aws / amazon-sagemaker-examples

Example 📓 Jupyter notebooks that demonstrate how to build, train, and deploy machine learning models using 🧠 Amazon SageMaker.
https://sagemaker-examples.readthedocs.io
Apache License 2.0

Restrict Sagemaker Studio Instance Size #1499

Closed himachalbanik40 closed 3 years ago

himachalbanik40 commented 4 years ago

In Jupyter notebooks of SageMaker Studio one can select the instance size on the fly. But what I want for an IAM user is to restrict him to a specific instance type. For example, the user cannot select any other instances except ml.t3.*. So far I have tried by making roles and adding conditions on instance types, but nothing worked. Is there any way we can do this?

seanpmorgan commented 3 years ago

The easiest way to do this would be to limit the IAM SageMakerExecutionRole for a given Studio Domain. Please let us know if this doesn't satisfy your request, and we can re-open this and discuss alternate strategies

manoj1madhavan commented 3 years ago

@seanpmorgan - Sorry for re-opening this thread.

We had a very similar requirement and were trying to limit the access to specific instance types based on the user profiles/roles, rather than having them restricted at the domain level. Is this supported, or should we always enforce the instance types on the Studio Domain Role?

Tried with the createApp and deny, and it works for profiles that have the default App created. For a new user, the launch fails citing createApp permissions, though.

Could find the instance type assigned as "system" when issuing the describe App against the default JupyterServer. I could get everything else working with the below condition, but could not find any documentation on the "system".

Is it advisable to have a condition to permit the createApp for "instance type" of "system"? Would this be an OK approach?


"ForAnyValue:StringNotEqualsIgnoreCase": { "sagemaker:InstanceTypes": "system" }

aldegoeij commented 3 years ago

{
    "Action": [
        "sagemaker:CreateApp"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Deny",
    "Sid": "BlockSagemakerOtherThanT3",
    "Condition": {
        "ForAnyValue:StringNotLike": {
            "sagemaker:InstanceTypes": [
                "ml.t3.medium",
                "ml.t3.xlarge",
                "system",
                "default"
            ]
        }
    }
}

manoj1madhavan commented 3 years ago

Thank you. Yes, I was using the same and it has been working fine so far. Would have been great if there were a way to enforce the Tag on these "APPS"; it would help control access. I was working on a model to track the App run status along with the Tag Name, instead of the user profile it is associated with, to support the Cost/Billing side (for a recharge model).

iliassboutechdat commented 4 months ago

Hello,

I have tried the same approach but I can still create instances bigger than the one I mentioned, any tips?

adv4000 commented 3 months ago

ForAnyValue:StringNotLike

Update ForAnyValue:StringNotEquals to ForAnyValue:StringNotLike
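The thread turns on two details of the Deny statement above: `ForAnyValue` semantics on the multi-valued `sagemaker:InstanceTypes` key (the deny must fire when any requested type falls outside the allowed set, while the default JupyterServer app, which reports its type as "system", must still pass), and `StringNotLike` versus `StringNotEquals` (only the `Like` operators expand `*` and `?`, so a wildcard pattern such as `ml.t3.*` from the original question only works with `StringNotLike`). The following offline simulator, an added example that is not part of the issue or of the aws/amazon-sagemaker-examples project and not AWS's real policy evaluator, reproduces those semantics so a policy can be sanity-checked before it is attached to a role. `ALLOWED_PATTERNS`, `deny_fires` and `build_deny_statement` are names chosen here; the sample request values are constructed.

```python
"""Offline simulator for a Deny statement on sagemaker:CreateApp conditioned on
ForAnyValue:<StringNotLike|StringNotEquals> over sagemaker:InstanceTypes.

Constructed example; mirrors documented IAM condition semantics but is not AWS code.
"""
import json
import re
from typing import Dict, Iterable, List

# Allowed set from the original question (ml.t3.*) plus the two values the
# thread found necessary for Studio's default apps ("system", "default").
ALLOWED_PATTERNS: List[str] = ["ml.t3.*", "system", "default"]


def string_like(value: str, pattern: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one.
    Case-sensitive, no other wildcard syntax."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def string_equals(value: str, pattern: str) -> bool:
    """IAM StringEquals: exact comparison, '*' is a literal character."""
    return value == pattern


def deny_fires(requested_types: Iterable[str],
               allowed: Iterable[str] = ALLOWED_PATTERNS,
               operator: str = "StringNotLike") -> bool:
    """Return True when the Deny statement applies to a CreateApp request.

    ForAnyValue:<NotOp>: the condition is true if at least one request value
    matches none of the policy values. When the key is absent/empty,
    ForAnyValue evaluates to false (documented IAM set-operator behaviour),
    so the statement does not deny such a request.
    """
    requested = list(requested_types)
    if not requested:
        return False
    if operator == "StringNotLike":
        match = string_like
    elif operator == "StringNotEquals":
        match = string_equals
    else:
        raise ValueError(f"unsupported operator: {operator}")
    allowed = list(allowed)
    return any(not any(match(v, p) for p in allowed) for v in requested)


def build_deny_statement(allowed: Iterable[str],
                         operator: str = "StringNotLike") -> Dict:
    """Render the statement from the thread for a given allowed set."""
    return {
        "Sid": "BlockSagemakerOtherThanT3",
        "Effect": "Deny",
        "Action": ["sagemaker:CreateApp"],
        "Resource": ["*"],
        "Condition": {
            f"ForAnyValue:{operator}": {"sagemaker:InstanceTypes": list(allowed)}
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_deny_statement(ALLOWED_PATTERNS), indent=2))
    # Constructed requests: what the deny statement does to each.
    for req in (["ml.t3.medium"], ["system"], ["ml.m5.4xlarge"],
                ["ml.t3.medium", "ml.g4dn.xlarge"], []):
        print(req, "-> Deny" if deny_fires(req) else "-> not denied by this statement")
    # Same allowed set, StringNotEquals: the wildcard is not expanded, so even
    # ml.t3.medium is denied. This is the operator change adv4000 points at.
    print("StringNotEquals on ml.t3.medium:",
          deny_fires(["ml.t3.medium"], operator="StringNotEquals"))
```

Note that with the explicit names in aldegoeij's statement (`ml.t3.medium`, `ml.t3.xlarge`) both operators behave identically; the difference only shows once a wildcard pattern is used. A Deny that does not fire is not an Allow: the role still needs a separate Allow for `sagemaker:CreateApp` (and, for new profiles, the permissions to create the default app) or the launch fails as manoj1madhavan describes.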