本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
SageMakerStudioUserIAMPermissiveExecutionPolicy
描述:在 SageMaker Unified Studio 中使用 IAM 角色的执行策略。允许用户访问您账户中的资源(包括广泛访问 S3、G CloudWatch lue、Logs 等所有 APIs 数据服务),以便基于 IAM 使用 Uni SageMaker fied Studio。
SageMakerStudioUserIAMPermissiveExecutionPolicy 是一项 AWS 托管式策略。
使用此策略
您可以将 SageMakerStudioUserIAMPermissiveExecutionPolicy 附加到您的用户、组和角色。
策略详细信息
-
类型: AWS 托管策略
-
创建时间:2025 年 8 月 18 日 17:19 UTC
-
编辑时间:世界标准时间 2025 年 11 月 18 日 23:34
-
ARN:
arn:aws:iam::aws:policy/SageMakerStudioUserIAMPermissiveExecutionPolicy
策略版本
策略版本:v5(默认)
此策略的默认版本是定义策略权限的版本。当使用该策略的用户或角色请求访问 AWS 资源时, AWS 会检查策略的默认版本以确定是否允许该请求。
JSON 策略文档
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "DataAccess", "Effect" : "Allow", "Action" : [ "cloudwatch:*", "glue:*", "logs:*", "redshift-data:*", "redshift-serverless:*", "redshift:*", "s3:*" ], "Resource" : "*" }, { "Sid" : "ComputeAccess", "Effect" : "Allow", "Action" : [ "athena:*", "bedrock:*", "codewhisperer:*", "sagemaker-unified-studio-mcp:*", "q:*", "sagemaker:*", "sagemaker-mlflow:*", "scheduler:*", "sqlworkbench:*", "emr-serverless:*", "airflow-serverless:*" ], "Resource" : "*" }, { "Sid" : "GlueSessionIsolation", "Effect" : "Deny", "Action" : [ "glue:CancelStatement", "glue:CreateSession", "glue:DeleteSession", "glue:GetSession", "glue:GetStatement", "glue:RunStatement", "glue:StopSession", "glue:GetDashboardUrl" ], "Resource" : [ "arn:aws:glue:*:*:session/*" ], "Condition" : { "StringNotEquals" : { "aws:RequestTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}", "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "DenyTaggingUntaggingForeignSessions", "Effect" : "Deny", "Action" : [ "glue:TagResource", "glue:UntagResource" ], "Resource" : "arn:aws:glue:*:*:session/*", "Condition" : { "StringNotEquals" : { "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "DataZone", "Effect" : "Allow", "Action" : [ "datazone:AcceptPredictions", "datazone:AcceptSubscriptionRequest", "datazone:CancelMetadataGenerationRun", "datazone:CancelSubscription", "datazone:CreateAsset*", "datazone:CreateConnection", "datazone:CreateEnvironment", "datazone:CreateListingChangeSet", "datazone:CreateProject", "datazone:CreateSubscriptionGrant", "datazone:CreateSubscriptionRequest", "datazone:DeleteAsset*", "datazone:DeleteConnection", "datazone:DeleteEnvironment", "datazone:DeleteListing", "datazone:DeleteProject", "datazone:DeleteSubscriptionGrant", "datazone:DeleteSubscriptionRequest", "datazone:Get*", "datazone:List*", "datazone:PostLineageEvent", "datazone:RejectPredictions", "datazone:RejectSubscriptionRequest", "datazone:RevokeSubscription", "datazone:Search", "datazone:SearchListings", "datazone:SearchRules", "datazone:SearchTypes", "datazone:SearchUserProfiles", "datazone:SearchGroupProfiles", "datazone:StartMetadataGenerationRun", "datazone:UpdateAssetFilter", "datazone:UpdateConnection", "datazone:UpdateEnvironment", "datazone:UpdateProject", "datazone:UpdateSubscriptionRequest", "datazone:CreateNotebook", "datazone:UpdateNotebook", "datazone:DeleteNotebook", "datazone:CreateCell", "datazone:UpdateCell", "datazone:DeleteCell", "datazone:BatchGetCell", "datazone:CreateCellRun", "datazone:UpdateCellRun", "datazone:DeleteCellRun", "datazone:BatchGetCellRun", "datazone:PutCellRunResult", "datazone:StartNotebookCompute", "datazone:StopNotebookCompute", "datazone:StartConversation", "datazone:GenerateCode", "datazone:SendMessage" ], "Resource" : "*" }, { "Sid" : "CfnManage", "Effect" : "Allow", "Action" : [ "cloudformation:*" ], "Resource" : [ "arn:aws:cloudformation:*:*:stack/DataZone*" ] }, { "Sid" : "ValidateCfn", "Effect" : "Allow", "Action" : "cloudformation:ValidateTemplate", "Resource" : "*" }, { "Sid" : "IamSts", "Effect" : "Allow", "Action" : [ "iam:GetRole", "iam:ListRoles", "sts:AssumeRole" ], "Resource" : "*" }, { "Sid" : "CreateSLR", "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : [ "arn:aws:iam::*:role/aws-service-role/neptune-graph.amazonaws.com/AWSServiceRoleForNeptuneGraph", "arn:aws:iam::*:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift", "arn:aws:iam::*:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks", "arn:aws:iam::*:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWSServiceRoleForAmazonEMRServerless", "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA", "arn:aws:iam::*:role/aws-service-role/airflow-serverless.amazonaws.com/AWSServiceRoleForAmazonMWAAServerless", "arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com/AWSServiceRoleForEMRCleanup", "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless" ] }, { "Sid" : "TagSession", "Effect" : "Allow", "Action" : "sts:TagSession", "Resource" : "*", "Condition" : { "ForAllValues:StringLike" : { "aws:TagKeys" : [ "AmazonDataZone*" ] } } }, { "Sid" : "PassRole", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : [ "arn:aws:iam::*:role/service-role/AmazonSageMaker*" ], "Condition" : { "StringEquals" : { "iam:PassedToService" : [ "sagemaker.amazonaws.com", "lakeformation.amazonaws.com", "glue.amazonaws.com", "bedrock.amazonaws.com", "redshift-serverless.amazonaws.com", "redshift.amazonaws.com", "scheduler.amazonaws.com", "emr-serverless.amazonaws.com", "airflow-serverless.amazonaws.com" ] } } }, { "Sid" : "SourceIdentity", "Effect" : "Allow", "Action" : "sts:SetSourceIdentity", "Resource" : "*", "Condition" : { "StringLike" : { "sts:SourceIdentity" : "${aws:PrincipalTag/datazone:userId}" } } }, { "Sid" : "SSM", "Effect" : "Allow", "Action" : [ "ssm:GetParameter*" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/amazon/datazone/q*", "arn:aws:ssm:*:*:parameter/amazon/datazone/genAI/*", "arn:aws:ssm:*::parameter/aws/service/sagemaker-distribution/*" ] }, { "Sid" : "LFAccess", "Effect" : "Allow", "Action" : [ "lakeformation:BatchGrantPermissions", "lakeformation:BatchRevokePermissions", "lakeformation:DescribeResource", "lakeformation:GetDataAccess", "lakeformation:GrantPermissions", "lakeformation:ListResources", "lakeformation:ListPermissions", "lakeformation:RevokePermissions" ], "Resource" : "*" }, { "Sid" : "FederatedConn", "Effect" : "Allow", "Action" : [ "dynamodb:List*", "dynamodb:Describe*", "dynamodb:Scan", "dynamodb:PartiQLSelect", "dynamodb:Query", "secretsmanager:ListSecrets", "resource-groups:GetGroupQuery", "resource-groups:ListGroupResources" ], "Resource" : "*" }, { "Sid" : "PrivateSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret", "secretsmanager:PutResourcePolicy" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/AmazonDataZoneProject" : "${datazone:projectId}" } } }, { "Sid" : "SharedSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:CreateSecret", "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/for-use-with-all-datazone-projects" : "true" } } }, { "Sid" : "Ecr", "Effect" : "Allow", "Action" : [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer" ], "Resource" : "*" }, { "Sid" : "CodeConnectionsUser", "Effect" : "Allow", "Action" : [ "codeconnections:UseConnection", "codeconnections:ListConnections", "codeconnections:GetConnection", "codeconnections:GetHost", "codeconnections:ListTagsForResource", "codestar-connections:UseConnection", "codestar-connections:ListConnections", "codestar-connections:GetConnection", "codestar-connections:GetHost", "codestar-connections:ListTagsForResource" ], "Resource" : "*" }, { "Sid" : "KmsListAndDescribe", "Effect" : "Allow", "Action" : [ "kms:DescribeKey", "kms:ListAliases", "kms:ListGrants" ], "Resource" : "*" }, { "Sid" : "DataZoneKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "datazone.*.amazonaws.com" }, "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:datazone:domainId" } } }, { "Sid" : "S3Kms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "s3.*.amazonaws.com" }, "Null" : { "kms:EncryptionContext:aws:s3:arn" : "false" } } }, { "Sid" : "SchedulerKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "Null" : { "kms:EncryptionContext:aws:scheduler:schedule:arn" : "false" } } }, { "Sid" : "SecretsKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "secretsmanager.*.amazonaws.com" }, "Null" : { "kms:EncryptionContext:SecretARN" : "false" } } }, { "Sid" : "SageMakerKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sagemaker.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "SageMakerCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sagemaker.*.amazonaws.com" } } }, { "Sid" : "DataZoneCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "datazone.*.amazonaws.com" }, "ForAllValues:StringEquals" : { "kms:GrantOperations" : [ "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKeyWithoutPlaintext", "GenerateDataKey", "DescribeKey", "RetireGrant", "CreateGrant" ] } } }, { "Sid" : "GlueKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "glue.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "BedrockKms", "Effect" : "Allow", "Action" : [ "kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "bedrock.*.amazonaws.com" }, "Null" : { "kms:EncryptionContextKeys" : "false" } } }, { "Sid" : "WorkflowsCreateGrant", "Effect" : "Allow", "Action" : [ "kms:CreateGrant" ], "Resource" : "arn:*:kms:*:*:key/*", "Condition" : { "StringLike" : { "kms:ViaService" : "airflow-serverless.*.amazonaws.com" }, "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:airflow-serverless:workflow-arn" }, "ForAllValues:StringEquals" : { "kms:GrantOperations" : [ "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "RetireGrant" ] } } }, { "Sid" : "WorkflowsKms", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource" : "arn:*:kms:*:*:key/*", "Condition" : { "ForAnyValue:StringEquals" : { "kms:EncryptionContextKeys" : "aws:airflow-serverless:workflow-arn" } } }, { "Sid" : "Ec2DescribeOnly", "Effect" : "Allow", "Action" : "ec2:Describe*", "Resource" : "*" }, { "Sid" : "VpcAccess", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission" ], "Resource" : "*" }, { "Sid" : "EC2TagAccessForVpc", "Effect" : "Allow", "Action" : [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource" : [ "arn:aws:ec2:*:*:network-interface/*" ] }, { "Sid" : "AthenaSessionIsolation", "Effect" : "Deny", "Action" : [ "athena:StartSession", "athena:GetSession", "athena:TerminateSession", "athena:GetSessionStatus", "athena:GetSessionEndpoint", "athena:GetResourceDashboard" ], "Resource" : [ "arn:aws:athena:*:*:workgroup/*/session/*" ], "Condition" : { "StringNotEquals" : { "aws:RequestTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}", "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } }, { "Sid" : "DenyTaggingUntaggingForeignAthenaSessions", "Effect" : "Deny", "Action" : [ "athena:TagResource", "athena:UntagResource" ], "Resource" : "arn:aws:athena:*:*:workgroup/*/session/*", "Condition" : { "StringNotEquals" : { "aws:ResourceTag/AmazonDataZoneSessionOwner" : "${aws:SourceIdentity}" } } } ] }
了解更多
