

# Identity and access management in AWS Data Exchange
<a name="auth-access"></a>

To perform any operation in AWS Data Exchange, such as creating an import job using an AWS SDK or subscribing to a product in the AWS Data Exchange console, you must first authenticate to AWS Identity and Access Management (IAM) as an approved AWS identity. For example, if you're using the AWS Data Exchange console, you authenticate your identity by providing your AWS sign-in credentials.

After you authenticate your identity, IAM controls your access to AWS with a defined set of permissions on a set of operations and resources. If you're an account administrator, you can use IAM to control the access of other users to the resources that are associated with your account.

**Topics**
+ [Authentication](#authentication)
+ [Access control](access-control.md)
+ [AWS Data Exchange API permissions: actions and resources reference](api-permissions-ref.md)
+ [AWS managed policies for AWS Data Exchange](security-iam-awsmanpol.md)

## Authentication
<a name="authentication"></a>

You can access AWS with any of the following types of identities:
+ **AWS account root user** – When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 
+ **User** – A [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) is an identity in your AWS account that has specific custom permissions. You can use your IAM credentials to sign in to secure AWS webpages like the AWS Management Console or the AWS Support Center.
+ **IAM role** – An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. Roles with temporary credentials are useful in the following situations:
  + **Federated user access** – Instead of creating a user, you can use existing identities from Directory Service, your enterprise user directory, or a web identity provider. These are known as *federated users*. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see [Federated Users and Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html#intro-access-roles).
  + **AWS service access** – A service role is an IAM role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions that are required for the service to access the AWS resources that it needs. Service roles vary from service to service, but many allow you to choose your permissions as long as you meet the documented requirements for that service. Service roles provide access only within your account and cannot be used to grant access to services in other accounts. You can create, modify, and delete a service role from within IAM. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data from that bucket into an Amazon Redshift cluster. For more information, see [Creating a Role to Delegate Permissions to an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).
  + **Applications running on Amazon EC2** – You can use an IAM role to manage temporary credentials for applications that are running on an Amazon EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys in the Amazon EC2 instance. To assign an AWS role to an Amazon EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the Amazon EC2 instance to get temporary credentials. For more information, see [Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html).

# Access control
<a name="access-control"></a>

To create, update, delete, or list AWS Data Exchange resources, you need permissions to perform the operation and to access the corresponding resources. To perform the operation programmatically, you also need valid access keys.

## Overview of managing access permissions to your AWS Data Exchange resources
<a name="access-control-overview"></a>

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to users, groups, and roles. Some services (such as AWS Lambda) also support attaching permissions policies to resources. 

**Note**  
An *account administrator* (or administrator) is a user with administrator privileges. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

**Topics**
+ [AWS Data Exchange resources and operations](#access-control-resources)
+ [Understanding resource ownership](#access-control-owner)
+ [Managing access to resources](#access-control-manage-access-intro)
+ [Specifying policy elements: actions, effects, and principals](#access-control-specify-control-tower-actions)
+ [Specifying conditions in a policy](#specifying-conditions)

### AWS Data Exchange resources and operations
<a name="access-control-resources"></a>

In AWS Data Exchange, there are two different kinds of primary resources with different control planes:
+ The primary resources for AWS Data Exchange are *data sets* and *jobs*. AWS Data Exchange also supports *revisions* and *assets*.
+ To facilitate transactions between providers and subscribers, AWS Data Exchange also uses AWS Marketplace concepts and resources, including products, offers, and subscriptions. You can use the AWS Marketplace Catalog API or the AWS Data Exchange console to manage your products, offers, subscription requests, and subscriptions.

### Understanding resource ownership
<a name="access-control-owner"></a>

The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the [principal entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) (that is, the AWS account root user, a user, or a role) that authenticates the resource creation request. The following examples illustrate how this works.

#### Resource ownership
<a name="resource-ownership"></a>

Any IAM entity in an AWS account with the correct permissions can create AWS Data Exchange data sets. When an IAM entity creates a data set, their AWS account owns the data set. Published data products can contain data sets that are owned only by the AWS account that created them.

To subscribe to an AWS Data Exchange product, the IAM entity needs permissions to use AWS Data Exchange, in addition to the `aws-marketplace:Subscribe`, `aws-marketplace:CreateAgreementRequest`, and `aws-marketplace:AcceptAgreementRequest` IAM permissions for AWS Marketplace (assuming they pass any related subscription verifications). As a subscriber, your account has read access to entitled data sets, but it does not own them. Any copies of entitled data that you export to Amazon S3 are owned by the subscriber's AWS account.

### Managing access to resources
<a name="access-control-manage-access-intro"></a>

This section discusses using IAM in the context of AWS Data Exchange. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [AWS Identity and Access Management Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

A *permissions policy* describes who has access to what. The following section explains the options for creating permissions policies.

Policies attached to an IAM identity are referred to as *identity-based* policies (IAM policies). Policies attached to a resource are referred to as *resource-based* policies. AWS Data Exchange supports only identity-based policies (IAM policies). 

**Topics**
+ [Identity-based policies and permissions](#access-control-manage-access-intro-iam-policies)
+ [Resource-based policies](#access-control-manage-access-intro-resource-policies)

#### Identity-based policies and permissions
<a name="access-control-manage-access-intro-iam-policies"></a>

AWS Data Exchange provides a set of managed policies. For more information about them and their permissions, see [AWS managed policies for AWS Data Exchange](security-iam-awsmanpol.md). 

##### Amazon S3 permissions
<a name="additional-s3-permissions"></a>

When importing assets from Amazon S3 to AWS Data Exchange, you need permissions to write to the AWS Data Exchange service S3 buckets. Similarly, when exporting assets from AWS Data Exchange to Amazon S3, you need permissions to read from the AWS Data Exchange service S3 buckets. These permissions are included in the managed policies mentioned previously, but you can also create your own policy to allow just what you want your users to be able to do. You can scope these permissions to buckets whose name contains `aws-data-exchange` and use the [`aws:CalledVia`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-calledvia) condition key to restrict their use to requests that AWS Data Exchange makes on behalf of the principal.

For example, you could create a policy to allow importing and exporting to AWS Data Exchange that includes these permissions.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*aws-data-exchange*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "dataexchange.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::*aws-data-exchange*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "dataexchange.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

These permissions allow providers and subscribers to import and export with AWS Data Exchange. The policy includes the following permissions and restrictions:
+ **s3:PutObject** and **s3:PutObjectAcl** – These permissions are restricted to S3 ARNs that contain `aws-data-exchange`. They allow providers to write to AWS Data Exchange service buckets when importing from Amazon S3.
+ **s3:GetObject** – This permission is restricted to S3 ARNs that contain `aws-data-exchange`. It allows subscribers to read from AWS Data Exchange service buckets when exporting from AWS Data Exchange to Amazon S3.
+ All three permissions are further restricted with the IAM `aws:CalledVia` condition to requests made through AWS Data Exchange, so they can be used only in the context of the AWS Data Exchange console or API. This condition matters: an IAM resource wildcard is matched against the entire ARN, so `arn:aws:s3:::*aws-data-exchange*` also matches object ARNs whose key contains that string, in any bucket. Without the `aws:CalledVia` condition, the grant would be wider than the bucket-name restriction suggests.
+ **AWS Lake Formation and AWS Resource Access Manager (AWS RAM)** – To use AWS Lake Formation data sets, you need to accept the AWS RAM share invitation for each new provider that you have a subscription with. To accept the AWS RAM share invitation, you need to assume a role that has permission to accept an AWS RAM share invitation. To learn more about the AWS managed policies for AWS RAM, see [Managed policies for AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/security-iam-managed-policies.html).
+ To create AWS Lake Formation data sets, create the data set with an assumed role that is allowed to pass a role to AWS Data Exchange. This lets AWS Data Exchange grant and revoke permissions on Lake Formation resources on your behalf. The following example policy permits `iam:PassRole` only when the role is passed to the AWS Data Exchange service. In production, replace `"Resource": "*"` with the ARN of the specific role that AWS Data Exchange should receive.

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": "iam:PassRole",
              "Resource": "*",
              "Condition": {
                  "StringEquals": {
                      "iam:PassedToService": "dataexchange.amazonaws.com"
                  }
              }
          }
      ]
  }
  ```

**Note**  
Your users might also need additional permissions to read from or write to your own S3 buckets and objects, which this example does not cover.

For more information about users, groups, roles, and permissions, see [Identities (Users, Groups, and Roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

#### Resource-based policies
<a name="access-control-manage-access-intro-resource-policies"></a>

AWS Data Exchange does not support resource-based policies.

Other services, such as Amazon S3, do support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket.

### Specifying policy elements: actions, effects, and principals
<a name="access-control-specify-control-tower-actions"></a>

To use AWS Data Exchange, your user permissions must be defined in an IAM policy.

The following are the most basic policy elements:
+ **Resource** – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. All AWS Data Exchange API operations support resource level permissions (RLP), but AWS Marketplace actions don't support RLP. For more information, see [AWS Data Exchange resources and operations](#access-control-resources).
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny.
+ **Effect** – You specify the effect (allow or deny) when the user requests the specific action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). AWS Data Exchange doesn't support resource-based policies.

For more information about IAM policy syntax and descriptions, see [AWS Identity and Access Management Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

### Specifying conditions in a policy
<a name="specifying-conditions"></a>

When you grant permissions, you can use the IAM policy language to specify the conditions when a policy should take effect. With AWS Data Exchange, the `CreateJob`, `StartJob`, `GetJob`, and `CancelJob` API operations support conditional permissions. You can provide permissions at the `JobType` level.


**AWS Data Exchange condition key reference**  

| Condition key | Description | Type | 
| --- | --- | --- | 
| `"dataexchange:JobType":"IMPORT_ASSETS_FROM_S3"` | Scopes permissions to jobs that import assets from Amazon S3. | String | 
| `"dataexchange:JobType":"IMPORT_ASSETS_FROM_LAKE_FORMATION_TAG_POLICY"` (Preview) | Scopes permissions to jobs that import assets from AWS Lake Formation (Preview). | String | 
| `"dataexchange:JobType":"IMPORT_ASSET_FROM_SIGNED_URL"` | Scopes permissions to jobs that import assets from a signed URL. | String | 
| `"dataexchange:JobType":"IMPORT_ASSETS_FROM_REDSHIFT_DATA_SHARES"` | Scopes permissions to jobs that import assets from Amazon Redshift. | String | 
| `"dataexchange:JobType":"IMPORT_ASSET_FROM_API_GATEWAY_API"` | Scopes permissions to jobs that import assets from Amazon API Gateway. | String | 
| `"dataexchange:JobType":"EXPORT_ASSETS_TO_S3"` | Scopes permissions to jobs that export assets to Amazon S3. | String | 
| `"dataexchange:JobType":"EXPORT_ASSET_TO_SIGNED_URL"` | Scopes permissions to jobs that export assets to a signed URL. | String | 
| `"dataexchange:JobType":"EXPORT_REVISIONS_TO_S3"` | Scopes permissions to jobs that export revisions to Amazon S3. | String | 

For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition) in the *IAM User Guide*. 

To express conditions, you use predefined condition keys. AWS Data Exchange provides the `dataexchange:JobType` condition key for its job API operations, and you can also use the AWS global condition context keys where appropriate. For a complete list of AWS global keys, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).

# AWS Data Exchange API permissions: actions and resources reference
<a name="api-permissions-ref"></a>

Use the following table as a reference when you are setting up [Access control](access-control.md) and writing a permissions policy that you can attach to an AWS Identity and Access Management (IAM) identity (identity-based policies). The table lists each AWS Data Exchange API operation, the actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's `Action` field. You specify the resource value in the policy's `Resource` field. 

**Note**  
To specify an action, use the `dataexchange:` prefix followed by the API operation name (for example, `dataexchange:CreateDataSet`).


**AWS Data Exchange API and required permissions for actions**  

| AWS Data Exchange API operations | Required permissions (API actions) | Resources | Conditions | 
| --- | --- | --- | --- | 
| CreateDataSet | dataexchange:CreateDataSet | N/A |  `aws:TagKeys` `aws:RequestTag`  | 
| GetDataSet | dataexchange:GetDataSet | Data set |  aws:RequestTag | 
| UpdateDataSet | dataexchange:UpdateDataSet | Data set |  aws:RequestTag | 
| PublishDataSet | dataexchange:PublishDataSet | Data set |  aws:RequestTag | 
| DeleteDataSet | dataexchange:DeleteDataSet | Data set | aws:RequestTag | 
| ListDataSets | dataexchange:ListDataSets | N/A | N/A | 
| CreateRevision | dataexchange:CreateRevision | Data set |  `aws:TagKeys` `aws:RequestTag`  | 
| GetRevision | dataexchange:GetRevision |  Revision  | aws:RequestTag | 
| DeleteRevision | dataexchange:DeleteRevision |  Revision  | aws:RequestTag | 
| ListDataSetRevisions | dataexchange:ListDataSetRevisions | Data set | aws:RequestTag | 
| ListRevisionAssets | dataexchange:ListRevisionAssets |  Revision  | aws:RequestTag | 
| CreateEventAction | dataexchange:CreateEventAction | N/A | N/A | 
| UpdateEventAction | dataexchange:UpdateEventAction |  EventAction  | N/A | 
| GetEventAction | dataexchange:GetEventAction |  EventAction  | N/A | 
| ListEventActions | dataexchange:ListEventActions | N/A | N/A | 
| DeleteEventAction | dataexchange:DeleteEventAction |  EventAction  | N/A | 
| CreateJob | dataexchange:CreateJob | N/A | dataexchange:JobType | 
| GetJob | dataexchange:GetJob | Job | dataexchange:JobType | 
| StartJob\*\* | dataexchange:StartJob | Job | dataexchange:JobType | 
| CancelJob | dataexchange:CancelJob | Job | dataexchange:JobType | 
| ListJobs | dataexchange:ListJobs | N/A | N/A | 
| ListTagsForResource | dataexchange:ListTagsForResource |  Revision  | aws:RequestTag | 
| TagResource | dataexchange:TagResource |  Revision  |  `aws:TagKeys` `aws:RequestTag`  | 
| UnTagResource | dataexchange:UnTagResource |  Revision  |  `aws:TagKeys` `aws:RequestTag`  | 
| UpdateRevision | dataexchange:UpdateRevision |  Revision  | aws:RequestTag | 
| DeleteAsset | dataexchange:DeleteAsset |  Asset  | N/A | 
| GetAsset | dataexchange:GetAsset |  Asset  | N/A | 
| UpdateAsset | dataexchange:UpdateAsset |  Asset  | N/A | 
| SendApiAsset | dataexchange:SendApiAsset |  Asset  | N/A | 

**\*\*** Additional IAM permissions might be needed depending on the type of the job you are starting. See the following table for the AWS Data Exchange job types and their associated additional IAM permissions. For more information about jobs, see [Jobs in AWS Data Exchange](jobs.md).

**Note**  
Currently, the `SendApiAsset` operation is not supported for the following SDKs:  
+ AWS SDK for .NET
+ AWS SDK for C++
+ AWS SDK for Java 2.x


**AWS Data Exchange job type permissions for `StartJob`**  

| Job type | Additional IAM permissions needed | 
| --- | --- | 
| IMPORT_ASSETS_FROM_S3 | dataexchange:CreateAsset | 
| IMPORT_ASSET_FROM_SIGNED_URL | dataexchange:CreateAsset | 
| IMPORT_ASSET_FROM_API_GATEWAY_API | dataexchange:CreateAsset | 
| IMPORT_ASSETS_FROM_REDSHIFT_DATA_SHARES | dataexchange:CreateAsset, redshift:AuthorizeDataShare | 
| EXPORT_ASSETS_TO_S3 | dataexchange:GetAsset | 
| EXPORT_ASSET_TO_SIGNED_URL | dataexchange:GetAsset | 
| EXPORT_REVISIONS_TO_S3 | dataexchange:GetRevision, dataexchange:GetDataSet (`dataexchange:GetDataSet` is only needed if you use `DataSet.Name` as the dynamic reference for the `EXPORT_REVISIONS_TO_S3` job type) | 

You can scope data set actions to the revision or asset level through the use of wildcards, as in the following example.

```
arn:aws:dataexchange:us-east-1:123456789012:data-sets/99EXAMPLE23c7c272897cf1EXAMPLE7a/revisions/*/assets/*
```
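The following Python is an added example, not code from the AWS Data Exchange documentation or the service itself. It models just enough of IAM identity-policy evaluation to exercise the three scoping mechanisms described on this page together: the `aws:CalledVia` condition on the S3 grant from the Amazon S3 permissions section, the `dataexchange:JobType` condition on the job actions, and resource ARN wildcards scoped down to the asset level as in the ARN above. The subscriber policy, the second data set ID, the revision and asset IDs, and the request contexts are all constructed for the example; the evaluator omits most of IAM (policy variables, `NotAction`, SCPs, permissions boundaries, resource policies) and is not a substitute for checking a real policy with the IAM policy simulator.

```python
"""Offline model of IAM identity-policy evaluation, just enough to try the
dataexchange:JobType, aws:CalledVia and resource-ARN wildcard scoping on
this page. Added illustration, not AWS code: it omits most of IAM
(policy variables, NotAction, SCPs, permissions boundaries, resource
policies). All policies, ARNs and request contexts below are constructed."""
import fnmatch
from typing import Any, Dict, List, Mapping, Sequence, Union


def _as_list(value: Union[str, Sequence[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern: str, text: str) -> bool:
    # IAM Action/Resource wildcards are '*' and '?' only, matched against
    # the whole string; escape '[' so fnmatch does not see a char class.
    return fnmatch.fnmatchcase(text, pattern.replace("[", "[[]"))


def _condition_ok(cond: Mapping[str, Any], ctx: Mapping[str, Any]) -> bool:
    """True when every operator/key pair in a Condition block holds."""
    for op, pairs in cond.items():
        set_op, _, base = op.rpartition(":")  # e.g. ForAnyValue:StringEquals
        if base != "StringEquals":
            raise ValueError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            if key not in ctx:  # a missing key only satisfies ForAllValues
                if set_op == "ForAllValues":
                    continue
                return False
            actual = _as_list(ctx[key])
            hits = [a in _as_list(expected) for a in actual]
            if set_op == "ForAnyValue":
                ok = any(hits)
            elif set_op == "ForAllValues":
                ok = all(hits)
            else:  # plain StringEquals expects a single-valued key
                ok = len(actual) == 1 and hits[0]
            if not ok:
                return False
    return True


def is_allowed(policies: Sequence[Mapping[str, Any]], action: str,
               resource: str, ctx: Mapping[str, Any]) -> bool:
    """Implicit deny by default; a matching Allow grants; a matching Deny wins."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob(a.lower(), action.lower())  # actions are case-insensitive
                       for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_ok(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


DX = "dataexchange.amazonaws.com"
DATA_SET = ("arn:aws:dataexchange:us-east-1:123456789012:data-sets/"
            "99EXAMPLE23c7c272897cf1EXAMPLE7a")
OTHER_SET = ("arn:aws:dataexchange:us-east-1:123456789012:data-sets/"
             "00EXAMPLEffffeeeeddddccccEXAMPLE")  # constructed second data set

# Constructed subscriber policy: export-type jobs only, assets of one
# entitled data set, and the page's CalledVia-scoped S3 write grant.
SUBSCRIBER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dataexchange:CreateJob", "dataexchange:StartJob"],
         "Resource": "*",
         "Condition": {"StringEquals": {"dataexchange:JobType": [
             "EXPORT_ASSETS_TO_S3", "EXPORT_REVISIONS_TO_S3"]}}},
        {"Effect": "Allow",
         "Action": "dataexchange:GetAsset",
         "Resource": DATA_SET + "/revisions/*/assets/*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::*aws-data-exchange*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": [DX]}}},
    ],
}


def demo() -> Dict[str, bool]:
    p, via_dx = [SUBSCRIBER_POLICY], {"aws:CalledVia": [DX]}
    asset = "/revisions/r1EXAMPLE/assets/a1EXAMPLE"  # constructed IDs
    return {
        "export job": is_allowed(p, "dataexchange:CreateJob", "*",
                                 {"dataexchange:JobType": "EXPORT_ASSETS_TO_S3"}),
        "import job": is_allowed(p, "dataexchange:CreateJob", "*",
                                 {"dataexchange:JobType": "IMPORT_ASSETS_FROM_S3"}),
        "asset in entitled set": is_allowed(p, "dataexchange:GetAsset", DATA_SET + asset, {}),
        "asset in other set": is_allowed(p, "dataexchange:GetAsset", OTHER_SET + asset, {}),
        "s3 write via data exchange": is_allowed(
            p, "s3:PutObject", "arn:aws:s3:::aws-data-exchange-example/obj", via_dx),
        "s3 write direct": is_allowed(
            p, "s3:PutObject", "arn:aws:s3:::aws-data-exchange-example/obj", {}),
        "s3 write unrelated bucket": is_allowed(
            p, "s3:PutObject", "arn:aws:s3:::team-bucket/obj", via_dx),
        # The wildcard is matched against the whole ARN, so an object *key*
        # containing the string matches too; only CalledVia keeps that safe.
        "s3 write key contains string": is_allowed(
            p, "s3:PutObject", "arn:aws:s3:::team-bucket/aws-data-exchange/obj", via_dx),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{('ALLOW' if ok else 'DENY'):5} {name}")
```

Running the block prints one line per check. The two results worth noticing are "s3 write direct", denied because `aws:CalledVia` is absent when the principal calls S3 itself, and "s3 write key contains string", allowed because the `*aws-data-exchange*` wildcard is matched against the full ARN rather than only the bucket name; the `aws:CalledVia` condition, not the resource pattern, is what keeps that grant usable only through AWS Data Exchange.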

Some AWS Data Exchange actions can only be performed on the AWS Data Exchange console. These actions are integrated with AWS Marketplace functionality. The actions require the AWS Marketplace permissions shown in the following table.


**AWS Data Exchange console-only actions for subscribers**  

| Console action | IAM permission | 
| --- | --- | 
| Subscribe to a product |  `aws-marketplace:Subscribe` `aws-marketplace:CreateAgreementRequest` `aws-marketplace:AcceptAgreementRequest`  | 
| Send subscription verification request |  `aws-marketplace:Subscribe` `aws-marketplace:CreateAgreementRequest` `aws-marketplace:AcceptAgreementRequest`  | 
| Enable subscription auto-renew |  `aws-marketplace:Subscribe` `aws-marketplace:CreateAgreementRequest` `aws-marketplace:AcceptAgreementRequest`  | 
| View auto-renew status on a subscription |  `aws-marketplace:ListEntitlementDetails` `aws-marketplace:ViewSubscriptions` `aws-marketplace:GetAgreementTerms`  | 
| Disable subscription auto-renew |  `aws-marketplace:Subscribe` `aws-marketplace:CreateAgreementRequest` `aws-marketplace:AcceptAgreementRequest`  | 
| List active subscriptions |  `aws-marketplace:ViewSubscriptions` `aws-marketplace:SearchAgreements` `aws-marketplace:GetAgreementTerms`  | 
| View subscription |  `aws-marketplace:ViewSubscriptions` `aws-marketplace:SearchAgreements` `aws-marketplace:GetAgreementTerms` `aws-marketplace:DescribeAgreement`  | 
| List subscription verification requests |  `aws-marketplace:ListAgreementRequests`  | 
| View subscription verification request |  `aws-marketplace:GetAgreementRequest`  | 
| Cancel subscription verification request |  `aws-marketplace:CancelAgreementRequest`  | 
| View all offers targeted to the account |  `aws-marketplace:ListPrivateListings`  | 
| View details of a specific offer |  `aws-marketplace:GetPrivateListing`  | 


**AWS Data Exchange console-only actions for providers**  

| Console action | IAM permission | 
| --- | --- | 
| Tag product |  `aws-marketplace:TagResource` `aws-marketplace:UntagResource` `aws-marketplace:ListTagsForResource`  | 
| Tag offer |  `aws-marketplace:TagResource` `aws-marketplace:UntagResource` `aws-marketplace:ListTagsForResource`  | 
| Publish product |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet` `dataexchange:PublishDataSet`  | 
| Unpublish product |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`  | 
| Edit product |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`  | 
| Create custom offer |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`  | 
| Edit custom offer |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`  | 
| View product details |  `aws-marketplace:DescribeEntity` `aws-marketplace:ListEntities`  | 
| View product's custom offer | aws-marketplace:DescribeEntity | 
| View product dashboard |  `aws-marketplace:ListEntities` `aws-marketplace:DescribeEntity`  | 
| List products to which a data set or revision has been published |  `aws-marketplace:ListEntities` `aws-marketplace:DescribeEntity`  | 
| List subscription verification requests |  `aws-marketplace:ListAgreementApprovalRequests` `aws-marketplace:GetAgreementApprovalRequest`  | 
| Approve subscription verification requests |  `aws-marketplace:AcceptAgreementApprovalRequest`  | 
| Decline subscription verification requests |  `aws-marketplace:RejectAgreementApprovalRequest`  | 
| Delete information from subscription verification requests |  `aws-marketplace:UpdateAgreementApprovalRequest`  | 
| View subscription details |  `aws-marketplace:SearchAgreements` `aws-marketplace:GetAgreementTerms`  | 

# AWS managed policies for AWS Data Exchange
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess)
+ [AWS managed policy: AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess)
+ [AWS managed policy: AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly)
+ [AWS managed policy: AWSDataExchangeServiceRolePolicyForLicenseManagement](#security-iam-awsmanpol-awsdataexchangeservicerolepolicyforlicensemanagement)
+ [AWS managed policy: AWSDataExchangeServiceRolePolicyForOrganizationDiscovery](#security-iam-awsmanpol-awsdataexchangeservicerolepolicyfororganizationdiscovery)
+ [AWS managed policy: AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess)
+ [AWS managed policy: AWSDataExchangeDataGrantOwnerFullAccess](#security-iam-awsmanpol-awsdataexchangedatagrantownerfullaccess)
+ [AWS managed policy: AWSDataExchangeDataGrantReceiverFullAccess](#security-iam-awsmanpol-awsdataexchangedatagrantreceiverfullaccess)
+ [AWS Data Exchange updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: AWSDataExchangeFullAccess
<a name="security-iam-awsmanpol-awsdataexchangefullaccess"></a>

You can attach the `AWSDataExchangeFullAccess` policy to your IAM identities.

This policy grants administrative permissions that allow full access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeProviderFullAccess
<a name="security-iam-awsmanpol-awsdataexchangeproviderfullaccess"></a>

You can attach the `AWSDataExchangeProviderFullAccess` policy to your IAM identities.

This policy grants contributor permissions that provide data provider access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeProviderFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeProviderFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeReadOnly
<a name="security-iam-awsmanpol-awsdataexchangereadonly"></a>

You can attach the `AWSDataExchangeReadOnly` policy to your IAM identities.

This policy grants read-only permissions that allow read-only access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeReadOnly.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeReadOnly.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeServiceRolePolicyForLicenseManagement
<a name="security-iam-awsmanpol-awsdataexchangeservicerolepolicyforlicensemanagement"></a>

You can't attach the `AWSDataExchangeServiceRolePolicyForLicenseManagement` policy to your IAM entities. This policy is attached to a service-linked role that allows AWS Data Exchange to perform actions on your behalf. It grants role permissions that allow AWS Data Exchange to retrieve information about your AWS organization and manage AWS Data Exchange data grant licenses. For more information, see [Service-linked role for AWS Data Exchange license management](using-service-linked-roles-license-management.md) later in this section.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeServiceRolePolicyForLicenseManagement.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeServiceRolePolicyForLicenseManagement.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeServiceRolePolicyForOrganizationDiscovery
<a name="security-iam-awsmanpol-awsdataexchangeservicerolepolicyfororganizationdiscovery"></a>

You can't attach the `AWSDataExchangeServiceRolePolicyForOrganizationDiscovery` policy to your IAM entities. This policy is attached to a service-linked role that allows AWS Data Exchange to perform actions on your behalf. It grants role permissions that allow AWS Data Exchange to retrieve information about your AWS organization to determine eligibility for AWS Data Exchange data grant license distribution. For more information, see [Service-linked roles for AWS Organizations discovery in AWS Data Exchange](using-service-linked-roles-aws-org-discovery.md).

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeSubscriberFullAccess
<a name="security-iam-awsmanpol-awsdataexchangesubscriberfullaccess"></a>

You can attach the `AWSDataExchangeSubscriberFullAccess` policy to your IAM identities.

This policy grants contributor permissions that allow data subscriber access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeSubscriberFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeSubscriberFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeDataGrantOwnerFullAccess
<a name="security-iam-awsmanpol-awsdataexchangedatagrantownerfullaccess"></a>

You can attach the `AWSDataExchangeDataGrantOwnerFullAccess` policy to your IAM identities.

This policy gives a Data Grant owner access to AWS Data Exchange actions using the AWS Management Console and SDKs.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeDataGrantOwnerFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeDataGrantOwnerFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeDataGrantReceiverFullAccess
<a name="security-iam-awsmanpol-awsdataexchangedatagrantreceiverfullaccess"></a>

You can attach the `AWSDataExchangeDataGrantReceiverFullAccess` policy to your IAM identities.

This policy gives a Data Grant receiver access to AWS Data Exchange actions using the AWS Management Console and SDKs.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeDataGrantReceiverFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeDataGrantReceiverFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS Data Exchange updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

The following table provides details about updates to AWS managed policies for AWS Data Exchange since this service began tracking these changes. For automatic alerts about changes to this page (and any other changes to this user guide), subscribe to the RSS feed on the [Document history for AWS Data Exchange](doc-history.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSDataExchangeDataGrantOwnerFullAccess](#security-iam-awsmanpol-awsdataexchangedatagrantownerfullaccess) – New policy  |  AWS Data Exchange added a new policy to grant Data Grant owners access to AWS Data Exchange actions.  | October 24, 2024 | 
|  [AWSDataExchangeDataGrantReceiverFullAccess](#security-iam-awsmanpol-awsdataexchangedatagrantreceiverfullaccess) – New policy  |  AWS Data Exchange added a new policy to grant Data Grant receivers access to AWS Data Exchange actions.  | October 24, 2024 | 
|  [AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly) – Update to an existing policy  |  Added necessary permissions to the `AWSDataExchangeReadOnly` AWS managed policy for the new data grants feature.  | October 24, 2024 | 
|  [AWSDataExchangeServiceRolePolicyForLicenseManagement](#security-iam-awsmanpol-awsdataexchangeservicerolepolicyforlicensemanagement) – New policy  |  Added a new policy to support service-linked roles to manage license grants in customer accounts.  | October 17, 2024 | 
|  [AWSDataExchangeServiceRolePolicyForOrganizationDiscovery](#security-iam-awsmanpol-awsdataexchangeservicerolepolicyfororganizationdiscovery) – New policy  |  Added a new policy to support service-linked roles to provide read access to account information in your AWS Organization.  | October 17, 2024 | 
|  [AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly)  | Added statement IDs to make the policy easier to read, expanded the wildcarded permissions to the full list of read-only AWS Data Exchange permissions, and added new actions: `aws-marketplace:ListTagsForResource` and `aws-marketplace:ListPrivateListings`. |  July 9, 2024  | 
| [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) | Removed action: `aws-marketplace:GetPrivateListing`. | May 22, 2024 | 
| [AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess) | Added statement IDs to make the policy easier to read and added new action: `aws-marketplace:ListPrivateListings`. | April 30, 2024 | 
| [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) | Added statement IDs to make the policy easier to read and added new actions: `aws-marketplace:TagResource`, `aws-marketplace:UntagResource`, `aws-marketplace:ListTagsForResource`, `aws-marketplace:ListPrivateListings`, `aws-marketplace:GetPrivateListing`, and `aws-marketplace:DescribeAgreement`.  | April 30, 2024 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess)  | Added statement IDs to make the policy easier to read. | August 9, 2024 | 
| [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) | Added `dataexchange:SendDataSetNotification`, a new permission to send data set notifications. | March 5, 2024 | 
|  [AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess), [AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly), [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess), and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added granular actions across all managed policies. New actions added are `aws-marketplace:CreateAgreementRequest`, `aws-marketplace:AcceptAgreementRequest`, `aws-marketplace:ListEntitlementDetails`, `aws-marketplace:ListPrivateListings`, `aws-marketplace:GetPrivateListing`, `license-manager:ListReceivedGrants`, `aws-marketplace:TagResource`, `aws-marketplace:UntagResource`, `aws-marketplace:ListTagsForResource`, `aws-marketplace:DescribeAgreement`, `aws-marketplace:GetAgreementTerms`, and `aws-marketplace:GetLicense`.  | July 31, 2023 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) – Update to existing policy  |  Added `dataexchange:RevokeRevision`, a new permission to revoke a revision.  | March 15, 2022 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added `apigateway:GET`, a new permission to retrieve an API asset from Amazon API Gateway.  | December 3, 2021 | 
| [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) and [AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess) – Update to existing policies |  Added `dataexchange:SendApiAsset`, a new permission to send a request to an API asset.  | November 29, 2021 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added `redshift:AuthorizeDataShare`, `redshift:DescribeDataSharesForProducer`, and `redshift:DescribeDataShares`, new permissions to authorize access to and create Amazon Redshift data sets.  | November 1, 2021 | 
|  [AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess) – Update to an existing policy  |  Added `dataexchange:CreateEventAction`, `dataexchange:UpdateEventAction`, and `dataexchange:DeleteEventAction`, new permissions to control access to automatically export new revisions of data sets.  | September 30, 2021 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added `dataexchange:PublishDataSet`, a new permission to control access to publishing new versions of data sets.  | May 25, 2021 | 
|  [AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly), [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess), and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added `aws-marketplace:SearchAgreements` and `aws-marketplace:GetAgreementTerms` to enable viewing subscriptions for products and offers.  | May 12, 2021 | 
|  AWS Data Exchange started tracking changes  |  AWS Data Exchange started tracking changes for its AWS managed policies.  | April 20, 2021 | 
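Several rows above record actions that were added under wildcarded permissions, which is how a customer-managed policy written as "read-only" can quietly pick up write actions as the service grows. The following Python is an added example, not code from the AWS documentation: it evaluates which of the actions named in the change log a policy document's `Action` wildcards cover after explicit `Deny` statements, and lists the write actions that slipped in. The action list and the sample policy are constructed from the table above; `Condition` and `NotAction` handling is deliberately omitted.

```python
import fnmatch

# Actions named in the change log above; "write" marks the ones that change
# state, which a policy meant to be read-only should never cover.
KNOWN_ACTIONS = {
    "dataexchange:RevokeRevision": "write",
    "dataexchange:PublishDataSet": "write",
    "dataexchange:SendApiAsset": "write",
    "dataexchange:CreateEventAction": "write",
    "dataexchange:DeleteEventAction": "write",
    "aws-marketplace:AcceptAgreementRequest": "write",
    "aws-marketplace:TagResource": "write",
    "aws-marketplace:ListPrivateListings": "read",
    "aws-marketplace:ListTagsForResource": "read",
    "aws-marketplace:GetAgreementTerms": "read",
    "license-manager:ListReceivedGrants": "read",
}

def _as_list(value):
    # IAM accepts a single string/object or a list for Statement and Action.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def effective_known_actions(policy_doc):
    """Known actions the document allows after explicit Deny statements.
    Simplified evaluation: Condition and NotAction are ignored."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            target.update(a for a in KNOWN_ACTIONS if _matches(pattern, a))
    return {a: KNOWN_ACTIONS[a] for a in sorted(allowed - denied)}

def write_actions_granted(policy_doc):
    # The write actions a policy intended to be read-only would silently grant.
    return [a for a, k in effective_known_actions(policy_doc).items() if k == "write"]

# Constructed sample: an intended read-only policy whose wildcard over-grants.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["dataexchange:*", "aws-marketplace:List*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "dataexchange:RevokeRevision"},
]}

if __name__ == "__main__":
    for action in write_actions_granted(SAMPLE_POLICY):
        print("wildcard grants write action:", action)
```

Run it against the output of `aws iam get-policy-version` for your own customer-managed policies; the AWS managed policies linked above are the reference for which actions each role type actually needs.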