Amazon SageMaker JumpStart solutions are a feature within Amazon SageMaker Studio that provides a simple click-through experience for setting up your own machine learning (ML) workflows. When you launch a solution, various AWS resources are set up in your account to demonstrate how the business problem can be solved using the pre-built architecture. The solutions use AWS CloudFormation templates for quick deployment, which means the resources are fully customizable. As of today, there are up to 18 end-to-end solutions that cover different aspects of real-world business problems, such as demand forecasting, product defect detection, and document understanding.
Starting today, we’re excited to announce that JumpStart solutions now support passing custom AWS Identity and Access Management (IAM) roles into services. This new feature enables you to take advantage of the rich security features offered by SageMaker and IAM.
In this post, we show you how to configure your SageMaker solution’s advanced parameters, and how this can benefit you when you use the pre-built solutions to start your ML journey.
To allow JumpStart to create the AWS resources for you, IAM roles with Amazon managed policies attached are auto-created in your account. For the services created by JumpStart to be able to interact with each other, an IAM role needs to be passed into each service so that it has the necessary permissions to call other services.
With the new Advanced Parameters option, you can select Default Roles, Find Roles, or Input Roles when you launch a solution. This means each service uses its own IAM role with a dedicated IAM policy attached, and each role is fully customizable. This allows you to follow the least-privilege permissions principle, so that only the permissions required to perform a task are granted.
The policies attached to the default roles contain the least amount of permissions needed for the solution. In addition to the default roles, you can also select from a drop-down list, or input your own roles with the custom permissions you want to grant. This can greatly benefit you if you want to expand on the existing solution and perform even more tasks with these pre-built AWS services.
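Before supplying a custom role through Input Roles, it helps to check that the role can be assumed only by the service it is meant for and that its policy has no wildcard grants. The following is an added example, not code from AWS or from the JumpStart solutions; the function name `audit_role`, the service principal, and the ARNs in the sample documents are assumptions constructed for illustration.

```python
def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_role(trust_policy, permission_policy, expected_service):
    """Return least-privilege findings for one role (empty list means none found)."""
    findings, trusted = [], False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for "anyone"
            principal = {"*": "*"}
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind == "Service" and p == expected_service:
                    trusted = True
                else:
                    findings.append(f"trust: unexpected principal {kind}:{p}")
    if not trusted:
        findings.append(f"trust: {expected_service} cannot assume this role")
    for stmt in _as_list(permission_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append("permissions: Allow with NotAction")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"permissions: wildcard action {a}")
        if "iam:passrole" in actions and "*" in _as_list(stmt.get("Resource")):
            findings.append("permissions: iam:PassRole on Resource *")
    return findings

# Constructed sample documents (assumptions, not taken from a real solution).
TRUST_OK = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": "lambda.amazonaws.com"}}]}
PERMS_OK = {"Statement": [{"Effect": "Allow", "Action": "sagemaker:InvokeEndpoint",
    "Resource": "arn:aws:sagemaker:us-east-1:111122223333:endpoint/example-endpoint"}]}
TRUST_BROAD = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "lambda.amazonaws.com", "AWS": "*"}}]}
PERMS_BROAD = {"Statement": [{"Effect": "Allow", "Resource": "*",
                              "Action": ["s3:*", "iam:PassRole"]}]}

if __name__ == "__main__":
    for finding in audit_role(TRUST_BROAD, PERMS_BROAD, "lambda.amazonaws.com"):
        print(finding)
```

The check is deliberately conservative: it reads only the policy documents you give it and does not evaluate conditions, permission boundaries, or other policies attached to the same role.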
Before you use this feature, make sure you have the latest SageMaker domain enabled. You can create a new SageMaker domain if you haven’t done so, or update your SageMaker domain to create the default roles required for JumpStart solutions. Then complete the following steps:
The roles are passed into each service and grant each service permission to interact with other services. The CloudFormation template deploys these services in your account. You can then explore the ML solution for the business problem. Keep in mind that each service now has precisely the permissions you granted it when you configured the advanced parameters. This gives you a fully controlled and secured environment when using JumpStart solutions.
Today, we announced support for configuring IAM roles when you launch a JumpStart solution. We also showed you how to configure the Advanced Parameters options before launching a solution.
Try out any JumpStart solution on Studio with this new feature enabled. If you have any questions or feedback regarding JumpStart solutions, please speak to your AWS support contact or post a message in the Amazon SageMaker discussion forums.
Haotian An is a Software Development Engineer at Amazon SageMaker JumpStart. He focuses on building tools and products to make machine learning easier to access for customers.
Manan Shah is a Software Development Manager at Amazon Web Services. He is an ML enthusiast and focuses on building no-code/low-code AI/ML products. He thrives on empowering other talented, technical people to build great software.