How do I prevent an IAM user or role from setting up Amazon SageMaker Canvas?

I want to prevent AWS Identity and Access Management (IAM) users and AWS IAM Identity Center (successor to AWS Single Sign-On) users from setting up Amazon SageMaker Canvas.


To prevent an IAM user or role from setting up the SageMaker Canvas app, first create an IAM policy to deny the required permissions. Then, attach this policy to the SageMaker execution role.

Do the following:

1.    Open the IAM console.

2.    In the navigation pane, choose Policies.

3.    Choose Create policy, and then choose the JSON tab.

4.    Copy and paste the following IAM policy in the policy editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSageMakerCreateAppOperations",
      "Effect": "Allow",
      "Action": "sagemaker:CreateApp",
      "Resource": "*"
    },
    {
      "Sid": "DenySageMakerCanvasCreateApp",
      "Effect": "Deny",
      "Action": "sagemaker:CreateApp",
      "Resource": "arn:aws:sagemaker:example-region:1111222233334444:app/example-domain/example-user-name/canvas/*"
    }
  ]
}

Be sure to replace the following in the policy:

  • example-region with the Region of your choice.
  • 1111222233334444 with your account ID.
  • example-domain with your SageMaker Studio domain ID.
  • example-user-name with your SageMaker Studio user profile name.

5.    Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Review policy.

6.    Choose Next: Tags.

7.    On the Review policy page, enter a Name and a Description (optional) for the policy that you're creating. Review the policy Summary, and then choose Create policy to save your work.

8.    In the list of policies displayed, choose the policy that you created.

9.    Choose the Policy usage tab, and then choose Attach.

10.    From the list of IAM users and roles that appears, select the SageMaker execution role for the Studio user.

11.    Choose Attach policy.

If you try to set up the SageMaker Canvas app after completing the preceding steps, you get the following error:

SageMaker is unable to use your associated ExecutionRole [<SageMaker Studio User Execution Role>] to create app. Verify that your associated ExecutionRole has permission for 'sagemaker:CreateApp'.
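The following added example (not AWS code and not part of the original article) models how the policy from step 4 is evaluated offline, so that you can check which CreateApp requests the Deny statement covers before you attach it. It is a simplified model of IAM evaluation that handles only Action and Resource wildcard matching. The Region, account ID, domain ID, user profile names, and the jupyterserver app type are constructed sample values.

```python
import json
import re

# Policy from step 4 with constructed sample values in place of the placeholders.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowSageMakerCreateAppOperations", "Effect": "Allow",
     "Action": "sagemaker:CreateApp", "Resource": "*"},
    {"Sid": "DenySageMakerCanvasCreateApp", "Effect": "Deny",
     "Action": "sagemaker:CreateApp",
     "Resource": "arn:aws:sagemaker:us-east-1:111122223333:app/d-exampledomain/alice/canvas/*"}
  ]
}
""")

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request (no Condition support)."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        # Action names match case-insensitively; resource ARNs are case-sensitive.
        hit = (any(_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
               and any(_match(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        if hit and stmt["Effect"] == "Allow":
            decision = "Allow"
    return decision

def app_arn(profile, app_type, app_name="default"):
    """Build a constructed app ARN in the same layout as the policy's Resource."""
    return ("arn:aws:sagemaker:us-east-1:111122223333:app/d-exampledomain/"
            f"{profile}/{app_type}/{app_name}")

if __name__ == "__main__":
    for profile, app_type in [("alice", "canvas"), ("alice", "jupyterserver"), ("bob", "canvas")]:
        result = evaluate(POLICY, "sagemaker:CreateApp", app_arn(profile, app_type))
        print(f"{profile:6} {app_type:14} {result}")
```

The Deny statement matches only the user profile named in its Resource ARN, so a Canvas app for any other profile that uses the same execution role is still allowed by the first statement.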

Related information

Amazon SageMaker Canvas

AWS OFFICIAL Updated 7 months ago