本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWS Amazon SageMaker Canvas 的 受管政策
這些 AWS 受管政策新增使用 Amazon SageMaker Canvas 所需的許可。這些政策可在您的帳戶中使用, AWS 並由從 SageMaker AI 主控台建立的執行角色使用。
AWS 受管政策:AmazonSageMakerCanvasFullAccess
此政策授與許可,可透過 AWS Management Console 和 SDK 完整存取 Amazon SageMaker Canvas。此政策也提供相關服務的選取存取權 【例如,Amazon Simple Storage Service (Amazon S3)、 AWS Identity and Access Management (IAM)、Amazon Virtual Private Cloud (Amazon VPC)、Amazon Elastic Container Registry (Amazon ECR)、Amazon CloudWatch Logs、Amazon Redshift AWS Secrets Manager、Amazon SageMaker Autopilot、SageMaker Model Registry 和 Amazon Forecast】。
此政策旨在協助客戶嘗試並開始使用 SageMaker Canvas 的所有功能。為了獲得更精細的控制,我們建議客戶在移至生產工作負載時建立自己的範圍縮減版本。如需詳細資訊,請參閱 IAM 政策類型:如何以及何時使用它們
許可詳細資訊
此 AWS 受管政策包含下列許可。
-
sagemaker– 允許主體在 ARN 包含「Canvas」、「canvas」或「model-compilation-」的資源上建立和託管 SageMaker AI 模型。此外,使用者可以將其 SageMaker Canvas 模型註冊到相同 AWS 帳戶中的 SageMaker AI 模型登錄檔。也允許主體建立和管理 SageMaker 訓練、轉換和 AutoML 任務。 -
application-autoscaling– 允許主體自動擴展 SageMaker AI 推論端點。 -
athena– 允許主體從 Amazon Athena 查詢資料目錄、資料庫和資料表中繼資料的清單,並存取目錄中的資料表。 -
cloudwatch– 允許主體建立和管理 Amazon CloudWatch 警示。 -
ec2- 讓主體建立 Amazon VPC 端點。 -
ecr- 讓主體取得容器映像的相關資訊。 -
emr-serverless– 允許主體建立和管理 Amazon EMR Serverless 應用程式和任務執行。也允許主體標記 SageMaker Canvas 資源。 -
forecast- 讓主體使用 Amazon Forecast。 -
glue– 允許主體擷取 AWS Glue 目錄中的資料表、資料庫和分割區。 -
iam– 允許主體將 IAM 角色傳遞至 Amazon SageMaker AI、Amazon Forecast 和 Amazon EMR Serverless。也允許主體建立服務連結角色。 -
kms– 允許主體讀取以 標記的 AWS KMS 金鑰Source:SageMakerCanvas。 -
logs- 允許主體從訓練任務和端點發佈日誌。 -
quicksight– 允許主體列出 QuickSight 帳戶中的命名空間。 -
rds- 讓主體傳回佈建 Amazon RDS 執行個體的相關資訊。 -
redshift- 如果該使用者存在,則讓主體取得任何 Amazon Redshift 叢集上 “sagemaker_access*” dbuser 的憑證。 -
redshift-data- 讓主體使用 Amazon Redshift 資料 API 在 Amazon edshift 上執行查詢。此僅提供對 Redshift 資料 API 本身的存取,而不會直接提供對 Amazon Redshift 叢集的存取許可。如需詳細資訊,請參閱使用 Amazon Redshift 資料 API。 -
s3- 讓主體從 Amazon S3 儲存貯體新增和擷取物件。這些物件僅限於名稱包括 “SageMaker”、“Sagemaker” 或 “sagemaker” 的物件。此外,也讓主體從特定區域中 ARN 以 “jumpstart-cache-prod-” 開頭的 Amazon S3 儲存貯體中擷取物件。 -
secretsmanager- 讓主體儲存客戶認證,以便使用 Secrets Manager 連接至 Snowflake 資料庫。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerUserDetailsAndPackageOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribeDomain", "sagemaker:DescribeUserProfile", "sagemaker:ListTags", "sagemaker:ListModelPackages", "sagemaker:ListModelPackageGroups", "sagemaker:ListEndpoints" ], "Resource": "*" }, { "Sid": "SageMakerPackageGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateModelPackageGroup", "sagemaker:CreateModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribeModelPackage" ], "Resource": [ "arn:aws:sagemaker:*:*:model-package/*", "arn:aws:sagemaker:*:*:model-package-group/*" ] }, { "Sid": "SageMakerTrainingOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateCompilationJob", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateModel", "sagemaker:CreateProcessingJob", "sagemaker:CreateAutoMLJob", "sagemaker:CreateAutoMLJobV2", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob", "sagemaker:DeleteEndpoint", "sagemaker:DescribeCompilationJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeAutoMLJob", "sagemaker:DescribeAutoMLJobV2", "sagemaker:DescribeTrainingJob", "sagemaker:DescribeTransformJob", "sagemaker:ListCandidatesForAutoMLJob", "sagemaker:StopAutoMLJob", "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:AddTags", "sagemaker:DeleteApp" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*", "arn:aws:sagemaker:*:*:*model-compilation-*" ] }, { "Sid": "SageMakerHostingOperations", "Effect": "Allow", "Action": [ "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteModel", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:InvokeEndpointAsync" ], "Resource": [ "arn:aws:sagemaker:*:*:*Canvas*", "arn:aws:sagemaker:*:*:*canvas*" ] }, { "Sid": "EC2VPCOperation", "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices" ], "Resource": "*" }, { "Sid": "ECROperations", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket", "s3:GetBucketCors", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Sid": "ReadSageMakerJumpstartArtifacts", "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*", "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*", "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*", "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*", "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*", "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*" ] }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": "glue:SearchTables", "Resource": [ "arn:aws:glue:*:*:table/*/*", "arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:catalog" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:PutResourcePolicy" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" ] }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/SageMaker": "true" } } }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult", "redshift-data:ListSchemas", "redshift-data:ListTables", "redshift-data:DescribeTable" ], "Resource": "*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "ForecastOperations", "Effect": "Allow", "Action": [ "forecast:CreateExplainabilityExport", "forecast:CreateExplainability", "forecast:CreateForecastEndpoint", "forecast:CreateAutoPredictor", "forecast:CreateDatasetImportJob", "forecast:CreateDatasetGroup", "forecast:CreateDataset", "forecast:CreateForecast", "forecast:CreateForecastExportJob", "forecast:CreatePredictorBacktestExportJob", "forecast:CreatePredictor", "forecast:DescribeExplainabilityExport", "forecast:DescribeExplainability", "forecast:DescribeAutoPredictor", "forecast:DescribeForecastEndpoint", "forecast:DescribeDatasetImportJob", "forecast:DescribeDataset", "forecast:DescribeForecast", "forecast:DescribeForecastExportJob", "forecast:DescribePredictorBacktestExportJob", "forecast:GetAccuracyMetrics", "forecast:InvokeForecastEndpoint", "forecast:GetRecentForecastContext", "forecast:DescribePredictor", "forecast:TagResource", "forecast:DeleteResourceTree" ], "Resource": [ "arn:aws:forecast:*:*:*Canvas*" ] }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "IAMPassOperationForForecast", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "forecast.amazonaws.com" } } }, { "Sid": "AutoscalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ], "Resource": "arn:aws:application-autoscaling:*:*:scalable-target/*", "Condition": { "StringEquals": { "application-autoscaling:service-namespace": "sagemaker", "application-autoscaling:scalable-dimension": "sagemaker:variant:DesiredInstanceCount" } } }, { "Sid": "AsyncEndpointOperations", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "sagemaker:DescribeEndpointConfig" ], "Resource": "*" }, { "Sid": "DescribeScalingOperations", "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalingActivities" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "SageMakerCloudWatchUpdate", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:TargetTracking*" ], "Condition": { "StringEquals": { "aws:CalledViaLast": "application-autoscaling.amazonaws.com" } } }, { "Sid": "AutoscalingSageMakerEndpointOperation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "Condition": { "StringLike": { "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com" } } } { "Sid": "AthenaOperation", "Action": [ "athena:ListTableMetadata", "athena:ListDataCatalogs", "athena:ListDatabases" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } }, }, { "Sid": "GlueOperation", "Action": [ "glue:GetDatabases", "glue:GetPartitions", "glue:GetTables" ], "Effect": "Allow", "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "QuicksightOperation", "Action": [ "quicksight:ListNamespaces" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowUseOfKeyInAccount", "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Source": "SageMakerCanvas", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessCreateApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:CreateApplication", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:ListApplications", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessApplicationOperations", "Effect": "Allow", "Action": [ "emr-serverless:UpdateApplication", "emr-serverless:StopApplication", "emr-serverless:GetApplication", "emr-serverless:StartApplication" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessStartJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:StartJobRun", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:ListJobRuns", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessJobRunOperations", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessTagResourceOperation", "Effect": "Allow", "Action": "emr-serverless:TagResource", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "IAMPassOperationForEMRServerless", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
AWS 受管政策:AmazonSageMakerCanvasDataPrepFullAccess
此政策授予許可,允許完整存取 Amazon SageMaker Canvas 的資料準備功能。此政策也為與資料準備功能整合的服務提供最低權限許可 【例如,Amazon Simple Storage Service (Amazon S3)、 AWS Identity and Access Management (IAM)、Amazon EMR、Amazon EventBridge、Amazon Redshift、 AWS Key Management Service (AWS KMS) 和 AWS Secrets Manager】。
許可詳細資訊
此 AWS 受管政策包含下列許可。
-
sagemaker– 允許主體存取處理任務、訓練任務、推論管道、AutoML 任務和功能群組。 -
athena– 允許主體從 Amazon Athena 查詢資料目錄、資料庫和資料表中繼資料的清單。 -
elasticmapreduce– 允許主體讀取和列出 Amazon EMR 叢集。 -
emr-serverless– 允許主體建立和管理 Amazon EMR Serverless 應用程式和任務執行。也允許主體標記 SageMaker Canvas 資源。 -
events– 允許主體為排程任務建立、讀取、更新目標,並將目標新增至 Amazon EventBridge 規則。 -
glue– 允許主體從 AWS Glue 目錄中的資料庫取得和搜尋資料表。 -
iam– 允許主體將 IAM 角色傳遞至 Amazon SageMaker AI、EventBridge 和 Amazon EMR Serverless。也允許主體建立服務連結角色。 -
kms– 允許主體擷取存放在任務和端點中的別名,並存取相關聯的 KMS AWS KMS 金鑰。 -
logs- 允許主體從訓練任務和端點發佈日誌。 -
redshift– 允許主體取得登入資料以存取 Amazon Redshift 資料庫。 -
redshift-data– 允許主體執行、取消、描述、列出和取得 Amazon Redshift 查詢的結果。也允許主體列出 Amazon Redshift 結構描述和資料表。 -
s3- 讓主體從 Amazon S3 儲存貯體新增和擷取物件。這些物件僅限於名稱包含「SageMaker」、「Sagemaker」或「sagemaker」的物件;或標記「SageMaker」且不區分大小寫的物件。 -
secretsmanager– 允許主體使用 Secrets Manager 存放和擷取客戶資料庫登入資料。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerListFeatureGroupOperation", "Effect": "Allow", "Action": "sagemaker:ListFeatureGroups", "Resource": "*" }, { "Sid": "SageMakerFeatureGroupOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateFeatureGroup", "sagemaker:DescribeFeatureGroup" ], "Resource": "arn:aws:sagemaker:*:*:feature-group/*" }, { "Sid": "SageMakerProcessingJobOperations", "Effect": "Allow", "Action": [ "sagemaker:CreateProcessingJob", "sagemaker:DescribeProcessingJob", "sagemaker:AddTags" ], "Resource": "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*" }, { "Sid": "SageMakerProcessingJobListOperation", "Effect": "Allow", "Action": "sagemaker:ListProcessingJobs", "Resource": "*" }, { "Sid": "SageMakerPipelineOperations", "Effect": "Allow", "Action": [ "sagemaker:DescribePipeline", "sagemaker:CreatePipeline", "sagemaker:UpdatePipeline", "sagemaker:DeletePipeline", "sagemaker:StartPipelineExecution", "sagemaker:ListPipelineExecutionSteps", "sagemaker:DescribePipelineExecution" ], "Resource": "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*" }, { "Sid": "KMSListOperations", "Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*" }, { "Sid": "KMSOperations", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*" }, { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "IAMListOperations", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*" }, { "Sid": "IAMGetOperations", "Effect": "Allow", "Action": "iam:GetRole", "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "IAMPassOperation", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "sagemaker.amazonaws.com", "events.amazonaws.com" ] } } }, { "Sid": "EventBridgePutOperation", "Effect": "Allow", "Action": [ "events:PutRule" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeOperations", "Effect": "Allow", "Action": [ "events:DescribeRule", "events:PutTargets" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeTagBasedOperations", "Effect": "Allow", "Action": [ "events:TagResource" ], "Resource": "arn:aws:events:*:*:rule/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-data-prep-job": "true", "aws:ResourceTag/sagemaker:is-canvas-data-prep-job": "true" } } }, { "Sid": "EventBridgeListTagOperation", "Effect": "Allow", "Action": "events:ListTagsForResource", "Resource": "*" }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": [ "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:SearchTables" ], "Resource": [ "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*" ] }, { "Sid": "EMROperations", "Effect": "Allow", "Action": [ "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups" ], "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*" }, { "Sid": "EMRListOperation", "Effect": "Allow", "Action": "elasticmapreduce:ListClusters", "Resource": "*" }, { "Sid": "AthenaListDataCatalogOperation", "Effect": "Allow", "Action": "athena:ListDataCatalogs", "Resource": "*" }, { "Sid": "AthenaQueryExecutionOperations", "Effect": "Allow", "Action": [ "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": "arn:aws:athena:*:*:workgroup/*" }, { "Sid": "AthenaDataCatalogOperations", "Effect": "Allow", "Action": [ "athena:ListDatabases", "athena:ListTableMetadata" ], "Resource": "arn:aws:athena:*:*:datacatalog/*" }, { "Sid": "RedshiftOperations", "Effect": "Allow", "Action": [ "redshift-data:DescribeStatement", "redshift-data:CancelStatement", "redshift-data:GetStatementResult" ], "Resource": "*" }, { "Sid": "RedshiftArnBasedOperations", "Effect": "Allow", "Action": [ "redshift-data:ExecuteStatement", "redshift-data:ListSchemas", "redshift-data:ListTables" ], "Resource": "arn:aws:redshift:*:*:cluster:*" }, { "Sid": "RedshiftGetCredentialsOperation", "Effect": "Allow", "Action": "redshift:GetClusterCredentials", "Resource": [ "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*", "arn:aws:redshift:*:*:dbname:*" ] }, { "Sid": "SecretsManagerARNBasedOperation", "Effect": "Allow", "Action": "secretsmanager:CreateSecret", "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*" }, { "Sid": "SecretManagerTagBasedOperation", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*", "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "RDSOperation", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" }, { "Sid": "LoggingOperation", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*" }, { "Sid": "EMRServerlessCreateApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:CreateApplication", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListApplicationOperation", "Effect": "Allow", "Action": "emr-serverless:ListApplications", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessApplicationOperations", "Effect": "Allow", "Action": [ "emr-serverless:UpdateApplication", "emr-serverless:GetApplication" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessStartJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:StartJobRun", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessListJobRunOperation", "Effect": "Allow", "Action": "emr-serverless:ListJobRuns", "Resource": "arn:aws:emr-serverless:*:*:/applications/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessJobRunOperations", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "EMRServerlessTagResourceOperation", "Effect": "Allow", "Action": "emr-serverless:TagResource", "Resource": "arn:aws:emr-serverless:*:*:/*", "Condition": { "StringEquals": { "aws:RequestTag/sagemaker:is-canvas-resource": "True", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "IAMPassOperationForEMRServerless", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*", "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com", "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
AWS 受管政策:AmazonSageMakerCanvasDirectDeployAccess
此政策授予 Amazon SageMaker Canvas 建立和管理 Amazon SageMaker AI 端點所需的許可。
許可詳細資訊
此 AWS 受管政策包含下列許可。
-
sagemaker– 允許主體建立和管理以「Canvas」或「canvas」開頭的 ARN 資源名稱的 SageMaker AI 端點。 -
cloudwatch– 允許主體擷取 Amazon CloudWatch 統計資料。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerEndpointPerms", "Effect": "Allow", "Action": [ "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:DeleteEndpoint", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:InvokeEndpoint", "sagemaker:UpdateEndpoint" ], "Resource": [ "arn:aws:sagemaker:*:*:Canvas*", "arn:aws:sagemaker:*:*:canvas*" ] }, { "Sid": "ReadCWInvocationMetrics", "Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*" } ] }
AWS 受管政策略:AmazonSageMakerCanvasAIServicesAccess
此政策授予 Amazon SageMaker Canvas 使用 Amazon Textract、Amazon Rekognition、Amazon Comprehend 和 Amazon Bedrock 的許可。
許可詳細資訊
此 AWS 受管政策包含下列許可。
-
textract- 讓主體使用 Amazon Textract 偵測影像中的文件、費用和身分。 -
rekognition- 讓主體使用 Amazon Rekognition 偵測影像中的標籤和文字。 -
comprehend- 讓主體使用 Amazon Comprehend 偵測文字文件中的情緒和優勢語言,以及具名和個人身分識別資訊 (PII) 實體。 -
bedrock- 讓主體使用 Amazon Bedrock 列出和調用基礎模型。 -
iam– 允許主體將 IAM 角色傳遞至 Amazon Bedrock。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Textract", "Effect": "Allow", "Action": [ "textract:AnalyzeDocument", "textract:AnalyzeExpense", "textract:AnalyzeID", "textract:StartDocumentAnalysis", "textract:StartExpenseAnalysis", "textract:GetDocumentAnalysis", "textract:GetExpenseAnalysis" ], "Resource": "*" }, { "Sid": "Rekognition", "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectText" ], "Resource": "*" }, { "Sid": "Comprehend", "Effect": "Allow", "Action": [ "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectEntities", "comprehend:BatchDetectSentiment", "comprehend:DetectPiiEntities", "comprehend:DetectEntities", "comprehend:DetectSentiment", "comprehend:DetectDominantLanguage" ], "Resource": "*" }, { "Sid": "Bedrock", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:ListFoundationModels", "bedrock:InvokeModelWithResponseStream" ], "Resource": "*" }, { "Sid": "CreateBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob", "bedrock:CreateProvisionedModelThroughput", "bedrock:TagResource" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": [ "SageMaker", "Canvas" ] }, "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:RequestTag/Canvas": "true", "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "GetStopAndDeleteBedrockResourcesPermission", "Effect": "Allow", "Action": [ "bedrock:GetModelCustomizationJob", "bedrock:GetCustomModel", "bedrock:GetProvisionedModelThroughput", "bedrock:StopModelCustomizationJob", "bedrock:DeleteProvisionedModelThroughput" ], "Resource": [ "arn:aws:bedrock:*:*:model-customization-job/*", "arn:aws:bedrock:*:*:custom-model/*", "arn:aws:bedrock:*:*:provisioned-model/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/SageMaker": "true", "aws:ResourceTag/Canvas": "true" } } }, { "Sid": "FoundationModelPermission", "Effect": "Allow", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:*::foundation-model/*" ] }, { "Sid": "BedrockFineTuningPassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } } ] }
AWS 受管政策:AmazonSageMakerCanvasBedrockAccess
此政策會授予將 Amazon SageMaker Canvas 與 Amazon Bedrock 搭配使用時通常需要的許可。
許可詳細資訊
此 AWS 受管政策包含下列許可。
-
s3– 允許主體從「sagemaker-*/Canvas」目錄中的 Amazon S3 儲存貯體新增和擷取物件。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "S3CanvasAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/Canvas/*" ] }, { "Sid": "S3BucketAccess", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] }
AWS 受管政策:AmazonSageMakerCanvasForecastAccess
此政策授予搭配使用 Amazon SageMaker Canvas 與 Amazon Forecast 經常所需的許可。
許可詳細資訊
此 AWS 受管政策包含下列許可。
-
s3- 讓主體從 Amazon S3 儲存貯體新增和擷取物件。這些物件僅限於名稱以 “sagemaker-” 開頭的物件。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*/Canvas", "arn:aws:s3:::sagemaker-*/canvas" ] } { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] } ] }
AWS 受管政策:AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy
此政策會針對 Amazon SageMaker Canvas 用於大型資料處理 AWS 的服務,將許可授予 Amazon EMR Serverless,例如 Amazon S3。 Amazon SageMaker
許可詳細資訊
此 AWS 受管政策包含下列許可。
-
s3- 讓主體從 Amazon S3 儲存貯體新增和擷取物件。這些物件僅限於名稱包含 "SageMaker" 或 "sagemaker" 的物件;或標記 "SageMaker" 且不區分大小寫的物件。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "S3Operations", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*sagemaker*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3GetObjectOperation", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "S3ListOperations", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
AWS 受管政策:AmazonSageMakerCanvasSMDataScienceAssistantAccess
此政策授予 Amazon SageMaker Canvas 中使用者與 Amazon Q Developer 開始對話的許可。此功能需要 Amazon Q Developer 和 SageMaker AI 資料科學助理服務的許可。
許可詳細資訊
此 AWS 受管政策包含下列許可。
-
q– 允許主體傳送提示給 Amazon Q Developer。 -
sagemaker-data-science-assistant– 允許主體將提示傳送至 SageMaker Canvas 資料科學助理服務。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SageMakerDataScienceAssistantAccess", "Effect": "Allow", "Action": [ "sagemaker-data-science-assistant:SendConversation" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AmazonQDeveloperAccess", "Effect": "Allow", "Action": [ "q:SendMessage", "q:StartConversation" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
Amazon SageMaker AI 更新 Amazon SageMaker Canvas 受管政策
檢視自此服務開始追蹤這些變更以來SageMaker Canvas AWS 受管政策更新的詳細資訊。
| 政策 | 版本 | 變更 | 日期 |
|---|---|---|---|
2 |
新增 |
2025 年 1 月 14 日 | |
1 |
初始政策 |
2024 年 12 月 4 日 | |
4 |
將資源新增至 |
2024 年 8 月 16 日 | |
|
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
11 |
將資源新增至 |
2024 年 8 月 15 日 |
1 |
初始政策 |
2024 年 7 月 26 日 | |
|
AmazonSageMakerCanvasDataPrepFullAccess - 更新現有政策 |
3 |
新增 |
2024 年 7 月 18 日 |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
10 |
新增 新增 新增 新增 新增 |
2024 年 7 月 9 日 |
1 |
初始政策 |
2024 年 2 月 2 日 | |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
9 |
新增 |
2024 年 1 月 24 日 |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
8 |
新增 |
2023 年 12 月 8 日 |
|
AmazonSageMakerCanvasDataPrepFullAccess - 更新現有政策 |
2 |
小型更新以強制執行先前政策第 1 版的意圖;未新增或刪除任何許可。 |
2023 年 12 月 7 日 |
3 |
新增 |
2023 年 11 月 29 日 | |
|
AmazonSageMakerCanvasDataPrepFullAccess - 新政策 |
1 |
初始政策 |
2023 年 10 月 26 日 |
1 |
初始政策 |
2023 年 10 月 6 日 | |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
7 |
新增 |
2023 年 9 月 29 日 |
|
AmazonSageMakerCanvasAIServicesAccess - 更新現有政策 |
2 |
新增 |
2023 年 9 月 29 日 |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
6 |
新增 |
2023 年 8 月 29 日 |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
5 |
新增 |
2023 年 7 月 24 日 |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
4 |
新增 |
2023 年 5 月 4 日 |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
3 |
新增 |
2023 年 3 月 24 日 |
|
AmazonSageMakerCanvasAIServicesAccess - 新政策 |
1 |
初始政策 |
2023 年 3 月 23 日 |
AmazonSageMakerCanvasFullAccess - 更新現有政策 |
2 |
新增 |
2022 年 12 月 6 日 |
AmazonSageMakerCanvasFullAccess - 新政策 |
1 |
初始政策 |
2022 年 9 月 8 日 |
1 |
初始政策 |
2022 年 8 月 24 日 |
