Prevent tag edition for sagemaker resources

0

I am creating a iam policy for sagemaker resources access. I am using condition to create resources based on sagemaker tags. How can I prevent users to edit the resources tags after creation

  • Thanks all,

    I solved the issue by using these policy statements:( using these policies I can prevent the users to edit the sagemaker resource tags

    { "Sid": "VisualEditor222", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": "*" },

    {	
    		"Sid": "VisualEditor333",
    		"Effect": "Deny",
    		"Action": [
    			"sagemaker:DeleteTags"
    		],
    		"Resource": "*"
    	}
    
2 Answers
0

I'd suggest you to use service control policy(SCP) or permission boundary for this use case.

Best fit for your use case would be using permissions boundary and that permission boundary would be attached to roles which you want to prevent from untagging sagemaker resources.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Deny",
         "Action": [
           "sagemaker:UntagResource"
         ],
         "Resource": "*"
       }
     ]
   }

You can further limit it down using condition like, one can't untag resources, if that particular sagemaker resource has that specific tag/tags.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Deny",
         "Action": [
           "sagemaker:UntagResource"
         ],
         "Resource": "*",
         "Condition": {
             "StringEquals": {
                  "aws:RequestTag/YourTagKey": "YourTagValue"
              }
          }
       }
     ]
   }

Hope it helps.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
answered 10 months ago
profile picture
EXPERT
reviewed 10 months ago
0

In this IAM policy, the first Statement allows users to create SageMaker resources with the tag environment=production. The second Statement denies users from editing the tags of those resources after they are created. The Condition element in the second Statement checks whether the resource has the tag environment=production. If it does, the policy denies the action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Create*",
        "sagemaker:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "sagemaker:TagResource",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    }
  ]
}

You can also use the Condition element to specify other conditions, such as the user's IAM role or the region in which the resource is located. For more information, see the IAM Policy Conditions: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html documentation.

profile pictureAWS
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions