# Limiting Access for a Training Job

This guide shows how to create a secure, time-bound IAM policy for a model training job. The policy grants fine-grained access to specific buckets used during training—ensuring isolation between jobs and minimizing potential impact in case of a credential leak.

## Use Case

This example demonstrates how to:

* Grant **read-only access** to a specific training dataset.
* Grant **read-only access** to a shared base model collection.
* Grant **write-only access** to a destination bucket for finetuned models.
* Restrict access to a **specific time window** and/or **IP address**, ensuring the job can only run under controlled conditions.

If the access key is compromised, the blast radius is minimal:

* Only one dataset and the base model collection are readable (but not writable).
* The only write target is the dedicated finetuned model bucket.
* Other datasets and model jobs remain protected.

## Example Policy: Dataset Read, Model Output Write, Time + IP Restricted

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WikipediaReadOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::acmeco-training-datasets-wikipedia-2025-07-01",
        "arn:aws:s3:::acmeco-training-datasets-wikipedia-2025-07-01/*"
      ]
    },
    {
      "Sid": "BaseModelsReadOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::acmeco-base-models",
        "arn:aws:s3:::acmeco-base-models/*"
      ]
    },
    {
      "Sid": "FinetunedModelsWrite",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:CompleteMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::acmeco-finetuned-models",
        "arn:aws:s3:::acmeco-finetuned-models/*"
      ],
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2025-07-16T01:00:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "2025-07-16T04:00:00Z"
        },
        "IpAddress": {
          "aws:SourceIp": "203.0.113.42/32"
        }
      }
    }
  ]
}
```

This policy allows the training job to:

* Read input data and models
* Write its finetuned results
* Only during a 3-hour window
* Only from a specific machine or IP block
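To check what the policy above actually permits before handing a key to a job, here is a small evaluator (an added example, not part of this guide) that models only the constructs the policy uses: `Allow` statements, `*` wildcards in actions and resources, and the `DateGreaterThan`, `DateLessThan` and `IpAddress` operators with default deny. The bucket names, time window and IP are copied from the policy; the object keys used in the requests are constructed, and `unconditional_sids` lists the statements the time/IP `Condition` is not attached to, so you can see which part of the job the bound covers.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone
# Constructed copy of the guide's policy (bucket names, window and IP as on the
# page); BaseModelsReadOnly is left out because it mirrors WikipediaReadOnly.
POLICY = {"Statement": [
    {"Sid": "WikipediaReadOnly", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::acmeco-training-datasets-wikipedia-2025-07-01",
                  "arn:aws:s3:::acmeco-training-datasets-wikipedia-2025-07-01/*"]},
    {"Sid": "FinetunedModelsWrite", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl",
                "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                "s3:CompleteMultipartUpload"],
     "Resource": ["arn:aws:s3:::acmeco-finetuned-models",
                  "arn:aws:s3:::acmeco-finetuned-models/*"],
     "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2025-07-16T01:00:00Z"},
                   "DateLessThan": {"aws:CurrentTime": "2025-07-16T04:00:00Z"},
                   "IpAddress": {"aws:SourceIp": "203.0.113.42/32"}}}]}

def _ts(s):
    # ISO 8601 in UTC, the form the policy uses (e.g. 2025-07-16T01:00:00Z)
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Only the three operators the policy uses are modelled; others raise KeyError.
OPERATORS = {
    "DateGreaterThan": lambda have, want: have > _ts(want),
    "DateLessThan": lambda have, want: have < _ts(want),
    "IpAddress": lambda have, want: have in ipaddress.ip_network(want),
}

def _condition_met(cond, ctx):
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    return all(OPERATORS[op](ctx[key], want)
               for op, pairs in cond.items() for key, want in pairs.items())

def is_allowed(policy, action, resource, when, source_ip):
    """Default deny: an Allow statement must match action and resource (IAM-style
    * wildcards) and have its Condition satisfied. Explicit Deny is not modelled."""
    ctx = {"aws:CurrentTime": _ts(when), "aws:SourceIp": ipaddress.ip_address(source_ip)}
    return any(
        st["Effect"] == "Allow"
        and any(fnmatch.fnmatchcase(action, a) for a in st["Action"])
        and any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"])
        and _condition_met(st.get("Condition", {}), ctx)
        for st in policy["Statement"])

def unconditional_sids(policy):
    """Statements with no Condition, i.e. not covered by the time/IP bound."""
    return [st["Sid"] for st in policy["Statement"] if "Condition" not in st]
```

Running the same request at the window's start instant, one second before its end, and from a different address shows that both date operators are strict and that the `/32` admits exactly one host.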

## Explanation

| Field         | Description                                                               |
| ------------- | ------------------------------------------------------------------------- |
| `Action`      | Read-only for datasets, write-only for output bucket.                     |
| `Resource`    | Limits access to only the buckets involved in this specific training job. |
| `Condition`   | Applies both a time window and IP address restriction.                    |
| `Time Format` | ISO 8601 in UTC (e.g., `2025-07-16T01:00:00Z`).                           |
| `IpAddress`   | Limits access to your job runner, GPU node, or secure NAT address.        |

## Next Steps

* **Rotate the key** once the job is complete.
* **Use a scheduler** to dynamically apply time- and IP-based conditions per job.
