Prevent tag editing for SageMaker resources

0

I am creating an IAM policy for SageMaker resource access. I am using a condition to create resources based on SageMaker tags. How can I prevent users from editing the resource tags after creation?

  • Thanks all,

    I solved the issue by using these policy statements (using these policies I can prevent users from editing the SageMaker resource tags):

    { "Sid": "VisualEditor222", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": "*" },

    {	
    		"Sid": "VisualEditor333",
    		"Effect": "Deny",
    		"Action": [
    			"sagemaker:DeleteTags"
    		],
    		"Resource": "*"
    	}
    
2 Answers
0

I'd suggest you use a service control policy (SCP) or a permissions boundary for this use case.

The best fit for your use case would be a permissions boundary, attached to the roles that you want to prevent from untagging SageMaker resources.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Deny",
         "Action": [
           "sagemaker:UntagResource"
         ],
         "Resource": "*"
       }
     ]
   }

You can further limit it using a condition, for example: one can't untag a resource if that particular SageMaker resource has a specific tag or tags.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Deny",
         "Action": [
           "sagemaker:UntagResource"
         ],
         "Resource": "*",
         "Condition": {
             "StringEquals": {
                  "aws:RequestTag/YourTagKey": "YourTagValue"
              }
          }
       }
     ]
   }

Hope it helps.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
EXPERT
answered 8 months ago
EXPERT
reviewed 8 months ago
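To see how the asker's AddTags/DeleteTags statements and a tag-scoped Deny like the one in the answer above combine under IAM's evaluation logic (an explicit Deny overrides any Allow, and an action no statement covers is implicitly denied), here is an added Python example that is not code from the question or from either answer. It assumes `Resource` is `*` as in every statement on this page, models only `StringEquals` conditions, and uses constructed sample tags; `aws:ResourceTag/<key>` is the condition key IAM populates from tags already attached to the resource being acted on.

```python
import fnmatch

# Constructed policy (not from the page): the asker's Allow/Deny pair on the SageMaker
# tagging actions, plus a Deny that applies only when the target resource already carries
# environment=production, in the spirit of the conditional statement in the answer above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sagemaker:AddTags", "sagemaker:DeleteTags"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": ["sagemaker:DeleteTags"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/environment": "production"}}},
    ],
}

def _matches(statement, action, context):
    """Does the statement apply? Action wildcards follow IAM's '*' and '?'; Resource is assumed '*'."""
    actions = statement["Action"]
    patterns = [actions] if isinstance(actions, str) else actions
    if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
        return False
    # Only StringEquals is modelled; every key in the block must be present and equal.
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True

def evaluate(policy, action, context):
    """IAM decision in miniature: explicit Deny beats Allow; no match is an implicit deny."""
    decision = "implicitDeny"
    for statement in policy["Statement"]:
        if not _matches(statement, action, context):
            continue
        if statement["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allow"
    return decision

def resource_context(tags):
    """Condition keys IAM derives from the tags already on the target resource."""
    return {f"aws:ResourceTag/{k}": v for k, v in tags.items()}

def demo():
    prod = resource_context({"environment": "production"})  # constructed sample tags
    dev = resource_context({"environment": "dev"})
    return {
        "add_tag_on_prod": evaluate(POLICY, "sagemaker:AddTags", prod),       # allow
        "delete_tag_on_prod": evaluate(POLICY, "sagemaker:DeleteTags", prod), # explicitDeny
        "delete_tag_on_dev": evaluate(POLICY, "sagemaker:DeleteTags", dev),   # allow
        "create_on_prod": evaluate(POLICY, "sagemaker:CreateModel", prod),    # implicitDeny
    }
```

Note that the Allow on `sagemaker:DeleteTags` cannot win back tag deletion on production-tagged resources: the Deny is evaluated regardless of statement order.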
0

In this IAM policy, the first Statement allows users to create SageMaker resources with the tag environment=production. The second Statement denies users from editing the tags of those resources after they are created. The Condition element in the second Statement checks whether the resource has the tag environment=production. If it does, the policy denies the action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:Create*",
        "sagemaker:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "sagemaker:TagResource",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    }
  ]
}

You can also use the Condition element to specify other conditions, such as the user's IAM role or the region in which the resource is located. For more information, see the IAM Policy Conditions documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html

AWS
answered 8 months ago
