Policy Summary
Managed Policies: 22
Group Inline Policies: 7
Role Inline Policies: 3
Total Policies: 32
Managed Policies
edge-prod-b001-policy-s3-level2-project-buckets-only
  Effect: Allow
  Actions:
    s3:ListAllMyBuckets
    s3:GetBucketLocation
  Resources:
    arn:aws:s3:::*

  Effect: Allow
  Actions:
    s3:ListBucket
    s3:GetBucketVersioning
  Resources:
    arn:aws:s3:::edge-prod-b001-*

  Effect: Allow
  Actions:
    s3:GetObject
    s3:GetObjectVersion
    s3:PutObject
    s3:PutObjectTagging
    s3:GetObjectTagging
  Resources:
    arn:aws:s3:::edge-prod-b001-*
    arn:aws:s3:::edge-prod-b001-*/*
edge-prod-b001-policy-sagemaker-level1-prod-read-only-invoke
  Effect: Allow
  Actions:
    sagemaker:ListEndpoints
    sagemaker:DescribeEndpoint
    sagemaker:ListEndpointConfigs
    sagemaker:DescribeEndpointConfig
    sagemaker:ListModels
    sagemaker:DescribeModel
    sagemaker:DescribeModelPackage
    sagemaker:ListModelPackages
  Resources:
    *

  Effect: Allow
  Actions:
    cloudwatch:GetMetricData
    cloudwatch:GetMetricStatistics
    cloudwatch:ListMetrics
  Resources:
    *

  Effect: Allow
  Actions:
    application-autoscaling:DescribeScalableTargets
    application-autoscaling:DescribeScalingPolicies
  Resources:
    *

  Effect: Allow
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:
    arn:aws:sagemaker:*:*:endpoint/*
edge-prod-b001-policy-ecr-level1-read-only
  Effect: Allow
  Actions:
    ecr:GetAuthorizationToken
  Resources:
    *

  Effect: Allow
  Actions:
    ecr:BatchCheckLayerAvailability
    ecr:GetDownloadUrlForLayer
    ecr:BatchGetImage
    ecr:DescribeRepositories
    ecr:ListImages
    ecr:DescribeImages
    ecr:DescribeImageScanFindings
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*
edge-prod-b001-policy-kms-level1-read-only
  Effect: Allow
  Actions:
    kms:GetPublicKey
    kms:GetKeyRotationStatus
    kms:GetKeyPolicy
    kms:DescribeKey
    kms:ListKeyPolicies
    kms:ListResourceTags
    tag:GetResources
  Resources:
    arn:aws:kms:*:716716271756:key/*

  Effect: Allow
  Actions:
    kms:ListKeys
    kms:ListAliases
  Resources:
    *
edge-prod-b001-policy-bedrock-level1-invoke-only
  Effect: Allow
  Actions:
    bedrock:ListFoundationModels
    bedrock:GetFoundationModel
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:InvokeModel
    bedrock:InvokeModelWithResponseStream
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:Converse
    bedrock:ConverseStream
  Resources:
    *
edge-prod-b001-policy-ops-services-read-only
  Effect: Allow
  Actions:
    s3:ListAllMyBuckets
    s3:GetBucketLocation
  Resources:
    arn:aws:s3:::*

  Effect: Allow
  Actions:
    s3:GetObject
    s3:GetObjectVersion
    s3:ListBucket
    s3:ListBucketVersions
  Resources:
    arn:aws:s3:::edge-prod-b001-*
    arn:aws:s3:::edge-prod-b001-*/*

  Effect: Allow
  Actions:
    ecr:GetAuthorizationToken
  Resources:
    *

  Effect: Allow
  Actions:
    ecr:BatchCheckLayerAvailability
    ecr:GetDownloadUrlForLayer
    ecr:BatchGetImage
    ecr:DescribeRepositories
    ecr:ListImages
    ecr:DescribeImages
    ecr:DescribeImageScanFindings
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*

  Effect: Allow
  Actions:
    sagemaker:ListEndpoints
    sagemaker:DescribeEndpoint
    sagemaker:ListEndpointConfigs
    sagemaker:DescribeEndpointConfig
    sagemaker:ListModels
    sagemaker:DescribeModel
    sagemaker:DescribeModelPackage
    sagemaker:ListModelPackages
  Resources:
    *

  Effect: Allow
  Actions:
    cloudwatch:GetMetricData
    cloudwatch:GetMetricStatistics
    cloudwatch:ListMetrics
  Resources:
    *

  Effect: Allow
  Actions:
    application-autoscaling:DescribeScalableTargets
    application-autoscaling:DescribeScalingPolicies
  Resources:
    *

  Effect: Deny
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:
    *

  Effect: Allow
  Actions:
    lambda:ListFunctions
  Resources:
    *

  Effect: Allow
  Actions:
    lambda:ListAliases
    lambda:ListTags
    lambda:GetFunction
    lambda:GetFunctionConfiguration
    lambda:GetPolicy
    lambda:GetAlias
    lambda:GetFunctionUrlConfig
    lambda:ListFunctionUrlConfigs
    lambda:GetProvisionedConcurrencyConfig
    lambda:ListProvisionedConcurrencyConfigs
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    lambda:InvokeFunction
    lambda:InvokeFunctionUrl
    lambda:GetFunctionEventInvokeConfig
    lambda:ListFunctionEventInvokeConfigs
    lambda:GetFunctionConcurrency
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    bedrock:ListFoundationModels
    bedrock:GetFoundationModel
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:InvokeModel
    bedrock:InvokeModelWithResponseStream
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:Converse
    bedrock:ConverseStream
  Resources:
    *
edge-prod-b001-policy-sagemaker-level3-prod-invoke
  Effect: Allow
  Actions:
    sagemaker:DescribeEndpoint
    sagemaker:ListEndpoints
  Resources:
    *

  Effect: Allow
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:
    arn:aws:sagemaker:*:*:endpoint/*-prod-*

  Effect: Deny
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:

  Effect: Deny
  Actions:
    sagemaker:CreateEndpoint
    sagemaker:UpdateEndpoint
    sagemaker:DeleteEndpoint
    sagemaker:CreateEndpointConfig
    sagemaker:DeleteEndpointConfig
  Resources:
    *
edge-prod-b001-policy-ecr-level2-dev-read-write
  Effect: Allow
  Actions:
    ecr:GetAuthorizationToken
  Resources:
    *

  Effect: Allow
  Actions:
    ecr:DescribeRepositories
    ecr:DescribeImages
    ecr:ListImages
    ecr:BatchGetImage
    ecr:GetRepositoryPolicy
    ecr:GetLifecyclePolicy
    ecr:ListTagsForResource
    ecr:DescribeImageScanFindings
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*

  Effect: Allow
  Actions:
    ecr:BatchCheckLayerAvailability
    ecr:GetDownloadUrlForLayer
    ecr:InitiateLayerUpload
    ecr:UploadLayerPart
    ecr:CompleteLayerUpload
    ecr:PutImage
    ecr:TagResource
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*

  Effect: Allow
  Actions:
    ecr:CreateRepository
    ecr:StartImageScan
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*
edge-prod-b001-policy-sagemaker-level4-ci-deploy-only
  Effect: Allow
  Actions:
    sagemaker:CreateEndpoint
    sagemaker:CreateEndpointConfig
    sagemaker:UpdateEndpoint
    sagemaker:DescribeEndpoint
    sagemaker:DescribeEndpointConfig
    sagemaker:ListEndpoints
    sagemaker:ListEndpointConfigs
  Resources:
    *

  Effect: Allow
  Actions:
    sagemaker:CreateModel
    sagemaker:CreateModelPackage
    sagemaker:CreateModelPackageGroup
    sagemaker:DescribeModel
    sagemaker:DescribeModelPackage
    sagemaker:DescribeModelPackageGroup
    sagemaker:ListModels
    sagemaker:ListModelPackages
    sagemaker:ListModelPackageGroups
    sagemaker:UpdateModelPackage
  Resources:
    *

  Effect: Allow
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:
    *

  Effect: Allow
  Actions:
    application-autoscaling:RegisterScalableTarget
    application-autoscaling:PutScalingPolicy
    application-autoscaling:DescribeScalableTargets
    application-autoscaling:DescribeScalingPolicies
    cloudwatch:PutMetricAlarm
    cloudwatch:DescribeAlarms
  Resources:
    *

  Effect: Allow
  Actions:
    sagemaker:AddTags
    sagemaker:ListTags
  Resources:
    *

  Effect: Allow
  Actions:
    iam:PassRole
  Resources:
    arn:aws:iam::*:role/edge-prod-*-role-*
  Condition:
    StringEquals:
      iam:PassedToService: sagemaker.amazonaws.com

  Effect: Deny
  Actions:
    sagemaker:DeleteEndpoint
    sagemaker:DeleteEndpointConfig
    sagemaker:DeleteModel
    sagemaker:DeleteModelPackage
    sagemaker:DeleteModelPackageGroup
    sagemaker:UpdateEndpointWeightsAndCapacities
    sagemaker:DeleteDomain
    sagemaker:DeleteUserProfile
  Resources:
    *
edge-prod-b001-policy-mlops-services-c
  Effect: Allow
  Actions:
    bedrock:InvokeModel
    bedrock:InvokeModelWithResponseStream
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:Converse
    bedrock:ConverseStream
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:GetFoundationModel
    bedrock:ListFoundationModels
    bedrock:PutModelInvocationLoggingConfiguration
    bedrock:GetModelInvocationLoggingConfiguration
    bedrock:ListModelInvocationJobs
    bedrock:PutFoundationModelEntitlement
    bedrock:PutUseCaseForModelAccess
    bedrock:ListFoundationModelAgreementOffers
    bedrock:CreateFoundationModelAgreement
    bedrock:GetFoundationModelAvailability
    bedrock:DeleteFoundationModelAgreement
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:CreateGuardrail
    bedrock:UpdateGuardrail
    bedrock:CreateGuardrailVersion
    bedrock:GetGuardrail
    bedrock:ListGuardrails
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:ImportModel
    bedrock:GetCustomModel
    bedrock:ListCustomModels
    bedrock:CreateModelImportJob
    bedrock:GetModelImportJob
    bedrock:ListModelImportJobs
    bedrock:StopModelImportJob
  Resources:
    *

  Effect: Allow
  Actions:
    bedrock:CreateInferenceProfile
    bedrock:GetInferenceProfile
    bedrock:ListInferenceProfiles
    bedrock:UpdateInferenceProfile
  Resources:
    *

  Effect: Allow
  Actions:
    cloudwatch:GetMetricData
    cloudwatch:ListMetrics
    logs:DescribeLogGroups
    logs:GetLogEvents
  Resources:
    *

  Effect: Deny
  Actions:
    bedrock:DeleteCustomModel
    bedrock:DeleteModelInvocationLoggingConfiguration
    bedrock:DeleteProvisionedModelThroughput
    bedrock:DeleteModelImportJob
    bedrock:DeleteCustomModelDeployment
    bedrock:DeleteInferenceProfile
    bedrock:DeletePromptRouter
    bedrock:DeleteGuardrail
    bedrock:DeleteKnowledgeBase
    bedrock:DeleteAgent
  Resources:
    *
edge-prod-b001-policy-pipeline-level3-project-ci
  Effect: Allow
  Actions:
    sagemaker:CreatePipeline
    sagemaker:UpdatePipeline
    sagemaker:DescribePipeline
    sagemaker:ListPipelines
    sagemaker:StartPipelineExecution
    sagemaker:StopPipelineExecution
    sagemaker:DescribePipelineExecution
    sagemaker:ListPipelineExecutions
    sagemaker:ListPipelineExecutionSteps
  Resources:
    arn:aws:sagemaker:*:*:pipeline/edge-prod-b001-*

  Effect: Allow
  Actions:
    s3:GetObject
    s3:ListBucket
  Resources:
    arn:aws:s3:::edge-prod-b001-*
    arn:aws:s3:::edge-prod-b001-*/*

  Effect: Allow
  Actions:
    secretsmanager:GetSecretValue
    ssm:GetParameter
    ssm:GetParameters
  Resources:
    arn:aws:secretsmanager:*:*:secret:edge-prod-b001-*
    arn:aws:ssm:*:*:parameter/edge-prod-b001/*

  Effect: Allow
  Actions:
    ecr:GetAuthorizationToken
    ecr:BatchCheckLayerAvailability
    ecr:GetDownloadUrlForLayer
    ecr:BatchGetImage
    ecr:DescribeRepositories
    ecr:ListImages
    ecr:DescribeImages
    ecr:InitiateLayerUpload
    ecr:UploadLayerPart
    ecr:CompleteLayerUpload
    ecr:PutImage
    ecr:TagResource
  Resources:
    *

  Effect: Allow
  Actions:
    iam:PassRole
  Resources:
    arn:aws:iam::*:role/edge-prod-b001-role-*
  Condition:
    StringEquals:
      iam:PassedToService: sagemaker.amazonaws.com
edge-prod-b001-policy-s3-level3-project-buckets-full
  Effect: Allow
  Actions:
    s3:ListAllMyBuckets
    s3:GetBucketLocation
  Resources:
    arn:aws:s3:::*

  Effect: Allow
  Actions:
    s3:ListBucket
    s3:GetBucketVersioning
  Resources:
    arn:aws:s3:::edge-prod-b001-*

  Effect: Allow
  Actions:
    s3:GetObject
    s3:GetObjectVersion
    s3:PutObject
    s3:PutObjectTagging
    s3:GetObjectTagging
  Resources:
    arn:aws:s3:::edge-prod-b001-*
    arn:aws:s3:::edge-prod-b001-*/*
edge-prod-b001-policy-sagemaker-level1-read-only
  Effect: Allow
  Actions:
    sagemaker:ListEndpoints
    sagemaker:DescribeEndpoint
    sagemaker:ListEndpointConfigs
    sagemaker:DescribeEndpointConfig
    sagemaker:ListModels
    sagemaker:DescribeModel
    sagemaker:DescribeModelPackage
    sagemaker:ListModelPackages
  Resources:
    *

  Effect: Allow
  Actions:
    cloudwatch:GetMetricData
    cloudwatch:GetMetricStatistics
    cloudwatch:ListMetrics
  Resources:
    *

  Effect: Allow
  Actions:
    application-autoscaling:DescribeScalableTargets
    application-autoscaling:DescribeScalingPolicies
  Resources:
    *

  Effect: Deny
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:
    *
edge-prod-b001-policy-pipeline-level1-read-only
  Effect: Allow
  Actions:
    codepipeline:GetPipeline
    codepipeline:GetPipelineExecution
    codepipeline:GetPipelineState
    codepipeline:ListPipelines
    codepipeline:ListPipelineExecutions
    codepipeline:ListActionTypes
    codepipeline:ListTagsForResource
  Resources:
    *

  Effect: Allow
  Actions:
    codebuild:BatchGetBuilds
    codebuild:ListBuilds
  Resources:
    *

  Effect: Allow
  Actions:
    logs:GetLogEvents
    logs:DescribeLogStreams
  Resources:
    *

  Effect: Allow
  Actions:
    sagemaker:ListPipelines
    sagemaker:ListPipelineExecutions
    sagemaker:ListPipelineExecutionSteps
    sagemaker:DescribePipeline
    sagemaker:DescribePipelineExecution
    sagemaker:DescribePipelineDefinitionForExecution
    sagemaker:GetSearchSuggestions
  Resources:
    *
edge-prod-b001-policy-lambda-level1-invoke-only
  Effect: Allow
  Actions:
    lambda:ListFunctions
  Resources:
    *

  Effect: Allow
  Actions:
    lambda:ListAliases
    lambda:ListTags
    lambda:GetFunction
    lambda:GetFunctionConfiguration
    lambda:GetPolicy
    lambda:GetAlias
    lambda:GetFunctionUrlConfig
    lambda:ListFunctionUrlConfigs
    lambda:GetProvisionedConcurrencyConfig
    lambda:ListProvisionedConcurrencyConfigs
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    lambda:InvokeFunction
    lambda:InvokeFunctionUrl
    lambda:GetFunctionEventInvokeConfig
    lambda:ListFunctionEventInvokeConfigs
    lambda:GetFunctionConcurrency
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*
edge-prod-b001-policy-sagemaker-level2-dev-invoke
  Effect: Allow
  Actions:
    sagemaker:ListEndpoints
    sagemaker:DescribeEndpoint
    sagemaker:ListEndpointConfigs
    sagemaker:DescribeEndpointConfig
    sagemaker:ListModels
    sagemaker:DescribeModel
    sagemaker:DescribeModelPackage
    sagemaker:ListModelPackages
    sagemaker:GetSearchSuggestions
  Resources:
    *

  Effect: Allow
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:
    arn:aws:sagemaker:*:*:endpoint/*-sandbox-*
    arn:aws:sagemaker:*:*:endpoint/*-dev-*
    arn:aws:sagemaker:*:*:endpoint/*-staging-*

  Effect: Allow
  Actions:
    sagemaker:CreateEndpoint
    sagemaker:CreateEndpointConfig
    sagemaker:UpdateEndpoint
    sagemaker:DeleteEndpoint
    sagemaker:DeleteEndpointConfig
  Resources:
    arn:aws:sagemaker:*:*:endpoint/*-sandbox-*
    arn:aws:sagemaker:*:*:endpoint/*-dev-*
    arn:aws:sagemaker:*:*:endpoint/*-staging-*
    arn:aws:sagemaker:*:*:endpoint-config/*-sandbox-*
    arn:aws:sagemaker:*:*:endpoint-config/*-dev-*
    arn:aws:sagemaker:*:*:endpoint-config/*-staging-*

  Effect: Allow
  Actions:
    sagemaker:CreateModel
    sagemaker:CreateModelPackage
    sagemaker:CreateModelPackageGroup
  Resources:
    *

  Effect: Deny
  Actions:
    sagemaker:CreateEndpoint
    sagemaker:CreateEndpointConfig
    sagemaker:UpdateEndpoint
    sagemaker:DeleteEndpoint
    sagemaker:DeleteEndpointConfig
  Resources:
    arn:aws:sagemaker:*:*:endpoint/*-prod-*
    arn:aws:sagemaker:*:*:endpoint-config/*-prod-*
edge-prod-b001-policy-mlops-services-a
  Effect: Allow
  Actions:
    s3:ListAllMyBuckets
    s3:GetBucketLocation
  Resources:
    arn:aws:s3:::*

  Effect: Allow
  Actions:
    s3:ListBucket
    s3:GetBucketVersioning
  Resources:
    arn:aws:s3:::edge-prod-b001-*

  Effect: Allow
  Actions:
    s3:GetObject
    s3:GetObjectVersion
    s3:PutObject
    s3:PutObjectTagging
    s3:GetObjectTagging
  Resources:
    arn:aws:s3:::edge-prod-b001-*
    arn:aws:s3:::edge-prod-b001-*/*

  Effect: Allow
  Actions:
    ecr:GetAuthorizationToken
  Resources:
    *

  Effect: Allow
  Actions:
    ecr:CreateRepository
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*

  Effect: Allow
  Actions:
    ecr:BatchCheckLayerAvailability
    ecr:GetDownloadUrlForLayer
    ecr:GetRepositoryPolicy
    ecr:DescribeRepositories
    ecr:ListImages
    ecr:DescribeImages
    ecr:BatchGetImage
    ecr:GetLifecyclePolicy
    ecr:GetLifecyclePolicyPreview
    ecr:ListTagsForResource
    ecr:InitiateLayerUpload
    ecr:UploadLayerPart
    ecr:CompleteLayerUpload
    ecr:PutImage
    ecr:TagResource
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*

  Effect: Allow
  Actions:
    sagemaker:CreatePipeline
    sagemaker:UpdatePipeline
    sagemaker:DescribePipeline
    sagemaker:ListPipelines
    sagemaker:StartPipelineExecution
    sagemaker:StopPipelineExecution
    sagemaker:DescribePipelineExecution
    sagemaker:ListPipelineExecutions
    sagemaker:ListPipelineExecutionSteps
  Resources:
    arn:aws:sagemaker:*:*:pipeline/edge-prod-b001-*

  Effect: Allow
  Actions:
    s3:GetObject
    s3:ListBucket
  Resources:
    arn:aws:s3:::edge-prod-b001-*
    arn:aws:s3:::edge-prod-b001-*/*

  Effect: Allow
  Actions:
    secretsmanager:GetSecretValue
    ssm:GetParameter
    ssm:GetParameters
  Resources:
    arn:aws:secretsmanager:*:*:secret:edge-prod-b001-*
    arn:aws:ssm:*:*:parameter/edge-prod-b001/*

  Effect: Allow
  Actions:
    ecr:GetAuthorizationToken
    ecr:BatchCheckLayerAvailability
    ecr:GetDownloadUrlForLayer
    ecr:BatchGetImage
    ecr:DescribeRepositories
    ecr:ListImages
    ecr:DescribeImages
    ecr:InitiateLayerUpload
    ecr:UploadLayerPart
    ecr:CompleteLayerUpload
    ecr:PutImage
    ecr:TagResource
  Resources:
    *

  Effect: Allow
  Actions:
    iam:PassRole
  Resources:
    arn:aws:iam::*:role/edge-prod-b001-role-*
  Condition:
    StringEquals:
      iam:PassedToService: sagemaker.amazonaws.com

  Effect: Allow
  Actions:
    sagemaker:DescribeEndpoint
    sagemaker:ListEndpoints
  Resources:
    *

  Effect: Allow
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:
    arn:aws:sagemaker:*:*:endpoint/*-prod-*

  Effect: Deny
  Actions:
    sagemaker:InvokeEndpoint
    sagemaker:InvokeEndpointAsync
  Resources:

  Effect: Deny
  Actions:
    sagemaker:CreateEndpoint
    sagemaker:UpdateEndpoint
    sagemaker:DeleteEndpoint
    sagemaker:CreateEndpointConfig
    sagemaker:DeleteEndpointConfig
  Resources:
    *
edge-prod-b001-policy-mlops-services-b
  Effect: Allow
  Actions:
    lambda:GetAccountSettings
    lambda:ListFunctions
    lambda:ListLayers
    lambda:ListLayerVersions
    lambda:ListCodeSigningConfigs
    lambda:ListEventSourceMappings
  Resources:
    *

  Effect: Allow
  Actions:
    lambda:GetAlias
    lambda:GetFunction
    lambda:GetFunctionCodeSigningConfig
    lambda:GetFunctionConcurrency
    lambda:GetFunctionConfiguration
    lambda:GetFunctionEventInvokeConfig
    lambda:GetFunctionUrlConfig
    lambda:GetPolicy
    lambda:GetProvisionedConcurrencyConfig
    lambda:GetRuntimeManagementConfig
    lambda:ListAliases
    lambda:ListFunctionEventInvokeConfigs
    lambda:ListFunctionUrlConfigs
    lambda:ListProvisionedConcurrencyConfigs
    lambda:ListTags
    lambda:ListVersionsByFunction
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    lambda:GetLayerVersion
    lambda:GetLayerVersionPolicy
  Resources:
    arn:aws:lambda:us-west-1:716716271756:layer:edge-prod-*

  Effect: Allow
  Actions:
    lambda:InvokeFunction
    lambda:InvokeFunctionUrl
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    lambda:CreateFunction
    lambda:UpdateFunctionCode
    lambda:UpdateFunctionConfiguration
    lambda:PublishVersion
    lambda:CreateAlias
    lambda:UpdateAlias
    lambda:PutFunctionConcurrency
    lambda:PutFunctionEventInvokeConfig
    lambda:PutProvisionedConcurrencyConfig
    lambda:CreateFunctionUrlConfig
    lambda:UpdateFunctionUrlConfig
    lambda:TagResource
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    lambda:PublishLayerVersion
  Resources:
    arn:aws:lambda:us-west-1:716716271756:layer:edge-prod-*

  Effect: Allow
  Actions:
    iam:PassRole
  Resources:
    arn:aws:iam::716716271756:role/edge-prod-*-role-*
  Condition:
    StringEquals:
      iam:PassedToService: lambda.amazonaws.com

  Effect: Deny
  Actions:
    lambda:DeleteFunction
    lambda:DeleteAlias
    lambda:DeleteFunctionUrlConfig
    lambda:DeleteFunctionConcurrency
    lambda:DeleteFunctionEventInvokeConfig
    lambda:DeleteProvisionedConcurrencyConfig
    lambda:DeleteLayerVersion
    lambda:AddPermission
    lambda:RemovePermission
  Resources:
    *
edge-prod-b001-policy-lambda-level2-deploy-manage
  Effect: Allow
  Actions:
    lambda:GetAccountSettings
    lambda:ListFunctions
    lambda:ListLayers
    lambda:ListLayerVersions
    lambda:ListCodeSigningConfigs
    lambda:ListEventSourceMappings
  Resources:
    *

  Effect: Allow
  Actions:
    lambda:GetAlias
    lambda:GetFunction
    lambda:GetFunctionCodeSigningConfig
    lambda:GetFunctionConcurrency
    lambda:GetFunctionConfiguration
    lambda:GetFunctionEventInvokeConfig
    lambda:GetFunctionUrlConfig
    lambda:GetPolicy
    lambda:GetProvisionedConcurrencyConfig
    lambda:GetRuntimeManagementConfig
    lambda:ListAliases
    lambda:ListFunctionEventInvokeConfigs
    lambda:ListFunctionUrlConfigs
    lambda:ListProvisionedConcurrencyConfigs
    lambda:ListTags
    lambda:ListVersionsByFunction
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    lambda:GetLayerVersion
    lambda:GetLayerVersionPolicy
  Resources:
    arn:aws:lambda:us-west-1:716716271756:layer:edge-prod-*

  Effect: Allow
  Actions:
    lambda:InvokeFunction
    lambda:InvokeFunctionUrl
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    lambda:CreateFunction
    lambda:UpdateFunctionCode
    lambda:UpdateFunctionConfiguration
    lambda:PublishVersion
    lambda:CreateAlias
    lambda:UpdateAlias
    lambda:PutFunctionConcurrency
    lambda:PutFunctionEventInvokeConfig
    lambda:PutProvisionedConcurrencyConfig
    lambda:CreateFunctionUrlConfig
    lambda:UpdateFunctionUrlConfig
    lambda:TagResource
  Resources:
    arn:aws:lambda:us-west-1:716716271756:function:edge-prod-*

  Effect: Allow
  Actions:
    lambda:PublishLayerVersion
  Resources:
    arn:aws:lambda:us-west-1:716716271756:layer:edge-prod-*

  Effect: Allow
  Actions:
    iam:PassRole
  Resources:
    arn:aws:iam::716716271756:role/edge-prod-*-role-*
  Condition:
    StringEquals:
      iam:PassedToService: lambda.amazonaws.com

  Effect: Deny
  Actions:
    lambda:DeleteFunction
    lambda:DeleteAlias
    lambda:DeleteFunctionUrlConfig
    lambda:DeleteFunctionConcurrency
    lambda:DeleteFunctionEventInvokeConfig
    lambda:DeleteProvisionedConcurrencyConfig
    lambda:DeleteLayerVersion
    lambda:AddPermission
    lambda:RemovePermission
  Resources:
    *
edge-prod-b001-policy-s3-level1-read-only
  Effect: Allow
  Actions:
    s3:ListAllMyBuckets
    s3:GetBucketLocation
  Resources:
    arn:aws:s3:::*

  Effect: Allow
  Actions:
    s3:GetObject
    s3:GetObjectVersion
    s3:ListBucket
    s3:ListBucketVersions
  Resources:
    arn:aws:s3:::edge-prod-b001-*
    arn:aws:s3:::edge-prod-b001-*/*
edge-prod-b001-policy-ecr-level3-ci-read-write
  Effect: Allow
  Actions:
    ecr:GetAuthorizationToken
  Resources:
    *

  Effect: Allow
  Actions:
    ecr:CreateRepository
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*

  Effect: Allow
  Actions:
    ecr:BatchCheckLayerAvailability
    ecr:GetDownloadUrlForLayer
    ecr:GetRepositoryPolicy
    ecr:DescribeRepositories
    ecr:ListImages
    ecr:DescribeImages
    ecr:BatchGetImage
    ecr:GetLifecyclePolicy
    ecr:GetLifecyclePolicyPreview
    ecr:ListTagsForResource
    ecr:InitiateLayerUpload
    ecr:UploadLayerPart
    ecr:CompleteLayerUpload
    ecr:PutImage
    ecr:TagResource
  Resources:
    arn:aws:ecr:*:*:repository/edge-prod/*
edge-prod-b001-policy-pipeline-level2-project-dev
Effect
Allow
Actions
codepipeline:CreatePipeline
codepipeline:UpdatePipeline
codepipeline:GetPipeline
codepipeline:GetPipelineExecution
codepipeline:GetPipelineState
codepipeline:ListPipelines
codepipeline:ListPipelineExecutions
codepipeline:ListActionTypes
codepipeline:ListTagsForResource
codepipeline:StartPipelineExecution
codepipeline:StopPipelineExecution
codepipeline:RetryStageExecution
codepipeline:TagResource
Resources
arn:aws:codepipeline:*:*:edge-prod-b001-*
Effect
Allow
Actions
codebuild:StartBuild
codebuild:StopBuild
codebuild:BatchGetBuilds
codebuild:ListBuilds
Resources
arn:aws:codebuild:*:*:project/edge-prod-b001-*
Effect
Allow
Actions
logs:GetLogEvents
logs:DescribeLogStreams
Resources
*
Effect
Allow
Actions
sagemaker:CreatePipeline
sagemaker:UpdatePipeline
sagemaker:DescribePipeline
sagemaker:StartPipelineExecution
sagemaker:StopPipelineExecution
sagemaker:DescribePipelineExecution
sagemaker:ListPipelineExecutions
sagemaker:ListPipelineExecutionSteps
Resources
arn:aws:sagemaker:*:*:pipeline/edge-prod-b001-*
IAM Group Inline Policies
assume-roles
Attached to: edge-prod-b001-group-data-scientists
Effect
Allow
Actions
sts:AssumeRole
Resources
!GetAtt AmlEngineerRole.Arn
assume-roles
Attached to: edge-prod-b001-group-data-engineers
Effect
Allow
Actions
sts:AssumeRole
Resources
!GetAtt AdataScientistRole.Arn
assume-roles
Attached to: edge-prod-b001-group-mlops-engineers
Effect
Allow
Actions
sts:AssumeRole
Resources
!GetAtt AmlEngineerRole.Arn
assume-roles
Attached to: edge-prod-b001-group-ml-engineers
Effect
Allow
Actions
sts:AssumeRole
Resources
!GetAtt AdataScientistRole.Arn
assume-roles
Attached to: edge-prod-b001-group-ai-governance
Effect
Allow
Actions
sts:AssumeRole
Resources
!GetAtt ModelApproverRole.Arn
assume-roles
Attached to: edge-prod-b001-group-security-team
Effect
Allow
Actions
sts:AssumeRole
Resources
!GetAtt SecurityAdminRole.Arn
assume-roles
Attached to: edge-prod-b001-group-qa-testing
Effect
Allow
Actions
sts:AssumeRole
Resources
!GetAtt AdataScientistRole.Arn
Role Inline Policies
edge-prod-b001-role-model-approver-inline
Attached to: edge-prod-b001-role-model-approver
Effect
Allow
Actions
sagemaker:UpdateModelPackage
Resources
arn:aws:sagemaker:*:*:model-package/*
edge-prod-b001-role-security-admin-inline
Attached to: edge-prod-b001-role-security-admin
Effect
Allow
Actions
guardduty:CreateDetector
guardduty:UpdateDetector
guardduty:ArchiveFindings
guardduty:UpdateFindings
securityhub:BatchUpdateFindings
securityhub:UpdateFindings
securityhub:EnableSecurityHub
config:PutConfigRule
config:PutConfigurationRecorder
config:StartConfigRulesEvaluation
access-analyzer:CreateAnalyzer
access-analyzer:CreateArchiveRule
access-analyzer:StartResourceScan
Resources
*
deployment_permissions
Attached to: edge-prod-b001-xacct-deployment-role
Effect
Allow
Actions
cloudformation:*
iam:PassRole
Resources
*