
Amazon SageMaker Solution for explaining credit decisions.
Apache License 2.0

User isn't allowed to create CloudFormation Stack #4

Open thomelane opened 4 years ago

thomelane commented 4 years ago

The user needs permission to create and delete the stack and every resource it provisions.

Using IAM, the following policy can be defined and then attached to the user. It is minimal in terms of actions, but open in terms of resources: every statement uses `"Resource": "*"`, so the IAM statement in particular (`iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`) applies to any role in the account rather than only the roles this stack creates, and should be scoped to the stack's role ARNs before wider use.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:CreateRepository",
                "ecr:DeleteRepository"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateWorkflow",
                "glue:CreateTrigger",
                "glue:CreateJob",
                "glue:CreateDatabase",
                "glue:CreateCrawler",
                "glue:CreateClassifier",
                "glue:DeleteWorkflow",
                "glue:DeleteTrigger",
                "glue:DeleteJob",
                "glue:DeleteDatabase",
                "glue:DeleteCrawler",
                "glue:DeleteClassifier"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PutRolePolicy",
                "iam:DetachRolePolicy",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:AttachRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:DeleteFunction",
                "lambda:CreateFunction"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketEncryption",
                "s3:CreateBucket"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:StopNotebookInstance",
                "sagemaker:DeleteNotebookInstance",
                "sagemaker:CreateNotebookInstanceLifecycleConfig",
                "sagemaker:CreateNotebookInstance"
            ],
            "Resource": "*"
        }
    ]
}