Limiting instances types on aws sagemaker via iam policy

Question

I am trying to limit sagemker studio from launching anything that is 48xl, 32xl, or 24xl

here is the IAM policy but not sure why its not working,

        {
        "Action": [
            "sagemaker:CreateApp"
        ],
        "Resource": [
            "*"
        ],
        "Effect": "Deny",
        "Sid": "BlockSagemaker",
        "Condition": {
            "ForAnyValue:StringLike": {
                "sagemaker:InstanceTypes": [
                    "*.*.48xlarge",
                    "*.*.32xlarge",
                    "*.*.24xlarge",
                    "system",
                    "default"
                ]
            }
        }
    }

"not sure why its not working," - so why not to use it it and check if its working or not? — Marcin, Jun 08 '23 at 00:18

score 0 · Answer 1 · answered Jun 18 '23 at 10:34

Testing out the policy should help, but without "system", "default".

Here is a sample that worked for me, it restricts use of any instance except ml.t3.medium and ml.t3.xlarge

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "sagemaker:CreateApp",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringNotLike": {
                    "sagemaker:InstanceTypes": [
                        "ml.t3.medium",
                        "default",
                        "system",
                        "ml.t3.xlarge"
                    ]
                }
            }
        }
    ]
}

You can use the following, it should restrict starting of any instance of 24xl, 32xl or 48xl to back you sagemaker notebook.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "sagemaker:CreateApp",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "sagemaker:InstanceTypes": [
                        "*.*.48xlarge",
                        "*.*.32xlarge",
                        "*.*.24xlarge"
                    ]
                }
            }
        }
    ]
}

Reference:

Limiting instances types on aws sagemaker via iam policy

1 Answers1