AmazonSageMakerCanvasDataPrepFullAccess details (in AWS console)
Policy Name
AmazonSageMakerCanvasDataPrepFullAccess
Description
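Provides full access to Amazon SageMaker resources and operations for data preparation in Canvas. The policy also provides select access to related services (e.g., S3, IAM, KMS, RDS, CloudWatch Logs, Redshift, Athena, Glue, EventBridge, Secrets Manager). This policy should be attached to the Amazon SageMaker Domain/User Profile execution role.
Note on the listing below: each statement is shown with only Effect, Action and Resource; no Condition element appears in it. Several grants are broad as listed (iam:PassRole on arn:aws:iam::*:role/*, s3:GetObject on arn:aws:s3:::*, secretsmanager:GetSecretValue on secret:AmazonSageMaker-*). Check the current policy version in IAM for condition keys before assessing what the execution role can actually reach.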
ARN
arn:aws:iam::aws:policy/AmazonSageMakerCanvasDataPrepFullAccess
Path
/
PolicyId
ANPAZKAPJZG4CKHJVSVSQ
AttachmentCount
0
[
{
"Effect": "Allow",
"Action": [
"sagemaker:ListFeatureGroups"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sagemaker:CreateFeatureGroup",
"sagemaker:DescribeFeatureGroup"
],
"Resource": [
"arn:aws:sagemaker:*:*:feature-group/*"
]
},
{
"Effect": "Allow",
"Action": [
"sagemaker:CreateProcessingJob",
"sagemaker:DescribeProcessingJob",
"sagemaker:AddTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
]
},
{
"Effect": "Allow",
"Action": [
"sagemaker:ListProcessingJobs"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sagemaker:DescribePipeline",
"sagemaker:CreatePipeline",
"sagemaker:UpdatePipeline",
"sagemaker:DeletePipeline",
"sagemaker:StartPipelineExecution",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:DescribePipelineExecution"
],
"Resource": [
"arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:ListAliases"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey"
],
"Resource": [
"arn:aws:kms:*:*:key/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole"
],
"Resource": [
"arn:aws:iam::*:role/*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutRule"
],
"Resource": [
"arn:aws:events:*:*:rule/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:DescribeRule",
"events:PutTargets"
],
"Resource": [
"arn:aws:events:*:*:rule/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:TagResource"
],
"Resource": [
"arn:aws:events:*:*:rule/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:ListTagsForResource"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:SearchTables"
],
"Resource": [
"arn:aws:glue:*:*:table/*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups"
],
"Resource": [
"arn:aws:elasticmapreduce:*:*:cluster/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticmapreduce:ListClusters"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"athena:ListDataCatalogs"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:StartQueryExecution",
"athena:StopQueryExecution"
],
"Resource": [
"arn:aws:athena:*:*:workgroup/*"
]
},
{
"Effect": "Allow",
"Action": [
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource": [
"arn:aws:athena:*:*:datacatalog/*"
]
},
{
"Effect": "Allow",
"Action": [
"redshift-data:DescribeStatement",
"redshift-data:CancelStatement",
"redshift-data:GetStatementResult"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"redshift-data:ExecuteStatement",
"redshift-data:ListSchemas",
"redshift-data:ListTables"
],
"Resource": [
"arn:aws:redshift:*:*:cluster:*"
]
},
{
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials"
],
"Resource": [
"arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
"arn:aws:redshift:*:*:dbname:*"
]
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
]
}
]