How to Enforce User-Based Resource Isolation in Amazon SageMaker Studio with ADFS Authentication?

I'm configuring Amazon SageMaker Studio and aim to implement user-based resource isolation. Specifically, I want each ADFS-authenticated user to only access their corresponding Amazon SageMaker user profile.

Context:
I plan to use the UPN Claim Type from ADFS as the identifier. For example, ADFS would pass bob.smith@acme.com as the UPN Claim Type.

Approach:
I'm thinking of using IAM policy conditions to compare this UPN claim to a custom tag set on the Amazon SageMaker user profile:

Tag key = upn
Tag value = bob.smith@acme.com

By doing this, the IAM policy could enforce that only users with a matching UPN Claim Type can access that profile.

Additional Restrictions:
I also aim to restrict users from editing the upn tag on their SageMaker user profiles. This ensures the tag can only be set or modified by admin users.

Questions:

Is there a more efficient or straightforward way to accomplish user-based resource isolation with ADFS in SageMaker Studio?
Can someone share a sample IAM policy that accomplishes this, especially the part that restricts tag editing?

Would the condition to enforce this in the IAM policy look something like this?

"Condition": {
    "StringEquals": {
        "sagemaker:ResourceTag/upn": "${aws:PrincipalTag/upn}"
    }
}

Themen

Sicherheit, Identität & Konformität AWS Framework mit guter Struktur Maschinelles Lernen & KI

Relevanter Inhalt

Wie behebe ich Fehler, wenn ich mit SageMaker Data Wrangler Daten in mein Amazon SageMaker Studio importiere?
AWS OFFICIALAktualisiert vor 2 Jahren
Warum kann ich Amazon SageMaker Studio nicht starten?
AWS OFFICIALAktualisiert vor einem Jahr
Wie behebe ich Probleme, wenn ich in SageMaker Studio auf ein Amazon-SageMaker-Projekt zugreife?
AWS OFFICIALAktualisiert vor einem Jahr
Wie verwende ich den lokalen Modus des Amazon SageMaker Python SDK mit SageMaker Studio?
AWS OFFICIALAktualisiert vor einem Jahr