Amazon SageMaker Studio provides a web-based visual interface where different users, such as data scientists, machine learning engineers, and developers, can build, train, debug, deploy, and monitor their ML models. These users rely on access to data in Amazon Simple Storage Service (Amazon S3) for tasks such as extracting data for model training, logging training metrics, and storing model artifacts post-training. For example, data scientists need access to datasets stored in Amazon S3 for tasks like data exploration and model training. ML engineers require access to intermediate model artifacts stored in Amazon S3 from previous training jobs.
Traditionally, access to data in Amazon S3 from SageMaker Studio is granted through the execution roles configured in SageMaker Studio, either at the domain level or at the user profile level. The domain's default execution role is what the SageMaker Studio domain uses to call other AWS services, including Amazon S3. If no user-profile-specific role is configured, every user profile inherits this role, so all users in the domain get the same S3 access. When different users need different restrictions, assigning a separate execution role to each user profile gives finer control: each role's policies define exactly which actions and which S3 locations that profile can use.
Although this approach offers a degree of flexibility, it means that the policies attached to these roles must be edited every time access requirements change, which adds maintenance overhead and makes it easy to accumulate over-broad statements. This is where Amazon S3 Access Grants can simplify the process. S3 Access Grants let you manage access to Amazon S3 data dynamically, without constantly updating AWS Identity and Access Management (IAM) roles. Data owners or permission administrators set permissions, such as read-only, write-only, or read/write access, at bucket, prefix, or object level. Permissions can be granted to IAM principals, or to users and groups from your corporate directory through integration with AWS IAM Identity Center. IAM does not disappear entirely: each registered location is backed by an IAM role that S3 assumes when it vends credentials, and a grantee's own role still needs permission to call the s3:GetDataAccess API. What changes is that the per-prefix, per-user decisions move out of the role policies and into grants that can be listed, audited, and revoked individually.
This article demonstrates how to simplify access to Amazon S3 data from SageMaker Studio using S3 Access Grants, specifically for different users using IAM principals.
Now that we have discussed the benefits of S3 Access Grants, let’s see how grants can be applied with SageMaker Studio user roles and domain roles for granular access control.
Consider a scenario involving a product team with two members: User A and User B. They will use an S3 bucket where the following access requirements are implemented:
– All team members must have access to the folder named Product within the S3 bucket.
– The folder named UserA should be accessible only by User A.
– The folder named UserB should be accessible only by User B.
– User A will run an Amazon SageMaker Processing job that reads its input from the S3 bucket. Rather than relying on the job's execution role having broad S3 permissions, the job calls S3 Access Grants (the GetDataAccess API) and uses the temporary credentials it returns; those credentials are scoped to the prefix covered by the matching grant, so the job can only reach data User A is entitled to.
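The following Python block is an added example (not code from the original article) that turns the four requirements above into S3 Access Grants calls and mirrors the lookup the service performs when the processing job asks for credentials. The account ID, bucket name, location ID and role ARNs are placeholders; the `s3control` argument is any object with the same method names as `boto3.client("s3control")`, so the file runs offline and can be exercised against a real client unchanged. The `matched_grant` function is a local model of how a target such as `s3://bucket/UserA/abalone.csv` is matched against prefix grants; it is not the service's implementation.

```python
"""Model the grant layout for the Product / UserA / UserB scenario and drive the
two S3 Access Grants calls involved: create_access_grant when the bucket is set
up, and get_data_access when a SageMaker Processing job needs credentials.

Added example, not from the original article. Every identifier below is a
placeholder; replace it with values from your account.
"""
from dataclasses import dataclass

ACCOUNT_ID = "111122223333"                                  # placeholder
BUCKET = "amzn-s3-demo-bucket"                               # placeholder
LOCATION_ID = "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"         # placeholder; returned by create_access_grants_location
ROLE_A = "arn:aws:iam::111122223333:role/UserA-ExecutionRole"  # placeholder
ROLE_B = "arn:aws:iam::111122223333:role/UserB-ExecutionRole"  # placeholder


@dataclass(frozen=True)
class Grant:
    grantee_arn: str
    permission: str   # READ | WRITE | READWRITE
    sub_prefix: str   # relative to the registered location, e.g. "Product/*"

    @property
    def target(self) -> str:
        """Full S3 URI the grant covers, assuming the location is the bucket root."""
        return f"s3://{BUCKET}/{self.sub_prefix}"

    def create_params(self) -> dict:
        """Keyword arguments for s3control.create_access_grant."""
        return {
            "AccountId": ACCOUNT_ID,
            "AccessGrantsLocationId": LOCATION_ID,
            "AccessGrantsLocationConfiguration": {"S3SubPrefix": self.sub_prefix},
            "Grantee": {"GranteeType": "IAM", "GranteeIdentifier": self.grantee_arn},
            "Permission": self.permission,
        }


# The scenario's requirements: Product/ is shared, UserA/ and UserB/ are private.
GRANTS = (
    Grant(ROLE_A, "READWRITE", "Product/*"),
    Grant(ROLE_B, "READWRITE", "Product/*"),
    Grant(ROLE_A, "READWRITE", "UserA/*"),
    Grant(ROLE_B, "READWRITE", "UserB/*"),
)


def _covers(grant_target: str, target: str) -> bool:
    """A prefix grant (ending in '/*') covers objects and sub-prefixes beneath it.
    The trailing '/' is kept so that UserA/* does not also cover UserAB/."""
    if grant_target.endswith("/*"):
        base = grant_target[:-1]          # e.g. s3://bucket/UserA/
        return target == grant_target or target.startswith(base)
    return target == grant_target        # object-level grant: exact match only


def _permits(granted: str, requested: str) -> bool:
    """READWRITE satisfies either READ or WRITE; READ or WRITE only satisfy themselves."""
    return granted == "READWRITE" or granted == requested


def matched_grant(grantee_arn: str, permission: str, target: str, grants=GRANTS):
    """Local model of the lookup GetDataAccess performs for the calling identity:
    the first grant whose scope covers `target` and whose permission satisfies
    the request, or None when the request must be denied."""
    for g in grants:
        if (g.grantee_arn == grantee_arn
                and _permits(g.permission, permission)
                and _covers(g.target, target)):
            return g
    return None


def apply_grants(s3control, grants=GRANTS) -> list:
    """Create every grant in the access grants instance; returns their AccessGrantIds."""
    return [s3control.create_access_grant(**g.create_params())["AccessGrantId"]
            for g in grants]


def scoped_credentials(s3control, target: str, permission: str, minimal: bool = True) -> dict:
    """What the processing job does at run time: exchange its own identity for
    temporary credentials limited to `target`. Privilege="Minimal" scopes them to
    the requested target; "Default" scopes them to the whole matched grant."""
    resp = s3control.get_data_access(
        AccountId=ACCOUNT_ID,
        Target=target,
        Permission=permission,
        Privilege="Minimal" if minimal else "Default",
        DurationSeconds=3600,
    )
    return resp["Credentials"]
```

In a real run, `apply_grants(boto3.client("s3control"))` is executed once by the administrator, and the processing job calls `scoped_credentials(...)` and builds its S3 client from the returned `AccessKeyId`, `SecretAccessKey` and `SessionToken`. The job's execution role needs `s3:GetDataAccess` on the access grants instance but no direct `s3:GetObject` on the bucket, which is the point of the design: a request for `s3://bucket/UserB/...` from User A's role finds no matching grant and fails before any S3 data operation is attempted.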
To validate access to the S3 bucket, we use the Abalone dataset. As part of the CloudFormation stack deployment, a Lambda function is invoked to upload the data to Amazon S3. After the Lambda function completes, you should find a copy of abalone.csv in each of the Product, UserA, and UserB folders within the S3 bucket; having the same file in all three prefixes makes it easy to confirm that each user can read the shared and private copies they are entitled to and nothing else.
To avoid future charges, remove the CloudFormation stack. This will delete resources such as the SageMaker Studio domain, the S3 Access Grants instance, and the S3 bucket you created.
In this article, you learned how to control access to Amazon S3 data from SageMaker Studio using S3 Access Grants. Compared with encoding every prefix in IAM role policies, S3 Access Grants give you a more flexible and scalable way to define and maintain access patterns. Grants can be issued not only to IAM principals but directly to users and groups from a corporate directory synchronized with IAM Identity Center. Integrating S3 Access Grants into your AWS environment alongside SageMaker Studio enables efficient collaboration, secure data access, and simplified access management for your team working in SageMaker Studio.
via: MiMub in Spanish