# AWS managed policies for Amazon SageMaker AI AWS managed policies for SageMaker AI To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions. Additionally, AWS supports managed policies for job functions that span multiple services. For example, the `ReadOnlyAccess` AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*. **Important** We recommend that you use the most restricted policy that allows you to perform your use case. The following AWS managed policies, which you can attach to users in your account, are specific to Amazon SageMaker AI: + **`AmazonSageMakerFullAccess`** – Grants full access to Amazon SageMaker AI and SageMaker AI geospatial resources and the supported operations. This does not provide unrestricted Amazon S3 access, but supports buckets and objects with specific `sagemaker` tags. This policy allows all IAM roles to be passed to Amazon SageMaker AI, but only allows IAM roles with "AmazonSageMaker" in them to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. + **`AmazonSageMakerReadOnly`** – Grants read-only access to Amazon SageMaker AI resources. The following AWS managed policies can be attached to users in your account but are not recommended: + [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator) – Grants all actions for all AWS services and for all resources in the account. + [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_data-scientist](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_data-scientist) – Grants a wide range of permissions to cover most of the use cases (primarily for analytics and business intelligence) encountered by data scientists. You can review these permissions policies by signing in to the IAM console and searching for them. You can also create your own custom IAM policies to allow permissions for Amazon SageMaker AI actions and resources as you need them. You can attach these custom policies to the users or groups that require them. **Topics** + [ ## AWS managed policy: AmazonSageMakerFullAccess ](#security-iam-awsmanpol-AmazonSageMakerFullAccess) + [ ## AWS managed policy: AmazonSageMakerReadOnly ](#security-iam-awsmanpol-AmazonSageMakerReadOnly) + [ # AWS managed policies for Amazon SageMaker Canvas ](security-iam-awsmanpol-canvas.md) + [ # AWS managed policies for Amazon SageMaker Feature Store ](security-iam-awsmanpol-feature-store.md) + [ # AWS managed policies for Amazon SageMaker geospatial ](security-iam-awsmanpol-geospatial.md) + [ # AWS Managed Policies for Amazon SageMaker Ground Truth ](security-iam-awsmanpol-ground-truth.md) + [ # AWS managed policies for Amazon SageMaker HyperPod ](security-iam-awsmanpol-hyperpod.md) + [ # AWS Managed Policies for SageMaker AI Model Governance ](security-iam-awsmanpol-governance.md) + [ # AWS Managed Policies for Model Registry ](security-iam-awsmanpol-model-registry.md) + [ # AWS Managed Policies for SageMaker Notebooks ](security-iam-awsmanpol-notebooks.md) + [ # AWS managed policies for Amazon SageMaker Partner AI Apps ](security-iam-awsmanpol-partner-apps.md) + [ # AWS Managed Policies for SageMaker Pipelines ](security-iam-awsmanpol-pipelines.md) + [ # AWS managed policies for SageMaker training plans ](security-iam-awsmanpol-training-plan.md) + [ # AWS Managed Policies for SageMaker Projects and JumpStart ](security-iam-awsmanpol-sc.md) + [ ## SageMaker AI Updates to AWS Managed Policies ](#security-iam-awsmanpol-updates) ## AWS managed policy: AmazonSageMakerFullAccess AmazonSageMakerFullAccess This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker AI and SageMaker AI geospatial resources and operations. The policy also provides select access to related services. This policy allows all IAM roles to be passed to Amazon SageMaker AI, but only allows IAM roles with "AmazonSageMaker" in them to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. This policy does not include permissions to create an Amazon SageMaker AI domain. For information on the policy needed to create a domain, see [Complete Amazon SageMaker AI prerequisites](gs-set-up.md). **Permissions details** This policy includes the following permissions. + `application-autoscaling` – Allows principals to automatically scale a SageMaker AI real-time inference endpoint. + `athena` – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena. + `aws-marketplace` – Allows principals to view AWS AI Marketplace subscriptions. You need this if you want to access SageMaker AI software subscribed in AWS Marketplace. + `cloudformation` – Allows principals to get AWS CloudFormation templates for using SageMaker AI JumpStart solutions and Pipelines. SageMaker AI JumpStart creates resources necessary to run end-to-end machine learning solutions that tie SageMaker AI to other AWS services. SageMaker AI Pipelines creates new projects that are backed by Service Catalog. + `cloudwatch` – Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account. + `codebuild` – Allows principals to store AWS CodeBuild artifacts for SageMaker AI Pipeline and Projects. + `codecommit` – Needed for AWS CodeCommit integration with SageMaker AI notebook instances. + `cognito-idp` – Needed for Amazon SageMaker Ground Truth to define private workforce and work teams. + `ec2` – Needed for SageMaker AI to manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for your SageMaker AI jobs, models, endpoints, and notebook instances. + `ecr` – Needed to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. This is also required to use your own container in SageMaker AI. Additional permissions for SageMaker AI JumpStart solutions are required to create and remove custom images on behalf of users. + `elasticfilesystem` – Allows principals to access Amazon Elastic File System. This is needed for SageMaker AI to use data sources in Amazon Elastic File System for training machine learning models. + `fsx` – Allows principals to access Amazon FSx. This is needed for SageMaker AI to use data sources in Amazon FSx for training machine learning models. + `glue` – Needed for inference pipeline pre-processing from within SageMaker AI notebook instances. + `groundtruthlabeling` – Needed for Ground Truth labeling jobs. The `groundtruthlabeling` endpoint is accessed by the Ground Truth console. + `iam` – Needed to give the SageMaker AI console access to available IAM roles and create service-linked roles. + `kms` – Needed to give the SageMaker AI console access to available AWS KMS keys and retrieve them for any specified AWS KMS aliases in jobs and endpoints. + `lambda` – Allows principals to invoke and get a list of AWS Lambda functions. + `logs` – Needed to allow SageMaker AI jobs and endpoints to publish log streams. + `redshift` – Allows principals to access Amazon Redshift cluster credentials. + `redshift-data` – Allows principals to use data from Amazon Redshift to run, describe, and cancel statements; get statement results; and list schemas and tables. + `robomaker` – Allows principals to have full access to create, get descriptions, and delete AWS RoboMaker simulation applications and jobs. This is also needed to run reinforcement learning examples on notebook instances. + `s3, s3express` – Allows principals to have full access to Amazon S3 and Amazon S3 Express resources pertaining to SageMaker AI, but not all of Amazon S3 or Amazon S3 Express. + `sagemaker` – Allows principals to list tags on SageMaker AI user profiles, and add tags to SageMaker AI apps and spaces. Allows access only to SageMaker AI flow-definitions of sagemaker:WorkteamType "private-crowd" or "vendor-crowd". Allows the use and description of SageMaker AI training plans and reserved capacity in SageMaker training jobs, and SageMaker HyperPod clusters, across all AWS Regions where the training plans feature is accessible. + `sagemaker` and `sagemaker-geospatial` – Allows principals read-only access to SageMaker AI domains and user profiles. + `secretsmanager` – Allows principals to have full access to AWS Secrets Manager. The principals can securely encrypt, store, and retrieve credentials for databases and other services. This is also needed for SageMaker AI notebook instances with SageMaker AI code repositories that use GitHub. + `servicecatalog` – Allows principals to use Service Catalog. The principals can create, get a list of, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed using AWS resources. This is needed for SageMaker AI JumpStart and Projects to find and read service catalog products and launch AWS resources in users. + `sns` – Allows principals to get a list of Amazon SNS topics. This is needed for endpoints with Async Inference enabled for notifying users that their inference has completed. + `states` – Needed for SageMaker AI JumpStart and Pipelines to use a service catalog to create step function resources. + `tag` – Needed for SageMaker AI Pipelines to render in Studio Classic. Studio Classic needs resources tagged with particular `sagemaker:project-id` tag-key. This requires the `tag:GetResources` permission. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowAllNonAdminSageMakerActions", "Effect": "Allow", "Action": [ "sagemaker:*", "sagemaker-geospatial:*" ], "NotResource": [ "arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*", "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:space/*", "arn:aws:sagemaker:*:*:partner-app/*", "arn:aws:sagemaker:*:*:flow-definition/*", "arn:aws:sagemaker:*:*:training-plan/*", "arn:aws:sagemaker:*:*:reserved-capacity/*" ] }, { "Sid": "AllowAddTagsForSpace", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:space/*" ], "Condition": { "StringEquals": { "sagemaker:TaggingAction": "CreateSpace" } } }, { "Sid": "AllowAddTagsForApp", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:app/*" ] }, { "Sid": "AllowUseOfTrainingPlanResources", "Effect": "Allow", "Action": [ "sagemaker:CreateTrainingJob", "sagemaker:CreateCluster", "sagemaker:UpdateCluster", "sagemaker:DescribeTrainingPlan" ], "Resource": [ "arn:aws:sagemaker:*:*:training-plan/*", "arn:aws:sagemaker:*:*:reserved-capacity/*" ] }, { "Sid": "AllowStudioActions", "Effect": "Allow", "Action": [ "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:DescribeUserProfile", "sagemaker:ListUserProfiles", "sagemaker:DescribeSpace", "sagemaker:ListSpaces", "sagemaker:DescribeApp", "sagemaker:ListApps" ], "Resource": "*" }, { "Sid": "AllowAppActionsForUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*", "Condition": { "Null": { "sagemaker:OwnerUserProfileArn": "true" } } }, { "Sid": "AllowAppActionsForSharedSpaces", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*", "Condition": { "StringEquals": { "sagemaker:SpaceSharingType": [ "Shared" ] } } }, { "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace" ], "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*", "Condition": { "Null": { "sagemaker:OwnerUserProfileArn": "true" } } }, { "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace", "sagemaker:DeleteSpace" ], "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*", "Condition": { "ArnLike": { "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" }, "StringEquals": { "sagemaker:SpaceSharingType": [ "Private", "Shared" ] } } }, { "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile", "Effect": "Allow", "Action": [ "sagemaker:CreateApp", "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*", "Condition": { "ArnLike": { "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" }, "StringEquals": { "sagemaker:SpaceSharingType": [ "Private" ] } } }, { "Sid": "AllowFlowDefinitionActions", "Effect": "Allow", "Action": "sagemaker:*", "Resource": [ "arn:aws:sagemaker:*:*:flow-definition/*" ], "Condition": { "StringEqualsIfExists": { "sagemaker:WorkteamType": [ "private-crowd", "vendor-crowd" ] } } }, { "Sid": "AllowAWSServiceActions", "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeleteScheduledAction", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScalingPolicy", "application-autoscaling:PutScheduledAction", "application-autoscaling:RegisterScalableTarget", "aws-marketplace:ViewSubscriptions", "cloudformation:GetTemplateSummary", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm", "cloudwatch:PutMetricData", "codecommit:BatchGetRepositories", "codecommit:CreateRepository", "codecommit:GetRepository", "codecommit:List*", "cognito-idp:AdminAddUserToGroup", "cognito-idp:AdminCreateUser", "cognito-idp:AdminDeleteUser", "cognito-idp:AdminDisableUser", "cognito-idp:AdminEnableUser", "cognito-idp:AdminRemoveUserFromGroup", "cognito-idp:CreateGroup", "cognito-idp:CreateUserPool", "cognito-idp:CreateUserPoolClient", "cognito-idp:CreateUserPoolDomain", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:List*", "cognito-idp:UpdateUserPool", "cognito-idp:UpdateUserPoolClient", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:CreateVpcEndpoint", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CreateRepository", "ecr:Describe*", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:StartImageScan", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "fsx:DescribeFileSystems", "glue:CreateJob", "glue:DeleteJob", "glue:GetJob*", "glue:GetTable*", "glue:GetWorkflowRun", "glue:ResetJobBookmark", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:UpdateJob", "groundtruthlabeling:*", "iam:ListRoles", "kms:DescribeKey", "kms:ListAliases", "lambda:ListFunctions", "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery", "logs:Describe*", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:ListLogDeliveries", "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery", "robomaker:CreateSimulationApplication", "robomaker:DescribeSimulationApplication", "robomaker:DeleteSimulationApplication", "robomaker:CreateSimulationJob", "robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob", "secretsmanager:ListSecrets", "servicecatalog:Describe*", "servicecatalog:List*", "servicecatalog:ScanProvisionedProducts", "servicecatalog:SearchProducts", "servicecatalog:SearchProvisionedProducts", "sns:ListTopics", "tag:GetResources" ], "Resource": "*" }, { "Sid": "AllowECRActions", "Effect": "Allow", "Action": [ "ecr:SetRepositoryPolicy", "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:UploadLayerPart", "ecr:DeleteRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:DeleteRepository", "ecr:PutImage" ], "Resource": [ "arn:aws:ecr:*:*:repository/*sagemaker*" ] }, { "Sid": "AllowCodeCommitActions", "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush" ], "Resource": [ "arn:aws:codecommit:*:*:*sagemaker*", "arn:aws:codecommit:*:*:*SageMaker*", "arn:aws:codecommit:*:*:*Sagemaker*" ] }, { "Sid": "AllowCodeBuildActions", "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Resource": [ "arn:aws:codebuild:*:*:project/sagemaker*", "arn:aws:codebuild:*:*:build/*" ], "Effect": "Allow" }, { "Sid": "AllowStepFunctionsActions", "Action": [ "states:DescribeExecution", "states:GetExecutionHistory", "states:StartExecution", "states:StopExecution", "states:UpdateStateMachine" ], "Resource": [ "arn:aws:states:*:*:statemachine:*sagemaker*", "arn:aws:states:*:*:execution:*sagemaker*:*" ], "Effect": "Allow" }, { "Sid": "AllowSecretManagerActions", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Sid": "AllowReadOnlySecretManagerActions", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } }, { "Sid": "AllowServiceCatalogProvisionProduct", "Effect": "Allow", "Action": [ "servicecatalog:ProvisionProduct" ], "Resource": "*" }, { "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct", "Effect": "Allow", "Action": [ "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } } }, { "Sid": "AllowS3ObjectActions", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*" ] }, { "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" } } }, { "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringEquals": { "s3:ExistingObjectTag/servicecatalog:provisioning": "true" } } }, { "Sid": "AllowS3BucketActions", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketCors", "s3:PutBucketCors" ], "Resource": "*" }, { "Sid": "AllowS3BucketACL", "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "AllowLambdaInvokeFunction", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:*SageMaker*", "arn:aws:lambda:*:*:function:*sagemaker*", "arn:aws:lambda:*:*:function:*Sagemaker*", "arn:aws:lambda:*:*:function:*LabelingFunction*" ] }, { "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } }, { "Sid": "AllowCreateServiceLinkedRoleForRobomaker", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "robomaker.amazonaws.com" } } }, { "Sid": "AllowSNSActions", "Effect": "Allow", "Action": [ "sns:Subscribe", "sns:CreateTopic", "sns:Publish" ], "Resource": [ "arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*", "arn:aws:sns:*:*:*sagemaker*" ] }, { "Sid": "AllowPassRoleForSageMakerRoles", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*", "Condition": { "StringEquals": { "iam:PassedToService": [ "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com" ] } } }, { "Sid": "AllowPassRoleToSageMaker", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Sid": "AllowAthenaActions", "Effect": "Allow", "Action": [ "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListTableMetadata", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": [ "*" ] }, { "Sid": "AllowGlueCreateTable", "Effect": "Allow", "Action": [ "glue:CreateTable" ], "Resource": [ "arn:aws:glue:*:*:table/*/sagemaker_tmp_*", "arn:aws:glue:*:*:table/sagemaker_featurestore/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "AllowGlueUpdateTable", "Effect": "Allow", "Action": [ "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:table/sagemaker_featurestore/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore" ] }, { "Sid": "AllowGlueDeleteTable", "Effect": "Allow", "Action": [ "glue:DeleteTable" ], "Resource": [ "arn:aws:glue:*:*:table/*/sagemaker_tmp_*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "AllowGlueGetTablesAndDatabases", "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "AllowGlueGetAndCreateDatabase", "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:GetDatabase" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore", "arn:aws:glue:*:*:database/sagemaker_processing", "arn:aws:glue:*:*:database/default", "arn:aws:glue:*:*:database/sagemaker_data_wrangler" ] }, { "Sid": "AllowRedshiftDataActions", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": [ "*" ] }, { "Sid": "AllowRedshiftGetClusterCredentials", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "AllowListTagsForUserProfile", "Effect": "Allow", "Action": [ "sagemaker:ListTags" ], "Resource": [ "arn:aws:sagemaker:*:*:user-profile/*" ] }, { "Sid": "AllowCloudformationListStackResources", "Effect": "Allow", "Action": [ "cloudformation:ListStackResources" ], "Resource": "arn:aws:cloudformation:*:*:stack/SC-*" }, { "Sid": "AllowS3ExpressObjectActions", "Effect": "Allow", "Action": [ "s3express:CreateSession" ], "Resource": [ "arn:aws:s3express:*:*:bucket/*SageMaker*", "arn:aws:s3express:*:*:bucket/*Sagemaker*", "arn:aws:s3express:*:*:bucket/*sagemaker*", "arn:aws:s3express:*:*:bucket/*aws-glue*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowS3ExpressCreateBucketActions", "Effect": "Allow", "Action": [ "s3express:CreateBucket" ], "Resource": [ "arn:aws:s3express:*:*:bucket/*SageMaker*", "arn:aws:s3express:*:*:bucket/*Sagemaker*", "arn:aws:s3express:*:*:bucket/*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowS3ExpressListBucketActions", "Effect": "Allow", "Action": [ "s3express:ListAllMyDirectoryBuckets" ], "Resource": "*" } ] } ``` ------ ## AWS managed policy: AmazonSageMakerReadOnly AmazonSageMakerReadOnly This policy grants read-only access to Amazon SageMaker AI through the AWS Management Console and SDK. **Permissions details** This policy includes the following permissions. + `application-autoscaling` – Allows users to browse descriptions of scalable SageMaker AI real-time inference endpoints. + `aws-marketplace` – Allows users to view AWS AI Marketplace subscriptions. + `cloudwatch` – Allows users to receive CloudWatch alarms. + `cognito-idp` – Needed for Amazon SageMaker Ground Truth to browse descriptions and lists of private workforce and work teams. + `ecr` – Needed to read Docker artifacts for training and inference. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:Describe*", "sagemaker:List*", "sagemaker:BatchGetMetrics", "sagemaker:GetDeviceRegistration", "sagemaker:GetDeviceFleetReport", "sagemaker:GetSearchSuggestions", "sagemaker:BatchGetRecord", "sagemaker:GetRecord", "sagemaker:Search", "sagemaker:QueryLineage", "sagemaker:GetLineageGroupPolicy", "sagemaker:BatchDescribeModelPackage", "sagemaker:GetModelPackageGroupPolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "aws-marketplace:ViewSubscriptions", "cloudwatch:DescribeAlarms", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:ListGroups", "cognito-idp:ListIdentityProviders", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools", "cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup", "ecr:Describe*" ], "Resource": "*" } ] } ``` ------ # AWS managed policies for Amazon SageMaker Canvas SageMaker Canvas These AWS managed policies add permissions required to use Amazon SageMaker Canvas. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerCanvasFullAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess) + [ ## AWS managed policy: AmazonSageMakerCanvasDataPrepFullAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess) + [ ## AWS managed policy: AmazonSageMakerCanvasDirectDeployAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess) + [ ## AWS managed policy: AmazonSageMakerCanvasAIServicesAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess) + [ ## AWS managed policy: AmazonSageMakerCanvasBedrockAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess) + [ ## AWS managed policy: AmazonSageMakerCanvasForecastAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) + [ ## AWS managed policy: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy) + [ ## AWS managed policy: AmazonSageMakerCanvasSMDataScienceAssistantAccess ](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) + [ ## Amazon SageMaker AI updates to Amazon SageMaker Canvas managed policies ](#security-iam-awsmanpol-canvas-updates) ## AWS managed policy: AmazonSageMakerCanvasFullAccess AmazonSageMakerCanvasFullAccess This policy grants permissions that allow full access to Amazon SageMaker Canvas through the AWS Management Console and SDK. The policy also provides select access to related services [for example, Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Container Registry (Amazon ECR), Amazon CloudWatch Logs, Amazon Redshift, AWS Secrets Manager, Amazon SageMaker Autopilot, SageMaker Model Registry, and Amazon Forecast]. This policy is intended to help customers experiment and get started with all the capabilities of SageMaker Canvas. For more fine-grained control, we suggest customers build their own scoped down versions as they move to production workloads. For more information, see [IAM policy types: How and when to use them](https://aws.amazon.com/blogs/security/iam-policy-types-how-and-when-to-use-them/). **Permissions details** This AWS managed policy includes the following permissions. + `sagemaker` – Allows principals to create and host SageMaker AI models on resources whose ARN contains "Canvas", "canvas", or "model-compilation-". Additionally, users can register their SageMaker Canvas model to SageMaker AI Model Registry in the same AWS account. Also allows principals to create and manage SageMaker training, transform, and AutoML jobs. + `application-autoscaling` – Allows principals to automatically scale a SageMaker AI inference endpoint. + `athena` – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena, and access the tables in the catalogs. + `cloudwatch` – Allows principals to create and manage Amazon CloudWatch alarms. + `ec2` – Allows principals to create Amazon VPC endpoints. + `ecr` – Allows principals to get information about a container image. + `emr-serverless` – Allows principals to create and manage Amazon EMR Serverless applications and job runs. Also allows principals to tag SageMaker Canvas resources. + `forecast` – Allows principals to use Amazon Forecast. + `glue` – Allows principals to retrieve the tables, databases, and partitions in the AWS Glue catalog. + `iam` – Allows principals to pass an IAM role to Amazon SageMaker AI, Amazon Forecast, and Amazon EMR Serverless. Also allows principals to create a service-linked role. + `kms` – Allows principals to read an AWS KMS key that is tagged with `Source:SageMakerCanvas`. + `logs` – Allows principals to publish logs from training jobs and endpoints. + `quicksight` – Allows principals to list the namespaces in the Quick account. + `rds` – Allows principals to return information about provisioned Amazon RDS instances. + `redshift` – Allows principals to get credentials for a "sagemaker\$1access\$1" dbuser on any Amazon Redshift cluster if that user exists. + `redshift-data` – Allows principals to run queries on Amazon Redshift using the Amazon Redshift Data API. This only provides access to the Redshift Data APIs themselves and does not directly provide access to your Amazon Redshift clusters. For more information, see [Using the Amazon Redshift Data API](https://docs.aws.amazon.com/redshift/latest/mgmt/data-api.html). + `s3` – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name includes "SageMaker", "Sagemaker", or "sagemaker". Also allows principals to retrieve objects from Amazon S3 buckets whose ARN starts with "jumpstart-cache-prod-" in specific regions. + `secretsmanager` – Allows principals to store customer credentials to connect to a Snowflake database using Secrets Manager. **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "SageMakerUserDetailsAndPackageOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribeDomain", "sagemaker:DescribeUserProfile", "sagemaker:ListTags", "sagemaker:ListModelPackages", "sagemaker:ListModelPackageGroups", "sagemaker:ListEndpoints" ], "Resource": "*" }, { "Sid": "SageMakerPackageGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelPackage" ], "Resource": [ "arn:aws:sagemaker:*:*:model-package/*", "arn:aws:sagemaker:*:*:model-package-group/*" ] }, { "Sid": "SageMakerTrainingOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateCompilationJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateModel", "sagemaker:CreateProcessingJob", "sagemaker:CreateAutoMLJob", "sagemaker:CreateAutoMLJobV2", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob", "sagemaker:DeleteEndpoint", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeAutoMLJobV2", "sagemaker:DescribeTrainingJob", "sagemaker:DescribeTransformJob", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:StopAutoMLJob", "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:AddTags", "sagemaker:DeleteApp" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*", "arn:aws:sagemaker:*:*:*model-compilation-*" ] }, { "Sid": "SageMakerHostingOperations", "Effect": "Allow", "Action": [ "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteModel", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:InvokeEndpointAsync" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*" ] }, { "Sid": "EC2VPCOperation", "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices" ], "Resource": "*" }, { "Sid": "ECROperations", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "ReadSageMakerJumpstartArtifacts", "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*", "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*", "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*" ] }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": "glue:SearchTables", "Resource": [ "arn:aws:glue:*:*:table/*/*", "arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:catalog" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:PutResourcePolicy" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables", "redshift-data:DescribeTable" ], "Resource": "*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "ForecastOperations", "Effect": "Allow", "Action": [ "forecast:CreateExplainabilityExport", "forecast:CreateExplainability", "forecast:CreateForecastEndpoint", "forecast:CreateAutoPredictor", "forecast:CreateDatasetImportJob", "forecast:CreateDatasetGroup", "forecast:CreateDataset", "forecast:CreateForecast", "forecast:CreateForecastExportJob", "forecast:CreatePredictorBacktestExportJob", "forecast:CreatePredictor", "forecast:DescribeExplainabilityExport", "forecast:DescribeExplainability", "forecast:DescribeAutoPredictor", "forecast:DescribeForecastEndpoint", "forecast:DescribeDatasetImportJob", "forecast:DescribeDataset", "forecast:DescribeForecast", "forecast:DescribeForecastExportJob", "forecast:DescribePredictorBacktestExportJob", "forecast:GetAccuracyMetrics", "forecast:InvokeForecastEndpoint", "forecast:GetRecentForecastContext", "forecast:DescribePredictor", "forecast:TagResource", "forecast:DeleteResourceTree" ], "Resource": [ "arn:aws:forecast:*:*:*Canvas*" ] }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "IAMPassOperationForForecast", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "forecast.amazonaws.com" } } }, { "Sid": "AutoscalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ], "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*", "Condition": { "StringEquals": { "application-autoscaling:service-namespace": "sagemaker", "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount" } } }, { "Sid": "AsyncEndpointOperations", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "sagemaker:DescribeEndpointConfig" ], "Resource": "*" }, { "Sid": "DescribeScalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalingActivities" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "SageMakerCloudWatchUpdate", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:TargetTracking*" ], "Condition": { "StringEquals": { "aws:CalledViaLast": "application-autoscaling.amazonaws.com" } } }, { "Sid": "AutoscalingSageMakerEndpointOperation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } }, { "Sid": "AthenaOperation", "Action": [ "athena:ListTableMetadata", "athena:ListDataCatalogs", "athena:ListDatabases" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "GlueOperation", "Action": [ "glue:GetDatabases", "glue:GetPartitions", "glue:GetTables" ], "Effect": "Allow", "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "QuicksightOperation", "Action": [ "quicksight:ListNamespaces" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowUseOfKeyInAccount", "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Source": "SageMakerCanvas", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessCreateApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:CreateApplication", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:ListApplications", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessApplicationOperations", "Effect": "Allow", "Action": [ "emr-serverless:UpdateApplication", "emr-serverless:StopApplication", "emr-serverless:GetApplication", "emr-serverless:StartApplication" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessStartJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:StartJobRun", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:ListJobRuns", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessJobRunOperations", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessTagResourceOperation", "Effect": "Allow", "Action": "emr-serverless:TagResource", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "IAMPassOperationForEMRServerless", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ## AWS managed policy: AmazonSageMakerCanvasDataPrepFullAccess AmazonSageMakerCanvasDataPrepFullAccess This policy grants permissions that allow full access to the data preparation functionality of Amazon SageMaker Canvas. The policy also provides least privilege permissions for the services that integrate with the data preparation functionality [for example, Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), Amazon EMR, Amazon EventBridge, Amazon Redshift, AWS Key Management Service (AWS KMS) and AWS Secrets Manager]. **Permissions details** This AWS managed policy includes the following permissions. + `sagemaker` – Allows principals to access processing jobs, training jobs, inference pipelines, AutoML jobs, and feature groups. + `athena` – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena. + `elasticmapreduce` – Allows principals to read and list Amazon EMR clusters. + `emr-serverless` – Allows principals to create and manage Amazon EMR Serverless applications and job runs. Also allows principals to tag SageMaker Canvas resources. + `events` – Allows principals to create, read, update, and add targets to Amazon EventBridge rules for scheduled jobs. + `glue` – Allows principals to get and search tables from databases in the AWS Glue catalog. + `iam` – Allows principals to pass an IAM role to Amazon SageMaker AI, EventBridge, and Amazon EMR Serverless. Also allows principals to create a service-linked role. + `kms` – Allows principals to retrieve AWS KMS aliases stored in jobs and endpoints, and access the associated KMS key. + `logs` – Allows principals to publish logs from training jobs and endpoints. + `redshift` – Allows principals to get credentials to access an Amazon Redshift database. + `redshift-data` – Allows principals to run, cancel, describe, list, and get the results of Amazon Redshift queries. Also allows principals to list Amazon Redshift schemas and tables. + `s3` – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name includes "SageMaker", "Sagemaker", or "sagemaker"; or is tagged with "SageMaker", case-insensitive. + `secretsmanager` – Allows principals to store and retrieve customer database credentials using Secrets Manager. **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "SageMakerListFeatureGroupOperation", "Effect": "Allow", "Action": "sagemaker:ListFeatureGroups", "Resource": "*" }, { "Sid": "SageMakerFeatureGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateFeatureGroup", "sagemaker:DescribeFeatureGroup" ], "Resource": "arn:aws:sagemaker:*:*:feature-group/*" }, { "Sid": "SageMakerProcessingJobOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateProcessingJob", "sagemaker:DescribeProcessingJob", "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*" }, { "Sid": "SageMakerProcessingJobListOperation", "Effect": "Allow", "Action": "sagemaker:ListProcessingJobs", "Resource": "*" }, { "Sid": "SageMakerPipelineOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribePipeline", "sagemaker:CreatePipeline", "sagemaker:UpdatePipeline", "sagemaker:DeletePipeline", "sagemaker:StartPipelineExecution", "sagemaker:ListPipelineExecutionSteps", "sagemaker:DescribePipelineExecution" ], "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*" }, { "Sid": "KMSListOperations", "Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*" }, { "Sid": "KMSOperations", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "IAMListOperations", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "sagemaker.amazonaws.com", "events.amazonaws.com" ] } } }, { "Sid": "EventBridgePutOperation", "Effect": "Allow", "Action": [ "events:PutRule" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeOperations", "Effect": "Allow", "Action": [ "events:DescribeRule", "events:PutTargets" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeTagBasedOperations", "Effect": "Allow", "Action": [ "events:TagResource" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true", "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeListTagOperation", "Effect": "Allow", "Action": "events:ListTagsForResource", "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:SearchTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "EMROperations", "Effect": "Allow", "Action": [ "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups" ], "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*" }, { "Sid": "EMRListOperation", "Effect": "Allow", "Action": "elasticmapreduce:ListClusters", "Resource": "*" }, { "Sid": "AthenaListDataCatalogOperation", "Effect": "Allow", "Action": "athena:ListDataCatalogs", "Resource": "*" }, { "Sid": "AthenaQueryExecutionOperations", "Effect": "Allow", "Action": [ "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": "arn:aws:athena:*:*:workgroup/*" }, { "Sid": "AthenaDataCatalogOperations", "Effect": "Allow", "Action": [ "athena:ListDatabases", "athena:ListTableMetadata" ], "Resource": "arn:aws:athena:*:*:datacatalog/*" }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult" ], "Resource": "*" }, { "Sid": "RedshiftArnBasedOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": "arn:aws:redshift:*:*:cluster:*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": "redshift:GetClusterCredentials", "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": "secretsmanager:CreateSecret", "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*", "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*" }, { "Sid": "EMRServerlessCreateApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:CreateApplication", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:ListApplications", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessApplicationOperations", "Effect": "Allow", "Action": [ "emr-serverless:UpdateApplication", "emr-serverless:GetApplication" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessStartJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:StartJobRun", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:ListJobRuns", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessJobRunOperations", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessTagResourceOperation", "Effect": "Allow", "Action": "emr-serverless:TagResource", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "IAMPassOperationForEMRServerless", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ## AWS managed policy: AmazonSageMakerCanvasDirectDeployAccess AmazonSageMakerCanvasDirectDeployAccess This policy grants permissions needed for Amazon SageMaker Canvas to create and manage Amazon SageMaker AI endpoints. **Permissions details** This AWS managed policy includes the following permissions. + `sagemaker` – Allows principals to create and manage SageMaker AI endpoints with an ARN resource name that starts with "Canvas" or "canvas". + `cloudwatch` – Allows principals to retrieve Amazon CloudWatch metric data. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "SageMakerEndpointPerms", "Effect": "Allow", "Action": [ "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:DeleteEndpoint", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpoint" ], "Resource": [ "arn:aws:sagemaker:*:*:Canvas*", "arn:aws:sagemaker:*:*:canvas*" ] }, { "Sid": "ReadCWInvocationMetrics", "Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*" } ] } ``` ------ ## AWS managed policy: AmazonSageMakerCanvasAIServicesAccess AmazonSageMakerCanvasAIServicesAccess This policy grants permissions for Amazon SageMaker Canvas to use Amazon Textract, Amazon Rekognition, Amazon Comprehend, and Amazon Bedrock. **Permissions details** This AWS managed policy includes the following permissions. + `textract` – Allows principals to use Amazon Textract to detect documents, expenses, and identities within an image. + `rekognition` – Allows principals to use Amazon Rekognition to detect labels and text within an image. + `comprehend` – Allows principals to use Amazon Comprehend to detect sentiment and dominant language, and named and personally identifiable information (PII) entities within a text document. + `bedrock` – Allows principals to use Amazon Bedrock to list and invoke foundation models. + `iam` – Allows principals to pass an IAM role to Amazon Bedrock. **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "Textract", "Effect": "Allow", "Action": [ "textract:AnalyzeDocument", "textract:AnalyzeExpense", "textract:AnalyzeID", "textract:StartDocumentAnalysis", "textract:StartExpenseAnalysis", "textract:GetDocumentAnalysis", "textract:GetExpenseAnalysis" ], "Resource": "*" }, { "Sid": "Rekognition", "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectText" ], "Resource": "*" }, { "Sid": "Comprehend", "Effect": "Allow", "Action": [ "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectEntities", "comprehend:BatchDetectSentiment", "comprehend:DetectPiiEntities", "comprehend:DetectEntities", "comprehend:DetectSentiment", "comprehend:DetectDominantLanguage" ], "Resource": "*" }, { "Sid": "Bedrock", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:ListFoundationModels", "bedrock:InvokeModelWithResponseStream" ], "Resource": "*" }, { "Sid": "CreateBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob", "bedrock:CreateProvisionedModelThroughput", "bedrock:TagResource" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": [ "SageMaker", "Canvas" ] }, "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:RequestTag/Canvas": "true", "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "GetStopAndDeleteBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:GetModelCustomizationJob", "bedrock:GetCustomModel", "bedrock:GetProvisionedModelThroughput", "bedrock:StopModelCustomizationJob", "bedrock:DeleteProvisionedModelThroughput" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "FoundationModelPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:*::foundation-model/*" ] }, { "Sid": "BedrockFineTuningPassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } } ] } ``` ## AWS managed policy: AmazonSageMakerCanvasBedrockAccess AmazonSageMakerCanvasBedrockAccess This policy grants permissions commonly needed to use Amazon SageMaker Canvas with Amazon Bedrock. **Permissions details** This AWS managed policy includes the following permissions. + `s3` – Allows principals to add and retrieve objects from Amazon S3 buckets in the "sagemaker-\$1/Canvas" directory. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "S3CanvasAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/Canvas/*" ] }, { "Sid": "S3BucketAccess", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] } ``` ------ ## AWS managed policy: AmazonSageMakerCanvasForecastAccess AmazonSageMakerCanvasForecastAccess This policy grants permissions commonly needed to use Amazon SageMaker Canvas with Amazon Forecast. **Permissions details** This AWS managed policy includes the following permissions. + `s3` – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name starts with "sagemaker-". ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/canvas" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] } ``` ------ ## AWS managed policy: AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy This policy grants permissions to Amazon EMR Serverless for AWS services, such as Amazon S3, used by Amazon SageMaker Canvas for large data processing. **Permissions details** This AWS managed policy includes the following permissions. + `s3` – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name includes "SageMaker" or "sagemaker"; or is tagged with "SageMaker", case-insensitive. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ------ ## AWS managed policy: AmazonSageMakerCanvasSMDataScienceAssistantAccess AmazonSageMakerCanvasSMDataScienceAssistantAccess This policy grants permissions for users in Amazon SageMaker Canvas to start conversations with Amazon Q Developer. This feature requires permissions to both Amazon Q Developer and the SageMaker AI Data Science Assistant service. **Permissions details** This AWS managed policy includes the following permissions. + `q` – Allows principals to send prompts to Amazon Q Developer. + `sagemaker-data-science-assistant` – Allows principals to send prompts to the SageMaker Canvas Data Science Assistant service. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "SageMakerDataScienceAssistantAccess", "Effect": "Allow", "Action": [ "sagemaker-data-science-assistant:SendConversation" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AmazonQDeveloperAccess", "Effect": "Allow", "Action": [ "q:SendMessage", "q:StartConversation" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ------ ## Amazon SageMaker AI updates to Amazon SageMaker Canvas managed policies SageMaker Canvas policy updates View details about updates to AWS managed policies for SageMaker Canvas since this service began tracking these changes. | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) - Update to an existing policy | 2 | Add `q:StartConversation` permission. | January 14, 2025 | | [AmazonSageMakerCanvasSMDataScienceAssistantAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasSMDataScienceAssistantAccess) - New policy | 1 | Initial policy | December 4, 2024 | | [AmazonSageMakerCanvasDataPrepFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDataPrepFullAccess) - Update to an existing policy | 4 | Add resource to `IAMPassOperationForEMRServerless` permission. | August 16, 2024 | | [AmazonSageMakerCanvasFullAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasFullAccess) - Update to an existing policy | 11 | Add resource to `IAMPassOperationForEMRServerless` permission. | August 15, 2024 | | [AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy](#security-iam-awsmanpol-AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy) - New policy | 1 | Initial policy | July 26, 2024 | | AmazonSageMakerCanvasDataPrepFullAccess - Update to an existing policy | 3 | Add `emr-serverless:CreateApplication`, `emr-serverless:ListApplications`, `emr-serverless:UpdateApplication`, `emr-serverless:GetApplication`, `emr-serverless:StartJobRun`, `emr-serverless:ListJobRuns`, `emr-serverless:GetJobRun`, `emr-serverless:CancelJobRun`, and `emr-serverless:TagResource` permissions. | July 18, 2024 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 10 | Add `application-autoscaling:DescribeScalingActivities` `iam:PassRole`, `kms:DescribeKey`, and `quicksight:ListNamespaces` permissions. Add `sagemaker:CreateTrainingJob`, `sagemaker:CreateTransformJob`, `sagemaker:DescribeTrainingJob`, `sagemaker:DescribeTransformJob`, `sagemaker:StopAutoMLJob`, `sagemaker:StopTrainingJob`, and `sagemaker:StopTransformJob` permissions. Add `athena:ListTableMetadata`, `athena:ListDataCatalogs`, and `athena:ListDatabases` permissions. Add `glue:GetDatabases`, `glue:GetPartitions`, and `glue:GetTables` permissions. Add `emr-serverless:CreateApplication`, `emr-serverless:ListApplications`, `emr-serverless:UpdateApplication`, `emr-serverless:StopApplication`, `emr-serverless:GetApplication`, `emr-serverless:StartApplication`, `emr-serverless:StartJobRun`, `emr-serverless:ListJobRuns`, `emr-serverless:GetJobRun`, `emr-serverless:CancelJobRun`, and `emr-serverless:TagResource` permissions. | July 9, 2024 | | [AmazonSageMakerCanvasBedrockAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasBedrockAccess) - New policy | 1 | Initial policy | February 2, 2024 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 9 | Add `sagemaker:ListEndpoints` permission. | January 24, 2024 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 8 | Add `sagemaker:UpdateEndpointWeightsAndCapacities`, `sagemaker:DescribeEndpointConfig`, `sagemaker:InvokeEndpointAsync`, `athena:ListDataCatalogs`, `athena:GetQueryExecution`, `athena:GetQueryResults`, `athena:StartQueryExecution`, `athena:StopQueryExecution`, `athena:ListDatabases`, `cloudwatch:DescribeAlarms`, `cloudwatch:PutMetricAlarm`, `cloudwatch:DeleteAlarms`, and `iam:CreateServiceLinkedRole` permissions. | December 8, 2023 | | AmazonSageMakerCanvasDataPrepFullAccess - Update to an existing policy | 2 | Small update to enforce the intents of the previous policy, version 1; no permissions added or deleted. | December 7, 2023 | | [AmazonSageMakerCanvasAIServicesAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasAIServicesAccess) - Update to an existing policy | 3 | Add `bedrock:InvokeModelWithResponseStream`, `bedrock:GetModelCustomizationJob`, `bedrock:StopModelCustomizationJob`, `bedrock:GetCustomModel`, `bedrock:GetProvisionedModelThroughput`, `bedrock:DeleteProvisionedModelThroughput`, `bedrock:TagResource`, `bedrock:CreateModelCustomizationJob`, `bedrock:CreateProvisionedModelThroughput`, and `iam:PassRole` permissions. | November 29, 2023 | | AmazonSageMakerCanvasDataPrepFullAccess - New policy | 1 | Initial policy | October 26, 2023 | | [AmazonSageMakerCanvasDirectDeployAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasDirectDeployAccess) - New policy | 1 | Initial policy | October 6, 2023 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 7 | Add `sagemaker:DeleteEndpointConfig`, `sagemaker:DeleteModel`, and `sagemaker:InvokeEndpoint` permissions. Also add `s3:GetObject` permission for JumpStart resources in specific regions. | September 29, 2023 | | AmazonSageMakerCanvasAIServicesAccess - Update to an existing policy | 2 | Add `bedrock:InvokeModel` and `bedrock:ListFoundationModels` permissions. | September 29, 2023 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 6 | Add `rds:DescribeDBInstances` permission. | August 29, 2023 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 5 | Add `application-autoscaling:PutScalingPolicy` and `application-autoscaling:RegisterScalableTarget` permissions. | July 24, 2023 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 4 | Add `sagemaker:CreateModelPackage`, `sagemaker:CreateModelPackageGroup`, `sagemaker:DescribeModelPackage`, `sagemaker:DescribeModelPackageGroup`, `sagemaker:ListModelPackages`, and `sagemaker:ListModelPackageGroups` permissions. | May 4, 2023 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 3 | Add `sagemaker:CreateAutoMLJobV2`, `sagemaker:DescribeAutoMLJobV2`, and `glue:SearchTables` permissions. | March 24, 2023 | | AmazonSageMakerCanvasAIServicesAccess - New policy | 1 | Initial policy | March 23, 2023 | | AmazonSageMakerCanvasFullAccess - Update to an existing policy | 2 | Add `forecast:DeleteResourceTree` permission. | December 6, 2022 | | AmazonSageMakerCanvasFullAccess - New policy | 1 | Initial policy | September 8, 2022 | | [AmazonSageMakerCanvasForecastAccess](#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) - New policy | 1 | Initial policy | August 24, 2022 | # AWS managed policies for Amazon SageMaker Feature Store SageMaker AI Feature Store These AWS managed policies add permissions required to use Feature Store. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerFeatureStoreAccess ](#security-iam-awsmanpol-AmazonSageMakerFeatureStoreAccess) + [ ## Amazon SageMaker AI updates to Amazon SageMaker Feature Store managed policies ](#security-iam-awsmanpol-feature-store-updates) ## AWS managed policy: AmazonSageMakerFeatureStoreAccess AmazonSageMakerFeatureStoreAccess This policy grants permissions required to enable the offline store for an Amazon SageMaker Feature Store feature group. **Permissions details** This AWS managed policy includes the following permissions. + `s3` – Allows principals to write data into an offline store Amazon S3 bucket. These buckets are limited to those whose name includes "SageMaker", "Sagemaker", or "sagemaker". + `s3` – Allows principals to read existing manifest files maintained in the `metadata` folder of an offline store S3 bucket. + `glue` – Allows principals to read and update AWS Glue tables. These permissions are limited to tables in the `sagemaker_featurestore` folder. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*SageMaker*/metadata/*", "arn:aws:s3:::*Sagemaker*/metadata/*", "arn:aws:s3:::*sagemaker*/metadata/*" ] }, { "Effect": "Allow", "Action": [ "glue:GetTable", "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker_featurestore", "arn:aws:glue:*:*:table/sagemaker_featurestore/*" ] } ] } ``` ------ ## Amazon SageMaker AI updates to Amazon SageMaker Feature Store managed policies Feature Store policy updates View details about updates to AWS managed policies for Feature Store since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page.](doc-history.md) | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerFeatureStoreAccess](#security-iam-awsmanpol-AmazonSageMakerFeatureStoreAccess) - Update to an existing policy | 3 | Add `s3:GetObject`, `glue:GetTable`, and `glue:UpdateTable` permissions. | December 5, 2022 | | AmazonSageMakerFeatureStoreAccess - Update to an existing policy | 2 | Add `s3:PutObjectAcl` permission. | February 23, 2021 | | AmazonSageMakerFeatureStoreAccess - New policy | 1 | Initial policy | December 1, 2020 | # AWS managed policies for Amazon SageMaker geospatial SageMaker geospatial These AWS managed policies add permissions required to use SageMaker geospatial. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerGeospatialFullAccess ](#security-iam-awsmanpol-AmazonSageMakerGeospatialFullAccess) + [ ## AWS managed policy: AmazonSageMakerGeospatialExecutionRole ](#security-iam-awsmanpol-AmazonSageMakerGeospatialExecutionRole) + [ ## Amazon SageMaker AI updates to Amazon SageMaker geospatial managed policies ](#security-iam-awsmanpol-geospatial-updates) ## AWS managed policy: AmazonSageMakerGeospatialFullAccess AmazonSageMakerGeospatialFullAccess This policy grants permissions that allow full access to Amazon SageMaker geospatial through the AWS Management Console and SDK. **Permissions details** This AWS managed policy includes the following permissions. + `sagemaker-geospatial` – Allows principals full access to all SageMaker geospatial resources. + `iam` – Allows principals to pass an IAM role to SageMaker geospatial. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sagemaker-geospatial:*", "Resource": "*" }, { "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "sagemaker-geospatial.amazonaws.com" ] } } } ] } ``` ------ ## AWS managed policy: AmazonSageMakerGeospatialExecutionRole AmazonSageMakerGeospatialExecutionRole This policy grants permissions commonly needed to use SageMaker geospatial. **Permissions details** This AWS managed policy includes the following permissions. + `s3` – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose name contains "SageMaker", "Sagemaker", or "sagemaker". + `sagemaker-geospatial` – Allows principals to access Earth observation jobs through the `GetEarthObservationJob` API. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": "sagemaker-geospatial:GetEarthObservationJob", "Resource": "arn:aws:sagemaker-geospatial:*:*:earth-observation-job/*" }, { "Effect": "Allow", "Action": "sagemaker-geospatial:GetRasterDataCollection", "Resource": "arn:aws:sagemaker-geospatial:*:*:raster-data-collection/*" } ] } ``` ------ ## Amazon SageMaker AI updates to Amazon SageMaker geospatial managed policies SageMaker geospatial policy updates View details about updates to AWS managed policies for SageMaker geospatial since this service began tracking these changes. | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerGeospatialExecutionRole](#security-iam-awsmanpol-AmazonSageMakerGeospatialExecutionRole) - Updated policy | 2 | Add `sagemaker-geospatial:GetRasterDataCollection` permission. | May 10, 2023 | | [AmazonSageMakerGeospatialFullAccess](#security-iam-awsmanpol-AmazonSageMakerGeospatialFullAccess) - New policy | 1 | Initial policy | November 30, 2022 | | AmazonSageMakerGeospatialExecutionRole - New policy | 1 | Initial policy | November 30, 2022 | # AWS Managed Policies for Amazon SageMaker Ground Truth SageMaker AI Ground Truth These AWS managed policies add permissions required to use SageMaker AI Ground Truth. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerGroundTruthExecution ](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution) + [ ## Amazon SageMaker AI updates to SageMaker AI Ground Truth managed policies ](#security-iam-awsmanpol-groundtruth-updates) ## AWS managed policy: AmazonSageMakerGroundTruthExecution AmazonSageMakerGroundTruthExecution This AWS managed policy grants permissions commonly needed to use SageMaker AI Ground Truth. **Permissions details** This policy includes the following permissions. + `lambda` – Allows principals to invoke Lambda functions whose name includes "sagemaker" (case-insensitive), "GtRecipe", or "LabelingFunction". + `s3` – Allows principals to add and retrieve objects from Amazon S3 buckets. These objects are limited to those whose case-insensitive name contains "groundtruth" or "sagemaker", or are tagged with "SageMaker". + `cloudwatch` – Allows principals to post CloudWatch metrics. + `logs` – Allows principals to create and access log streams, and post log events. + `sqs` – Allows principals to create Amazon SQS queues, and send and receive Amazon SQS messages. These permissions are limited to queues whose name includes "GroundTruth". + `sns` – Allows principals to subscribe to and publish messages to Amazon SNS topics whose case-insensitive name contains "groundtruth" or "sagemaker". + `ec2` – Allows principals to create, describe, and delete Amazon VPC endpoints whose VPC endpoint service name contains "sagemaker-task-resources" or "labeling". ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CustomLabelingJobs", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:*GtRecipe*", "arn:aws:lambda:*:*:function:*LabelingFunction*", "arn:aws:lambda:*:*:function:*SageMaker*", "arn:aws:lambda:*:*:function:*sagemaker*", "arn:aws:lambda:*:*:function:*Sagemaker*" ] }, { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::*GroundTruth*", "arn:aws:s3:::*Groundtruth*", "arn:aws:s3:::*groundtruth*", "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket" ], "Resource": "*" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:CreateLogGroup", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "*" }, { "Sid": "StreamingQueue", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ReceiveMessage", "sqs:SendMessage", "sqs:SetQueueAttributes" ], "Resource": "arn:aws:sqs:*:*:*GroundTruth*" }, { "Sid": "StreamingTopicSubscribe", "Effect": "Allow", "Action": "sns:Subscribe", "Resource": [ "arn:aws:sns:*:*:*GroundTruth*", "arn:aws:sns:*:*:*Groundtruth*", "arn:aws:sns:*:*:*groundTruth*", "arn:aws:sns:*:*:*groundtruth*", "arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*", "arn:aws:sns:*:*:*sageMaker*", "arn:aws:sns:*:*:*sagemaker*" ], "Condition": { "StringEquals": { "sns:Protocol": "sqs" }, "StringLike": { "sns:Endpoint": "arn:aws:sqs:*:*:*GroundTruth*" } } }, { "Sid": "StreamingTopic", "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": [ "arn:aws:sns:*:*:*GroundTruth*", "arn:aws:sns:*:*:*Groundtruth*", "arn:aws:sns:*:*:*groundTruth*", "arn:aws:sns:*:*:*groundtruth*", "arn:aws:sns:*:*:*SageMaker*", "arn:aws:sns:*:*:*Sagemaker*", "arn:aws:sns:*:*:*sageMaker*", "arn:aws:sns:*:*:*sagemaker*" ] }, { "Sid": "StreamingTopicUnsubscribe", "Effect": "Allow", "Action": [ "sns:Unsubscribe" ], "Resource": "*" }, { "Sid": "WorkforceVPC", "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeVpcEndpoints", "ec2:DeleteVpcEndpoints" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "ec2:VpceServiceName": [ "*sagemaker-task-resources*", "aws.sagemaker*labeling*" ] } } } ] } ``` ------ ## Amazon SageMaker AI updates to SageMaker AI Ground Truth managed policies SageMaker AI Ground Truth policy updates View details about updates to AWS managed policies for Amazon SageMaker AI Ground Truth since this service began tracking these changes. | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution) - Update to an existing policy | 3 | Add `ec2:CreateVpcEndpoint`, `ec2:DescribeVpcEndpoints`, and `ec2:DeleteVpcEndpoints` permissions. | April 29, 2022 | | AmazonSageMakerGroundTruthExecution - Update to an existing policy | 2 | Remove `sqs:SendMessageBatch` permission. | April 11, 2022 | | AmazonSageMakerGroundTruthExecution - New policy | 1 | Initial policy | July 20, 2020 | # AWS managed policies for Amazon SageMaker HyperPod SageMaker HyperPod The following AWS managed policies add permissions required to use Amazon SageMaker HyperPod. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console or the HyperPod service-linked role. **Topics** + [ # AWS managed policy: AmazonSageMakerHyperPodTrainingOperatorAccess ](security-iam-awsmanpol-AmazonSageMakerHyperPodTrainingOperatorAccess.md) + [ # AWS managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess ](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md) + [ # AWS managed policy: AmazonSageMakerHyperPodServiceRolePolicy ](security-iam-awsmanpol-AmazonSageMakerHyperPodServiceRolePolicy.md) + [ # AWS managed policy: AmazonSageMakerClusterInstanceRolePolicy ](security-iam-awsmanpol-AmazonSageMakerClusterInstanceRolePolicy.md) + [ ## Amazon SageMaker AI updates to SageMaker HyperPod managed policies ](#security-iam-awsmanpol-hyperpod-updates) # AWS managed policy: AmazonSageMakerHyperPodTrainingOperatorAccess AmazonSageMakerHyperPodTrainingOperatorAccess This policy provides administrative permissions required to set up the SageMaker HyperPod training operator. It enables access to SageMaker HyperPod and Amazon EKS add-ons. The policy includes permissions to describe the SageMaker HyperPod resources in your account. **Permission details** This policy includes the following permissions: + `sagemaker:DescribeClusterNode` - Allows users to return information about a HyperPod cluster. To view the permissions for this policy, see [AmazonSageMakerHyperPodTrainingOperatorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerHyperPodTrainingOperatorAccess.html) in the AWS Managed Policy Reference. # AWS managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess AmazonSageMakerHyperPodObservabilityAdminAccess This policy provides administrative privileges required for setting up Amazon SageMaker HyperPod observability. It enables access to Amazon Managed Service for Prometheus, Amazon Managed Grafana and Amazon Elastic Kubernetes Service add-ons. The policy also includes broad access to Grafana HTTP APIs through ServiceAccountTokens across all Amazon Managed Grafana workspaces in your account. **Permission details** The following list provides an overview of the permissions that are included in this policy. + `prometheus` – Create and manage Amazon Managed Service for Prometheus workspaces and rule groups + `grafana` – Creates and manages Amazon Managed Grafana workspaces and service accounts + `eks` – Creates and manages the `amazon-sagemaker-hyperpod-observability` Amazon EKS add-on + `iam` – Passes specific IAM service roles to Amazon Managed Grafana and Amazon EKS + `sagemaker` – Lists and describes SageMaker HyperPod clusters + `sso` – Creates and manages IAM Identity Center application instances for Amazon Managed Grafana setup + `tag` – Tags Amazon Managed Service for Prometheus, Amazon Managed Grafana, and Amazon EKS add-on resources To view the policy JSON, see [AmazonSageMakerHyperPodObservabilityAdminAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerHyperPodObservabilityAdminAccess.html). # AWS managed policy: AmazonSageMakerHyperPodServiceRolePolicy AmazonSageMakerHyperPodServiceRolePolicy SageMaker HyperPod creates and uses the service-linked role named `AWSServiceRoleForSageMakerHyperPod` with the `AmazonSageMakerHyperPodServiceRolePolicy` attached to the role. This policy grants Amazon SageMaker HyperPod permissions to related AWS services such as Amazon EKS and Amazon CloudWatch. The service-linked role makes setting up SageMaker HyperPod easier because you don’t have to manually add the necessary permissions. SageMaker HyperPod defines the permissions of its service-linked roles, and unless defined otherwise, only SageMaker HyperPod can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. You can delete a service-linked role only after first deleting their related resources. This protects your SageMaker HyperPod resources because you can't inadvertently remove permission to access the resources. For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service. The `AmazonSageMakerHyperPodServiceRolePolicy` allows SageMaker HyperPod to complete the following actions on the specified resources on your behalf. **Permissions details** This service-linked role policy includes the following permissions. + `eks` – Allows principals to read Amazon Elastic Kubernetes Service (EKS) cluster information. + `logs` – Allows principals to publish Amazon CloudWatch log streams to `/aws/sagemaker/Clusters`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "EKSClusterDescribePermissions", "Effect": "Allow", "Action": "eks:DescribeCluster", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "CloudWatchLogGroupPermissions", "Effect": "Allow", "Action": [ "logs:CreateLogGroup" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "CloudWatchLogStreamPermissions", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ------ You must configure permissions to allow your users, groups, or roles to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*. ## Creating a service-linked role for SageMaker HyperPod You don't need to manually create a service-linked role. When you create a SageMaker HyperPod cluster using the SageMaker AI console, the AWS CLI, or the AWS SDKs, SageMaker HyperPod creates the service-linked role for you. If you delete this service-linked role but need to create it again, you can use the same process (create a new SageMaker HyperPod cluster) to recreate the role in your account. ## Editing a service-linked role for SageMaker HyperPod SageMaker HyperPod does not allow you to edit the `AWSServiceRoleForSageMakerHyperPod` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*. ## Deleting a service-linked role for SageMaker HyperPod If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it. **To delete SageMaker HyperPod cluster resources using the service-linked role** Use one of the following options to delete SageMaker HyperPod cluster resources. + [Delete a SageMaker HyperPod cluster](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-operate-slurm-console-ui.html#sagemaker-hyperpod-operate-slurm-console-ui-delete-cluster) using the SageMaker AI console + [Delete a SageMaker HyperPod cluster](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-operate-slurm-cli-command.html#sagemaker-hyperpod-operate-slurm-cli-command-delete-cluster) using the AWS CLI **Note** If the SageMaker HyperPod service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. **To manually delete the service-linked role using IAM** Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForSageMakerHyperPod` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*. ## Supported Regions for SageMaker HyperPod service-linked roles SageMaker HyperPod supports using service-linked roles in all of the Regions where the service is available. For more information, see [Prerequisites for SageMaker HyperPod](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-prerequisites.html). # AWS managed policy: AmazonSageMakerClusterInstanceRolePolicy AmazonSageMakerClusterInstanceRolePolicy This policy grants permissions commonly needed to use Amazon SageMaker HyperPod. **Permissions details** This AWS managed policy includes the following permissions. + `cloudwatch` – Allows principals to post Amazon CloudWatch metrics. + `logs` – Allows principals to publish CloudWatch log streams. + `s3` – Allows principals to list and retrieve lifecycle script files from an Amazon S3 bucket in your account. These buckets are limited to those whose name starts with "sagemaker-". + `ssmmessages` – Allows principals to open a connection to AWS Systems Manager. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement" : [ { "Sid" : "CloudwatchLogStreamPublishPermissions", "Effect" : "Allow", "Action" : [ "logs:PutLogEvents", "logs:CreateLogStream", "logs:DescribeLogStreams" ], "Resource" : [ "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*" ] }, { "Sid" : "CloudwatchLogGroupCreationPermissions", "Effect" : "Allow", "Action" : [ "logs:CreateLogGroup" ], "Resource" : [ "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*" ] }, { "Sid" : "CloudwatchPutMetricDataAccess", "Effect" : "Allow", "Action" : [ "cloudwatch:PutMetricData" ], "Resource" : [ "*" ], "Condition" : { "StringEquals" : { "cloudwatch:namespace" : "/aws/sagemaker/Clusters" } } }, { "Sid" : "DataRetrievalFromS3BucketPermissions", "Effect" : "Allow", "Action" : [ "s3:ListBucket", "s3:GetObject" ], "Resource" : [ "arn:aws:s3:::sagemaker-*" ], "Condition" : { "StringEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "SSMConnectivityPermissions", "Effect" : "Allow", "Action" : [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource" : "*" } ] } ``` ------ ## Amazon SageMaker AI updates to SageMaker HyperPod managed policies SageMaker HyperPod policy updates View details about updates to AWS managed policies for SageMaker HyperPod since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page.](doc-history.md) | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerHyperPodTrainingOperatorAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodTrainingOperatorAccess.md) - New policy | 1 | Initial policy | August 22, 2025 | | [AmazonSageMakerHyperPodObservabilityAdminAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md) - Updated policy | 2 | Updated the policy to fix the role scope-down to include the `service-role` prefix. Also added permissions for `eks:DeletePodIdentityAssociation` and `eks:UpdatePodIdentityAssociation` that are required for end-to-end administrative actions. | August 19, 2025 | | [AmazonSageMakerHyperPodObservabilityAdminAccess](security-iam-awsmanpol-AmazonSageMakerHyperPodObservabilityAdminAccess.md) - New policy | 1 | Initial policy | July 10, 2025 | | [AmazonSageMakerHyperPodServiceRolePolicy](security-iam-awsmanpol-AmazonSageMakerHyperPodServiceRolePolicy.md) - New policy | 1 | Initial policy | September 9, 2024 | | [AmazonSageMakerClusterInstanceRolePolicy](security-iam-awsmanpol-AmazonSageMakerClusterInstanceRolePolicy.md) - New policy | 1 | Initial policy | November 29, 2023 | # AWS Managed Policies for SageMaker AI Model Governance SageMaker AI Model Governance This AWS managed policy adds permissions required to use SageMaker AI Model Governance. The policy is available in your AWS account and is used by execution roles created from the SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerModelGovernanceUseAccess ](#security-iam-awsmanpol-governance-AmazonSageMakerModelGovernanceUseAccess) + [ ## Amazon SageMaker AI updates to SageMaker AI Model Governance managed policies ](#security-iam-awsmanpol-governance-updates) ## AWS managed policy: AmazonSageMakerModelGovernanceUseAccess AmazonSageMakerModelGovernanceUseAccess This AWS managed policy grants permissions needed to use all Amazon SageMaker AI Governance features. The policy is available in your AWS account. This policy includes the following permissions. + `s3` – Retrieve objects from Amazon S3 buckets. Retrievable objects are limited to those whose case-insensitive name contains the string `"sagemaker"`. + `kms` – List the AWS KMS keys to use for content encryption. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowSMMonitoringModelCards", "Effect": "Allow", "Action": [ "sagemaker:ListMonitoringAlerts", "sagemaker:ListMonitoringExecutions", "sagemaker:UpdateMonitoringAlert", "sagemaker:StartMonitoringSchedule", "sagemaker:StopMonitoringSchedule", "sagemaker:ListMonitoringAlertHistory", "sagemaker:DescribeModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:CreateModelCard", "sagemaker:DescribeModelCard", "sagemaker:UpdateModelCard", "sagemaker:DeleteModelCard", "sagemaker:ListModelCards", "sagemaker:ListModelCardVersions", "sagemaker:CreateModelCardExportJob", "sagemaker:DescribeModelCardExportJob", "sagemaker:ListModelCardExportJobs" ], "Resource": "*" }, { "Sid": "AllowSMTrainingModelsSearchTags", "Effect": "Allow", "Action": [ "sagemaker:ListTrainingJobs", "sagemaker:DescribeTrainingJob", "sagemaker:ListModels", "sagemaker:DescribeModel", "sagemaker:Search", "sagemaker:AddTags", "sagemaker:DeleteTags", "sagemaker:ListTags" ], "Resource": "*" }, { "Sid": "AllowKMSActions", "Effect": "Allow", "Action": [ "kms:ListAliases" ], "Resource": "*" }, { "Sid": "AllowS3Actions", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:CreateBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "AllowS3ListActions", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" } ] } ``` ------ ## Amazon SageMaker AI updates to SageMaker AI Model Governance managed policies SageMaker AI Model Governance policy updates View details about updates to AWS managed policies for SageMaker AI Model Governance since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page.](doc-history.md) | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerModelGovernanceUseAccess](#security-iam-awsmanpol-governance-AmazonSageMakerModelGovernanceUseAccess) - Update to an existing policy | 3 | Add statement IDs (`Sid`). | June 4, 2024 | | AmazonSageMakerModelGovernanceUseAccess - Update to an existing policy | 2 | Add `sagemaker:DescribeModelPackage` and `DescribeModelPackageGroup` permissions. | July 17, 2023 | | AmazonSageMakerModelGovernanceUseAccess - New policy | 1 | Initial policy | November 30, 2022 | # AWS Managed Policies for Model Registry Model Registry These AWS managed policies adds permissions required to use Model Registry. The policies are available in your AWS account and are used by execution roles created from the Amazon SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerModelRegistryFullAccess ](#security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess) + [ ## Amazon SageMaker AI updates to Model Registry managed policies ](#security-iam-awsmanpol-model-registry-updates) ## AWS managed policy: AmazonSageMakerModelRegistryFullAccess AmazonSageMakerModelRegistryFullAccess This AWS managed policy grants permissions needed to use all Model Registry features inside an Amazon SageMaker AI domain. This policy is attached to an execution role when configuring Model Registry settings to enable Model Registry permissions. This policy includes the following permissions. + `ecr` – Allows principals to retrieve information, including metadata, about Amazon Elastic Container Registry (Amazon ECR) images. + `iam` – Allows principals to pass the execution role to the Amazon SageMaker AI service. + `resource-groups` – Allows principals to create, list, tag, and delete AWS Resource Groups. + `s3` – Allows principals to retrieve objects from the Amazon Simple Storage Service (Amazon S3) buckets where model versions are stored. Retrievable objects are limited to those whose case-insensitive name contains the string `"sagemaker"`. + `sagemaker` – Allows principals to catalog, manage, and deploy models using the SageMaker Model Registry. + `kms` – Allows only the SageMaker AI service principal to add a grant, generate data keys, decrypt, and read AWS KMS keys, and only keys that are tagged for "sagemaker" use. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AmazonSageMakerModelRegistrySageMakerReadPermission", "Effect": "Allow", "Action": [ "sagemaker:DescribeAction", "sagemaker:DescribeInferenceRecommendationsJob", "sagemaker:DescribeModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribePipeline", "sagemaker:DescribePipelineExecution", "sagemaker:ListAssociations", "sagemaker:ListArtifacts", "sagemaker:ListModelMetadata", "sagemaker:ListModelPackages", "sagemaker:Search", "sagemaker:GetSearchSuggestions" ], "Resource": "*" }, { "Sid": "AmazonSageMakerModelRegistrySageMakerWritePermission", "Effect": "Allow", "Action": [ "sagemaker:AddTags", "sagemaker:CreateModel", "sagemaker:CreateModelPackage", "sagemaker:CreateModelPackageGroup", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateInferenceRecommendationsJob", "sagemaker:DeleteModelPackage", "sagemaker:DeleteModelPackageGroup", "sagemaker:DeleteTags", "sagemaker:UpdateModelPackage" ], "Resource": "*" }, { "Sid": "AmazonSageMakerModelRegistryS3GetPermission", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "AmazonSageMakerModelRegistryS3ListPermission", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "AmazonSageMakerModelRegistryECRReadPermission", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:DescribeImages" ], "Resource": "*" }, { "Sid": "AmazonSageMakerModelRegistryIAMPassRolePermission", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Sid": "AmazonSageMakerModelRegistryTagReadPermission", "Effect": "Allow", "Action": [ "tag:GetResources" ], "Resource": "*" }, { "Sid": "AmazonSageMakerModelRegistryResourceGroupGetPermission", "Effect": "Allow", "Action": [ "resource-groups:GetGroupQuery" ], "Resource": "arn:aws:resource-groups:*:*:group/*" }, { "Sid": "AmazonSageMakerModelRegistryResourceGroupListPermission", "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources" ], "Resource": "*" }, { "Sid": "AmazonSageMakerModelRegistryResourceGroupWritePermission", "Effect": "Allow", "Action": [ "resource-groups:CreateGroup", "resource-groups:Tag" ], "Resource": "arn:aws:resource-groups:*:*:group/*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "sagemaker:collection" } } }, { "Sid": "AmazonSageMakerModelRegistryResourceGroupDeletePermission", "Effect": "Allow", "Action": "resource-groups:DeleteGroup", "Resource": "arn:aws:resource-groups:*:*:group/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:collection": "true" } } }, { "Sid": "AmazonSageMakerModelRegistryResourceKMSPermission", "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker" : "true" }, "StringLike": { "kms:ViaService": "sagemaker.*.amazonaws.com" } } } ] } ``` ------ ## Amazon SageMaker AI updates to Model Registry managed policies Model Registry policy updates View details about updates to AWS managed policies for Model Registry since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page.](doc-history.md) | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerModelRegistryFullAccess](#security-iam-awsmanpol-model-registry-AmazonSageMakerModelRegistryFullAccess) - Update to an existing policy | 2 | Add `kms:CreateGrant`, `kms:DescribeKey`, `kms:GenerateDataKey`, and `kms:Decrypt` permissions. | June 6, 2024 | | AmazonSageMakerModelRegistryFullAccess - New policy | 1 | Initial policy | April 12, 2023 | # AWS Managed Policies for SageMaker Notebooks SageMaker Notebooks These AWS managed policies add permissions required to use SageMaker Notebooks. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) + [ ## Amazon SageMaker AI updates to SageMaker AI Notebooks managed policies ](#security-iam-awsmanpol-notebooks-updates) ## AWS managed policy: AmazonSageMakerNotebooksServiceRolePolicy AmazonSageMakerNotebooksServiceRolePolicy This AWS managed policy grants permissions commonly needed to use Amazon SageMaker Notebooks. The policy is added to the `AWSServiceRoleForAmazonSageMakerNotebooks` that is created when you onboard to Amazon SageMaker Studio Classic. For more information on service-linked roles, see [Service-linked roles](security_iam_service-with-iam.md#security_iam_service-with-iam-roles-service-linked). For more information, see [AmazonSageMakerNotebooksServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerNotebooksServiceRolePolicy.html) **Permissions details** This policy includes the following permissions. + `elasticfilesystem` – Allows principals to create and delete Amazon Elastic File System (EFS) file systems, access points, and mount targets. These are limited to those tagged with the key *ManagedByAmazonSageMakerResource*. Allows principals to describe all EFS file systems, access points, and mount targets. Allows principals to create or overwrite tags for EFS access points and mount targets. + `ec2` – Allows principals to create network interfaces and security groups for Amazon Elastic Compute Cloud (EC2) instances. Also allows principals to create and overwrite tags for these resources. + `sso` – Allows principals to add and delete managed application instances to AWS IAM Identity Center. + `sagemaker` – Allows principals to create and read SageMaker AI user profiles and SageMaker AI spaces; delete SageMaker AI spaces and SageMaker AI apps; and add and list tags. + `fsx` – Allows principals to describe Amazon FSx for Lustre file system, and use the metadata to mount it on notebook. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowFSxDescribe", "Effect": "Allow", "Action": [ "fsx:DescribeFileSystems" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowSageMakerDeleteApp", "Effect": "Allow", "Action": [ "sagemaker:DeleteApp" ], "Resource": "arn:aws:sagemaker:*:*:app/*" }, { "Sid": "AllowEFSAccessPointCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateAccessPoint", "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*", "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSAccessPointDeletion", "Effect": "Allow", "Action": [ "elasticfilesystem:DeleteAccessPoint" ], "Resource": "arn:aws:elasticfilesystem:*:*:access-point/*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSCreation", "Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSMountWithDeletion", "Effect": "Allow", "Action": [ "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget" ], "Resource": "*", "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEFSDescribe", "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" }, { "Sid": "AllowEFSTagging", "Effect": "Allow", "Action": "elasticfilesystem:TagResource", "Resource": [ "arn:aws:elasticfilesystem:*:*:access-point/*", "arn:aws:elasticfilesystem:*:*:file-system/*" ], "Condition": { "StringLike": { "aws:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowEC2Tagging", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid": "AllowEC2Operations", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:DeleteNetworkInterface", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute" ], "Resource": "*" }, { "Sid": "AllowEC2AuthZ", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/ManagedByAmazonSageMakerResource": "*" } } }, { "Sid": "AllowIdcOperations", "Effect": "Allow", "Action": [ "sso:CreateManagedApplicationInstance", "sso:DeleteManagedApplicationInstance", "sso:GetManagedApplicationInstance" ], "Resource": "*" }, { "Sid": "AllowSagemakerProfileCreation", "Effect": "Allow", "Action": [ "sagemaker:CreateUserProfile", "sagemaker:DescribeUserProfile" ], "Resource": "*" }, { "Sid": "AllowSagemakerSpaceOperationsForCanvasManagedSpaces", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:DescribeSpace", "sagemaker:DeleteSpace", "sagemaker:ListTags" ], "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*" }, { "Sid": "AllowSagemakerAddTagsForAppManagedSpaces", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:space/*/CanvasManagedSpace-*", "Condition": { "StringEquals": { "sagemaker:TaggingAction": "CreateSpace" } } } ] } ``` ------ ## Amazon SageMaker AI updates to SageMaker AI Notebooks managed policies SageMaker Notebooks policy updates View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes. | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) - Update to an existing policy | 10 | Add `fsx:DescribeFileSystems` permission. | November 14, 2024 | | [AmazonSageMakerNotebooksServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerNotebooksServiceRolePolicy) - Update to an existing policy | 9 | Add `sagemaker:DeleteApp` permission. | July 24, 2024 | | AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy | 8 | Add `sagemaker:CreateSpace`, `sagemaker:DescribeSpace`, `sagemaker:DeleteSpace`, `sagemaker:ListTags`, and `sagemaker:AddTags` permissions. | May 22, 2024 | | AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy | 7 | Add `elasticfilesystem:TagResource` permission. | March 9, 2023 | | AmazonSageMakerNotebooksServiceRolePolicy - Update to an existing policy | 6 | Add `elasticfilesystem:CreateAccessPoint`, `elasticfilesystem:DeleteAccessPoint`, and `elasticfilesystem:DescribeAccessPoints` permissions. | January 12, 2023 | | | | SageMaker AI started tracking changes for its AWS managed policies. | June 1, 2021 | # AWS managed policies for Amazon SageMaker Partner AI Apps Amazon SageMaker Partner AI Apps These AWS managed policies add permissions required to use Amazon SageMaker Partner AI Apps. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerPartnerAppsFullAccess ](#security-iam-awsmanpol-AmazonSageMakerPartnerAppsFullAccess) + [ ## Amazon SageMaker AI updates to Partner AI Apps managed policies ](#security-iam-awsmanpol-partner-apps-updates) ## AWS managed policy: AmazonSageMakerPartnerAppsFullAccess AmazonSageMakerPartnerAppsFullAccess Allows full administrative access to Amazon SageMaker Partner AI Apps. **Permissions details** This AWS managed policy includes the following permissions. + `sagemaker` – Gives Amazon SageMaker Partner AI App users permission to access applications, list available applications, launch application web UIs, and connect using the application SDK. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AmazonSageMakerPartnerListAppsPermission", "Effect": "Allow", "Action": "sagemaker:ListPartnerApps", "Resource": "*" }, { "Sid": "AmazonSageMakerPartnerAppsPermission", "Effect": "Allow", "Action": [ "sagemaker:CreatePartnerAppPresignedUrl", "sagemaker:DescribePartnerApp", "sagemaker:CallPartnerAppApi" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } }, "Resource": "arn:aws:sagemaker:*:*:partner-app/*" } ] } ``` ------ ## Amazon SageMaker AI updates to Partner AI Apps managed policies Partner AI App policy updates View details about updates to AWS managed policies for Partner AI Apps since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker AI [Document history page.](doc-history.md) | Policy | Version | Change | Date | | --- | --- | --- | --- | | AmazonSageMakerPartnerAppsFullAccess - New policy | 1 | Initial policy | January 17, 2025 | # AWS Managed Policies for SageMaker Pipelines SageMaker Pipelines These AWS managed policies add permissions required to use SageMaker Pipelines. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console. **Topics** + [ ## AWS managed policy: AmazonSageMakerPipelinesIntegrations ](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) + [ ## Amazon SageMaker AI updates to SageMaker AI Pipelines managed policies ](#security-iam-awsmanpol-pipelines-updates) ## AWS managed policy: AmazonSageMakerPipelinesIntegrations AmazonSageMakerPipelinesIntegrations This AWS managed policy grants permissions commonly needed to use Callback steps and Lambda steps in SageMaker Pipelines. The policy is added to the `AmazonSageMaker-ExecutionRole` that is created when you onboard to Amazon SageMaker Studio Classic. The policy can be attached to any role used for authoring or executing a pipeline. This policy grants appropriate AWS Lambda, Amazon Simple Queue Service (Amazon SQS), Amazon EventBridge, and IAM permissions needed when building pipelines that invoke Lambda functions or include callback steps, which can be used for manual approval steps or running custom workloads. The Amazon SQS permissions allow you to create the Amazon SQS queue needed for receiving callback messages, and also to send messages to that queue. The Lambda permissions allow you to create, read, update, and delete the Lambda functions used in the pipeline steps, and also to invoke those Lambda functions. This policy grants the Amazon EMR permissions needed to run a pipelines Amazon EMR step. **Permissions details** This policy includes the following permissions. + `elasticmapreduce` – Read, add, and cancel steps in a running Amazon EMR cluster. Read, create, and terminate a new Amazon EMR cluster. + `events` – Read, create, update, and add targets to an EventBridge rule named `SageMakerPipelineExecutionEMRStepStatusUpdateRule` and `SageMakerPipelineExecutionEMRClusterStatusUpdateRule`. + `iam` – Pass an IAM role to the AWS Lambda service, Amazon EMR and Amazon EC2. + `lambda` – Create, read, update, delete, and invoke Lambda functions. These permissions are limited to functions whose name includes "sagemaker". + `sqs` – Create an Amazon SQS queue; send an Amazon SQS message. These permissions are limited to queues whose name includes "sagemaker". ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:UpdateFunctionCode" ], "Resource": [ "arn:aws:lambda:*:*:function:*sagemaker*", "arn:aws:lambda:*:*:function:*sageMaker*", "arn:aws:lambda:*:*:function:*SageMaker*" ] }, { "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:SendMessage" ], "Resource": [ "arn:aws:sqs:*:*:*sagemaker*", "arn:aws:sqs:*:*:*sageMaker*", "arn:aws:sqs:*:*:*SageMaker*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "lambda.amazonaws.com", "elasticmapreduce.amazonaws.com", "ec2.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "events:DescribeRule", "events:PutRule", "events:PutTargets" ], "Resource": [ "arn:aws:events:*:*:rule/SageMakerPipelineExecutionEMRStepStatusUpdateRule", "arn:aws:events:*:*:rule/SageMakerPipelineExecutionEMRClusterStatusUpdateRule" ] }, { "Effect": "Allow", "Action": [ "elasticmapreduce:AddJobFlowSteps", "elasticmapreduce:CancelSteps", "elasticmapreduce:DescribeStep", "elasticmapreduce:RunJobFlow", "elasticmapreduce:DescribeCluster", "elasticmapreduce:TerminateJobFlows", "elasticmapreduce:ListSteps" ], "Resource": [ "arn:aws:elasticmapreduce:*:*:cluster/*" ] } ] } ``` ------ ## Amazon SageMaker AI updates to SageMaker AI Pipelines managed policies SageMaker Pipelines policy updates View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes. | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) - Update to an existing policy | 3 | Added permissions for `elasticmapreduce:RunJobFlows`, `elasticmapreduce:TerminateJobFlows`, `elasticmapreduce:ListSteps`, and `elasticmapreduce:DescribeCluster`. | February 17, 2023 | | [AmazonSageMakerPipelinesIntegrations](#security-iam-awsmanpol-AmazonSageMakerPipelinesIntegrations) - Update to an existing policy | 2 | Added permissions for `lambda:GetFunction`, `events:DescribeRule`, `events:PutRule`, `events:PutTargets`, `elasticmapreduce:AddJobFlowSteps`, `elasticmapreduce:CancelSteps`, and `elasticmapreduce:DescribeStep`. | April 20, 2022 | | AmazonSageMakerPipelinesIntegrations - New policy | 1 | Initial policy | July 30, 2021 | # AWS managed policies for SageMaker training plans SageMaker training plans This AWS managed policy grants permissions needed to create and manage Amazon SageMaker training plans and Reserved Capacity in SageMaker AI. The policy can be attached to IAM roles used for creating and managing training plans and reserved capacity within SageMaker AI including your [SageMaker AI execution role](sagemaker-roles.md). **Topics** + [ ## AWS managed policy: AmazonSageMakerTrainingPlanCreateAccess ](#security-iam-awsmanpol-AmazonSageMakerTrainingPlanCreateAccess) + [ ## AWS managed policy: AmazonSageMakerCapacityReservationServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerCapacityReservationServiceRolePolicy) + [ ## Amazon SageMaker AI updates to SageMaker training plans managed policies ](#security-iam-awsmanpol-training-plan-updates) ## AWS managed policy: AmazonSageMakerTrainingPlanCreateAccess AmazonSageMakerTrainingPlanCreateAccess This policy provides the necessary permissions to create, describe, search for, and list training plans in SageMaker AI. Additionally, it also allows adding tags to training plans and reserved capacity resources under specific conditions. **Permissions details** This policy includes the following permissions. + `sagemaker` – Create training plans and reserved capacity, permits adding tags to training plans and reserved capacity when the tagging action is specifically `CreateTrainingPlan` or `CreateReservedCapacity`, allows describing training plans, permits searching for training plan offerings and listing existing training plans on all resources. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CreateTrainingPlanPermissions", "Effect": "Allow", "Action": [ "sagemaker:CreateTrainingPlan", "sagemaker:CreateReservedCapacity", "sagemaker:DescribeReservedCapacity" ], "Resource": [ "arn:aws:sagemaker:*:*:training-plan/*", "arn:aws:sagemaker:*:*:reserved-capacity/*" ] }, { "Sid": "AggTagsToTrainingPlanPermissions", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:training-plan/*", "arn:aws:sagemaker:*:*:reserved-capacity/*" ], "Condition": { "StringEquals": { "sagemaker:TaggingAction": ["CreateTrainingPlan","CreateReservedCapacity"] } } }, { "Sid": "DescribeTrainingPlanPermissions", "Effect": "Allow", "Action": "sagemaker:DescribeTrainingPlan", "Resource": [ "arn:aws:sagemaker:*:*:training-plan/*" ] }, { "Sid": "NonResourceLevelTrainingPlanPermissions", "Effect": "Allow", "Action": [ "sagemaker:SearchTrainingPlanOfferings", "sagemaker:ListTrainingPlans" ], "Resource": "*" }, { "Sid": "ListUltraServersByReservedCapacityPermissions", "Effect": "Allow", "Action": "sagemaker:ListUltraServersByReservedCapacity", "Resource": [ "arn:aws:sagemaker:*:*:reserved-capacity/*" ] } ] } ``` ------ ## AWS managed policy: AmazonSageMakerCapacityReservationServiceRolePolicy AmazonSageMakerCapacityReservationServiceRolePolicy This policy is used by the service-linked role named AWSServiceRoleForSageMakerCapacityReservation to publish CloudWatch metrics for Reserved Capacity utilization into customer accounts. The service-linked role is created by the service principal capacityreservation.sagemaker.amazonaws.com. **Note** This is a service-linked role policy. You cannot attach this policy to your IAM identities. SageMaker AI creates this policy and attaches it to a service-linked role that allows SageMaker AI to perform actions on your behalf. **Permissions details** This policy includes the following permissions. + `cloudwatch` – Allows publishing metric data to CloudWatch. This permission is scoped to the `aws/sagemaker/CapacityReservations` namespace using a condition key. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CloudwatchPutMetricDataAccess", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "cloudwatch:namespace": "aws/sagemaker/CapacityReservations" } } } ] } ``` For more information, see [AmazonSageMakerCapacityReservationServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerCapacityReservationServiceRolePolicy.html) in the AWS Managed Policy Reference Guide. ## Amazon SageMaker AI updates to SageMaker training plans managed policies SageMaker training plans policy updates View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes. | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerCapacityReservationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerCapacityReservationServiceRolePolicy) – New policy | 1 | Initial policy | March 5, 2026 | | AmazonSageMakerTrainingPlanCreateAccess - updated policy | 2 | Updated policy to add permissions to retrieve information about a specific reserved capacity and list all UltraServers in a reserved capacity. | July 29, 2024 | | AmazonSageMakerTrainingPlanCreateAccess - New policy | 1 | Initial policy | December 4, 2024 | # AWS Managed Policies for SageMaker Projects and JumpStart SageMaker Projects and JumpStart These AWS managed policies add permissions to use built-in Amazon SageMaker AI project templates and JumpStart solutions. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console. SageMaker Projects and JumpStart use AWS Service Catalog to provision AWS resources in customers' accounts. Some created resources need to assume an execution role. For example, if AWS Service Catalog creates a CodePipeline pipeline on behalf of a customer for a SageMaker AI machine learning CI/CD project, then that pipeline requires an IAM role. The [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) role has the permissions required to launch the SageMaker AI portfolio of products from AWS Service Catalog. The [AmazonSageMakerServiceCatalogProductsUseRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsUseRole) role has the permissions required to use the SageMaker AI portfolio of products from AWS Service Catalog. The `AmazonSageMakerServiceCatalogProductsLaunchRole` role passes an `AmazonSageMakerServiceCatalogProductsUseRole` role to the provisioned AWS Service Catalog product resources. **Topics** + [ ## AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy) + [ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy ](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy) + [ ## Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies ](#security-iam-awsmanpol-sc-updates) ## AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy This service role policy is used by the AWS Service Catalog service to provision products from the Amazon SageMaker AI portfolio. The policy grants permissions to a set of related AWS services including AWS CodePipeline, AWS CodeBuild, AWS CodeCommit, AWS Glue, AWS CloudFormation, and others. The `AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy` policy is intended to be used by the `AmazonSageMakerServiceCatalogProductsLaunchRole` role created from the SageMaker AI console. The policy adds permissions to provision AWS resources for SageMaker Projects and JumpStart using Service Catalog to a customer's account. **Permissions details** This policy includes the following permissions. + `apigateway` – Allows the role to call API Gateway endpoints that are tagged with `sagemaker:launch-source`. + `cloudformation` – Allows AWS Service Catalog to create, update, and delete CloudFormation stacks. Also allows Service Catalog to tag and untag resources. + `codebuild` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update and delete CodeBuild projects. + `codecommit` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update and delete CodeCommit repositories. + `codepipeline` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update and delete CodePipelines. + `codeconnections`, `codestar-connections` – Also allows the role to pass AWS CodeConnections and AWS CodeStar connections. + `cognito-idp` – Allows the role to create, update, and delete groups and user pools. Also allows tagging resources. + `ecr` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete Amazon ECR repositories. Also allows tagging resources. + `events` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete EventBridge rules. Used for tying together the various components of the CICD pipeline. + `firehose` – Allows the role to interact with Firehose streams. + `glue` – Allows the role to interact with AWS Glue. + `iam` – Allows the role to pass roles prepended with `AmazonSageMakerServiceCatalog`. This is needed when Projects provisions a AWS Service Catalog product, as a role needs to be passed to AWS Service Catalog. + `lambda` – Allows the role to interact with AWS Lambda. Also allows tagging resources. + `logs` – Allows the role to create, delete and access log streams. + `s3` – Allows the role assumed by AWS Service Catalog and passed to CloudFormation to access Amazon S3 buckets where the Project template code is stored. + `sagemaker` – Allows the role to interact with various SageMaker AI services. This is done both in CloudFormation during template provisioning, as well as in CodeBuild during CICD pipeline execution. Also allows tagging the following resources: endpoints, endpoint configurations, models, pipelines, projects, and model packages. + `states` – Allows the role to create, delete, and update Step Functions prepended with `sagemaker`. To view the permissions for this policy, see [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy.html) in the AWS Managed Policy Reference. ## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy This policy is used by Amazon API Gateway within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by API Gateway that require a role. **Permissions details** This policy includes the following permissions. + `lambda` – Invoke a function created by a partner template. + `sagemaker` – Invoke an endpoint created by a partner template. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:*:*:function:sagemaker-*", "Condition": { "Null": { "aws:ResourceTag/sagemaker:project-name": "false", "aws:ResourceTag/sagemaker:partner": "false" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Effect": "Allow", "Action": "sagemaker:InvokeEndpoint", "Resource": "arn:aws:sagemaker:*:*:endpoint/*", "Condition": { "Null": { "aws:ResourceTag/sagemaker:project-name": "false", "aws:ResourceTag/sagemaker:partner": "false" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ------ ## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy This policy is used by AWS CloudFormation within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by CloudFormation that require a role. **Permissions details** This policy includes the following permissions. + `iam` – Pass the `AmazonSageMakerServiceCatalogProductsLambdaRole` and `AmazonSageMakerServiceCatalogProductsApiGatewayRole` roles. + `lambda` – Create, update, delete, and invoke AWS Lambda functions; retrieve, publish, and delete versions of a Lambda layer. + `apigateway` – Create, update, and delete Amazon API Gateway resources. + `s3` – Retrieve the `lambda-auth-code/layer.zip` file from an Amazon Simple Storage Service (Amazon S3) bucket. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayRole" ], "Condition": { "StringEquals": { "iam:PassedToService": "apigateway.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "lambda:DeleteFunction", "lambda:UpdateFunctionCode", "lambda:ListTags", "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:sagemaker-*" ], "Condition": { "Null": { "aws:ResourceTag/sagemaker:project-name": "false", "aws:ResourceTag/sagemaker:partner": "false" } } }, { "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:TagResource" ], "Resource": [ "arn:aws:lambda:*:*:function:sagemaker-*" ], "Condition": { "Null": { "aws:ResourceTag/sagemaker:project-name": "false", "aws:ResourceTag/sagemaker:partner": "false" }, "ForAnyValue:StringEquals": { "aws:TagKeys": [ "sagemaker:project-name", "sagemaker:partner" ] } } }, { "Effect": "Allow", "Action": [ "lambda:PublishLayerVersion", "lambda:GetLayerVersion", "lambda:DeleteLayerVersion", "lambda:GetFunction" ], "Resource": [ "arn:aws:lambda:*:*:layer:sagemaker-*", "arn:aws:lambda:*:*:function:sagemaker-*" ] }, { "Effect": "Allow", "Action": [ "apigateway:GET", "apigateway:DELETE", "apigateway:PATCH", "apigateway:POST", "apigateway:PUT" ], "Resource": [ "arn:aws:apigateway:*::/restapis/*", "arn:aws:apigateway:*::/restapis" ], "Condition": { "Null": { "aws:ResourceTag/sagemaker:project-name": "false", "aws:ResourceTag/sagemaker:partner": "false" } } }, { "Effect": "Allow", "Action": [ "apigateway:POST", "apigateway:PUT" ], "Resource": [ "arn:aws:apigateway:*::/restapis", "arn:aws:apigateway:*::/tags/*" ], "Condition": { "Null": { "aws:ResourceTag/sagemaker:project-name": "false", "aws:ResourceTag/sagemaker:partner": "false" }, "ForAnyValue:StringEquals": { "aws:TagKeys": [ "sagemaker:project-name", "sagemaker:partner" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/lambda-auth-code/layer.zip" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ------ ## AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy This policy is used by AWS Lambda within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by Lambda that require a role. **Permissions details** This policy includes the following permissions. + `secretsmanager` – Retrieve data from partner provided secrets for a partner template. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Condition": { "Null": { "aws:ResourceTag/sagemaker:partner": false }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] } ``` ------ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy This policy is used by Amazon API Gateway within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by API Gateway that require a role. **Permissions details** This policy includes the following permissions. + `logs` – Create and read CloudWatch Logs groups, streams, and events; update events; describe various resources. These permissions are limited to resources whose log group prefix starts with "aws/apigateway/". ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeResourcePolicies", "logs:DescribeDestinations", "logs:DescribeExportTasks", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:DescribeSubscriptionFilters", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/apigateway/*" } ] } ``` ------ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy This policy is used by AWS CloudFormation within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by CloudFormation that require a role. **Permissions details** This policy includes the following permissions. + `sagemaker` – Allow access to various SageMaker AI resources excluding domains, user-profiles, apps, and flow definitions. + `iam` – Pass the `AmazonSageMakerServiceCatalogProductsCodeBuildRole` and `AmazonSageMakerServiceCatalogProductsExecutionRole` roles. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:AddAssociation", "sagemaker:AddTags", "sagemaker:AssociateTrialComponent", "sagemaker:BatchDescribeModelPackage", "sagemaker:BatchGetMetrics", "sagemaker:BatchGetRecord", "sagemaker:BatchPutMetrics", "sagemaker:CreateAction", "sagemaker:CreateAlgorithm", "sagemaker:CreateApp", "sagemaker:CreateAppImageConfig", "sagemaker:CreateArtifact", "sagemaker:CreateAutoMLJob", "sagemaker:CreateCodeRepository", "sagemaker:CreateCompilationJob", "sagemaker:CreateContext", "sagemaker:CreateDataQualityJobDefinition", "sagemaker:CreateDeviceFleet", "sagemaker:CreateDomain", "sagemaker:CreateEdgePackagingJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateExperiment", "sagemaker:CreateFeatureGroup", "sagemaker:CreateFlowDefinition", "sagemaker:CreateHumanTaskUi", "sagemaker:CreateHyperParameterTuningJob", "sagemaker:CreateImage", "sagemaker:CreateImageVersion", "sagemaker:CreateInferenceRecommendationsJob", "sagemaker:CreateLabelingJob", "sagemaker:CreateLineageGroupPolicy", "sagemaker:CreateModel", "sagemaker:CreateModelBiasJobDefinition", "sagemaker:CreateModelExplainabilityJobDefinition", "sagemaker:CreateModelPackage", "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelQualityJobDefinition", "sagemaker:CreateMonitoringSchedule", "sagemaker:CreateNotebookInstance", "sagemaker:CreateNotebookInstanceLifecycleConfig", "sagemaker:CreatePipeline", "sagemaker:CreatePresignedDomainUrl", "sagemaker:CreatePresignedNotebookInstanceUrl", "sagemaker:CreateProcessingJob", "sagemaker:CreateProject", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob", "sagemaker:CreateTrial", "sagemaker:CreateTrialComponent", "sagemaker:CreateUserProfile", "sagemaker:CreateWorkforce", "sagemaker:CreateWorkteam", "sagemaker:DeleteAction", "sagemaker:DeleteAlgorithm", "sagemaker:DeleteApp", "sagemaker:DeleteAppImageConfig", "sagemaker:DeleteArtifact", "sagemaker:DeleteAssociation", "sagemaker:DeleteCodeRepository", "sagemaker:DeleteContext", "sagemaker:DeleteDataQualityJobDefinition", "sagemaker:DeleteDeviceFleet", "sagemaker:DeleteDomain", "sagemaker:DeleteEndpoint", "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteExperiment", "sagemaker:DeleteFeatureGroup", "sagemaker:DeleteFlowDefinition", "sagemaker:DeleteHumanLoop", "sagemaker:DeleteHumanTaskUi", "sagemaker:DeleteImage", "sagemaker:DeleteImageVersion", "sagemaker:DeleteLineageGroupPolicy", "sagemaker:DeleteModel", "sagemaker:DeleteModelBiasJobDefinition", "sagemaker:DeleteModelExplainabilityJobDefinition", "sagemaker:DeleteModelPackage", "sagemaker:DeleteModelPackageGroup", "sagemaker:DeleteModelPackageGroupPolicy", "sagemaker:DeleteModelQualityJobDefinition", "sagemaker:DeleteMonitoringSchedule", "sagemaker:DeleteNotebookInstance", "sagemaker:DeleteNotebookInstanceLifecycleConfig", "sagemaker:DeletePipeline", "sagemaker:DeleteProject", "sagemaker:DeleteRecord", "sagemaker:DeleteTags", "sagemaker:DeleteTrial", "sagemaker:DeleteTrialComponent", "sagemaker:DeleteUserProfile", "sagemaker:DeleteWorkforce", "sagemaker:DeleteWorkteam", "sagemaker:DeregisterDevices", "sagemaker:DescribeAction", "sagemaker:DescribeAlgorithm", "sagemaker:DescribeApp", "sagemaker:DescribeAppImageConfig", "sagemaker:DescribeArtifact", "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeCodeRepository", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeContext", "sagemaker:DescribeDataQualityJobDefinition", "sagemaker:DescribeDevice", "sagemaker:DescribeDeviceFleet", "sagemaker:DescribeDomain", "sagemaker:DescribeEdgePackagingJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeExperiment", "sagemaker:DescribeFeatureGroup", "sagemaker:DescribeFlowDefinition", "sagemaker:DescribeHumanLoop", "sagemaker:DescribeHumanTaskUi", "sagemaker:DescribeHyperParameterTuningJob", "sagemaker:DescribeImage", "sagemaker:DescribeImageVersion", "sagemaker:DescribeInferenceRecommendationsJob", "sagemaker:DescribeLabelingJob", "sagemaker:DescribeLineageGroup", "sagemaker:DescribeModel", "sagemaker:DescribeModelBiasJobDefinition", "sagemaker:DescribeModelExplainabilityJobDefinition", "sagemaker:DescribeModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelQualityJobDefinition", "sagemaker:DescribeMonitoringSchedule", "sagemaker:DescribeNotebookInstance", "sagemaker:DescribeNotebookInstanceLifecycleConfig", "sagemaker:DescribePipeline", "sagemaker:DescribePipelineDefinitionForExecution", "sagemaker:DescribePipelineExecution", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeProject", "sagemaker:DescribeSubscribedWorkteam", "sagemaker:DescribeTrainingJob", "sagemaker:DescribeTransformJob", "sagemaker:DescribeTrial", "sagemaker:DescribeTrialComponent", "sagemaker:DescribeUserProfile", "sagemaker:DescribeWorkforce", "sagemaker:DescribeWorkteam", "sagemaker:DisableSagemakerServicecatalogPortfolio", "sagemaker:DisassociateTrialComponent", "sagemaker:EnableSagemakerServicecatalogPortfolio", "sagemaker:GetDeviceFleetReport", "sagemaker:GetDeviceRegistration", "sagemaker:GetLineageGroupPolicy", "sagemaker:GetModelPackageGroupPolicy", "sagemaker:GetRecord", "sagemaker:GetSagemakerServicecatalogPortfolioStatus", "sagemaker:GetSearchSuggestions", "sagemaker:InvokeEndpoint", "sagemaker:InvokeEndpointAsync", "sagemaker:ListActions", "sagemaker:ListAlgorithms", "sagemaker:ListAppImageConfigs", "sagemaker:ListApps", "sagemaker:ListArtifacts", "sagemaker:ListAssociations", "sagemaker:ListAutoMLJobs", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:ListCodeRepositories", "sagemaker:ListCompilationJobs", "sagemaker:ListContexts", "sagemaker:ListDataQualityJobDefinitions", "sagemaker:ListDeviceFleets", "sagemaker:ListDevices", "sagemaker:ListDomains", "sagemaker:ListEdgePackagingJobs", "sagemaker:ListEndpointConfigs", "sagemaker:ListEndpoints", "sagemaker:ListExperiments", "sagemaker:ListFeatureGroups", "sagemaker:ListFlowDefinitions", "sagemaker:ListHumanLoops", "sagemaker:ListHumanTaskUis", "sagemaker:ListHyperParameterTuningJobs", "sagemaker:ListImageVersions", "sagemaker:ListImages", "sagemaker:ListInferenceRecommendationsJobs", "sagemaker:ListLabelingJobs", "sagemaker:ListLabelingJobsForWorkteam", "sagemaker:ListLineageGroups", "sagemaker:ListModelBiasJobDefinitions", "sagemaker:ListModelExplainabilityJobDefinitions", "sagemaker:ListModelMetadata", "sagemaker:ListModelPackageGroups", "sagemaker:ListModelPackages", "sagemaker:ListModelQualityJobDefinitions", "sagemaker:ListModels", "sagemaker:ListMonitoringExecutions", "sagemaker:ListMonitoringSchedules", "sagemaker:ListNotebookInstanceLifecycleConfigs", "sagemaker:ListNotebookInstances", "sagemaker:ListPipelineExecutionSteps", "sagemaker:ListPipelineExecutions", "sagemaker:ListPipelineParametersForExecution", "sagemaker:ListPipelines", "sagemaker:ListProcessingJobs", "sagemaker:ListProjects", "sagemaker:ListSubscribedWorkteams", "sagemaker:ListTags", "sagemaker:ListTrainingJobs", "sagemaker:ListTrainingJobsForHyperParameterTuningJob", "sagemaker:ListTransformJobs", "sagemaker:ListTrialComponents", "sagemaker:ListTrials", "sagemaker:ListUserProfiles", "sagemaker:ListWorkforces", "sagemaker:ListWorkteams", "sagemaker:PutLineageGroupPolicy", "sagemaker:PutModelPackageGroupPolicy", "sagemaker:PutRecord", "sagemaker:QueryLineage", "sagemaker:RegisterDevices", "sagemaker:RenderUiTemplate", "sagemaker:Search", "sagemaker:SendHeartbeat", "sagemaker:SendPipelineExecutionStepFailure", "sagemaker:SendPipelineExecutionStepSuccess", "sagemaker:StartHumanLoop", "sagemaker:StartMonitoringSchedule", "sagemaker:StartNotebookInstance", "sagemaker:StartPipelineExecution", "sagemaker:StopAutoMLJob", "sagemaker:StopCompilationJob", "sagemaker:StopEdgePackagingJob", "sagemaker:StopHumanLoop", "sagemaker:StopHyperParameterTuningJob", "sagemaker:StopInferenceRecommendationsJob", "sagemaker:StopLabelingJob", "sagemaker:StopMonitoringSchedule", "sagemaker:StopNotebookInstance", "sagemaker:StopPipelineExecution", "sagemaker:StopProcessingJob", "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:UpdateAction", "sagemaker:UpdateAppImageConfig", "sagemaker:UpdateArtifact", "sagemaker:UpdateCodeRepository", "sagemaker:UpdateContext", "sagemaker:UpdateDeviceFleet", "sagemaker:UpdateDevices", "sagemaker:UpdateDomain", "sagemaker:UpdateEndpoint", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:UpdateExperiment", "sagemaker:UpdateImage", "sagemaker:UpdateModelPackage", "sagemaker:UpdateMonitoringSchedule", "sagemaker:UpdateNotebookInstance", "sagemaker:UpdateNotebookInstanceLifecycleConfig", "sagemaker:UpdatePipeline", "sagemaker:UpdatePipelineExecution", "sagemaker:UpdateProject", "sagemaker:UpdateTrainingJob", "sagemaker:UpdateTrial", "sagemaker:UpdateTrialComponent", "sagemaker:UpdateUserProfile", "sagemaker:UpdateWorkforce", "sagemaker:UpdateWorkteam" ], "NotResource": [ "arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*", "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:flow-definition/*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole", "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole" ] } ] } ``` ------ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy This policy is used by AWS CodeBuild within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by CodeBuild that require a role. **Permissions details** This policy includes the following permissions. + `sagemaker` – Allow access to various SageMaker AI resources. + `codecommit` – Upload CodeCommit archives to CodeBuild pipelines, get upload status, and cancel uploads; get branch and commit information. These permissions are limited to resources whose name starts with "sagemaker-". + `ecr` – Create Amazon ECR repositories and container images; upload image layers. These permissions are limited to repositories whose name starts with "sagemaker-". `ecr` – Read all resources. + `iam` – Pass the following roles: + `AmazonSageMakerServiceCatalogProductsCloudformationRole` to AWS CloudFormation. + `AmazonSageMakerServiceCatalogProductsCodeBuildRole` to AWS CodeBuild. + `AmazonSageMakerServiceCatalogProductsCodePipelineRole` to AWS CodePipeline. + `AmazonSageMakerServiceCatalogProductsEventsRole` to Amazon EventBridge. + `AmazonSageMakerServiceCatalogProductsExecutionRole` to Amazon SageMaker AI. + `logs` – Create and read CloudWatch Logs groups, streams, and events; update events; describe various resources. These permissions are limited to resources whose name prefix starts with "aws/codebuild/". + `s3` – Create, read, and list Amazon S3 buckets. These permissions are limited to buckets whose name starts with "sagemaker-". + `codeconnections`, `codestar-connections` – Use AWS CodeConnections and AWS CodeStar connections. To view the permissions for this policy, see [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy.html) in the AWS Managed Policy Reference. ## AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy This policy is used by AWS CodePipeline within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by CodePipeline that require a role. **Permissions details** This policy includes the following permissions. + `cloudformation` – Create, read, delete, and update CloudFormation stacks; create, read, delete, and execute change sets; set stack policy; tag and untag resources. These permissions are limited to resources whose name starts with "sagemaker-". + `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects from the buckets; read and set the CORS configuration; read the access control list (ACL); and read the AWS Region the bucket resides in. These permissions are limited to buckets whose name starts with "sagemaker-" or "aws-glue-. + `iam` – Pass the `AmazonSageMakerServiceCatalogProductsCloudformationRole` role. + `codebuild` – Get CodeBuild build information and start builds. These permissions are limited to project and build resources whose name starts with "sagemaker-". + `codecommit` – Upload CodeCommit archives to CodeBuild pipelines, get upload status, and cancel uploads; get branch and commit information. + `codeconnections`, `codestar-connections` – Use AWS CodeConnections and AWS CodeStar connections. To view the permissions for this policy, see [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy.html) in the AWS Managed Policy Reference. ## AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy This policy is used by Amazon EventBridge within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by EventBridge that require a role. **Permissions details** This policy includes the following permissions. + `codepipeline` – Start a CodeBuild execution. These permissions are limited to pipelines whose name starts with "sagemaker-". ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codepipeline:StartPipelineExecution", "Resource": "arn:aws:codepipeline:*:*:sagemaker-*" } ] } ``` ------ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy This policy is used by Amazon Data Firehose within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by Firehose that require a role. **Permissions details** This policy includes the following permissions. + `firehose` – Send Firehose records. These permissions are limited to resources whose delivery stream name starts with "sagemaker-". ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*" } ] } ``` ------ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy This policy is used by AWS Glue within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by Glue that require a role. **Permissions details** This policy includes the following permissions. + `glue` – Create, read, and delete AWS Glue partitions, tables, and table versions. These permissions are limited to those resources whose name starts with "sagemaker-". Create and read AWS Glue databases. These permissions are limited to databases whose name is "default", "global\$1temp", or starts with "sagemaker-". Get user defined functions. + `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects from the buckets; read and set the CORS configuration; read the access control list (ACL), and read the AWS Region the bucket resides in. These permissions are limited to buckets whose name starts with "sagemaker-" or "aws-glue-". + `logs` – Create, read, and delete CloudWatch Logs log group, streams, and deliveries; and create a resource policy. These permissions are limited to resources whose name prefix starts with "aws/glue/". ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "glue:BatchCreatePartition", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetPartition", "glue:CreateDatabase", "glue:CreatePartition", "glue:CreateTable", "glue:DeletePartition", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:GetDatabase", "glue:GetPartition", "glue:GetPartitions", "glue:GetTable", "glue:GetTables", "glue:GetTableVersion", "glue:GetTableVersions", "glue:SearchTables", "glue:UpdatePartition", "glue:UpdateTable", "glue:GetUserDefinedFunctions" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/default", "arn:aws:glue:*:*:database/global_temp", "arn:aws:glue:*:*:database/sagemaker-*", "arn:aws:glue:*:*:table/sagemaker-*", "arn:aws:glue:*:*:tableVersion/sagemaker-*" ] }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketAcl", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutBucketCors" ], "Resource": [ "arn:aws:s3:::aws-glue-*", "arn:aws:s3:::sagemaker-*" ] }, { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::aws-glue-*", "arn:aws:s3:::sagemaker-*" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery", "logs:Describe*", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:ListLogDeliveries", "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/glue/*" } ] } ``` ------ ## AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy This policy is used by AWS Lambda within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.aws.amazon.com/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to the AWS resources created by Lambda that require a role. **Permissions details** This policy includes the following permissions. + `sagemaker` – Allow access to various SageMaker AI resources. + `ecr` – Create and delete Amazon ECR repositories; create, read, and delete container images; upload image layers. These permissions are limited to repositories whose name starts with "sagemaker-". + `events` – Create, read, and delete Amazon EventBridge rules; and create and remove targets. These permissions are limited to rules whose name starts with "sagemaker-". + `s3` – Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects from the buckets; read and set the CORS configuration; read the access control list (ACL), and read the AWS Region the bucket resides in. These permissions are limited to buckets whose name starts with "sagemaker-" or "aws-glue-". + `iam` – Pass the `AmazonSageMakerServiceCatalogProductsExecutionRole` role. + `logs` – Create, read, and delete CloudWatch Logs log group, streams, and deliveries; and create a resource policy. These permissions are limited to resources whose name prefix starts with "aws/lambda/". + `codebuild` – Start and get information about AWS CodeBuild builds. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid" : "AmazonSageMakerLambdaECRPermission", "Effect": "Allow", "Action": [ "ecr:DescribeImages", "ecr:BatchDeleteImage", "ecr:CompleteLayerUpload", "ecr:CreateRepository", "ecr:DeleteRepository", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ], "Resource": [ "arn:aws:ecr:*:*:repository/sagemaker-*" ] }, { "Sid" : "AmazonSageMakerLambdaEventBridgePermission", "Effect": "Allow", "Action": [ "events:DeleteRule", "events:DescribeRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": [ "arn:aws:events:*:*:rule/sagemaker-*" ] }, { "Sid" : "AmazonSageMakerLambdaS3BucketPermission", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketAcl", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutBucketCors" ], "Resource": [ "arn:aws:s3:::aws-glue-*", "arn:aws:s3:::sagemaker-*" ] }, { "Sid" : "AmazonSageMakerLambdaS3ObjectPermission", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::aws-glue-*", "arn:aws:s3:::sagemaker-*" ] }, { "Sid" : "AmazonSageMakerLambdaSageMakerPermission", "Effect": "Allow", "Action": [ "sagemaker:AddAssociation", "sagemaker:AddTags", "sagemaker:AssociateTrialComponent", "sagemaker:BatchDescribeModelPackage", "sagemaker:BatchGetMetrics", "sagemaker:BatchGetRecord", "sagemaker:BatchPutMetrics", "sagemaker:CreateAction", "sagemaker:CreateAlgorithm", "sagemaker:CreateApp", "sagemaker:CreateAppImageConfig", "sagemaker:CreateArtifact", "sagemaker:CreateAutoMLJob", "sagemaker:CreateCodeRepository", "sagemaker:CreateCompilationJob", "sagemaker:CreateContext", "sagemaker:CreateDataQualityJobDefinition", "sagemaker:CreateDeviceFleet", "sagemaker:CreateDomain", "sagemaker:CreateEdgePackagingJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateExperiment", "sagemaker:CreateFeatureGroup", "sagemaker:CreateFlowDefinition", "sagemaker:CreateHumanTaskUi", "sagemaker:CreateHyperParameterTuningJob", "sagemaker:CreateImage", "sagemaker:CreateImageVersion", "sagemaker:CreateInferenceRecommendationsJob", "sagemaker:CreateLabelingJob", "sagemaker:CreateLineageGroupPolicy", "sagemaker:CreateModel", "sagemaker:CreateModelBiasJobDefinition", "sagemaker:CreateModelExplainabilityJobDefinition", "sagemaker:CreateModelPackage", "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelQualityJobDefinition", "sagemaker:CreateMonitoringSchedule", "sagemaker:CreateNotebookInstance", "sagemaker:CreateNotebookInstanceLifecycleConfig", "sagemaker:CreatePipeline", "sagemaker:CreatePresignedDomainUrl", "sagemaker:CreatePresignedNotebookInstanceUrl", "sagemaker:CreateProcessingJob", "sagemaker:CreateProject", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob", "sagemaker:CreateTrial", "sagemaker:CreateTrialComponent", "sagemaker:CreateUserProfile", "sagemaker:CreateWorkforce", "sagemaker:CreateWorkteam", "sagemaker:DeleteAction", "sagemaker:DeleteAlgorithm", "sagemaker:DeleteApp", "sagemaker:DeleteAppImageConfig", "sagemaker:DeleteArtifact", "sagemaker:DeleteAssociation", "sagemaker:DeleteCodeRepository", "sagemaker:DeleteContext", "sagemaker:DeleteDataQualityJobDefinition", "sagemaker:DeleteDeviceFleet", "sagemaker:DeleteDomain", "sagemaker:DeleteEndpoint", "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteExperiment", "sagemaker:DeleteFeatureGroup", "sagemaker:DeleteFlowDefinition", "sagemaker:DeleteHumanLoop", "sagemaker:DeleteHumanTaskUi", "sagemaker:DeleteImage", "sagemaker:DeleteImageVersion", "sagemaker:DeleteLineageGroupPolicy", "sagemaker:DeleteModel", "sagemaker:DeleteModelBiasJobDefinition", "sagemaker:DeleteModelExplainabilityJobDefinition", "sagemaker:DeleteModelPackage", "sagemaker:DeleteModelPackageGroup", "sagemaker:DeleteModelPackageGroupPolicy", "sagemaker:DeleteModelQualityJobDefinition", "sagemaker:DeleteMonitoringSchedule", "sagemaker:DeleteNotebookInstance", "sagemaker:DeleteNotebookInstanceLifecycleConfig", "sagemaker:DeletePipeline", "sagemaker:DeleteProject", "sagemaker:DeleteRecord", "sagemaker:DeleteTags", "sagemaker:DeleteTrial", "sagemaker:DeleteTrialComponent", "sagemaker:DeleteUserProfile", "sagemaker:DeleteWorkforce", "sagemaker:DeleteWorkteam", "sagemaker:DeregisterDevices", "sagemaker:DescribeAction", "sagemaker:DescribeAlgorithm", "sagemaker:DescribeApp", "sagemaker:DescribeAppImageConfig", "sagemaker:DescribeArtifact", "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeCodeRepository", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeContext", "sagemaker:DescribeDataQualityJobDefinition", "sagemaker:DescribeDevice", "sagemaker:DescribeDeviceFleet", "sagemaker:DescribeDomain", "sagemaker:DescribeEdgePackagingJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeExperiment", "sagemaker:DescribeFeatureGroup", "sagemaker:DescribeFlowDefinition", "sagemaker:DescribeHumanLoop", "sagemaker:DescribeHumanTaskUi", "sagemaker:DescribeHyperParameterTuningJob", "sagemaker:DescribeImage", "sagemaker:DescribeImageVersion", "sagemaker:DescribeInferenceRecommendationsJob", "sagemaker:DescribeLabelingJob", "sagemaker:DescribeLineageGroup", "sagemaker:DescribeModel", "sagemaker:DescribeModelBiasJobDefinition", "sagemaker:DescribeModelExplainabilityJobDefinition", "sagemaker:DescribeModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelQualityJobDefinition", "sagemaker:DescribeMonitoringSchedule", "sagemaker:DescribeNotebookInstance", "sagemaker:DescribeNotebookInstanceLifecycleConfig", "sagemaker:DescribePipeline", "sagemaker:DescribePipelineDefinitionForExecution", "sagemaker:DescribePipelineExecution", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeProject", "sagemaker:DescribeSubscribedWorkteam", "sagemaker:DescribeTrainingJob", "sagemaker:DescribeTransformJob", "sagemaker:DescribeTrial", "sagemaker:DescribeTrialComponent", "sagemaker:DescribeUserProfile", "sagemaker:DescribeWorkforce", "sagemaker:DescribeWorkteam", "sagemaker:DisableSagemakerServicecatalogPortfolio", "sagemaker:DisassociateTrialComponent", "sagemaker:EnableSagemakerServicecatalogPortfolio", "sagemaker:GetDeviceFleetReport", "sagemaker:GetDeviceRegistration", "sagemaker:GetLineageGroupPolicy", "sagemaker:GetModelPackageGroupPolicy", "sagemaker:GetRecord", "sagemaker:GetSagemakerServicecatalogPortfolioStatus", "sagemaker:GetSearchSuggestions", "sagemaker:InvokeEndpoint", "sagemaker:InvokeEndpointAsync", "sagemaker:ListActions", "sagemaker:ListAlgorithms", "sagemaker:ListAppImageConfigs", "sagemaker:ListApps", "sagemaker:ListArtifacts", "sagemaker:ListAssociations", "sagemaker:ListAutoMLJobs", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:ListCodeRepositories", "sagemaker:ListCompilationJobs", "sagemaker:ListContexts", "sagemaker:ListDataQualityJobDefinitions", "sagemaker:ListDeviceFleets", "sagemaker:ListDevices", "sagemaker:ListDomains", "sagemaker:ListEdgePackagingJobs", "sagemaker:ListEndpointConfigs", "sagemaker:ListEndpoints", "sagemaker:ListExperiments", "sagemaker:ListFeatureGroups", "sagemaker:ListFlowDefinitions", "sagemaker:ListHumanLoops", "sagemaker:ListHumanTaskUis", "sagemaker:ListHyperParameterTuningJobs", "sagemaker:ListImageVersions", "sagemaker:ListImages", "sagemaker:ListInferenceRecommendationsJobs", "sagemaker:ListLabelingJobs", "sagemaker:ListLabelingJobsForWorkteam", "sagemaker:ListLineageGroups", "sagemaker:ListModelBiasJobDefinitions", "sagemaker:ListModelExplainabilityJobDefinitions", "sagemaker:ListModelMetadata", "sagemaker:ListModelPackageGroups", "sagemaker:ListModelPackages", "sagemaker:ListModelQualityJobDefinitions", "sagemaker:ListModels", "sagemaker:ListMonitoringExecutions", "sagemaker:ListMonitoringSchedules", "sagemaker:ListNotebookInstanceLifecycleConfigs", "sagemaker:ListNotebookInstances", "sagemaker:ListPipelineExecutionSteps", "sagemaker:ListPipelineExecutions", "sagemaker:ListPipelineParametersForExecution", "sagemaker:ListPipelines", "sagemaker:ListProcessingJobs", "sagemaker:ListProjects", "sagemaker:ListSubscribedWorkteams", "sagemaker:ListTags", "sagemaker:ListTrainingJobs", "sagemaker:ListTrainingJobsForHyperParameterTuningJob", "sagemaker:ListTransformJobs", "sagemaker:ListTrialComponents", "sagemaker:ListTrials", "sagemaker:ListUserProfiles", "sagemaker:ListWorkforces", "sagemaker:ListWorkteams", "sagemaker:PutLineageGroupPolicy", "sagemaker:PutModelPackageGroupPolicy", "sagemaker:PutRecord", "sagemaker:QueryLineage", "sagemaker:RegisterDevices", "sagemaker:RenderUiTemplate", "sagemaker:Search", "sagemaker:SendHeartbeat", "sagemaker:SendPipelineExecutionStepFailure", "sagemaker:SendPipelineExecutionStepSuccess", "sagemaker:StartHumanLoop", "sagemaker:StartMonitoringSchedule", "sagemaker:StartNotebookInstance", "sagemaker:StartPipelineExecution", "sagemaker:StopAutoMLJob", "sagemaker:StopCompilationJob", "sagemaker:StopEdgePackagingJob", "sagemaker:StopHumanLoop", "sagemaker:StopHyperParameterTuningJob", "sagemaker:StopInferenceRecommendationsJob", "sagemaker:StopLabelingJob", "sagemaker:StopMonitoringSchedule", "sagemaker:StopNotebookInstance", "sagemaker:StopPipelineExecution", "sagemaker:StopProcessingJob", "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:UpdateAction", "sagemaker:UpdateAppImageConfig", "sagemaker:UpdateArtifact", "sagemaker:UpdateCodeRepository", "sagemaker:UpdateContext", "sagemaker:UpdateDeviceFleet", "sagemaker:UpdateDevices", "sagemaker:UpdateDomain", "sagemaker:UpdateEndpoint", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:UpdateExperiment", "sagemaker:UpdateImage", "sagemaker:UpdateModelPackage", "sagemaker:UpdateMonitoringSchedule", "sagemaker:UpdateNotebookInstance", "sagemaker:UpdateNotebookInstanceLifecycleConfig", "sagemaker:UpdatePipeline", "sagemaker:UpdatePipelineExecution", "sagemaker:UpdateProject", "sagemaker:UpdateTrainingJob", "sagemaker:UpdateTrial", "sagemaker:UpdateTrialComponent", "sagemaker:UpdateUserProfile", "sagemaker:UpdateWorkforce", "sagemaker:UpdateWorkteam" ], "Resource": [ "arn:aws:sagemaker:*:*:action/*", "arn:aws:sagemaker:*:*:algorithm/*", "arn:aws:sagemaker:*:*:app-image-config/*", "arn:aws:sagemaker:*:*:artifact/*", "arn:aws:sagemaker:*:*:automl-job/*", "arn:aws:sagemaker:*:*:code-repository/*", "arn:aws:sagemaker:*:*:compilation-job/*", "arn:aws:sagemaker:*:*:context/*", "arn:aws:sagemaker:*:*:data-quality-job-definition/*", "arn:aws:sagemaker:*:*:device-fleet/*/device/*", "arn:aws:sagemaker:*:*:device-fleet/*", "arn:aws:sagemaker:*:*:edge-packaging-job/*", "arn:aws:sagemaker:*:*:endpoint/*", "arn:aws:sagemaker:*:*:endpoint-config/*", "arn:aws:sagemaker:*:*:experiment/*", "arn:aws:sagemaker:*:*:experiment-trial/*", "arn:aws:sagemaker:*:*:experiment-trial-component/*", "arn:aws:sagemaker:*:*:feature-group/*", "arn:aws:sagemaker:*:*:human-loop/*", "arn:aws:sagemaker:*:*:human-task-ui/*", "arn:aws:sagemaker:*:*:hyper-parameter-tuning-job/*", "arn:aws:sagemaker:*:*:image/*", "arn:aws:sagemaker:*:*:image-version/*/*", "arn:aws:sagemaker:*:*:inference-recommendations-job/*", "arn:aws:sagemaker:*:*:labeling-job/*", "arn:aws:sagemaker:*:*:model/*", "arn:aws:sagemaker:*:*:model-bias-job-definition/*", "arn:aws:sagemaker:*:*:model-explainability-job-definition/*", "arn:aws:sagemaker:*:*:model-package/*", "arn:aws:sagemaker:*:*:model-package-group/*", "arn:aws:sagemaker:*:*:model-quality-job-definition/*", "arn:aws:sagemaker:*:*:monitoring-schedule/*", "arn:aws:sagemaker:*:*:notebook-instance/*", "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/*", "arn:aws:sagemaker:*:*:pipeline/*", "arn:aws:sagemaker:*:*:pipeline/*/execution/*", "arn:aws:sagemaker:*:*:processing-job/*", "arn:aws:sagemaker:*:*:project/*", "arn:aws:sagemaker:*:*:training-job/*", "arn:aws:sagemaker:*:*:transform-job/*", "arn:aws:sagemaker:*:*:workforce/*", "arn:aws:sagemaker:*:*:workteam/*" ] }, { "Sid" : "AmazonSageMakerLambdaPassRolePermission", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole" ] }, { "Sid" : "AmazonSageMakerLambdaLogPermission", "Effect": "Allow", "Action": [ "logs:CreateLogDelivery", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogDelivery", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeResourcePolicies", "logs:DescribeDestinations", "logs:DescribeExportTasks", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:DescribeSubscriptionFilters", "logs:GetLogDelivery", "logs:GetLogEvents", "logs:ListLogDeliveries", "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:UpdateLogDelivery" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*" }, { "Sid" : "AmazonSageMakerLambdaCodeBuildPermission", "Effect": "Allow", "Action": [ "codebuild:StartBuild", "codebuild:BatchGetBuilds" ], "Resource": "arn:aws:codebuild:*:*:project/sagemaker-*", "Condition": { "StringLike": { "aws:ResourceTag/sagemaker:project-name": "*" } } } ] } ``` ------ ## Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies AWS Service Catalog policy updates View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes. | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) - Updated policy | 10 | Updated `codestar-connections:PassConnection` and `codeconnections:PassConnection` permissions. | September 27, 2025 | | [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) - Updated policy | 3 | Updated `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | September 27, 2025 | | [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) - Updated policy | 3 | Updated `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | September 27, 2025 | | [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) - Updated policy | 9 | Add `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | July 1, 2024 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 | Roll back the policy to version 7 (v7). Remove `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | June 12, 2024 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 8 | Add `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | June 11, 2024 | | [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) - Updated policy | 2 | Add `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | June 11, 2024 | | [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) - Updated policy | 2 | Add `cloudformation:TagResource`, `cloudformation:UntagResource`, `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | June 11, 2024 | | [AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy) - Updated policy | 2 | Add `codebuild:StartBuild` and `codebuild:BatchGetBuilds` permissions. | June 11, 2024 | | [AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy) | 1 | Initial policy | August 1, 2023 | | [AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy) | 1 | Initial policy | August 1, 2023 | | [AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy) | 1 | Initial policy | August 1, 2023 | | [AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy) - Updated policy | 2 | Add permission for `glue:GetUserDefinedFunctions`. | August 26, 2022 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 | Add permission for `sagemaker:AddTags`. | August 2, 2022 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 6 | Add permission for `lambda:TagResource`. | July 14, 2022 | | AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy | 1 | Initial policy | April 4, 2022 | | [AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy) | 1 | Initial policy | March 24, 2022 | | [AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy) | 1 | Initial policy | March 24, 2022 | | AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy | 1 | Initial policy | March 24, 2022 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 5 | Add permission for `ecr-idp:TagResource`. | March 21, 2022 | | AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy | 1 | Initial policy | February 22, 2022 | | [AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy) | 1 | Initial policy | February 22, 2022 | | [AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy) | 1 | Initial policy | February 22, 2022 | | AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy | 1 | Initial policy | February 22, 2022 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 4 | Add permissions for `cognito-idp:TagResource` and `s3:PutBucketCORS`. | February 16, 2022 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 3 | Add new permissions for `sagemaker`. Create, read, update, and delete SageMaker Images. | September 15, 2021 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 2 | Add permissions for `sagemaker` and `codestar-connections`. Create, read, update, and delete code repositories. Pass AWS CodeStar connections to AWS CodePipeline. | July 1, 2021 | | AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 1 | Initial policy | November 27, 2020 | ## SageMaker AI Updates to AWS Managed Policies Amazon SageMaker AI policy updates View details about updates to AWS managed policies for SageMaker AI since this service began tracking these changes. | Policy | Version | Change | Date | | --- | --- | --- | --- | | [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) - Update to an existing policy | 27 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/security-iam-awsmanpol.html) | December 4, 2024 | | [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) - Update to an existing policy | 26 | Add `sagemaker:AddTags` permission. | March 29, 2024 | | AmazonSageMakerFullAccess - Update to an existing policy | 25 | Add `sagemaker:CreateApp`, `sagemaker:DescribeApp`, `sagemaker:DeleteApp`, `sagemaker:CreateSpace`, `sagemaker:UpdateSpace`, `sagemaker:DeleteSpace`, `s3express:CreateSession`, `s3express:CreateBucket`, and `s3express:ListAllMyDirectoryBuckets` permissions. | November 30, 2023 | | AmazonSageMakerFullAccess - Update to an existing policy | 24 | Add `sagemaker-geospatial:*`, `sagemaker:AddTags`, `sagemaker-ListTags`, `sagemaker-DescribeSpace`, and `sagemaker:ListSpaces` permissions. | November 30, 2022 | | AmazonSageMakerFullAccess - Update to an existing policy | 23 | Add `glue:UpdateTable`. | June 29, 2022 | | AmazonSageMakerFullAccess - Update to an existing policy | 22 | Add `cloudformation:ListStackResources`. | May 1, 2022 | | [AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly) - Update to an existing policy | 11 | Add `sagemaker:QueryLineage`, `sagemaker:GetLineageGroupPolicy`, `sagemaker:BatchDescribeModelPackage`, `sagemaker:GetModelPackageGroupPolicy` permissions. | December 1, 2021 | | AmazonSageMakerFullAccess - Update to an existing policy | 21 | Add `sns:Publish` permissions for endpoints with Async Inference enabled. | September 8, 2021 | | AmazonSageMakerFullAccess - Update to an existing policy | 20 | Update `iam:PassRole` resources and permissions. | July 15, 2021 | | AmazonSageMakerReadOnly - Update to an existing policy | 10 | New API `BatchGetRecord` added for SageMaker AI Feature Store. | June 10, 2021 | | | | SageMaker AI started tracking changes for its AWS managed policies. | June 1, 2021 |