How do I prevent an IAM user or role from setting up Amazon SageMaker Canvas?

2 minute read

I want to prevent AWS Identify and Access Management (IAM) users and AWS IAM Identity Center (successor to AWS Single Sign-On) users from setting up Amazon SageMaker Canvas.

Resolution

To prevent an IAM user or role from setting up the SageMaker Canvas app, first create an IAM policy to deny the required permissions. Then, attach this policy to the SageMaker execution role.

Do the following:

1. Open the IAM console.

2. In the navigation pane, choose Policies.

3. Choose Create policy, and then choose the JSON tab.

4. Copy and paste the following IAM policy in the policy editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSageMakerCreateAppOperations",
      "Effect": "Allow",
      "Action": "sagemaker:CreateApp",
      "Resource": "*"
    },
    {
      "Sid": "DenySageMakerCanvasCreateApp",
      "Effect": "Deny",
      "Action": "sagemaker:CreateApp",
      "Resource": "arn:aws:sagemaker:example-region:1111222233334444:app/example-domain/example-user-name/canvas/*"
    }
  ]
}

Be sure to replace the following in the policy:

example-region with the Region of your choice
1111222233334444 with your account ID.
example-domain with your SageMaker Studio domain ID.
example-user-name with your SageMaker Studio user profile name.

5. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Review policy.

6. Choose Next: Tags.

7. On the Review policy page, enter a Name and a Description (optional) for the policy that you're creating. Review the policy Summary, and then choose Create policy to save your work.

8. In the list of policies displayed, choose the policy that you created.

9. Choose the Policy usage tab, and then choose Attach.

10. From the list of IAM users and roles that appears, select the SageMaker execution role for the Studio user.

11. Choose Attach policy.

If you try to set up the SageMaker Canvas app after completing the preceding steps, you get the following error:

SageMaker is unable to use your associated ExecutionRole [<SageMaker Studio User Execution Role>] to create app. Verify that your associated ExecutionRole has permission for 'sagemaker:CreateApp'.

Related information

Amazon SageMaker Canvas

Topics

Machine Learning & AI

Relevant content

Exporting Model from Sagemaker Canvas to Sagemaker studio
Fahad-Hassan
asked a year ago
Help setting up IAM Roles Anywhere
Accepted Answer
virshu
asked 2 years ago
SageMaker Canvas connect Redshift failed
Accepted Answer
AWS-User-8556114
asked 2 years ago
Timeseries Model not getting imported from SageMaker Canvas to SageMaker Studio
Aamna Mohsin
asked a year ago
SageMaker Canvas Integration
AWS-User-0952941
asked 2 years ago
How do I check what role my Amazon SageMaker Studio user uses, and how do I change this role?
AWS OFFICIALUpdated 5 months ago
How do I assign an existing IAM role to an EC2 instance?
AWS OFFICIALUpdated a year ago
How can I prevent IAM policies from allowing a user or role to access a KMS key in AWS KMS?
AWS OFFICIALUpdated a year ago
How do I provide IAM users with a link to assume an IAM role?
AWS OFFICIALUpdated 2 years ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago