
Commit 41f8dc4

author
MAMIP Bot
committed
SageMakerStudioUserIAMPermissiveExecutionPolicy - Policy Version v3
1 parent 3b5fbae commit 41f8dc4

1 file changed

+228
-7
lines changed


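--- a/policies/SageMakerStudioUserIAMPermissiveExecutionPolicy
+++ b/policies/SageMakerStudioUserIAMPermissiveExecutionPolicy
@@ -1,7 +1,7 @@
 {
 "PolicyVersion": {
-"CreateDate": "2025-08-26T21:34:07Z",
-"VersionId": "v2",
+"CreateDate": "2025-10-30T19:34:08Z",
+"VersionId": "v3",
 "Document": {
 "Version": "2012-10-17",
 "Statement": [
@@ -26,30 +26,49 @@
 "codewhisperer:*",
 "q:*",
 "sagemaker:*",
+"sagemaker-mlflow:*",
 "scheduler:*",
-"sqlworkbench:*"
+"sqlworkbench:*",
+"emr-serverless:*"
 ],
 "Resource": "*",
 "Effect": "Allow",
 "Sid": "ComputeAccess"
 },
 {
 "Action": [
+"datazone:AcceptPredictions",
+"datazone:AcceptSubscriptionRequest",
+"datazone:CancelMetadataGenerationRun",
+"datazone:CancelSubscription",
 "datazone:CreateAsset*",
 "datazone:CreateConnection",
+"datazone:CreateListingChangeSet",
 "datazone:CreateProject",
+"datazone:CreateSubscriptionGrant",
+"datazone:CreateSubscriptionRequest",
 "datazone:DeleteAsset*",
 "datazone:DeleteConnection",
+"datazone:DeleteListing",
 "datazone:DeleteProject",
+"datazone:DeleteSubscriptionGrant",
+"datazone:DeleteSubscriptionRequest",
 "datazone:Get*",
 "datazone:List*",
 "datazone:PostLineageEvent",
+"datazone:RejectPredictions",
+"datazone:RejectSubscriptionRequest",
+"datazone:RevokeSubscription",
 "datazone:Search",
 "datazone:SearchListings",
+"datazone:SearchRules",
+"datazone:SearchTypes",
 "datazone:SearchUserProfiles",
+"datazone:StartMetadataGenerationRun",
 "datazone:UpdateAssetFilter",
 "datazone:UpdateConnection",
-"datazone:UpdateProject"
+"datazone:UpdateProject",
+"datazone:UpdateSubscriptionRequest"
 ],
 "Resource": "*",
 "Effect": "Allow",
@@ -139,9 +158,14 @@
 },
 {
 "Action": [
+"lakeformation:BatchGrantPermissions",
+"lakeformation:BatchRevokePermissions",
 "lakeformation:DescribeResource",
 "lakeformation:GetDataAccess",
-"lakeformation:ListResources"
+"lakeformation:GrantPermissions",
+"lakeformation:ListResources",
+"lakeformation:ListPermissions",
+"lakeformation:RevokePermissions"
 ],
 "Resource": "*",
 "Effect": "Allow",
@@ -164,8 +188,12 @@
 },
 {
 "Action": [
+"secretsmanager:CreateSecret",
+"secretsmanager:DeleteSecret",
 "secretsmanager:DescribeSecret",
-"secretsmanager:GetSecretValue"
+"secretsmanager:GetSecretValue",
+"secretsmanager:UpdateSecret",
+"secretsmanager:PutResourcePolicy"
 ],
 "Resource": "*",
 "Effect": "Allow",
@@ -178,8 +206,10 @@
 },
 {
 "Action": [
+"secretsmanager:CreateSecret",
 "secretsmanager:DescribeSecret",
-"secretsmanager:GetSecretValue"
+"secretsmanager:GetSecretValue",
+"secretsmanager:UpdateSecret"
 ],
 "Resource": "*",
 "Effect": "Allow",
@@ -201,6 +231,197 @@
 "Resource": "*",
 "Effect": "Allow",
 "Sid": "Ecr"
+},
+{
+"Action": [
+"codeconnections:UseConnection",
+"codeconnections:ListConnections",
+"codeconnections:GetConnection",
+"codeconnections:GetHost",
+"codeconnections:ListTagsForResource",
+"codestar-connections:UseConnection",
+"codestar-connections:ListConnections",
+"codestar-connections:GetConnection",
+"codestar-connections:GetHost",
+"codestar-connections:ListTagsForResource"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Sid": "CodeConnectionsUser"
+},
+{
+"Action": [
+"kms:DescribeKey",
+"kms:ListAliases",
+"kms:ListGrants"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Sid": "KmsListAndDescribe"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:GenerateDataKey"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"ForAnyValue:StringEquals": {
+"kms:EncryptionContextKeys": "aws:datazone:domainId"
+},
+"StringLike": {
+"kms:ViaService": "datazone.*.amazonaws.com"
+}
+},
+"Sid": "DataZoneKms"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:GenerateDataKey"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"Null": {
+"kms:EncryptionContext:aws:s3:arn": "false"
+},
+"StringLike": {
+"kms:ViaService": "s3.*.amazonaws.com"
+}
+},
+"Sid": "S3Kms"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:GenerateDataKey"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"Null": {
+"kms:EncryptionContext:aws:scheduler:schedule:arn": "false"
+},
+"StringLike": {
+"kms:ViaService": "scheduler.*.amazonaws.com"
+}
+},
+"Sid": "SchedulerKms"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:Encrypt",
+"kms:GenerateDataKey"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"Null": {
+"kms:EncryptionContext:SecretARN": "false"
+},
+"StringLike": {
+"kms:ViaService": "secretsmanager.*.amazonaws.com"
+}
+},
+"Sid": "SecretsKms"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:Encrypt",
+"kms:GenerateDataKey",
+"kms:GenerateDataKeyWithoutPlaintext"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"Null": {
+"kms:EncryptionContextKeys": "false"
+},
+"StringLike": {
+"kms:ViaService": "sagemaker.*.amazonaws.com"
+}
+},
+"Sid": "SageMakerKms"
+},
+{
+"Action": [
+"kms:CreateGrant"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"StringLike": {
+"kms:ViaService": "sagemaker.*.amazonaws.com"
+}
+},
+"Sid": "SageMakerCreateGrant"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:Encrypt",
+"kms:GenerateDataKey",
+"kms:GenerateDataKeyWithoutPlaintext"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"Null": {
+"kms:EncryptionContextKeys": "false"
+},
+"StringLike": {
+"kms:ViaService": "glue.*.amazonaws.com"
+}
+},
+"Sid": "GlueKms"
+},
+{
+"Action": [
+"kms:CreateGrant",
+"kms:Decrypt",
+"kms:GenerateDataKey"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Condition": {
+"Null": {
+"kms:EncryptionContextKeys": "false"
+},
+"StringLike": {
+"kms:ViaService": "bedrock.*.amazonaws.com"
+}
+},
+"Sid": "BedrockKms"
+},
+{
+"Action": "ec2:Describe*",
+"Resource": "*",
+"Effect": "Allow",
+"Sid": "Ec2DescribeOnly"
+},
+{
+"Action": [
+"ec2:CreateNetworkInterface",
+"ec2:DeleteNetworkInterface"
+],
+"Resource": "*",
+"Effect": "Allow",
+"Sid": "VpcAccess"
+},
+{
+"Action": [
+"ec2:CreateTags",
+"ec2:DeleteTags"
+],
+"Resource": [
+"arn:aws:ec2:*:*:network-interface/*"
+],
+"Effect": "Allow",
+"Sid": "EC2TagAccessForVpc"
 }
 ]
 },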
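Review bot: `lakeformation:GrantPermissions` / `lakeformation:BatchGrantPermissions` (hunk `@@ -139,9 +158,14 @@`) and `secretsmanager:PutResourcePolicy` (hunk `@@ -164,8 +188,12 @@`) are added on `"Resource": "*"` with no Condition visible in either hunk, which lets this execution role delegate data-lake access to other principals and attach a resource policy to any secret in the account — permission-administration capabilities rather than the data-access the surrounding statements grant. The KMS statements added in the last hunk bound their `*` resources with `kms:ViaService` and encryption-context conditions; the Lake Formation and Secrets Manager statements would benefit from a comparable bound, e.g. a resource ARN pattern for the workspace's own secrets or a tag condition such as `"Condition": {"StringEquals": {"aws:ResourceTag/<TAG_KEY>": "<TAG_VALUE>"}}` (placeholder values), and a `secretsmanager:BlockPublicPolicy` condition on the PutResourcePolicy grant. The two Secrets Manager statements now diverge — only the first receives `DeleteSecret` and `PutResourcePolicy` — and their Sids and any Condition blocks lie outside the hunks, so whether that asymmetry is intended cannot be confirmed from here. The commit description should state which of the new `*`-resource grants the `emr-serverless:*` / `sagemaker-mlflow:*` features actually require, since those are the lines an access review will flag first.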
