey", "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery",
        "logs:Describe*", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:ListLogDeliveries",
        "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication", "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication", "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*", "servicecatalog:List*", "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts", "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy", "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:DeleteRepository", "ecr:PutImage"
      ],
      "Resource": ["arn:aws:ecr:*:*:repository/*sagemaker*"]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": ["codecommit:GitPull", "codecommit:GitPush"],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": ["codebuild:BatchGetBuilds", "codebuild:StartBuild"],
      "Resource": ["arn:aws:codebuild:*:*:project/sagemaker*", "arn:aws:codebuild:*:*:build/*"],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution", "states:GetExecutionHistory", "states:StartExecution",
        "states:StopExecution", "states:UpdateStateMachine"
      ],
      "Resource": ["arn:aws:states:*:*:statemachine:*sagemaker*", "arn:aws:states:*:*:execution:*sagemaker*:*"],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret"],
      "Resource": ["arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
      "Resource": "*",
      "Condition": {"StringEquals": {"secretsmanager:ResourceTag/SageMaker": "true"}}
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": ["servicecatalog:ProvisionProduct"],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": ["servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct"],
      "Resource": "*",
      "Condition": {"StringEquals": {"servicecatalog:userLevel": "self"}}
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::*"],
      "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::*"],
      "Condition": {"StringEquals": {"s3:ExistingObjectTag/servicecatalog:provisioning": "true"}}
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets",
        "s3:GetBucketCors", "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": ["s3:GetBucketAcl", "s3:PutObjectAcl"],
      "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*"]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": ["lambda:InvokeFunction"],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {"StringLike": {"iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"}}
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {"StringEquals": {"iam:AWSServiceName": "robomaker.amazonaws.com"}}
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": ["sns:Subscribe", "sns:CreateTopic", "sns:Publish"],
      "Resource": ["arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*", "arn:aws:sns:*:*:*sagemaker*"]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListTableMetadata",
        "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": ["glue:CreateTable"],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": ["glue:UpdateTable"],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": ["glue:DeleteTable"],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": ["glue:GetDatabases", "glue:GetTable", "glue:GetTables"],
      "Resource": ["arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*"]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": ["glue:CreateDatabase", "glue:GetDatabase"],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": ["redshift:GetClusterCredentials"],
      "Resource": ["arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*"]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": ["sagemaker:ListTags"],
      "Resource": ["arn:aws:sagemaker:*:*:user-profile/*"]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": ["cloudformation:ListStackResources"],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": ["s3express:CreateSession"],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": ["s3express:CreateBucket"],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": ["s3express:ListAllMyDirectoryBuckets"],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AmazonSageMakerReadOnly

This policy grants read-only access to Amazon SageMaker through the AWS Management Console and the SDK.

Permissions details

This policy includes the following permissions.

  • application-autoscaling – Allows users to browse descriptions of scalable SageMaker real-time inference endpoints.

  • aws-marketplace – Allows users to view AWS AI Marketplace subscriptions.

  • cloudwatch – Allows users to view CloudWatch alarms.

  • cognito-idp – Required for Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.

  • ecr – Used to read descriptions of Docker artifacts for training and inference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Describe*", "sagemaker:List*", "sagemaker:BatchGetMetrics",
        "sagemaker:GetDeviceRegistration", "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetSearchSuggestions", "sagemaker:BatchGetRecord", "sagemaker:GetRecord",
        "sagemaker:Search", "sagemaker:QueryLineage", "sagemaker:GetLineageGroupPolicy",
        "sagemaker:BatchDescribeModelPackage", "sagemaker:GetModelPackageGroupPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions",
        "aws-marketplace:ViewSubscriptions",
        "cloudwatch:DescribeAlarms",
        "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools",
        "cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup",
        "ecr:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

SageMaker updates to AWS managed policies

View details about updates to AWS managed policies for SageMaker since this service began tracking these changes.

| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerFullAccess - Update to an existing policy | 26 | Added the sagemaker:AddTags permission. | March 29, 2024 |
| AmazonSageMakerFullAccess - Update to an existing policy | 25 | Added the sagemaker:CreateApp, sagemaker:DescribeApp, sagemaker:DeleteApp, sagemaker:CreateSpace, sagemaker:UpdateSpace, sagemaker:DeleteSpace, s3express:CreateSession, s3express:CreateBucket, and s3express:ListAllMyDirectoryBuckets permissions. | November 30, 2023 |
| AmazonSageMakerFullAccess - Update to an existing policy | 24 | Added the sagemaker-geospatial:*, sagemaker:AddTags, sagemaker:ListTags, sagemaker:DescribeSpace, and sagemaker:ListSpaces permissions. | November 30, 2022 |
| AmazonSageMakerFullAccess - Update to an existing policy | 23 | Added glue:UpdateTable. | June 29, 2022 |
| AmazonSageMakerFullAccess - Update to an existing policy | 22 | Added cloudformation:ListStackResources. | May 1, 2022 |
| AmazonSageMakerReadOnly - Update to an existing policy | 11 | Added the sagemaker:QueryLineage, sagemaker:GetLineageGroupPolicy, sagemaker:BatchDescribeModelPackage, and sagemaker:GetModelPackageGroupPolicy permissions. | December 1, 2021 |
| AmazonSageMakerFullAccess - Update to an existing policy | 21 | Added the sns:Publish permission for endpoints with asynchronous inference enabled. | September 8, 2021 |
| AmazonSageMakerFullAccess - Update to an existing policy | 20 | Updated the iam:PassRole resources and permissions. | July 15, 2021 |
| AmazonSageMakerReadOnly - Update to an existing policy | 10 | Added the new SageMaker Feature Store API BatchGetRecord. | June 10, 2021 |
| SageMaker started tracking changes for its AWS managed policies. | | | June 1, 2021 |
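Because a managed-policy update lands on every identity the policy is attached to, the practical check after each row in the table above is to diff the two policy versions and see exactly which (action, resource, condition) grants appeared. The script below is an added example, not AWS tooling. The two documents embedded in it are constructed excerpts modelled on the v25 to v26 change listed above (sagemaker:AddTags added), not the full policy text; the boto3 fetch at the end is the only part that needs AWS credentials, and it is imported lazily so the offline part runs without boto3 installed. IAM version IDs carry a "v" prefix (v25, v26), unlike the bare numbers in the table.

```python
"""Diff two versions of an AWS managed policy to see what an update silently
granted to every identity it is attached to. Added example, not AWS tooling."""
import json

# Constructed excerpts modelled on the v25 -> v26 change in the table (not full policy text).
OLD_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowStudioActions", "Effect": "Allow",
     "Action": ["sagemaker:DescribeSpace", "sagemaker:ListSpaces"], "Resource": "*"},
]}

NEW_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowStudioActions", "Effect": "Allow",
     "Action": ["sagemaker:DescribeSpace", "sagemaker:ListSpaces"], "Resource": "*"},
    {"Sid": "AllowAddTagsForSpace", "Effect": "Allow", "Action": ["sagemaker:AddTags"],
     "Resource": ["arn:aws:sagemaker:*:*:space/*"],
     "Condition": {"StringEquals": {"sagemaker:TaggingAction": "CreateSpace"}}},
    {"Sid": "AllowAddTagsForApp", "Effect": "Allow", "Action": ["sagemaker:AddTags"],
     "Resource": ["arn:aws:sagemaker:*:*:app/*"]},
]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def grants(policy):
    """Flatten a policy into (effect, action, resource, condition) tuples.
    Sids are ignored on purpose: AWS may rename or split statements without
    changing what they allow, and only the grants matter for review."""
    out = set()
    for stmt in policy["Statement"]:
        resources = [("Resource", r) for r in _as_list(stmt.get("Resource", []))]
        resources += [("NotResource", r) for r in _as_list(stmt.get("NotResource", []))]
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in _as_list(stmt["Action"]):
            for kind, res in resources:
                out.add((stmt["Effect"], action, f"{kind}={res}", cond))
    return out


def diff_policies(old, new):
    """Return (added, removed) grant sets. AWS states it does not remove
    permissions from managed policies, so a non-empty 'removed' set deserves
    a second look: usually a statement was re-scoped rather than dropped."""
    old_g, new_g = grants(old), grants(new)
    return new_g - old_g, old_g - new_g


def added_actions(old, new):
    """Just the newly granted action names, sorted, for a quick skim."""
    added, _ = diff_policies(old, new)
    return sorted({action for _, action, _, _ in added})


def fetch_versions(policy_arn, old_version, new_version):
    """Pull two versions from IAM (needs credentials; boto3 imported lazily).
    get_policy_version returns the document already URL-decoded as a dict."""
    import boto3
    iam = boto3.client("iam")

    def doc(version_id):
        return iam.get_policy_version(PolicyArn=policy_arn,
                                      VersionId=version_id)["PolicyVersion"]["Document"]
    return doc(old_version), doc(new_version)


if __name__ == "__main__":
    added, removed = diff_policies(OLD_EXCERPT, NEW_EXCERPT)
    for g in sorted(added):
        print("ADDED  ", g)
    for g in sorted(removed):
        print("REMOVED", g)
    # Live use for the v26 row above (requires IAM read permissions):
    # old, new = fetch_versions("arn:aws:iam::aws:policy/AmazonSageMakerFullAccess", "v25", "v26")
    # print(added_actions(old, new))
```

Run this against the real policy ARN after each row in the table to confirm that the change notice matches the grants, and wire the same diff into whatever alerts on the IAM "CreatePolicyVersion" event for AWS-owned policies in your environment.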