-
SageMaker access seems to be blocked with the reference service control policies. I wish to understand if there exists a recommended method to provide SageMaker access under ASEA. After consultation with an AWS support engineer, my understanding is neither the sandbox, sensitive nor unclass SCPs white-list SageMaker and this blocks access. The support engineer suggested SCP modifications such as below to make SageMaker accessible. Is it possible to get confirmation this is recommended by the ASEA team?

Add SageMaker to whitelist:
Create role that bypasses GLB1 denials:
Replies: 3 comments 1 reply
-
The allow-list is to enable the use of GLOBAL services. SageMaker is not blocked in the ASEA home region (i.e. ca-central-1), and there is likely another reason you are having trouble - i.e. not using an encrypted EBS volume on the SageMaker instances.
-
BTW: if you want you can get the support engineer to ping me internally (bmycroft).
-
To add some additional context to the solution in case others experience the same challenge as you - AWS Policy Simulator does not support global condition keys, which are used in these SCPs and therefore it incorrectly reports that SageMaker was blocked. Unfortunately, Policy Simulator cannot be used to validate the effectiveness of these SCPs. I know this is a nuance that, while documented, is not obvious to many customers. Sorry for the inconvenience.
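The false Deny described in the Policy Simulator comment above can be reproduced with a small evaluator. This is an added example, not code from the thread or from ASEA: the SCP statement is a constructed sample, and modelling the simulator as a request context with no `aws:RequestedRegion` value is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed SCP statement in the style the thread describes (deny outside the
# home region, except an allow-list of global services). Not the ASEA policy.
SAMPLE_STATEMENT = {
    "Sid": "SampleGLB1",
    "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "route53:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ca-central-1"]}},
}

def action_matches(patterns, action):
    """IAM action names are case-insensitive and may use * wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def condition_holds(condition, context):
    for operator, keys in condition.items():
        for key, values in keys.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in values
            elif operator == "StringNotEquals":
                # Negated operators evaluate to true when the key is absent.
                ok = actual is None or actual not in values
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def scp_denies(statement, action, context):
    """True when a Deny statement applies to this action and request context."""
    if statement["Effect"] != "Deny":
        return False
    if "NotAction" in statement:
        in_scope = not action_matches(statement["NotAction"], action)
    else:
        in_scope = action_matches(statement.get("Action", []), action)
    return in_scope and condition_holds(statement.get("Condition", {}), context)

def evaluate_cases(statement=SAMPLE_STATEMENT):
    action = "sagemaker:CreateNotebookInstance"
    return {
        "home_region": scp_denies(statement, action, {"aws:RequestedRegion": "ca-central-1"}),
        "other_region": scp_denies(statement, action, {"aws:RequestedRegion": "us-east-1"}),
        "region_key_absent": scp_denies(statement, action, {}),  # key never supplied
        "global_service": scp_denies(statement, "iam:ListRoles", {"aws:RequestedRegion": "us-east-1"}),
    }
```

The `region_key_absent` case is denied even though the same action in the home region is not, which is why a real API call in ca-central-1 is the reliable check for these SCPs.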