This is a machine-translated version of the English text; if there is any ambiguity or inconsistency in the content, the English version prevails.
AWS managed policies for Amazon SageMaker
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
Important
We recommend that you use the most restrictive policy that still allows your use case to be performed.
The following AWS managed policies, which you can attach to users in your account, are specific to Amazon SageMaker:
- AmazonSageMakerFullAccess – Grants full access to Amazon SageMaker and SageMaker geospatial resources and the supported operations. This does not provide unrestricted Amazon S3 access, but supports buckets and objects that carry the specific sagemaker tag. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services.
- AmazonSageMakerReadOnly – Grants read-only access to Amazon SageMaker resources.
The following AWS managed policies can be attached to users in your account, but are not recommended:
- AdministratorAccess – Grants all actions for all AWS services and for all resources in the account.
- DataScientist – Grants a wide range of permissions to cover most of the use cases (primarily for analytics and business intelligence) encountered by data scientists.
You can review these permissions policies by signing in to the IAM console and searching for them.
You can also create your own custom IAM policies to allow permissions for Amazon SageMaker actions and resources as you need them. You can attach these custom policies to the users or groups that require them.
Topics
- AWS managed policy: AmazonSageMakerFullAccess
- AWS managed policy: AmazonSageMakerReadOnly
- AWS managed policies for Amazon SageMaker Canvas
- AWS managed policies for Amazon SageMaker Feature Store
- AWS managed policies for Amazon SageMaker geospatial
- AWS managed policies for Amazon SageMaker Ground Truth
- AWS managed policies for Amazon SageMaker HyperPod
- AWS managed policies for SageMaker model governance
- AWS managed policies for the Model Registry
- AWS managed policies for SageMaker notebooks
- AWS managed policies for SageMaker Pipelines
- AWS managed policies for SageMaker Projects and JumpStart
- SageMaker updates to AWS managed policies
AWS managed policy: AmazonSageMakerFullAccess
This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker and SageMaker geospatial resources and operations. The policy also provides select access to related services. This policy allows all IAM roles to be passed to Amazon SageMaker, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. This policy does not include permissions to create an Amazon SageMaker domain. For information about the policy required to create a domain, see Complete Amazon SageMaker prerequisites.
Permissions details
This policy includes the following permissions.
- `application-autoscaling` – Allows principals to automatically scale SageMaker real-time inference endpoints.
- `athena` – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.
- `aws-marketplace` – Allows principals to view AWS AI Marketplace subscriptions. This is required if you want to access software in SageMaker that is subscribed to in AWS Marketplace.
- `cloudformation` – Allows principals to get AWS CloudFormation templates for using SageMaker JumpStart solutions and pipelines. SageMaker JumpStart creates the resources required to run end-to-end machine learning solutions that tie SageMaker together with other AWS services. SageMaker Pipelines creates new projects that are backed by Service Catalog.
- `cloudwatch` – Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.
- `codebuild` – Allows principals to store AWS CodeBuild artifacts for SageMaker Pipelines and projects.
- `codecommit` – Required for AWS CodeCommit integration with SageMaker notebook instances.
- `cognito-idp` – Required for Amazon SageMaker Ground Truth to define private workforces and work teams.
- `ec2` – Required for SageMaker to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for SageMaker jobs, models, endpoints, and notebook instances.
- `ecr` – Required to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. Also required to use your own containers in SageMaker. Additional permissions are required for SageMaker JumpStart solutions to create and remove custom images on behalf of users.
- `elasticfilesystem` – Allows principals to access Amazon Elastic File System. This is required for SageMaker to train machine learning models using data sources in Amazon Elastic File System.
- `fsx` – Allows principals to access Amazon FSx. This is required for SageMaker to train machine learning models using data sources in Amazon FSx.
- `glue` – Required for inference pipeline preprocessing from within SageMaker notebook instances.
- `groundtruthlabeling` – Used for Ground Truth labeling jobs. The groundtruthlabeling endpoint is accessed by the Ground Truth console.
- `iam` – Required to grant the SageMaker console access to the available IAM roles and to create service-linked roles.
- `kms` – Required to grant the SageMaker console access to the available AWS KMS keys and to retrieve them for any AWS KMS alias specified in jobs and endpoints.
- `lambda` – Allows principals to invoke AWS Lambda functions and get a list of them.
- `logs` – Required to allow SageMaker jobs and endpoints to publish log streams.
- `redshift` – Allows principals to access Amazon Redshift cluster credentials.
- `redshift-data` – Allows principals to execute, describe, and cancel statements; get statement results; and list schemas and tables using data from Amazon Redshift.
- `robomaker` – Allows principals full access to create, describe, and delete AWS RoboMaker simulation applications and jobs. Also required to run reinforcement learning examples on notebook instances.
- `s3`, `s3express` – Allows principals full access to the Amazon S3 and Amazon S3 Express resources related to SageMaker, but not access to all of Amazon S3 or Amazon S3 Express.
- `sagemaker` – Allows principals to list tags on SageMaker user profiles and add tags to SageMaker apps and spaces. Only allows access to SageMaker flow definitions whose sagemaker:WorkteamType is "private-crowd" or "vendor-crowd".
- `sagemaker` and `sagemaker-geospatial` – Allows principals read-only access to SageMaker domains and user profiles.
- `secretsmanager` – Allows principals full access to AWS Secrets Manager. Principals can securely encrypt, store, and retrieve credentials for databases and other services. Also required for SageMaker notebook instances with SageMaker code repositories that use GitHub.
- `servicecatalog` – Allows principals to use Service Catalog. Principals can create, get a list of, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed using AWS resources. This is required for SageMaker JumpStart and Projects to find and read Service Catalog products and launch AWS resources in the user's account.
- `sns` – Allows principals to get a list of Amazon SNS topics. This is required for endpoints with asynchronous inference enabled to notify users that their inference has completed.
- `states` – Required to use Service Catalog to create Step Functions resources for SageMaker JumpStart and Pipelines.
- `tag` – Required for SageMaker to render pipelines in Studio Classic. Studio Classic requires resources tagged with the specific tag key sagemaker:project-id. This action requires the tag:GetResources permission.
```json
{ "Version": "2012-10-17", "Statement": [
{ "Sid": "AllowAllNonAdminSageMakerActions", "Effect": "Allow", "Action": [ "sagemaker:*", "sagemaker-geospatial:*" ], "NotResource": [ "arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*", "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:space/*", "arn:aws:sagemaker:*:*:flow-definition/*" ] },
{ "Sid": "AllowAddTagsForSpace", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:space/*" ], "Condition": { "StringEquals": { "sagemaker:TaggingAction": "CreateSpace" } } },
{ "Sid": "AllowAddTagsForApp", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:app/*" ] },
{ "Sid": "AllowStudioActions", "Effect": "Allow", "Action": [ "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:DescribeUserProfile", "sagemaker:ListUserProfiles", "sagemaker:DescribeSpace", "sagemaker:ListSpaces", "sagemaker:DescribeApp", "sagemaker:ListApps" ], "Resource": "*" },
{ "Sid": "AllowAppActionsForUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*", "Condition": { "Null": { "sagemaker:OwnerUserProfileArn": "true" } } },
{ "Sid": "AllowAppActionsForSharedSpaces", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*", "Condition": { "StringEquals": { "sagemaker:SpaceSharingType": [ "Shared" ] } } },
{ "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace" ], "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*", "Condition": { "Null": { "sagemaker:OwnerUserProfileArn": "true" } } },
{ "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace" ], "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*", "Condition": { "ArnLike": { "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" }, "StringEquals": { "sagemaker:SpaceSharingType": [ "Private", "Shared" ] } } },
{ "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*", "Condition": { "ArnLike": { "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" }, "StringEquals": { "sagemaker:SpaceSharingType": [ "Private" ] } } },
{ "Sid": "AllowFlowDefinitionActions", "Effect": "Allow", "Action": "sagemaker:*", "Resource": [ "arn:aws:sagemaker:*:*:flow-definition/*" ], "Condition": { "StringEqualsIfExists": { "sagemaker:WorkteamType": [ "private-crowd", "vendor-crowd" ] } } },
{ "Sid": "AllowAWSServiceActions", "Effect": "Allow", "Action": [
  "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeleteScheduledAction", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScalingPolicy", "application-autoscaling:PutScheduledAction", "application-autoscaling:RegisterScalableTarget",
  "aws-marketplace:ViewSubscriptions", "cloudformation:GetTemplateSummary",
  "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm", "cloudwatch:PutMetricData",
  "codecommit:BatchGetRepositories", "codecommit:CreateRepository", "codecommit:GetRepository", "codecommit:List*",
  "cognito-idp:AdminAddUserToGroup", "cognito-idp:AdminCreateUser", "cognito-idp:AdminDeleteUser", "cognito-idp:AdminDisableUser", "cognito-idp:AdminEnableUser", "cognito-idp:AdminRemoveUserFromGroup", "cognito-idp:CreateGroup", "cognito-idp:CreateUserPool", "cognito-idp:CreateUserPoolClient", "cognito-idp:CreateUserPoolDomain", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:List*", "cognito-idp:UpdateUserPool", "cognito-idp:UpdateUserPoolClient",
  "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:CreateVpcEndpoint", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs",
  "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CreateRepository", "ecr:Describe*", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:StartImageScan",
  "elastic-inference:Connect", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "fsx:DescribeFileSystems",
  "glue:CreateJob", "glue:DeleteJob", "glue:GetJob*", "glue:GetTable*", "glue:GetWorkflowRun", "glue:ResetJobBookmark", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:UpdateJob",
  "groundtruthlabeling:*", "iam:ListRoles", "kms:DescribeKey", "kms:ListAliases", "lambda:ListFunctions",
  "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery", "logs:Describe*", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:ListLogDeliveries", "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery",
  "robomaker:CreateSimulationApplication", "robomaker:DescribeSimulationApplication", "robomaker:DeleteSimulationApplication", "robomaker:CreateSimulationJob", "robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob",
  "secretsmanager:ListSecrets", "servicecatalog:Describe*", "servicecatalog:List*", "servicecatalog:ScanProvisionedProducts", "servicecatalog:SearchProducts", "servicecatalog:SearchProvisionedProducts", "sns:ListTopics", "tag:GetResources" ], "Resource": "*" },
{ "Sid": "AllowECRActions", "Effect": "Allow", "Action": [ "ecr:SetRepositoryPolicy", "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:UploadLayerPart", "ecr:DeleteRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:DeleteRepository", "ecr:PutImage" ], "Resource": [ "arn:aws:ecr:*:*:repository/*sagemaker*" ] },
{ "Sid": "AllowCodeCommitActions", "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush" ], "Resource": [ "arn:aws:codecommit:*:*:*sagemaker*", "arn:aws:codecommit:*:*:*SageMaker*", "arn:aws:codecommit:*:*:*Sagemaker*" ] },
{ "Sid": "AllowCodeBuildActions", "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Resource": [ "arn:aws:codebuild:*:*:project/sagemaker*", "arn:aws:codebuild:*:*:build/*" ], "Effect": "Allow" },
{ "Sid": "AllowStepFunctionsActions", "Action": [ "states:DescribeExecution", "states:GetExecutionHistory", "states:StartExecution", "states:StopExecution", "states:UpdateStateMachine" ], "Resource": [ "arn:aws:states:*:*:statemachine:*sagemaker*", "arn:aws:states:*:*:execution:*sagemaker*:*" ], "Effect": "Allow" },
{ "Sid": "AllowSecretManagerActions", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] },
{ "Sid": "AllowReadOnlySecretManagerActions", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } },
{ "Sid": "AllowServiceCatalogProvisionProduct", "Effect": "Allow", "Action": [ "servicecatalog:ProvisionProduct" ], "Resource": "*" },
{ "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct", "Effect": "Allow", "Action": [ "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } } },
{ "Sid": "AllowS3ObjectActions", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*" ] },
{ "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" } } },
{ "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringEquals": { "s3:ExistingObjectTag/servicecatalog:provisioning": "true" } } },
{ "Sid": "AllowS3BucketActions", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketCors", "s3:PutBucketCors" ], "Resource": "*" },
{ "Sid": "AllowS3BucketACL", "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] },
{ "Sid": "AllowLambdaInvokeFunction", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:*SageMaker*", "arn:aws:lambda:*:*:function:*sagemaker*", "arn:aws:lambda:*:*:function:*Sagemaker*", "arn:aws:lambda:*:*:function:*LabelingFunction*" ] },
{ "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } },
{ "Sid": "AllowCreateServiceLinkedRoleForRobomaker", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "robomaker.amazonaws.com" } } },
{ "Sid": "AllowSNSActions", "Effect": "Allow", "Action": [ "sns:Subscribe", "sns:CreateTopic", "sns:Publish" ], "Resource": [ "arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*", "arn:aws:sns:*:*:*sagemaker*" ] },
{ "Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*", "Condition": { "StringEquals": { "iam:PassedToService": [ "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com" ] } } },
{ "Sid": "AllowPassRoleToSageMaker", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } },
{ "Sid": "AllowAthenaActions", "Effect": "Allow", "Action": [ "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListTableMetadata", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": [ "*" ] },
{ "Sid": "AllowGlueCreateTable", "Effect": "Allow", "Action": [ "glue:CreateTable" ], "Resource": [ "arn:aws:glue:*:*:table/*/sagemaker_tmp_*", "arn:aws:glue:*:*:table/sagemaker_featurestore/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] },
{ "Sid": "AllowGlueUpdateTable", "Effect": "Allow", "Action": [ "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:table/sagemaker_featurestore/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore" ] },
{ "Sid": "AllowGlueDeleteTable", "Effect": "Allow", "Action": [ "glue:DeleteTable" ], "Resource": [ "arn:aws:glue:*:*:table/*/sagemaker_tmp_*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] },
{ "Sid": "AllowGlueGetTablesAndDatabases", "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] },
{ "Sid": "AllowGlueGetAndCreateDatabase", "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:GetDatabase" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore", "arn:aws:glue:*:*:database/sagemaker_processing", "arn:aws:glue:*:*:database/default", "arn:aws:glue:*:*:database/sagemaker_data_wrangler" ] },
{ "Sid": "AllowRedshiftDataActions", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": [ "*" ] },
{ "Sid": "AllowRedshiftGetClusterCredentials", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] },
{ "Sid": "AllowListTagsForUserProfile", "Effect": "Allow", "Action": [ "sagemaker:ListTags" ], "Resource": [ "arn:aws:sagemaker:*:*:user-profile/*" ] },
{ "Sid": "AllowCloudformationListStackResources", "Effect": "Allow", "Action": [ "cloudformation:ListStackResources" ], "Resource": "arn:aws:cloudformation:*:*:stack/SC-*" },
{ "Sid": "AllowS3ExpressObjectActions", "Effect": "Allow", "Action": [ "s3express:CreateSession" ], "Resource": [ "arn:aws:s3express:*:*:bucket/*SageMaker*", "arn:aws:s3express:*:*:bucket/*Sagemaker*", "arn:aws:s3express:*:*:bucket/*sagemaker*", "arn:aws:s3express:*:*:bucket/*aws-glue*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } },
{ "Sid": "AllowS3ExpressCreateBucketActions", "Effect": "Allow", "Action": [ "s3express:CreateBucket" ], "Resource": [ "arn:aws:s3express:*:*:bucket/*SageMaker*", "arn:aws:s3express:*:*:bucket/*Sagemaker*", "arn:aws:s3express:*:*:bucket/*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } },
{ "Sid": "AllowS3ExpressListBucketActions", "Effect": "Allow", "Action": [ "s3express:ListAllMyDirectoryBuckets" ], "Resource": "*" }
] }
```
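To make the two scoping rules described above concrete (which roles can be passed to which services, and which S3 objects the policy reaches), the following Python script is an added example; it is not AWS code and not part of the original page. It copies four statements from the policy above (the two iam:PassRole statements and two S3 object statements) into a deliberately simplified IAM-style evaluator and runs constructed sample requests through them. The role and bucket ARNs, the account ID 123456789012, and the evaluator itself are assumptions made for this example: the evaluator ignores Deny statements, NotResource, policy variables, permissions boundaries and resource-based policies, so it illustrates the policy text rather than replacing the IAM policy simulator.

```python
"""Evaluate four AmazonSageMakerFullAccess statements against sample requests.

Added example, not AWS code. Simplified evaluator: Allow statements only,
Action/Resource wildcards, and the StringEquals / StringEqualsIgnoreCase
operators used by the copied statements. Deny, NotResource, policy variables,
permissions boundaries and resource policies are not modelled (assumption).
"""
import fnmatch

# Statements copied (minus whitespace) from the policy document above.
STATEMENTS = [
    {"Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
     "Condition": {"StringEquals": {"iam:PassedToService": [
         "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}}},
    {"Sid": "AllowPassRoleToSageMaker", "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    {"Sid": "AllowS3ObjectActions", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                  "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"]},
    {"Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag", "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::*"],
     "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}},
]

# Constructed sample ARNs (account ID and names are placeholders, not real resources).
ROLE_SM = "arn:aws:iam::123456789012:role/MyAmazonSageMakerRole"
ROLE_OTHER = "arn:aws:iam::123456789012:role/DataPipelineRole"
OBJ_SM = "arn:aws:s3:::team-sagemaker-data/train.csv"
OBJ_OTHER = "arn:aws:s3:::finance-reports/q1.parquet"


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # key absent from the request: plain StringEquals fails
            allowed = _as_list(expected)
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "StringEqualsIgnoreCase" and \
                    actual.lower() not in [a.lower() for a in allowed]:
                return False
    return True


def matching_statements(action, resource, context=None):
    """Sids of the Allow statements that permit `action` on `resource`.

    Action names match case-insensitively (as in IAM); resource ARNs match
    case-sensitively, which is why the policy lists *SageMaker*, *Sagemaker*
    and *sagemaker* as three separate patterns.
    """
    context = context or {}
    hits = []
    for stmt in STATEMENTS:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        hits.append(stmt["Sid"])
    return hits


def is_allowed(action, resource, context=None):
    """True if at least one copied Allow statement matches the request."""
    return bool(matching_statements(action, resource, context))


if __name__ == "__main__":
    cases = [
        ("iam:PassRole", ROLE_SM, {"iam:PassedToService": "glue.amazonaws.com"}),
        ("iam:PassRole", ROLE_OTHER, {"iam:PassedToService": "glue.amazonaws.com"}),
        ("iam:PassRole", ROLE_OTHER, {"iam:PassedToService": "sagemaker.amazonaws.com"}),
        ("s3:GetObject", OBJ_SM, {}),
        ("s3:GetObject", OBJ_OTHER, {}),
        ("s3:GetObject", OBJ_OTHER, {"s3:ExistingObjectTag/SageMaker": "True"}),
        ("s3:PutObject", OBJ_OTHER, {"s3:ExistingObjectTag/SageMaker": "True"}),
        ("s3:GetObject", "arn:aws:s3:::SAGEMAKER-data/x.csv", {}),
    ]
    for action, resource, ctx in cases:
        verdict = matching_statements(action, resource, ctx) or "no matching Allow"
        print(f"{action:13} {resource:50} {ctx} -> {verdict}")
```

Two things the output makes visible: a bucket is reachable only when its name contains SageMaker, Sagemaker or sagemaker in exactly one of those spellings (SAGEMAKER-data is not matched), or when the object carries the SageMaker=true tag, and in the tagged case only for s3:GetObject; and a role without AmazonSageMaker in its name can still be passed to SageMaker itself, just not to Glue, Step Functions or RoboMaker.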
AWS managed policy: AmazonSageMakerReadOnly
This policy grants read-only access to Amazon SageMaker through the AWS Management Console and SDK.
Permissions details
This policy includes the following permissions.
- `application-autoscaling` – Allows users to browse descriptions of scalable SageMaker real-time inference endpoints.
- `aws-marketplace` – Allows users to view AWS AI Marketplace subscriptions.
- `cloudwatch` – Allows users to receive CloudWatch alarms.
- `cognito-idp` – Required for Amazon SageMaker Ground Truth to browse descriptions and lists of private workforces and work teams.
- `ecr` – Used to read Docker artifacts for training and inference.
```json
{ "Version": "2012-10-17", "Statement": [
{ "Effect": "Allow", "Action": [ "sagemaker:Describe*", "sagemaker:List*", "sagemaker:BatchGetMetrics", "sagemaker:GetDeviceRegistration", "sagemaker:GetDeviceFleetReport", "sagemaker:GetSearchSuggestions", "sagemaker:BatchGetRecord", "sagemaker:GetRecord", "sagemaker:Search", "sagemaker:QueryLineage", "sagemaker:GetLineageGroupPolicy", "sagemaker:BatchDescribeModelPackage", "sagemaker:GetModelPackageGroupPolicy" ], "Resource": "*" },
{ "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "aws-marketplace:ViewSubscriptions", "cloudwatch:DescribeAlarms", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:ListGroups", "cognito-idp:ListIdentityProviders", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools", "cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup", "ecr:Describe*" ], "Resource": "*" }
] }
```
SageMaker updates to AWS managed policies
View details about updates to AWS managed policies for SageMaker since this service began tracking these changes.
| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerFullAccess - Update to an existing policy | 26 | Added | March 29, 2024 |
| AmazonSageMakerFullAccess - Update to an existing policy | 25 | Added | November 30, 2023 |
| AmazonSageMakerFullAccess - Update to an existing policy | 24 | Added | November 30, 2022 |
| AmazonSageMakerFullAccess - Update to an existing policy | 23 | Added | June 29, 2022 |
| AmazonSageMakerFullAccess - Update to an existing policy | 22 | Added | May 1, 2022 |
| AmazonSageMakerReadOnly - Update to an existing policy | 11 | Added | December 1, 2021 |
| AmazonSageMakerFullAccess - Update to an existing policy | 21 | Added for endpoints with asynchronous inference enabled | September 8, 2021 |
| AmazonSageMakerFullAccess - Update to an existing policy | 20 | Updated | July 15, 2021 |
| AmazonSageMakerReadOnly - Update to an existing policy | 10 | For SageMaker Feature Store API | June 10, 2021 |
| SageMaker started tracking changes to its AWS managed policies. | | | June 1, 2021 |