

# AmazonSageMakerModelCustomizationCoreAccess
<a name="AmazonSageMakerModelCustomizationCoreAccess"></a>

**Description**: Grants permissions for SageMaker model customization workflows including serverless training, custom reward function for reinforcement learning, model evaluation, and deployment to SageMaker or Bedrock endpoints.

`AmazonSageMakerModelCustomizationCoreAccess` is an [AWS managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies).

## Using this policy
<a name="AmazonSageMakerModelCustomizationCoreAccess-how-to-use"></a>

You can attach `AmazonSageMakerModelCustomizationCoreAccess` to your users, groups, and roles.

## Policy details
<a name="AmazonSageMakerModelCustomizationCoreAccess-details"></a>
+ **Type**: AWS managed policy 
+ **Creation time**: May 26, 2026, 18:57 UTC 
+ **Edited time**: May 26, 2026, 18:57 UTC
+ **ARN**: `arn:aws:iam::aws:policy/AmazonSageMakerModelCustomizationCoreAccess`

## Policy version
<a name="AmazonSageMakerModelCustomizationCoreAccess-version"></a>

**Policy version:** v1 (default)

The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request. 

## JSON policy document
<a name="AmazonSageMakerModelCustomizationCoreAccess-json"></a>

```
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "SageMakerPublicHubPermissions",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:ListHubContents"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"
      ]
    },
    {
      "Sid" : "SageMakerHubPermissions",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:ImportHubContent",
        "sagemaker:ListHubs",
        "sagemaker:ListHubContents",
        "sagemaker:ListHubContentVersions",
        "sagemaker:DescribeHubContent",
        "sagemaker:DeleteHubContent"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:hub/*",
        "arn:aws:sagemaker:*:*:hub-content/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "JumpStartS3Access",
      "Effect" : "Allow",
      "Action" : [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource" : [
        "arn:aws:s3:::jumpstart*"
      ]
    },
    {
      "Sid" : "SageMakerTrainingJob",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreateTrainingJob",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:ListTrainingJobs",
        "sagemaker:StopTrainingJob"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:training-job/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerMLFlow",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:UpdateMlflowApp",
        "sagemaker:DescribeMlflowApp",
        "sagemaker:CreatePresignedMlflowAppUrl",
        "sagemaker:CallMlflowAppApi",
        "sagemaker-mlflow:AccessUI",
        "sagemaker-mlflow:GetExperiment",
        "sagemaker-mlflow:GetExperimentByName",
        "sagemaker-mlflow:GetRun",
        "sagemaker-mlflow:GetMetricHistory",
        "sagemaker-mlflow:GetLoggedModel",
        "sagemaker-mlflow:SearchExperiments",
        "sagemaker-mlflow:SearchRuns",
        "sagemaker-mlflow:ListArtifacts",
        "sagemaker-mlflow:CreateExperiment",
        "sagemaker-mlflow:CreateRun",
        "sagemaker-mlflow:LogBatch",
        "sagemaker-mlflow:LogMetric",
        "sagemaker-mlflow:LogParam",
        "sagemaker-mlflow:LogModel",
        "sagemaker-mlflow:LogInputs",
        "sagemaker-mlflow:SetTag",
        "sagemaker-mlflow:UpdateRun"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:mlflow-app/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "BYODataSetS3Access",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource" : [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerModelPackage",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreateModel",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:UpdateModelPackage",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:DescribeModel",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:model-package-group/*",
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerLineage",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreateAction",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateContext",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:QueryLineage",
        "sagemaker:AddAssociation",
        "sagemaker:UpdateArtifact"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:action/*",
        "arn:aws:sagemaker:*:*:artifact/*",
        "arn:aws:sagemaker:*:*:context/*",
        "arn:aws:sagemaker:*:*:endpoint/*",
        "arn:aws:sagemaker:*:*:experiment-trial-component/*",
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:pipeline/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerPipelines",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreatePipeline",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:UpdatePipeline",
        "sagemaker:StartPipelineExecution"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:pipeline/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerInference",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateInferenceComponent",
        "sagemaker:DescribeInferenceComponent",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DeleteInferenceComponent",
        "sagemaker:DeleteEndpoint",
        "sagemaker:InvokeEndpoint"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:inference-component/*",
        "arn:aws:sagemaker:*:*:endpoint/*",
        "arn:aws:sagemaker:*:*:endpoint-config/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerInferenceAutoscaling",
      "Effect" : "Allow",
      "Action" : [
        "application-autoscaling:DescribeScalableTargets"
      ],
      "Resource" : [
        "arn:aws:application-autoscaling:*:*:scalable-target/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerInferenceEcrReadAccess",
      "Effect" : "Allow",
      "Action" : [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "SageMakerListPermissions",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:ListActions",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListEndpoints",
        "sagemaker:ListInferenceComponents",
        "sagemaker:ListMlflowApps",
        "sagemaker:ListMlflowTrackingServers",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListWorkforces",
        "sagemaker:Search"
      ],
      "Resource" : [
        "*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerTagsPermission",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:AddTags",
        "sagemaker:ListTags"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:model-package-group/*",
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:hub/*",
        "arn:aws:sagemaker:*:*:hub-content/*",
        "arn:aws:sagemaker:*:*:training-job/*",
        "arn:aws:sagemaker:*:*:model/*",
        "arn:aws:sagemaker:*:*:endpoint/*",
        "arn:aws:sagemaker:*:*:endpoint-config/*",
        "arn:aws:sagemaker:*:*:pipeline/*",
        "arn:aws:sagemaker:*:*:inference-component/*",
        "arn:aws:sagemaker:*:*:action/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerJobAdvancedSettings",
      "Effect" : "Allow",
      "Action" : [
        "kms:DescribeKey",
        "kms:ListAliases",
        "iam:ListRoles",
        "ec2:DescribeVpcs"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "CloudWatchLogReadAccess",
      "Effect" : "Allow",
      "Action" : [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/*",
        "arn:aws:logs:*:*:log-group::log-stream:"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "CloudWatchLogWriteAccess",
      "Effect" : "Allow",
      "Action" : [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource" : [
        "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "LambdaListFunctions",
      "Effect" : "Allow",
      "Action" : [
        "lambda:ListFunctions"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "LambdaPermissionsForRewardFunction",
      "Effect" : "Allow",
      "Action" : [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:InvokeFunction",
        "lambda:GetFunction"
      ],
      "Resource" : [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "LambdaLayerForAWSSDK",
      "Effect" : "Allow",
      "Action" : [
        "lambda:GetLayerVersion"
      ],
      "Resource" : [
        "arn:aws:lambda:*:336392948345:layer:AWSSDK*"
      ]
    },
    {
      "Sid" : "BedrockCustomModelAndEvaluation",
      "Effect" : "Allow",
      "Action" : [
        "bedrock:CreateCustomModel",
        "bedrock:CreateEvaluationJob",
        "bedrock:GetCustomModel",
        "bedrock:GetModelImportJob",
        "bedrock:GetImportedModel",
        "bedrock:GetEvaluationJob",
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource" : [
        "arn:aws:bedrock:*:*:evaluation-job/*",
        "arn:aws:bedrock:*:*:imported-model/*",
        "arn:aws:bedrock:*:*:custom-model/*",
        "arn:aws:bedrock:*:*:model-import-job/*",
        "arn:aws:bedrock:*:*:foundation-model/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "BedrockModelImportAndList",
      "Effect" : "Allow",
      "Action" : [
        "bedrock:CreateModelImportJob",
        "bedrock:ListProvisionedModelThroughputs",
        "bedrock:ListCustomModelDeployments",
        "bedrock:ListCustomModels",
        "bedrock:ListModelImportJobs"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "BedrockFoundationModelOperations",
      "Effect" : "Allow",
      "Action" : [
        "bedrock:GetFoundationModelAvailability",
        "bedrock:ListFoundationModels"
      ],
      "Resource" : [
        "*"
      ]
    },
    {
      "Sid" : "PassRoleForSageMaker",
      "Effect" : "Allow",
      "Action" : [
        "iam:PassRole"
      ],
      "Resource" : [
        "arn:aws:iam::*:role/service-role/*SageMaker*",
        "arn:aws:iam::*:role/service-role/*Sagemaker*",
        "arn:aws:iam::*:role/service-role/*sagemaker*"
      ],
      "Condition" : {
        "ArnLike" : {
          "iam:AssociatedResourceArn" : "arn:aws:sagemaker:*:*:*"
        },
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}",
          "iam:PassedToService" : [
            "sagemaker.amazonaws.com",
            "job.sagemaker.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid" : "PassRoleForAWSLambda",
      "Effect" : "Allow",
      "Action" : [
        "iam:PassRole"
      ],
      "Resource" : "arn:aws:iam::*:role/SageMakerForLambda*",
      "Condition" : {
        "ArnLike" : {
          "iam:AssociatedResourceArn" : "arn:aws:lambda:*:*:function:*"
        },
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}",
          "iam:PassedToService" : "lambda.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "PassRoleForBedrock",
      "Effect" : "Allow",
      "Action" : [
        "iam:PassRole"
      ],
      "Resource" : "arn:aws:iam::*:role/SageMakerForBedrock*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}",
          "iam:PassedToService" : "bedrock.amazonaws.com"
        }
      }
    }
  ]
}
```
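When reviewing a document like the one above before attaching it, it helps to list which `Allow` statements lack the `aws:ResourceAccount` guard, which use a bare `*` resource, and whether each `iam:PassRole` grant is pinned with `iam:PassedToService`. The following is an added example, not AWS code: the flag names are this example's own, and the embedded excerpt is four statements copied from the policy above with some action lists trimmed.

```python
import json

# Four statements copied from the policy document above (action lists trimmed).
POLICY_EXCERPT = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "JumpStartS3Access", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": ["arn:aws:s3:::jumpstart*"]},
  {"Sid": "SageMakerInferenceEcrReadAccess", "Effect": "Allow",
   "Action": ["ecr:BatchGetImage", "ecr:GetAuthorizationToken"], "Resource": "*"},
  {"Sid": "LambdaListFunctions", "Effect": "Allow",
   "Action": ["lambda:ListFunctions"], "Resource": "*",
   "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
  {"Sid": "PassRoleForBedrock", "Effect": "Allow",
   "Action": ["iam:PassRole"],
   "Resource": "arn:aws:iam::*:role/SageMakerForBedrock*",
   "Condition": {"StringEquals": {
     "aws:ResourceAccount": "${aws:PrincipalAccount}",
     "iam:PassedToService": "bedrock.amazonaws.com"}}}
]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def condition_keys(stmt):
    """Lower-cased condition keys across all operators (keys are case-insensitive)."""
    return {key.lower() for op in stmt.get("Condition", {}).values() for key in op}

def review(policy):
    """Map each Allow statement's Sid to a list of review flags (empty list = none)."""
    report = {}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        keys, flags = condition_keys(stmt), []
        if "aws:resourceaccount" not in keys:
            flags.append("no-account-guard")      # may reach resources in other accounts
        if "*" in as_list(stmt.get("Resource", [])):
            flags.append("resource-star")         # not scoped to any ARN pattern
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if "iam:passrole" in actions and "iam:passedtoservice" not in keys:
            flags.append("passrole-any-service")  # role could be handed to any service
        report[stmt["Sid"]] = flags
    return report

if __name__ == "__main__":
    for sid, flags in review(POLICY_EXCERPT).items():
        print(f"{sid:34} {', '.join(flags) or 'ok'}")
```

Run over the full document above, the `no-account-guard` flag comes back for five statements: `SageMakerPublicHubPermissions`, `JumpStartS3Access`, `SageMakerInferenceEcrReadAccess`, `LambdaLayerForAWSSDK` and `BedrockFoundationModelOperations`. The flags are prompts for review rather than findings, since several of those statements deliberately target AWS-owned resources.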

## Learn more
<a name="AmazonSageMakerModelCustomizationCoreAccess-learn-more"></a>
+ [Create a permission set using AWS managed policies in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) 
+ [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) 
+ [Understand versioning for IAM policies](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html)
+ [Get started with AWS managed policies and move toward least-privilege permissions](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)