AmazonDataZoneEnvironmentRolePermissionsBoundary
Description: Amazon DataZone creates IAM roles for Environments to perform data analytics actions, and uses this policy when creating these roles to define the boundary of their permissions.
AmazonDataZoneEnvironmentRolePermissionsBoundary is an AWS managed policy.
Using this policy
You can attach AmazonDataZoneEnvironmentRolePermissionsBoundary to your users, groups, and roles.
Policy details
-
Type: AWS managed policy
-
Creation time: September 11, 2023, 23:38 UTC
-
Edited time: November 17, 2023, 23:29 UTC
-
ARN:
arn:aws:iam::aws:policy/AmazonDataZoneEnvironmentRolePermissionsBoundary
Policy version
Policy version: v4 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "CreateGlueConnection", "Effect" : "Allow", "Action" : [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource" : [ "arn:aws:ec2:*:*:network-interface/*" ], "Condition" : { "ForAllValues:StringEquals" : { "aws:TagKeys" : [ "aws-glue-service-resource" ] } } }, { "Sid" : "GlueOperations", "Effect" : "Allow", "Action" : [ "glue:*DataQuality*", "glue:BatchCreatePartition", "glue:BatchDeleteConnection", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetWorkflows", "glue:BatchStopJobRun", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteBlueprint", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeleteConnection", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:DeleteWorkflow", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:PutWorkflowRunProperties", "glue:ResetJobBookmark", "glue:ResumeWorkflowRun", "glue:SearchTables", "glue:StartBlueprintRun", "glue:StartCrawler", "glue:StartCrawlerSchedule", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:StopCrawler", "glue:StopCrawlerSchedule", "glue:StopWorkflowRun", "glue:UpdateBlueprint", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateConnection", "glue:UpdateCrawler", "glue:UpdateCrawlerSchedule", "glue:UpdateDatabase", "glue:UpdateJob", "glue:UpdatePartition", "glue:UpdateTable", "glue:UpdateWorkflow" ], "Resource" : "*", "Condition" : { "Null" : { "aws:ResourceTag/AmazonDataZoneEnvironment" : "false" } } }, { "Sid" : "PassRole", "Effect" : "Allow", "Action" : [ "iam:PassRole" ], "Resource" : [ "arn:aws:iam::*:role/datazone*" ], "Condition" : { "StringEquals" : { "iam:PassedToService" : "glue.amazonaws.com" } } }, { "Sid" : "SameAccountKmsOperations", "Effect" : "Allow", "Action" : [ "kms:DescribeKey", "kms:Decrypt", "kms:ListKeys" ], "Resource" : "*", "Condition" : { "StringNotEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "KmsOperationsWithResourceTag", "Effect" : "Allow", "Action" : [ "kms:DescribeKey", "kms:Decrypt", "kms:ListKeys", "kms:Encrypt", "kms:GenerateDataKey", "kms:Verify", "kms:Sign" ], "Resource" : "*", "Condition" : { "Null" : { "aws:ResourceTag/AmazonDataZoneEnvironment" : "false" } } }, { "Sid" : "AnalyticsOperations", "Effect" : "Allow", "Action" : [ "datazone:*", "sqlworkbench:*" ], "Resource" : "*" }, { "Sid" : "QueryOperations", "Effect" : "Allow", "Action" : [ "athena:BatchGetNamedQuery", "athena:BatchGetPreparedStatement", "athena:BatchGetQueryExecution", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryRuntimeStatistics", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ImportNotebook", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:Describe*", "glue:BatchCreatePartition", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetPartition", "glue:BatchGetWorkflows", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:SearchTables", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateDatabase", "glue:UpdatePartition", "glue:UpdateTable", "iam:GetRole", "iam:GetRolePolicy", "iam:ListGroups", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUsers", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:DescribeMetricFilters", "logs:StartQuery", "logs:StopQuery", "logs:GetLogEvents", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:GetLogRecord", "logs:PutLogEvents", "logs:CreateLogStream", "logs:FilterLogEvents", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetResourceLFTags", "lakeformation:ListPermissions", "redshift-data:ListTables", "redshift-data:DescribeTable", "redshift-data:ListSchemas", "redshift-data:ListDatabases", "redshift-data:ExecuteStatement", "redshift-data:GetStatementResult", "redshift-data:DescribeStatement", "redshift:CreateClusterUser", "redshift:DescribeClusters", "redshift:DescribeDataShares", "redshift:GetClusterCredentials", "redshift:GetClusterCredentialsWithIAM", "redshift:JoinGroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:GetCredentials", "secretsmanager:ListSecrets", "tag:GetResources" ], "Resource" : "*" }, { "Sid" : "QueryOperationsWithResourceTag", "Effect" : "Allow", "Action" : [ "athena:GetQueryResultsStream" ], "Resource" : "*", "Condition" : { "Null" : { "aws:ResourceTag/AmazonDataZoneEnvironment" : "false" } } }, { "Sid" : "SecretsManagerOperationsWithTagKeys", "Effect" : "Allow", "Action" : [ "secretsmanager:CreateSecret", "secretsmanager:TagResource" ], "Resource" : "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", "Condition" : { "StringLike" : { "aws:ResourceTag/AmazonDataZoneDomain" : "*", "aws:ResourceTag/AmazonDataZoneProject" : "*" }, "Null" : { "aws:TagKeys" : "false" }, "ForAllValues:StringEquals" : { "aws:TagKeys" : [ "AmazonDataZoneDomain", "AmazonDataZoneProject" ] } } }, { "Sid" : "DataZoneS3Buckets", "Effect" : "Allow", "Action" : [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:PutObject", "s3:PutObjectRetention", "s3:ReplicateObject", "s3:RestoreObject" ], "Resource" : [ "arn:aws:s3:::*/datazone/*" ] }, { "Sid" : "DataZoneS3BucketLocation", "Effect" : "Allow", "Action" : [ "s3:GetBucketLocation" ], "Resource" : "*" }, { "Sid" : "ListDataZoneS3Bucket", "Effect" : "Allow", "Action" : [ "s3:ListBucket" ], "Resource" : [ "*" ], "Condition" : { "StringLike" : { "s3:prefix" : [ "*/datazone/*", "datazone/*" ] } } }, { "Sid" : "NotDeniedOperations", "Effect" : "Deny", "NotAction" : [ "datazone:*", "sqlworkbench:*", "athena:BatchGetNamedQuery", "athena:BatchGetPreparedStatement", "athena:BatchGetQueryExecution", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:GetQueryRuntimeStatistics", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ImportNotebook", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement", "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:DeleteNetworkInterface", "ec2:DeleteTags", "ec2:Describe*", "glue:*DataQuality*", "glue:BatchCreatePartition", "glue:BatchDeleteConnection", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetPartition", "glue:BatchGetWorkflows", "glue:BatchStopJobRun", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteBlueprint", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeleteConnection", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:DeleteWorkflow", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:PutWorkflowRunProperties", "glue:ResetJobBookmark", "glue:ResumeWorkflowRun", "glue:SearchTables", "glue:StartBlueprintRun", "glue:StartCrawler", "glue:StartCrawlerSchedule", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:StopCrawler", "glue:StopCrawlerSchedule", "glue:StopWorkflowRun", "glue:UpdateBlueprint", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateConnection", "glue:UpdateCrawler", "glue:UpdateCrawlerSchedule", "glue:UpdateDatabase", "glue:UpdateJob", "glue:UpdatePartition", "glue:UpdateTable", "glue:UpdateWorkflow", "iam:GetRole", "iam:GetRolePolicy", "iam:List*", "iam:PassRole", "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ListKeys", "kms:Verify", "kms:Sign", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:StartQuery", "logs:StopQuery", "logs:GetLogEvents", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:GetLogRecord", "logs:PutLogEvents", "logs:CreateLogStream", "logs:FilterLogEvents", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetResourceLFTags", "lakeformation:ListPermissions", "redshift-data:ListTables", "redshift-data:DescribeTable", "redshift-data:ListSchemas", "redshift-data:ListDatabases", "redshift-data:ExecuteStatement", "redshift-data:GetStatementResult", "redshift-data:DescribeStatement", "redshift:CreateClusterUser", "redshift:DescribeClusters", "redshift:DescribeDataShares", "redshift:GetClusterCredentials", "redshift:GetClusterCredentialsWithIAM", "redshift:JoinGroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:GetCredentials", "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject", "s3:PutObjectRetention", "s3:ReplicateObject", "s3:RestoreObject", "secretsmanager:CreateSecret", "secretsmanager:ListSecrets", "secretsmanager:TagResource", "tag:GetResources" ], "Resource" : [ "*" ] } ] }
Learn more
