I'd suggest you use a service control policy (SCP) or a permissions boundary for this use case.
The best fit for your use case would be a permissions boundary, attached to the roles that you want to prevent from untagging SageMaker resources.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "sagemaker:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}
```
You can further limit it with a condition, for example: one can't untag a resource if that particular SageMaker resource carries a specific tag or tags.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "sagemaker:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/YourTagKey": "YourTagValue"
        }
      }
    }
  ]
}
```
Hope it helps.
Comment here if you have additional questions, happy to help.
Abhishek
In this IAM policy, the first Statement allows users to create SageMaker resources with the tag environment=production. The second Statement prevents users from editing the tags of those resources after they are created. The Condition element in the second Statement checks whether the resource has the tag environment=production. If it does, the policy denies the action.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Create*",
        "sagemaker:AddTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/environment": "production"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "sagemaker:AddTags",
        "sagemaker:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    }
  ]
}
```
You can also use the Condition element to specify other conditions, such as the user's IAM role or the region in which the resource is located. For more information, see the IAM policy conditions documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
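The two answers above hinge on which condition key the Deny statement tests. Added example, not part of either answer: a simplified offline model of IAM evaluation (explicit Deny beats Allow; a StringEquals test on a key absent from the request context is false) showing that a Deny keyed on `aws:RequestTag` never fires for an untag request, while one keyed on `aws:ResourceTag` does. The request context and the broad Allow statement are constructed for the example.

```python
"""Simplified model of IAM evaluation for the untag-protection policies above.

Only what matters here is modelled: action wildcards, StringEquals conditions,
and explicit Deny overriding Allow. Real IAM also applies SCPs, permissions
boundaries, NotAction, multi-valued keys and many more condition operators.
"""
import fnmatch
from typing import Any


def _matches_action(pattern: str, action: str) -> bool:
    """IAM action patterns allow '*' wildcards (e.g. sagemaker:Create*); matching is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition: dict[str, Any], ctx: dict[str, Any]) -> bool:
    """StringEquals only. A key missing from the request context makes the test false."""
    for key, expected in condition.get("StringEquals", {}).items():
        if ctx.get(key) != expected:
            return False
    return True


def is_allowed(policy: dict[str, Any], action: str, ctx: dict[str, Any]) -> bool:
    """True if some Allow statement matches and no Deny statement matches."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_matches_action(p, action) for p in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny always wins
        allowed = True
    return allowed


# Constructed request context of a DeleteTags call against a resource tagged
# environment=production. Untag requests carry tag keys, not key/value pairs,
# so no aws:RequestTag/... key is present in the context.
UNTAG_PRODUCTION_CTX = {"aws:ResourceTag/environment": "production", "aws:TagKeys": ["environment"]}


def deny_untag_policy(condition_key: str) -> dict[str, Any]:
    """Broad constructed Allow plus the answer's Deny, parameterised by the condition key it tests."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sagemaker:DeleteTags", "Resource": "*",
         "Condition": {"StringEquals": {condition_key: "production"}}},
    ]}
```

Before relying on a policy in production, confirm the same outcome with the IAM policy simulator rather than this model.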
Thanks all,
I solved the issue by using these policy statements (using these policies I can prevent the users from editing the SageMaker resource tags):
```json
{
  "Sid": "VisualEditor222",
  "Effect": "Allow",
  "Action": [
    "sagemaker:AddTags"
  ],
  "Resource": "*"
},
```