本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS Amazon SageMaker Ground Truth 的受管政策
這些 AWS 受管政策新增使用 SageMaker AI Ground Truth 所需的許可。這些政策可在您的帳戶中使用, AWS 並由從 SageMaker AI 主控台建立的執行角色使用。
**Topics**
+ [AWS 受管政策:AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution)
+ [Amazon SageMaker AI 更新 SageMaker AI Ground Truth 受管政策](#security-iam-awsmanpol-groundtruth-updates)
## AWS 受管政策:AmazonSageMakerGroundTruthExecution
此 AWS 受管政策會授予使用 SageMaker AI Ground Truth 時通常需要的許可。
**許可詳細資訊**
此政策包含以下許可。
+ `lambda` - 讓主體調用名稱包含 “sagemaker” (不區分大小寫)、“GtRecipe” 或 “LabelingFunction” 的 Lambda 函式。
+ `s3` - 讓主體從 Amazon S3 儲存貯體新增和擷取物件。這些物件僅限於不區分大小寫,且包含 “groundtruth” 或 “sagemaker” 的名稱,或以 “SageMaker” 標記的物件。
+ `cloudwatch` - 讓主體張貼 CloudWatch 指標。
+ `logs` - 讓主體建立和存取日誌串流,以及張貼日誌事件。
+ `sqs` - 讓主體建立 Amazon SQS 佇列,並傳送和接收 Amazon SQS 訊息。這些許可僅限於名稱包含 “GroundTruth” 的佇列。
+ `sns` - 讓主體訂閱並發佈訊息至不區分大小寫名稱包含 “groundtruth” 或 “sagemaker” 的 Amazon SNS 主題。
+ `ec2` - 讓主體建立、描述和刪除其 VPC 端點服務名稱包含 “sagemaker-task-resources” 或 “labeling” 的 Amazon VPC 端點。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CustomLabelingJobs",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:*GtRecipe*",
"arn:aws:lambda:*:*:function:*LabelingFunction*",
"arn:aws:lambda:*:*:function:*SageMaker*",
"arn:aws:lambda:*:*:function:*sagemaker*",
"arn:aws:lambda:*:*:function:*Sagemaker*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*GroundTruth*",
"arn:aws:s3:::*Groundtruth*",
"arn:aws:s3:::*groundtruth*",
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {
"s3:ExistingObjectTag/SageMaker": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "*"
},
{
"Sid": "CloudWatch",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Sid": "StreamingQueue",
"Effect": "Allow",
"Action": [
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:SetQueueAttributes"
],
"Resource": "arn:aws:sqs:*:*:*GroundTruth*"
},
{
"Sid": "StreamingTopicSubscribe",
"Effect": "Allow",
"Action": "sns:Subscribe",
"Resource": [
"arn:aws:sns:*:*:*GroundTruth*",
"arn:aws:sns:*:*:*Groundtruth*",
"arn:aws:sns:*:*:*groundTruth*",
"arn:aws:sns:*:*:*groundtruth*",
"arn:aws:sns:*:*:*SageMaker*",
"arn:aws:sns:*:*:*Sagemaker*",
"arn:aws:sns:*:*:*sageMaker*",
"arn:aws:sns:*:*:*sagemaker*"
],
"Condition": {
"StringEquals": {
"sns:Protocol": "sqs"
},
"StringLike": {
"sns:Endpoint": "arn:aws:sqs:*:*:*GroundTruth*"
}
}
},
{
"Sid": "StreamingTopic",
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": [
"arn:aws:sns:*:*:*GroundTruth*",
"arn:aws:sns:*:*:*Groundtruth*",
"arn:aws:sns:*:*:*groundTruth*",
"arn:aws:sns:*:*:*groundtruth*",
"arn:aws:sns:*:*:*SageMaker*",
"arn:aws:sns:*:*:*Sagemaker*",
"arn:aws:sns:*:*:*sageMaker*",
"arn:aws:sns:*:*:*sagemaker*"
]
},
{
"Sid": "StreamingTopicUnsubscribe",
"Effect": "Allow",
"Action": [
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Sid": "WorkforceVPC",
"Effect": "Allow",
"Action": [
"ec2:CreateVpcEndpoint",
"ec2:DescribeVpcEndpoints",
"ec2:DeleteVpcEndpoints"
],
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"ec2:VpceServiceName": [
"*sagemaker-task-resources*",
"aws.sagemaker*labeling*"
]
}
}
}
]
}
```
------
## Amazon SageMaker AI 更新 SageMaker AI Ground Truth 受管政策
檢視自此服務開始追蹤 Amazon SageMaker AI Ground Truth AWS 受管政策更新以來的詳細資訊。
| 政策 | 版本 | 變更 | Date |
| --- | --- | --- | --- |
| [AmazonSageMakerGroundTruthExecution](#security-iam-awsmanpol-gt-AmazonSageMakerGroundTruthExecution) - 更新現有政策 | 3 | 新增 `ec2:CreateVpcEndpoint`、`ec2:DescribeVpcEndpoints` 和 `ec2:DeleteVpcEndpoints` 許可。 | 2022 年 4 月 29 日 |
| AmazonSageMakerGroundTruthExecution - 更新現有政策 | 2 | 移除 `sqs:SendMessageBatch` 許可。 | 2022 年 4 月 11 日 |
| AmazonSageMakerGroundTruthExecution - 新政策 | 1 | 初始政策 | 2020 年 7 月 20 日 |