AmazonSageMakerCanvasFullAccess - AWS Managed Policy

Description: Provides full access to Amazon SageMaker Canvas resources and operations. The policy also provides select access to related services (e.g., S3, IAM, VPC, ECR, CloudWatch Logs, Redshift, Secrets Manager, and Forecast). This policy should be attached to the Amazon SageMaker Domain/User Profile execution role.

AmazonSageMakerCanvasFullAccess is an AWS managed policy.

Using this policy

You can attach AmazonSageMakerCanvasFullAccess to your users, groups, and roles; as the description above states, it is intended for the Amazon SageMaker Domain/User Profile execution role.

Policy details

Policy version

Policy version: v11 (default)

The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.

JSON policy document

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "SageMakerUserDetailsAndPackageOperations",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListTags",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListEndpoints"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "SageMakerPackageGroupOperations",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelPackage"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*"
      ]
    },
    {
      "Sid" : "SageMakerTrainingOperations",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateModel",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateAutoMLJobV2",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeAutoMLJobV2",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:AddTags",
        "sagemaker:DeleteApp"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*",
        "arn:aws:sagemaker:*:*:*model-compilation-*"
      ]
    },
    {
      "Sid" : "SageMakerHostingOperations",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteModel",
        "sagemaker:InvokeEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:InvokeEndpointAsync"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*"
      ]
    },
    {
      "Sid" : "EC2VPCOperation",
      "Effect" : "Allow",
      "Action" : [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcEndpointServices"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "ECROperations",
      "Effect" : "Allow",
      "Action" : [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "IAMGetOperations",
      "Effect" : "Allow",
      "Action" : [
        "iam:GetRole"
      ],
      "Resource" : "arn:aws:iam::*:role/*"
    },
    {
      "Sid" : "IAMPassOperation",
      "Effect" : "Allow",
      "Action" : [
        "iam:PassRole"
      ],
      "Resource" : "arn:aws:iam::*:role/*",
      "Condition" : {
        "StringEquals" : {
          "iam:PassedToService" : "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "LoggingOperation",
      "Effect" : "Allow",
      "Action" : [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource" : "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
    },
    {
      "Sid" : "S3Operations",
      "Effect" : "Allow",
      "Action" : [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:CreateBucket",
        "s3:GetBucketCors",
        "s3:GetBucketLocation"
      ],
      "Resource" : [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid" : "ReadSageMakerJumpstartArtifacts",
      "Effect" : "Allow",
      "Action" : "s3:GetObject",
      "Resource" : [
        "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*"
      ]
    },
    {
      "Sid" : "S3ListOperations",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "GlueOperations",
      "Effect" : "Allow",
      "Action" : "glue:SearchTables",
      "Resource" : [
        "arn:aws:glue:*:*:table/*/*",
        "arn:aws:glue:*:*:database/*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid" : "SecretsManagerARNBasedOperation",
      "Effect" : "Allow",
      "Action" : [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:PutResourcePolicy"
      ],
      "Resource" : [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid" : "SecretManagerTagBasedOperation",
      "Effect" : "Allow",
      "Action" : [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "secretsmanager:ResourceTag/SageMaker" : "true"
        }
      }
    },
    {
      "Sid" : "RedshiftOperations",
      "Effect" : "Allow",
      "Action" : [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables",
        "redshift-data:DescribeTable"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "RedshiftGetCredentialsOperation",
      "Effect" : "Allow",
      "Action" : [
        "redshift:GetClusterCredentials"
      ],
      "Resource" : [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid" : "ForecastOperations",
      "Effect" : "Allow",
      "Action" : [
        "forecast:CreateExplainabilityExport",
        "forecast:CreateExplainability",
        "forecast:CreateForecastEndpoint",
        "forecast:CreateAutoPredictor",
        "forecast:CreateDatasetImportJob",
        "forecast:CreateDatasetGroup",
        "forecast:CreateDataset",
        "forecast:CreateForecast",
        "forecast:CreateForecastExportJob",
        "forecast:CreatePredictorBacktestExportJob",
        "forecast:CreatePredictor",
        "forecast:DescribeExplainabilityExport",
        "forecast:DescribeExplainability",
        "forecast:DescribeAutoPredictor",
        "forecast:DescribeForecastEndpoint",
        "forecast:DescribeDatasetImportJob",
        "forecast:DescribeDataset",
        "forecast:DescribeForecast",
        "forecast:DescribeForecastExportJob",
        "forecast:DescribePredictorBacktestExportJob",
        "forecast:GetAccuracyMetrics",
        "forecast:InvokeForecastEndpoint",
        "forecast:GetRecentForecastContext",
        "forecast:DescribePredictor",
        "forecast:TagResource",
        "forecast:DeleteResourceTree"
      ],
      "Resource" : [
        "arn:aws:forecast:*:*:*Canvas*"
      ]
    },
    {
      "Sid" : "RDSOperation",
      "Effect" : "Allow",
      "Action" : "rds:DescribeDBInstances",
      "Resource" : "*"
    },
    {
      "Sid" : "IAMPassOperationForForecast",
      "Effect" : "Allow",
      "Action" : [
        "iam:PassRole"
      ],
      "Resource" : "arn:aws:iam::*:role/*",
      "Condition" : {
        "StringEquals" : {
          "iam:PassedToService" : "forecast.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AutoscalingOperations",
      "Effect" : "Allow",
      "Action" : [
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:RegisterScalableTarget"
      ],
      "Resource" : "arn:aws:application-autoscaling:*:*:scalable-target/*",
      "Condition" : {
        "StringEquals" : {
          "application-autoscaling:service-namespace" : "sagemaker",
          "application-autoscaling:scalable-dimension" : "sagemaker:variant:DesiredInstanceCount"
        }
      }
    },
    {
      "Sid" : "AsyncEndpointOperations",
      "Effect" : "Allow",
      "Action" : [
        "cloudwatch:DescribeAlarms",
        "sagemaker:DescribeEndpointConfig"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "DescribeScalingOperations",
      "Effect" : "Allow",
      "Action" : [
        "application-autoscaling:DescribeScalingActivities"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerCloudWatchUpdate",
      "Effect" : "Allow",
      "Action" : [
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource" : [
        "arn:aws:cloudwatch:*:*:alarm:TargetTracking*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:CalledViaLast" : "application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AutoscalingSageMakerEndpointOperation",
      "Action" : "iam:CreateServiceLinkedRole",
      "Effect" : "Allow",
      "Resource" : "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition" : {
        "StringLike" : {
          "iam:AWSServiceName" : "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AthenaOperation",
      "Action" : [
        "athena:ListTableMetadata",
        "athena:ListDataCatalogs",
        "athena:ListDatabases"
      ],
      "Effect" : "Allow",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "GlueOperation",
      "Action" : [
        "glue:GetDatabases",
        "glue:GetPartitions",
        "glue:GetTables"
      ],
      "Effect" : "Allow",
      "Resource" : [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "QuicksightOperation",
      "Action" : [
        "quicksight:ListNamespaces"
      ],
      "Effect" : "Allow",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "AllowUseOfKeyInAccount",
      "Effect" : "Allow",
      "Action" : [
        "kms:DescribeKey"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceTag/Source" : "SageMakerCanvas",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessCreateApplicationOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:CreateApplication",
      "Resource" : "arn:aws:emr-serverless:*:*:/*",
      "Condition" : {
        "StringEquals" : {
          "aws:RequestTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessListApplicationOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:ListApplications",
      "Resource" : "arn:aws:emr-serverless:*:*:/*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessApplicationOperations",
      "Effect" : "Allow",
      "Action" : [
        "emr-serverless:UpdateApplication",
        "emr-serverless:StopApplication",
        "emr-serverless:GetApplication",
        "emr-serverless:StartApplication"
      ],
      "Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessStartJobRunOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:StartJobRun",
      "Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition" : {
        "StringEquals" : {
          "aws:RequestTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessListJobRunOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:ListJobRuns",
      "Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessJobRunOperations",
      "Effect" : "Allow",
      "Action" : [
        "emr-serverless:GetJobRun",
        "emr-serverless:CancelJobRun"
      ],
      "Resource" : "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessTagResourceOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:TagResource",
      "Resource" : "arn:aws:emr-serverless:*:*:/*",
      "Condition" : {
        "StringEquals" : {
          "aws:RequestTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "IAMPassOperationForEMRServerless",
      "Effect" : "Allow",
      "Action" : "iam:PassRole",
      "Resource" : [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
        "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
      ],
      "Condition" : {
        "StringEquals" : {
          "iam:PassedToService" : "emr-serverless.amazonaws.com",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
