How to Enforce User-Based Resource Isolation in Amazon SageMaker Studio with ADFS Authentication?

I'm configuring Amazon SageMaker Studio and aim to implement user-based resource isolation. Specifically, I want each ADFS-authenticated user to only access their corresponding Amazon SageMaker user profile.

Context:
I plan to use the UPN Claim Type from ADFS as the identifier. For example, ADFS would pass bob.smith@acme.com as the UPN Claim Type.

Approach:
I'm thinking of using IAM policy conditions to compare this UPN claim to a custom tag set on the Amazon SageMaker user profile:

  • Tag key = upn
  • Tag value = bob.smith@acme.com

By doing this, the IAM policy could enforce that only users with a matching UPN Claim Type can access that profile.

Additional Restrictions:
I also aim to restrict users from editing the upn tag on their SageMaker user profiles. This ensures the tag can only be set or modified by admin users.

Questions:

  1. Is there a more efficient or straightforward way to accomplish user-based resource isolation with ADFS in SageMaker Studio?
  2. Can someone share a sample IAM policy that accomplishes this, especially the part that restricts tag editing?
  3. Would the condition to enforce this in the IAM policy look something like this?
    "Condition": {
        "StringEquals": {
            "sagemaker:ResourceTag/upn": "${aws:PrincipalTag/upn}"
        }
    }
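An added example (not from the question's author): one permissions policy for the ADFS-federated role that combines the tag-match condition from question 3 with an explicit deny on the upn tag key. REGION and ACCOUNT_ID are placeholders, and it assumes ADFS delivers the UPN as the SAML attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:upn so that it becomes the session tag aws:PrincipalTag/upn.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenOnlyTheProfileTaggedWithMyUpn",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeUserProfile"
      ],
      "Resource": "arn:aws:sagemaker:REGION:ACCOUNT_ID:user-profile/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:ResourceTag/upn": "${aws:PrincipalTag/upn}"
        }
      }
    },
    {
      "Sid": "DenyAnyChangeToTheUpnTag",
      "Effect": "Deny",
      "Action": [
        "sagemaker:AddTags",
        "sagemaker:DeleteTags",
        "sagemaker:CreateUserProfile"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["upn"]
        }
      }
    }
  ]
}
```

The explicit Deny wins over any Allow the same role may carry elsewhere, so only a separate admin role without this statement can set or change upn; the federated role's trust policy must also grant sts:TagSession next to sts:AssumeRoleWithSAML, or the session tag is never set and the StringEquals condition fails for everyone.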
No Answers
