architecture, Machine Learning, SageMaker

Access management in AWS SageMaker

  1. Restricting access to AWS SageMaker S3 Buckets.

A bucket policy and a user policy are two of the access policy options available for you to grant permission to your S3 resources [1]. The documentation on this includes a number of example policies for both. I have included it here for you [2].

I have also included a link to one of aws security blogs that outlines how to restrict S3 access to a specific IAM role [3]. While the following article from aws Knowledge center demonstrates how you can use IAM policies to grant user-specific access to specific folders [4].

  1. Restricting access to AWS SageMaker Jupiter Notebooks.

There are two things to consider here:

2.1 AWS Sagemaker Authentication and Access Control

Access to SageMaker requires credentials and those credentials must have permissions to access AWS resources, such as a SageMaker notebook instance or an EC2 instance. The following provides details on how you can use IAM and SageMaker to help secure access to your resources [5].

2.2 Sagemaker Roles

As SageMaker is a managed service, it performs operations on your behalf on the hardware that is managed by SageMaker. SageMaker can only perform operations that the user permits i.e. a SageMaker user can grant permissions with an IAM role (execution role), where the user then passes the role when making API calls.

You would attach a trust policy to the IAM role which grants SageMaker principal permissions to assume the role. This is the same for all of the execution roles. For example, I have included the following for your reference as it contains a number of execution role examples for CreateNotebookInstance, CreateHyperParameterTuningJob, CreateTrainingJob, and CreateModel [6].

  1. Restricting Notebook instance type & Training instance type for Data Science Team

Usually to allow users to create or modify resources and perform tasks, you must create IAM policies that grant your users permissions for the specific resources and API actions they’ll need to use, and then attach those policies to the users or groups that require those permissions [7]. The following describes the resources that are created or modified by EC2 actions, and the ARNs and EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular EC2 resources [8]. For example, you can also refer to individual resources within your policy by specifying the resources ARN [9].

However that being said, as the instance types for the Sagemaker service are ‘ml’ and differ from that of EC2, I will need to perform some testing on this on my own end and get back to you.

In short, SageMaker has no service-specific context keys that can be used in the Condition element of policy statements [B1]. I had a look at the list of the global context keys [B2] that are available to all services but unfortunately nothing specific.

To elaborate a bit further:

It is possible to restrict a users ability to launch particular instance types among other things [B3,B 4]. I tested this on my own environment by attaching a policy to a user and restricting the instance type to only t2.medium. I have included my sample policy here to illustrate this:

“Sid”: “MyRestrictedPolicy”,
“Effect”: “Allow”,
“Action”: “ec2:RunInstances”,
“Resource”: “arn:aws:ec2:REGION:ACCOUNT-ID:instance/*”,
“Condition”: {
“StringEquals”: {
“ec2:InstanceType”: “t2.medium”

The result of the policy was that my user was unable to launch instances unless they were of type “t2.medium”. Unfortunately, as stated previously SageMaker currently does not have service-specific context keys that can be used in the Condition element as is the case in the above policy.

Instead, you can restrict users access using the ARN of a notebook instance or training job i.e. the resource will need to be set up and the ARN of that resource then added to a policy in order to restrict users access to only this resource. For example, the ARNs would look like the following for both the Notebook Instance and the Training Job [5]:

Notebook Instance        arn:aws:sagemaker:REGION:ACCOUNT-ID:notebook-instance/notebookInstanceName
Training Job             arn:aws:sagemaker:REGION:ACCOUNT-ID:training-job/trainingJobName

You can see the syntax for the resources ARN for each of Sagemakers API operations here [B6, B7].

Finally, I have included a link to a number of AWS managed policies for job functions [B8] for your reference. In particular I thought you might be interested in the Data Scientist policy [B9].

  1. Restricting Sage Maker Model deployment.

SageMaker uses the endpoint to provision resources and deploy models.

To restrict model deployment, you can restrict users access to the following API calls, CreateEndpointConfig [10], which creates an endpoint configuration that SageMaker hosting services uses to deploy models and, CreateEndpoint [11], which creates an endpoint using the endpoint configuration specified.

  1. Notebook access ONLY. No AWS console Access.

To provide access to a notebook and not the AWS console, you can create a presigned notebook instance URL that you can use to connect to the Jupyter server from a notebook instance [12].

For example, when you use the SageMaker console and you choose “Open” next to a notebook instance, SageMaker opens a new tab showing the Jupyter server home page from the notebook instance. The console is using this API call to get the URL and show you the page.

7 persistent storage to save you notebook.

The directory /home/ec2-user/SageMaker/  is persistent while the directory /home/ec2-user/ is not persistent. So you can save the notebooks in .

You can mount an s3 bucket as directory on the notebook and store all your notebooks on the bucket instead of on the instance volume storage. For this you have to install package called ‘s3contents’ [C1] on the notebook instance.

Please be aware that the configuration file is located in the path ~/.jupyter/ which may not be persistent. I am working on workaround to make the configuration persistent as well.

you can also use AWS EFS :


Finally, the following actions are supported by the SageMaker Service [13]. As demonstrated above in outlining CreatePresignedNotebookInstanceUrl, CreateEndpoint, etc, you can use IAM alongside any of the Sagemaker actions and choose to allow or deny such actions for your users.

[1] Using Bucket Policies and User Policies –

[2] Amazon S3: Allows Read and Write Access to a Specific S3 Bucket  –

[3] How to Restrict Amazon S3 Bucket Access to a Specific IAM Role –

[4] How can I use IAM policies to grant user-specific access to specific folders? –

[5] Authentication and Access Control for Amazon SageMaker  –

[6] Amazon SageMaker Roles  –

[7] Granting IAM Users Required Permissions for Amazon EC2 Resources –

[8] Granting IAM Users Required Permissions for Amazon EC2 Resources – Instances –

[9] Policy Structure – Amazon Resource Names for Amazon EC2 –

[10] CreateEndpointConfig –

[11] CreateEndpoint –

[12] CreatePresignedNotebookInstanceUrl –

[13] Actions –


Section b ressources:

[B1] Actions, Resources, and Condition Keys for Amazon SageMaker  – Condition Keys for Amazon SageMaker –
[B2] AWS Global Condition Context Keys –
[B3] Example Policies for Working in the Amazon EC2 Console –
[B4] Policy Structure – Condition Keys for Amazon EC2 –
[B5] Overview of Managing Access Permissions to Your Amazon SageMaker Resources  – Amazon SageMaker Resources and Operations –
[B6] Actions, Resources, and Condition Keys for Amazon SageMaker  – Resources Defined by SageMaker –
[B7] Amazon SageMaker API Permissions: Actions, Permissions, and Resources Reference  –
[B8] AWS Managed Policies for Job Functions –
[B9] AWS Managed Policies for Job Functions – Data Scientist –



I put a lot of thoughts into these blogs, so I could share the information in a clear and useful way. If you have any comments, thoughts, questions, or you need someone to consult with, feel free to contact me:

Leave a Reply