Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
SageMakerStudioUserIAMPermissiveExecutionPolicy
Descrizione: politica di esecuzione per l'utilizzo dei ruoli IAM con SageMaker Unified Studio. Consente agli utenti di accedere alle risorse del tuo account (incluso un ampio accesso APIs a tutti i servizi di dati come S3, Glue, CloudWatch Logs e altri) per l'utilizzo basato su IAM di SageMaker Unified Studio.
SageMakerStudioUserIAMPermissiveExecutionPolicyè una politica gestita.AWS
Utilizzo di questa politica
È possibile associare la policy SageMakerStudioUserIAMPermissiveExecutionPolicy a utenti, gruppi e ruoli.
Dettagli della politica
-
Tipo: politica AWS gestita
-
Ora di creazione: 18 agosto 2025, 17:19 UTC
-
Ora modificata: 18 novembre 2025, 23:34 UTC
-
ARN:
arn:aws:iam::aws:policy/SageMakerStudioUserIAMPermissiveExecutionPolicy
Versione della politica
Versione della politica: v5 (predefinita)
La versione predefinita della politica è la versione che definisce le autorizzazioni per la politica. Quando un utente o un ruolo con la politica effettua una richiesta di accesso a una AWS risorsa, AWS controlla la versione predefinita della politica per determinare se consentire la richiesta.
Documento di policy JSON
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "DataAccess", "Effect" : "Allow", "Action" : [ "cloudwatch:*", "glue:*", "logs:*", "redshift-data:*", "redshift-serverless:*", "redshift:*", "s3:*" ], "Resource" : "*" }, { "Sid" : "ComputeAccess", "Effect" : "Allow", "Action" : [ "athena:*", "bedrock:*", "codewhisperer:*", "sagemaker-unified-studio-mcp:*", "q:*", "sagemaker:*", "sagemaker-mlflow:*", "scheduler:*", "sqlworkbench:*", "emr-serverless:*", "airflow-serverless:*" ], "Resource" : "*" }, { "Sid" : "GlueSessionIsolation", "Effect" : "Deny", "Action" : [ "glue:CancelStatement", "glue:CreateSession", "glue:DeleteSession", "glue:GetSession", "glue:GetStatement", "glue:RunStatement", "glue:StopSession", "glue:GetDashboardUrl" ], "Resource" : [ "arn:aws:glue:*:*:session/*" ], "Condition" : { "StringNotEquals" : { "aws:RequestTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}", "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "DenyTaggingUntaggingForeignSessions", "Effect" : "Deny", "Action" : [ "glue:TagResource", "glue:UntagResource" ], "Resource" : "arn:aws:glue:*:*:session/*", "Condition" : { "StringNotEquals" : { "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "DataZone", "Effect" : "Allow", "Action" : [ "datazone:AcceptPredictions", "datazone:AcceptSubscriptionRequest", "datazone:CancelMetadataGenerationRun", "datazone:CancelSubscription", "datazone:CreateAsset*", "datazone:CreateConnection", "datazone:CreateEnvironment", "datazone:CreateListingChangeSet", "datazone:CreateProject", "datazone:CreateSubscriptionGrant", "datazone:CreateSubscriptionRequest", "datazone:DeleteAsset*", "datazone:DeleteConnection", "datazone:DeleteEnvironment", "datazone:DeleteListing", "datazone:DeleteProject", "datazone:DeleteSubscriptionGrant", "datazone:DeleteSubscriptionRequest", "datazone:Get*", "datazone:List*", "datazone:PostLineageEvent", "datazone:RejectPredictions", "datazone:RejectSubscriptionRequest", "datazone:RevokeSubscription", "datazone:Search", "datazone:SearchListings", "datazone:SearchRules", "datazone:SearchTypes", "datazone:SearchUserProfiles", "datazone:SearchGroupProfiles", "datazone:StartMetadataGenerationRun", "datazone:UpdateAssetFilter", "datazone:UpdateConnection", "datazone:UpdateEnvironment", "datazone:UpdateProject", "datazone:UpdateSubscriptionRequest", "datazone:CreateNotebook", "datazone:UpdateNotebook", "datazone:DeleteNotebook", "datazone:CreateCell", "datazone:UpdateCell", "datazone:DeleteCell", "datazone:BatchGetCell", "datazone:CreateCellRun", "datazone:UpdateCellRun", "datazone:DeleteCellRun", "datazone:BatchGetCellRun", "datazone:PutCellRunResult", "datazone:StartNotebookCompute", "datazone:StopNotebookCompute", "datazone:StartConversation", "datazone:GenerateCode", "datazone:SendMessage" ], "Resource" : "*" }, { "Sid" : "CfnManage", "Effect" : "Allow", "Action" : [ "cloudformation:*" ], "Resource" : [ "arn:aws:cloudformation:*:*:stack/DataZone*" ] }, { "Sid" : "ValidateCfn", "Effect" : "Allow", "Action" : "cloudformation:ValidateTemplate", "Resource" : "*" }, { "Sid" : "IamSts", "Effect" : "Allow", "Action" : [ "iam:GetRole", "iam:ListRoles", "sts:AssumeRole" ], "Resource" : "*" }, { "Sid" : "CreateSLR", "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : [ "arn:aws:iam::*:role/aws-service-role/neptune-graph.amazonaws.com/AWSServiceRoleForNeptuneGraph", "arn:aws:iam::*:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift", "arn:aws:iam::*:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks", "arn:aws:iam::*:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWSServiceRoleForAmazonEMRServerless", "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA", "arn:aws:iam::*:role/aws-service-role/airflow-serverless.amazonaws.com/AWSServiceRoleForAmazonMWAAServerless", "arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com/AWSServiceRoleForEMRCleanup", "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless" ] }, { "Sid" : "TagSession", "Effect" : "Allow", "Action" : "sts:TagSession", "Resource" : "*", "Condition" : { "ForAllValues:StringLike" : { "aws:TagKeys" : [ "AmazonDataZone*" ] } } }, { "Sid" : "PassRole", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : [ "arn:aws:iam::*:role/service-role/AmazonSageMaker*" ], "Condition" : { "StringEquals" : { "iam:PassedToService" : [ "sagemaker.amazonaws.com", "lakeformation.amazonaws.com", "glue.amazonaws.com", "bedrock.amazonaws.com", "redshift-serverless.amazonaws.com", "redshift.amazonaws.com", "scheduler.amazonaws.com", "emr-serverless.amazonaws.com", "airflow-serverless.amazonaws.com" ] } } }, { "Sid" : "SourceIdentity", "Effect" : "Allow", "Action" : "sts:SetSourceIdentity", "Resource" : "*", "Condition" : { "StringLike" : { "sts:SourceIdentity" : "${aws:PrincipalTag/datazone:userId}" } } }, { "Sid" : "SSM", "Effect" : "Allow", "Action" : [ "ssm:GetParameter*" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/amazon/datazone/q*", "arn:aws:ssm:*:*:parameter/amazon/datazone/genAI/*", "arn:aws:ssm:*::parameter/aws/service/sagemaker-distribution/*" ] }, { "Sid" : "LFAccess", "Effect" : "Allow", "Action" : [ "lakeformation:BatchGrantPermissions", "lakeformation:BatchRevokePermissions", "lakeformation:DescribeResource", "lakeformation:GetDataAccess", "lakeformation:GrantPermissions", "lakeformation:ListResources", "lakeformation:ListPermissions", "lakeformation:RevokePermissions" ], "Resource" : "*" }, { "Sid" : "FederatedConn", "Effect" : "Allow", "Action" : [ "dynamodb:List*", "dynamodb:Describe*", "dynamodb:Scan", "dynamodb:PartiQLSelect", "dynamodb:Query", "secretsmanager:ListSecrets", "resource-groups:GetGroupQuery", "resource-groups:ListGroupResources" ], "Resource" : "*" }, { "Sid" : "PrivateSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret", "secretsmanager:PutResourcePolicy" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/AmazonDataZoneProject" : "${datazone:projectId}" } } }, { "Sid" : "SharedSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:CreateSecret", "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/for-use-with-all-datazone-projects" : "true" } } }, { "Sid" : "Ecr", "Effect" : "Allow", "Action" : [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer" ], "Resource" : "*" }, { "Sid" : "CodeConnectionsUser", "Effect" : "Allow", "Action" : [ "codeconnections:UseConnection", "codeconnections:ListConnections", "codeconnections:GetConnection", "codeconnections:GetHost", "codeconnections:ListTagsForResource", "codestar-connections:UseConnection", "codestar-connections:ListConnections", "codestar-connections:GetConnection", "codestar-connections:GetHost", "codestar-connections:ListTagsForResource" ], "Resource" : "*" }, { "Sid" : "KmsListAndDescribe", "Effect" : "Allow", "Action" : [ "kms:DescribeKey", "kms:ListAliases", "kms:ListGrants" ], "Resource" : "*" }, { "Sid" : "DataZoneKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "datazone.*.amazonaws.com" }, "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:datazone:domainId" } } }, { "Sid" : "S3Kms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "s3.*.amazonaws.com" }, "Null" : { "kms:EncryptionContext:aws:s3:arn" : "false" } } }, { "Sid" : "SchedulerKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "Null" : { "kms:EncryptionContext:aws:scheduler:schedule:arn" : "false" } } }, { "Sid" : "SecretsKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "secretsmanager.*.amazonaws.com" }, "Null" : { "kms:EncryptionContext:SecretARN" : "false" } } }, { "Sid" : "SageMakerKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sagemaker.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "SageMakerCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sagemaker.*.amazonaws.com" } } }, { "Sid" : "DataZoneCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "datazone.*.amazonaws.com" }, "ForAllValues:StringEquals" : { "kms:GrantOperations" : [ "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKeyWithoutPlaintext", "GenerateDataKey", "DescribeKey", "RetireGrant", "CreateGrant" ] } } }, { "Sid" : "GlueKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "glue.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "BedrockKms", "Effect" : "Allow", "Action" : [ "kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "bedrock.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "WorkflowsCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "arn:*:kms:*:*:key/*", "Condition" : { "StringLike" : { "kms:ViaService" : "airflow-serverless.*.amazonaws.com" }, "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:airflow-serverless:workflow-arn" }, "ForAllValues:StringEquals" : { "kms:GrantOperations" : [ "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "RetireGrant" ] } } }, { "Sid" : "WorkflowsKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource" : "arn:*:kms:*:*:key/*", "Condition" : { "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:airflow-serverless:workflow-arn" } } }, { "Sid" : "Ec2DescribeOnly", "Effect" : "Allow", "Action" : "ec2:Describe*", "Resource" : "*" }, { "Sid" : "VpcAccess", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission" ], "Resource" : "*" }, { "Sid" : "EC2TagAccessForVpc", "Effect" : "Allow", "Action" : [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource" : [ "arn:aws:ec2:*:*:network-interface/*" ] }, { "Sid" : "AthenaSessionIsolation", "Effect" : "Deny", "Action" : [ "athena:StartSession", "athena:GetSession", "athena:TerminateSession", "athena:GetSessionStatus", "athena:GetSessionEndpoint", "athena:GetResourceDashboard" ], "Resource" : [ "arn:aws:athena:*:*:workgroup/*/session/*" ], "Condition" : { "StringNotEquals" : { "aws:RequestTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}", "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "DenyTaggingUntaggingForeignAthenaSessions", "Effect" : "Deny", "Action" : [ "athena:TagResource", "athena:UntagResource" ], "Resource" : "arn:aws:athena:*:*:workgroup/*/session/*", "Condition" : { "StringNotEquals" : { "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } } ] }
Ulteriori informazioni
