How do I modify permissions so that an IAM user or role can't set up Amazon SageMaker Canvas?


I want to modify my AWS Identity and Access Management (IAM) and AWS IAM Identity Center user permissions so that users aren't allowed to set up Amazon SageMaker Canvas.

Resolution

To modify permissions so that an IAM identity isn't allowed to set up a SageMaker Canvas app, create an IAM policy that explicitly denies the sagemaker:CreateApp permission on the Canvas app resource. An explicit Deny always overrides an Allow, so the policy works even if another attached policy grants sagemaker:CreateApp broadly.

To attach the IAM policy to the SageMaker execution role, complete the following steps:

  1. Open the IAM console.

  2. In the navigation pane, choose Policies.

  3. Choose Create policy, and then choose the JSON tab.

  4. Enter the following IAM policy in the policy editor:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowSageMakerCreateAppOperations",
          "Effect": "Allow",
          "Action": "sagemaker:CreateApp",
          "Resource": "*"
        },
        {
          "Sid": "DenySageMakerCanvasCreateApp",
          "Effect": "Deny",
          "Action": "sagemaker:CreateApp",
          "Resource": "arn:aws:sagemaker:example-region:1111222233334444:app/example-domain/example-user-name/canvas/*"
        }
      ]
    }

    Note: In the preceding policy, replace example-region with your AWS Region and 1111222233334444 with your AWS account ID. Also, replace example-domain with your SageMaker Studio domain ID and example-user-name with your SageMaker Studio user profile name.

  5. Resolve security warnings, errors, or general warnings generated during policy validation, and then choose Review policy.

  6. Choose Next: Tags.

  7. On the Review policy page, enter a name and an optional description for the policy.

  8. Review the policy summary, and then choose Create policy.

  9. In the list of policies, select your policy.

  10. Choose the Policy usage tab, and then choose Attach.

  11. From the list of IAM users and roles, select the SageMaker execution role for the Studio user.

  12. Choose Attach policy.

If the IAM user tries to set up a SageMaker Canvas app after you attach the IAM policy, then the user gets the following error:

"SageMaker is unable to use your associated ExecutionRole [SageMaker Studio User Execution Role] to create app. Verify that your associated ExecutionRole has permission for 'sagemaker:CreateApp'."
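To check that the policy above denies only what you intend before you attach it, the following added example (not part of the AWS article) evaluates the policy document offline against a few constructed request ARNs. It implements the IAM evaluation rule that an explicit Deny wins over any Allow and that a request matching no statement is implicitly denied, using IAM-style wildcard matching on the Action and Resource fields. The ARNs, the `evaluate` helper and the placeholder region, account, domain and user-profile values are assumptions for illustration; they mirror the placeholders in the policy.

```python
import fnmatch

# Copy of the policy from the article, with the same placeholder values.
# Replace the placeholders with your own Region, account ID, domain ID and
# user profile name before attaching it to a real execution role.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSageMakerCreateAppOperations",
            "Effect": "Allow",
            "Action": "sagemaker:CreateApp",
            "Resource": "*",
        },
        {
            "Sid": "DenySageMakerCanvasCreateApp",
            "Effect": "Deny",
            "Action": "sagemaker:CreateApp",
            "Resource": "arn:aws:sagemaker:example-region:1111222233334444:"
                        "app/example-domain/example-user-name/canvas/*",
        },
    ],
}

# Constructed request ARNs (assumptions for this example, not real resources).
_PREFIX = "arn:aws:sagemaker:example-region:1111222233334444:app/example-domain/"
CANVAS_ARN = _PREFIX + "example-user-name/canvas/default"
JUPYTER_ARN = _PREFIX + "example-user-name/jupyterserver/default"
OTHER_USER_CANVAS_ARN = _PREFIX + "other-user-name/canvas/default"


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style glob: '*' matches any run of characters (including '/'),
    '?' matches one character. fnmatch also interprets '[...]' classes,
    which IAM does not, but ARNs and action names never contain brackets."""
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Mirrors IAM's ordering: any matching explicit Deny ends evaluation with
    Deny; otherwise a matching Allow yields Allow; otherwise the request is
    implicitly denied. Action names are case-insensitive, resource ARNs are
    matched case-sensitively."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(_matches(a, action.lower()) for a in actions):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def evaluate_sample_requests(policy=POLICY):
    """Evaluate a representative set of requests and return the decisions."""
    requests = {
        "canvas app, named user": ("sagemaker:CreateApp", CANVAS_ARN),
        "jupyterserver app, named user": ("sagemaker:CreateApp", JUPYTER_ARN),
        "canvas app, other user": ("sagemaker:CreateApp", OTHER_USER_CANVAS_ARN),
        "describe canvas app": ("sagemaker:DescribeApp", CANVAS_ARN),
    }
    return {label: evaluate(policy, act, res) for label, (act, res) in requests.items()}


if __name__ == "__main__":
    for label, decision in evaluate_sample_requests().items():
        print(f"{label:32s} -> {decision}")
```

Running the script shows that the Canvas app for the named user profile is denied while a JupyterServer app for the same profile is still allowed, which is the behaviour the article describes. It also shows two properties of the ARN in the Deny statement worth checking against your own requirements: because the ARN names one user profile, a Canvas app under a different profile in the same domain is not denied by this policy, and because the policy only covers sagemaker:CreateApp, any other SageMaker action is neither allowed nor denied by it. Widening the user-profile segment of the ARN to `*` would extend the deny to every profile in the domain.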

AWS OFFICIAL
Updated 2 months ago