

This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# AWS managed policies for Amazon SageMaker AI
<a name="security-iam-awsmanpol"></a>

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the `ReadOnlyAccess` AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

**Important**  
We recommend that you use the most restrictive policy that allows your use case.

The following AWS managed policies are specific to Amazon SageMaker AI and can be attached to users in your account:
+ **`AmazonSageMakerFullAccess`** – Grants full access to Amazon SageMaker AI and SageMaker AI geospatial resources and the supported operations. This does not provide unrestricted Amazon S3 access, but supports buckets and objects that have the specific `sagemaker` tag. This policy allows all IAM roles to be passed to Amazon SageMaker AI, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services.
+ **`AmazonSageMakerReadOnly`** – Grants read-only access to Amazon SageMaker AI resources.

The following AWS managed policies can be attached to users in your account, but are not recommended:
+ [AdministratorAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator) – Grants all actions for all AWS services and for all resources in the account.
+ [DataScientist](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_data-scientist) – Grants permissions to cover most of the use cases that data scientists encounter (primarily for analytics and business intelligence).

You can review these permissions policies by signing in to the IAM console and searching for them.

You can also create your own custom IAM policies to allow permissions for Amazon SageMaker AI actions and resources as you need them. You can attach these custom policies to the users or groups that require them.

**Topics**
+ [AWS managed policy: AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess)
+ [AWS managed policy: AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly)
+ [AWS managed policies for Amazon SageMaker Canvas](security-iam-awsmanpol-canvas.md)
+ [AWS managed policies for Amazon SageMaker Feature Store](security-iam-awsmanpol-feature-store.md)
+ [AWS managed policies for Amazon SageMaker geospatial](security-iam-awsmanpol-geospatial.md)
+ [AWS managed policies for Amazon SageMaker Ground Truth](security-iam-awsmanpol-ground-truth.md)
+ [AWS managed policies for Amazon SageMaker HyperPod](security-iam-awsmanpol-hyperpod.md)
+ [AWS managed policies for SageMaker AI model governance](security-iam-awsmanpol-governance.md)
+ [AWS managed policies for Model Registry](security-iam-awsmanpol-model-registry.md)
+ [AWS managed policies for SageMaker notebooks](security-iam-awsmanpol-notebooks.md)
+ [AWS managed policies for Amazon SageMaker Partner AI Apps](security-iam-awsmanpol-partner-apps.md)
+ [AWS managed policies for SageMaker Pipelines](security-iam-awsmanpol-pipelines.md)
+ [AWS managed policies for SageMaker training plans](security-iam-awsmanpol-training-plan.md)
+ [AWS managed policies for SageMaker Projects and JumpStart](security-iam-awsmanpol-sc.md)
+ [SageMaker AI updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: AmazonSageMakerFullAccess
<a name="security-iam-awsmanpol-AmazonSageMakerFullAccess"></a>

This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker AI and SageMaker AI geospatial resources and operations. The policy also provides select access to related services. This policy allows all IAM roles to be passed to Amazon SageMaker AI, but only allows IAM roles with "AmazonSageMaker" in their name to be passed to the AWS Glue, AWS Step Functions, and AWS RoboMaker services. This policy does not include permissions to create an Amazon SageMaker AI domain. For information about the policy needed to create a domain, see [Complete Amazon SageMaker AI prerequisites](gs-set-up.md).

**Permissions details**

This policy includes the following permissions.
+ `application-autoscaling` – Allows principals to auto scale SageMaker AI real-time inference endpoints.
+ `athena` – Allows principals to query a list of data catalogs, databases, and table metadata from Amazon Athena.
+ `aws-marketplace` – Allows principals to view AWS AI Marketplace subscriptions. This is needed if you want to access SageMaker AI software subscribed to in AWS Marketplace.
+ `cloudformation` – Allows principals to get AWS CloudFormation templates for using SageMaker AI JumpStart solutions and Pipelines. SageMaker AI JumpStart creates the resources necessary to run end-to-end machine learning solutions that tie SageMaker AI to other AWS services. SageMaker AI Pipelines creates new projects backed by Service Catalog.
+ `cloudwatch` – Allows principals to post CloudWatch metrics, interact with alarms, and upload logs to CloudWatch Logs in your account.
+ `codebuild` – Allows principals to store AWS CodeBuild artifacts for SageMaker AI Pipelines and Projects.
+ `codecommit` – Needed for AWS CodeCommit integration with SageMaker AI notebook instances.
+ `cognito-idp` – Needed by Amazon SageMaker Ground Truth to define your private workforce and work teams.
+ `ec2` – Needed so that SageMaker AI can manage Amazon EC2 resources and network interfaces when you specify an Amazon VPC for SageMaker AI jobs, models, endpoints, and notebook instances.
+ `ecr` – Needed to pull and store Docker artifacts for Amazon SageMaker Studio Classic (custom images), training, processing, batch inference, and inference endpoints. This is also needed to use your own container in SageMaker AI. Additional permissions for SageMaker AI JumpStart solutions are needed to create and remove custom images on behalf of users.
+ `elasticfilesystem` – Allows principals to access Amazon Elastic File System. Needed so that SageMaker AI can use data sources in Amazon Elastic File System to train machine learning models.
+ `fsx` – Allows principals to access Amazon FSx. Needed so that SageMaker AI can use data sources in Amazon FSx to train machine learning models.
+ `glue` – Needed for inference pipeline pre-processing from within SageMaker AI notebook instances.
+ `groundtruthlabeling` – Used for Ground Truth labeling jobs. The `groundtruthlabeling` endpoint is accessed by the Ground Truth console.
+ `iam` – Needed to give the SageMaker AI console access to the available IAM roles and to create service-linked roles.
+ `kms` – Needed to give the SageMaker AI console access to the available AWS KMS keys and to retrieve them for any alias specified in jobs and endpoints.
+ `lambda` – Allows principals to invoke AWS Lambda functions and get a list of them.
+ `logs` – Needed to allow SageMaker AI jobs and endpoints to publish log streams.
+ `redshift` – Allows principals to access Amazon Redshift cluster credentials.
+ `redshift-data` – Allows principals to execute, describe, and cancel statements; get statement results; and list schemas and tables using data from Amazon Redshift.
+ `robomaker` – Allows principals full access to create, get descriptions of, and delete AWS RoboMaker simulation applications and jobs. Also needed to run reinforcement learning examples on notebook instances.
+ `s3, s3express` – Allows principals full access to the Amazon S3 and Amazon S3 Express resources related to SageMaker AI, but not to all of Amazon S3 or Amazon S3 Express.
+ `sagemaker` – Allows principals to list tags on SageMaker AI user profiles and to add tags to SageMaker AI apps and spaces. Access to SageMaker AI flow definitions is allowed only where sagemaker:WorkteamType is "private-crowd" or "vendor-crowd". Allows using and describing SageMaker AI training plans and the reserved capacity in SageMaker training jobs and SageMaker HyperPod clusters in all AWS Regions where the training plan feature is available.
+ `sagemaker` and `sagemaker-geospatial` – Allows principals read-only access to SageMaker AI domains and user profiles.
+ `secretsmanager` – Allows principals full access to AWS Secrets Manager. Principals can securely encrypt, store, and retrieve credentials for databases and other services. This is also needed for SageMaker AI notebook instances with SageMaker AI code repositories that use GitHub.
+ `servicecatalog` – Allows principals to use Service Catalog. Principals can create, get a list of, update, or terminate provisioned products, such as servers, databases, websites, or applications deployed using AWS resources. Needed by SageMaker AI JumpStart and Projects to find and read Service Catalog products and to launch AWS resources in users' accounts.
+ `sns` – Allows principals to get a list of Amazon SNS topics. Needed by endpoints with asynchronous inference enabled to notify users that their inference has completed.
+ `states` – Needed so that SageMaker AI JumpStart and Pipelines can use Service Catalog to create Step Functions resources.
+ `tag` – Needed so that SageMaker AI Pipelines can be rendered in Studio Classic. Studio Classic requires resources tagged with the specific `sagemaker:project-id` tag key. This requires the `tag:GetResources` permission.

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllNonAdminSageMakerActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:*",
        "sagemaker-geospatial:*"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:partner-app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*",
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowAddTagsForSpace",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:space/*"
      ],
      "Condition": {
        "StringEquals": {
          "sagemaker:TaggingAction": "CreateSpace"
        }
      }
    },
    {
      "Sid": "AllowAddTagsForApp",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:app/*"
      ]
    },
    {
      "Sid": "AllowUseOfTrainingPlanResources",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateCluster",
        "sagemaker:UpdateCluster",
        "sagemaker:DescribeTrainingPlan"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-plan/*",
        "arn:aws:sagemaker:*:*:reserved-capacity/*"
      ]
    },
    {
      "Sid": "AllowStudioActions",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces",
        "sagemaker:DescribeApp",
        "sagemaker:ListApps"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAppActionsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/*/*/*/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "AllowAppActionsForSharedSpaces",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "AllowMutatingActionsOnSharedSpacesWithoutOwner",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private",
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "RestrictMutatingActionsOnPrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:*:*:app/${sagemaker:DomainId}/*/*/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private"
          ]
        }
      }
    },
    {
      "Sid": "AllowFlowDefinitionActions",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": [
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "sagemaker:WorkteamType": [
            "private-crowd",
            "vendor-crowd"
          ]
        }
      }
    },
    {
      "Sid": "AllowAWSServiceActions",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:GetTemplateSummary",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutMetricData",
        "codecommit:BatchGetRepositories",
        "codecommit:CreateRepository",
        "codecommit:GetRepository",
        "codecommit:List*",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:List*",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CreateRepository",
        "ecr:Describe*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:StartImageScan",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "glue:CreateJob",
        "glue:DeleteJob",
        "glue:GetJob*",
        "glue:GetTable*",
        "glue:GetWorkflowRun",
        "glue:ResetJobBookmark",
        "glue:StartJobRun",
        "glue:StartWorkflowRun",
        "glue:UpdateJob",
        "groundtruthlabeling:*",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lambda:ListFunctions",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "robomaker:CreateSimulationApplication",
        "robomaker:DescribeSimulationApplication",
        "robomaker:DeleteSimulationApplication",
        "robomaker:CreateSimulationJob",
        "robomaker:DescribeSimulationJob",
        "robomaker:CancelSimulationJob",
        "secretsmanager:ListSecrets",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowECRActions",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:UploadLayerPart",
        "ecr:DeleteRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:DeleteRepository",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/*sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeCommitActions",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": [
        "arn:aws:codecommit:*:*:*sagemaker*",
        "arn:aws:codecommit:*:*:*SageMaker*",
        "arn:aws:codecommit:*:*:*Sagemaker*"
      ]
    },
    {
      "Sid": "AllowCodeBuildActions",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": [
        "arn:aws:codebuild:*:*:project/sagemaker*",
        "arn:aws:codebuild:*:*:build/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowStepFunctionsActions",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StartExecution",
        "states:StopExecution",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:*:*:statemachine:*sagemaker*",
        "arn:aws:states:*:*:execution:*sagemaker*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid": "AllowReadOnlySecretManagerActions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowServiceCatalogProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ProvisionProduct"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceCatalogTerminateUpdateProvisionProduct",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*",
        "arn:aws:s3:::*aws-glue*"
      ]
    },
    {
      "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Sid": "AllowS3GetObjectWithServiceCatalogProvisioningExistingObjectTag",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketCors",
        "s3:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketACL",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AllowLambdaInvokeFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:*SageMaker*",
        "arn:aws:lambda:*:*:function:*sagemaker*",
        "arn:aws:lambda:*:*:function:*Sagemaker*",
        "arn:aws:lambda:*:*:function:*LabelingFunction*"
      ]
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForSageMakerApplicationAutoscaling",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRoleForRobomaker",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "robomaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowSNSActions",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:*:*:*SageMaker*",
        "arn:aws:sns:*:*:*Sagemaker*",
        "arn:aws:sns:*:*:*sagemaker*"
      ]
    },
    {
      "Sid": "AllowPassRoleForSageMakerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "glue.amazonaws.com",
            "robomaker.amazonaws.com",
            "states.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSageMaker",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowAthenaActions",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowGlueCreateTable",
      "Effect": "Allow",
      "Action": [
        "glue:CreateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueUpdateTable",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/sagemaker_featurestore/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore"
      ]
    },
    {
      "Sid": "AllowGlueDeleteTable",
      "Effect": "Allow",
      "Action": [
        "glue:DeleteTable"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/sagemaker_tmp_*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetTablesAndDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ]
    },
    {
      "Sid": "AllowGlueGetAndCreateDatabase",
      "Effect": "Allow",
      "Action": [
        "glue:CreateDatabase",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker_featurestore",
        "arn:aws:glue:*:*:database/sagemaker_processing",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/sagemaker_data_wrangler"
      ]
    },
    {
      "Sid": "AllowRedshiftDataActions",
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowRedshiftGetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid": "AllowListTagsForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:user-profile/*"
      ]
    },
    {
      "Sid": "AllowCloudformationListStackResources",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Sid": "AllowS3ExpressObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*",
        "arn:aws:s3express:*:*:bucket/*aws-glue*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressCreateBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3express:*:*:bucket/*SageMaker*",
        "arn:aws:s3express:*:*:bucket/*Sagemaker*",
        "arn:aws:s3express:*:*:bucket/*sagemaker*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ExpressListBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3express:ListAllMyDirectoryBuckets"
      ],
      "Resource": "*"
    }
  ]
}
```

------
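To see how the statements above constrain Amazon S3 access and `iam:PassRole`, the following added example (not AWS code, and not part of this page's policy document) evaluates constructed requests against four statements copied from the policy JSON above: `AllowS3ObjectActions`, `AllowS3GetObjectWithSageMakerExistingObjectTag`, `AllowPassRoleForSageMakerRoles` and `AllowPassRoleToSageMaker`. The evaluator is deliberately simplified: Allow statements only, `*`/`?` wildcards, and the `StringEquals`, `StringEqualsIgnoreCase` and `StringLike` operators; Deny, `NotResource`, policy variables such as `${sagemaker:DomainId}`, permissions boundaries and resource-based policies are not modelled. The bucket names, role names and the account id `123456789012` are constructed.

```python
"""Simplified evaluation of requests against AmazonSageMakerFullAccess statements.

Added example, not AWS code. Only Allow statements, '*'/'?' wildcards in Action
(matched case-insensitively) and Resource (matched case-sensitively), and the
StringEquals / StringEqualsIgnoreCase / StringLike operators are modelled.
"""
import re

# Four statements copied from the AmazonSageMakerFullAccess document on this page.
STATEMENTS = [
    {
        "Sid": "AllowS3ObjectActions",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
        "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                     "arn:aws:s3:::*sagemaker*", "arn:aws:s3:::*aws-glue*"],
    },
    {
        "Sid": "AllowS3GetObjectWithSageMakerExistingObjectTag",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::*"],
        "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}},
    },
    {
        "Sid": "AllowPassRoleForSageMakerRoles",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": "arn:aws:iam::*:role/*AmazonSageMaker*",
        "Condition": {"StringEquals": {"iam:PassedToService": [
            "glue.amazonaws.com", "robomaker.amazonaws.com", "states.amazonaws.com"]}},
    },
    {
        "Sid": "AllowPassRoleToSageMaker",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": "arn:aws:iam::*:role/*",
        "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}},
    },
]


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value, ignore_case=False):
    """Match an IAM pattern: '*' is any run of characters, '?' exactly one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def condition_holds(condition, context):
    """Evaluate a Condition block against request context keys; every operator/key pair must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # the plain String* operators fail when the key is absent
            allowed = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in allowed
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [a.lower() for a in allowed]
            elif operator == "StringLike":
                ok = any(wildcard_match(a, actual) for a in allowed)
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def matching_sids(action, resource, context=None):
    """Return the Sids of the modelled Allow statements that grant `action` on `resource`."""
    context = context or {}
    sids = []
    for stmt in STATEMENTS:
        if stmt["Effect"] != "Allow":
            continue
        if not any(wildcard_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        sids.append(stmt["Sid"])
    return sids


def is_allowed(action, resource, context=None):
    """True when at least one modelled Allow statement matches (no Deny is modelled)."""
    return bool(matching_sids(action, resource, context))


if __name__ == "__main__":
    # Constructed sample requests: bucket names, role names and the account id are made up.
    checks = [
        ("s3:GetObject", "arn:aws:s3:::team-sagemaker-data/train.csv", {}),
        ("s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv", {}),
        ("s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv", {"s3:ExistingObjectTag/SageMaker": "True"}),
        ("s3:PutObject", "arn:aws:s3:::finance-reports/q1.csv", {"s3:ExistingObjectTag/SageMaker": "true"}),
        ("iam:PassRole", "arn:aws:iam::123456789012:role/DataScienceRole",
         {"iam:PassedToService": "sagemaker.amazonaws.com"}),
        ("iam:PassRole", "arn:aws:iam::123456789012:role/DataScienceRole",
         {"iam:PassedToService": "glue.amazonaws.com"}),
        ("iam:PassRole", "arn:aws:iam::123456789012:role/AmazonSageMaker-GlueRole",
         {"iam:PassedToService": "glue.amazonaws.com"}),
    ]
    for action, resource, ctx in checks:
        print(f"{action:13} {resource:60} -> {matching_sids(action, resource, ctx) or 'implicit deny'}")
```

Running the block prints, for each constructed request, the Sid that grants it or `implicit deny`. The checks show the point the permissions list makes: `s3:GetObject` on a bucket whose name contains `sagemaker` succeeds through `AllowS3ObjectActions`; the same call on an unrelated bucket succeeds only when the object carries the `SageMaker=true` tag (compared case-insensitively), and that tag does not extend to `s3:PutObject`; any role can be passed to `sagemaker.amazonaws.com`, while passing a role to `glue.amazonaws.com` requires `AmazonSageMaker` in the role name. Resource ARNs are matched case-sensitively, which is why the policy lists three spellings of the bucket pattern. For an authoritative answer use the IAM policy simulator, which also accounts for Deny statements, permissions boundaries and service control policies.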

## AWS managed policy: AmazonSageMakerReadOnly
<a name="security-iam-awsmanpol-AmazonSageMakerReadOnly"></a>

This policy grants read-only access to Amazon SageMaker AI through the AWS Management Console and the SDK.

**Permissions details**

This policy includes the following permissions.
+ `application-autoscaling` – Allows users to browse descriptions of scalable SageMaker AI real-time inference endpoints.
+ `aws-marketplace` – Allows users to view AWS AI Marketplace subscriptions.
+ `cloudwatch` – Allows users to receive CloudWatch alarms.
+ `cognito-idp` – Needed by Amazon SageMaker Ground Truth to browse descriptions and lists of your private workforce and work teams.
+ `ecr` – Needed to read Docker artifacts for training and inference.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:Describe*",
                "sagemaker:List*",
                "sagemaker:BatchGetMetrics",
                "sagemaker:GetDeviceRegistration",
                "sagemaker:GetDeviceFleetReport",
                "sagemaker:GetSearchSuggestions",
                "sagemaker:BatchGetRecord",
                "sagemaker:GetRecord",
                "sagemaker:Search",
                "sagemaker:QueryLineage",
                "sagemaker:GetLineageGroupPolicy",
                "sagemaker:BatchDescribeModelPackage",
                "sagemaker:GetModelPackageGroupPolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "aws-marketplace:ViewSubscriptions",
                "cloudwatch:DescribeAlarms",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:ListGroups",
                "cognito-idp:ListIdentityProviders",
                "cognito-idp:ListUserPoolClients",
                "cognito-idp:ListUserPools",
                "cognito-idp:ListUsers",
                "cognito-idp:ListUsersInGroup",
                "ecr:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## SageMaker AI updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for SageMaker AI since this service began tracking these changes.


| Policy | Version | Change | Date | 
| --- | --- | --- | --- | 
| [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) - Update to an existing policy | 27 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/sagemaker/latest/dg/security-iam-awsmanpol.html) | December 4, 2024 | 
| [AmazonSageMakerFullAccess](#security-iam-awsmanpol-AmazonSageMakerFullAccess) - Update to an existing policy | 26 | Added the `sagemaker:AddTags` permission. | March 29, 2024 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 25 | Added the `sagemaker:CreateApp`, `sagemaker:DescribeApp`, `sagemaker:DeleteApp`, `sagemaker:CreateSpace`, `sagemaker:UpdateSpace`, `sagemaker:DeleteSpace`, `s3express:CreateSession`, `s3express:CreateBucket`, and `s3express:ListAllMyDirectoryBuckets` permissions. | November 30, 2023 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 24 | Added the `sagemaker-geospatial:*`, `sagemaker:AddTags`, `sagemaker:ListTags`, `sagemaker:DescribeSpace`, and `sagemaker:ListSpaces` permissions. | November 30, 2022 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 23 | Added `glue:UpdateTable`. | June 29, 2022 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 22 | Added `cloudformation:ListStackResources`. | May 1, 2022 | 
| [AmazonSageMakerReadOnly](#security-iam-awsmanpol-AmazonSageMakerReadOnly) - Update to an existing policy | 11 | Added the `sagemaker:QueryLineage`, `sagemaker:GetLineageGroupPolicy`, `sagemaker:BatchDescribeModelPackage`, and `sagemaker:GetModelPackageGroupPolicy` permissions. | December 1, 2021 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 21 | Added the `sns:Publish` permission for endpoints with asynchronous inference enabled. | September 8, 2021 | 
| AmazonSageMakerFullAccess - Update to an existing policy | 20 | Updated the `iam:PassRole` resources and permissions. | July 15, 2021 | 
| AmazonSageMakerReadOnly - Update to an existing policy | 10 | Added the new `BatchGetRecord` API for SageMaker AI Feature Store. | June 10, 2021 | 
|  |  | SageMaker AI started tracking changes to its AWS managed policies. | June 1, 2021 | 
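The table above records what each new policy version added. Because a managed policy can change under an attached identity without any action on your part, an auditor usually wants a mechanical check of what a new version grants rather than a manual read of the document. The following added example (not AWS code) flattens the Allow statements of two policy documents into (Sid, action) pairs and reports the grants that appeared or disappeared. The two embedded documents are constructed subsets modelled on the version 26 change recorded above (the addition of `sagemaker:AddTags`); they are not the real version 25 and 26 documents. The `fetch_default_document` helper is an assumption about how you would obtain the live document: it uses the boto3 `get_policy` and `get_policy_version` calls, needs AWS credentials, and is not exercised by the offline part of the script.

```python
"""Detect grants added or removed between two versions of a managed policy document.

Added example, not AWS code. The embedded documents are constructed subsets of
AmazonSageMakerFullAccess modelled on the version 26 change (sagemaker:AddTags).
"""


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_grants(document):
    """Flatten the Allow statements of a policy document into a set of (Sid, action) pairs."""
    grants = set()
    for index, stmt in enumerate(document["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Sid is optional in IAM (the AmazonSageMakerReadOnly statements have none),
        # so fall back to the statement's position in the document.
        sid = stmt.get("Sid", f"statement-{index}")
        for action in _as_list(stmt["Action"]):
            grants.add((sid, action))
    return grants


def diff_grants(old_document, new_document):
    """Return the (Sid, action) grants that appeared and disappeared between two versions."""
    old, new = allow_grants(old_document), allow_grants(new_document)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed: a subset resembling the policy before the AddTags statements existed.
OLD_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllNonAdminSageMakerActions", "Effect": "Allow",
         "Action": ["sagemaker:*", "sagemaker-geospatial:*"],
         "NotResource": ["arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:space/*"]},
        {"Sid": "AllowAWSServiceActions", "Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData", "logs:PutLogEvents"], "Resource": "*"},
    ],
}

# Constructed: the same subset after the two AddTags statements quoted on this page were added.
NEW_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": OLD_DOCUMENT["Statement"] + [
        {"Sid": "AllowAddTagsForSpace", "Effect": "Allow", "Action": ["sagemaker:AddTags"],
         "Resource": ["arn:aws:sagemaker:*:*:space/*"],
         "Condition": {"StringEquals": {"sagemaker:TaggingAction": "CreateSpace"}}},
        {"Sid": "AllowAddTagsForApp", "Effect": "Allow", "Action": ["sagemaker:AddTags"],
         "Resource": ["arn:aws:sagemaker:*:*:app/*"]},
    ],
}


def fetch_default_document(policy_arn):
    """Assumed helper: fetch the live default version of a managed policy (needs AWS credentials)."""
    import boto3  # imported lazily so the rest of this module runs offline

    iam = boto3.client("iam")
    version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    response = iam.get_policy_version(PolicyArn=policy_arn, VersionId=version_id)
    return response["PolicyVersion"]["Document"]


if __name__ == "__main__":
    result = diff_grants(OLD_DOCUMENT, NEW_DOCUMENT)
    for sid, action in result["added"]:
        print(f"added:   {sid}: {action}")
    for sid, action in result["removed"]:
        print(f"removed: {sid}: {action}")
    if not result["removed"]:
        print("no grants removed, consistent with the stated practice for managed policies")
```

A practical workflow is to keep the document of the version you last reviewed and, after a change notice, run `diff_grants(saved, fetch_default_document("arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"))`, then check the `added` list against the change table. A non-empty `removed` list would contradict the stated practice that permissions are not removed from managed policies and deserves a closer look. The comparison is by Sid and action name only: a change that merely narrows or widens a statement's `Resource` or `Condition` does not show up in it, so compare those fields separately when the action list is unchanged.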