

# Security
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from multiple data centers and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security of the cloud and security in the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. The effectiveness of our security is regularly tested and verified by third-party auditors as part of [AWS compliance programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Data Exchange, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS services that you use. You are also responsible for other factors, including the sensitivity of your data, your organization's requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when you use AWS Data Exchange. The following topics show you how to configure AWS Data Exchange to meet your security and compliance objectives. You also learn how to use other AWS services that help you monitor and secure your AWS Data Exchange resources.

# Data protection in AWS Data Exchange
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Data Exchange. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with AWS Data Exchange or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

AWS Data Exchange provides the following options that you can use to help secure the content that exists in your data sets:

**Topics**
+ [Encryption at rest](#data-protection-encryption-rest)
+ [Encryption in transit](#data-protection-encryption-in-transit)
+ [Restrict access to content](#data-protection-restrict-access)

## Encryption at rest
<a name="data-protection-encryption-rest"></a>

AWS Data Exchange always encrypts all data products stored in the service at rest without requiring any additional configuration. This encryption is automatic when you use AWS Data Exchange.

## Encryption in transit
<a name="data-protection-encryption-in-transit"></a>

AWS Data Exchange uses Transport Layer Security (TLS) and client-side encryption for encryption in transit. Communication with AWS Data Exchange is always done over HTTPS so your data is always encrypted in transit. This encryption is configured by default when you use AWS Data Exchange.

## Restrict access to content
<a name="data-protection-restrict-access"></a>

As a best practice, you should restrict access to the appropriate subset of users. With AWS Data Exchange, you can do this by ensuring that users, groups, and roles who use your AWS account have the right permissions. For more information about roles and policies for IAM entities, see *[IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)*.

# Key management for Amazon S3 data access
<a name="key-management"></a>

This page is specific to the Amazon S3 data access type where the provider is sharing objects encrypted using SSE-KMS. The subscriber must have a grant on the keys used for access.

If your Amazon S3 bucket contains data encrypted using AWS KMS customer managed keys, you must share these AWS KMS keys with AWS Data Exchange to configure your Amazon S3 data access data set. For more information, see [Step 2: Configure Amazon S3 data access](publish-s3-data-access-product.md#configure-s3-data-access-product).

**Topics**
+ [Creating AWS KMS grants](#create-kms-grants)
+ [Encryption context and grant constraints](#encryption-context-grant-constraint)
+ [Monitoring your AWS KMS keys in AWS Data Exchange](#monitoring-your-kms-keys)

## Creating AWS KMS grants
<a name="create-kms-grants"></a>

When you provide AWS KMS keys as part of your Amazon S3 data access data set, AWS Data Exchange creates an AWS KMS grant on each AWS KMS key shared. This grant, known as the *parent grant*, is used to give AWS Data Exchange permission to create additional AWS KMS grants for subscribers. These additional grants are known as *child grants*. Each subscriber is permitted one AWS KMS grant. Subscribers get permission to decrypt the AWS KMS key. Then, they can decrypt and use the encrypted Amazon S3 objects shared with them. For more information, see [Grants in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

AWS Data Exchange also uses the AWS KMS parent grant to manage the lifecycle of the AWS KMS grant that it creates. When a subscription ends, AWS Data Exchange retires the AWS KMS child grant created for the corresponding subscriber. If the revision is revoked, or the data set is deleted, AWS Data Exchange retires the AWS KMS parent grant. For more information about AWS KMS actions, see the [AWS KMS API reference](https://docs.aws.amazon.com/kms/latest/APIReference/API_Operations.html).

## Encryption context and grant constraints
<a name="encryption-context-grant-constraint"></a>

AWS Data Exchange uses grant constraints to permit the decrypt operation only when the request includes the specified encryption context. You can use the Amazon S3 Bucket Key feature to encrypt your Amazon S3 objects and share them with AWS Data Exchange. Amazon S3 implicitly uses the bucket Amazon Resource Name (ARN) as the encryption context. The following example shows how AWS Data Exchange uses the bucket ARN as the grant constraint for all AWS KMS grants that it creates.

```
"Constraints": {
    "EncryptionContextSubset": {
        "aws:s3:arn": "arn:aws:s3:::<Bucket ARN>"
    }
}
```

## Monitoring your AWS KMS keys in AWS Data Exchange
<a name="monitoring-your-kms-keys"></a>

When you share AWS KMS customer managed keys with AWS Data Exchange, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to track requests that AWS Data Exchange or data subscribers send to AWS KMS. The following are examples of what your CloudTrail logs will look like for the `CreateGrant` and `Decrypt` calls to AWS KMS.

------
#### [ CreateGrant for parent ]

`CreateGrant` is for parent grants created by AWS Data Exchange for itself.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole", 
        "principalId": "AROAIGDTESTANDEXAMPLE:Provider01",
        "arn": "arn:aws:sts::<your-account-id>:assumed-role/Admin/Provider01",
        "accountId": "<your-account-id>",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::<your-account-id>:role/Admin/Provider01",
                "accountId": "<your-account-id>",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-02-16T17:29:23Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datax.amazonaws.com"
    },
    "eventTime": "2023-02-16T17:32:47Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datax.amazonaws.com",
    "userAgent": "datax.amazonaws.com",
    "requestParameters": {
        "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>",
        "operations": [
            "CreateGrant",
            "Decrypt",
            "RetireGrant"
        ],
        "granteePrincipal": "dataexchange.us-east-2.amazonaws.com",
        "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
            }
        }
    },
    "responseElements": {
        "grantId": "<KMS Grant ID of the created Grant>",
        "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "<Your Account Id>",
            "type": "AWS::KMS::Key",
            "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<Your Account Id>",
    "eventCategory": "Management"
}
```

------
#### [ CreateGrant for child ]

`CreateGrant` is for child grants created by AWS Data Exchange for subscribers.

```
{
      "eventVersion": "1.08",
      "userIdentity": {
         "type": "AWSService",
         "invokedBy": "datax.amazonaws.com"
     },
     "eventTime": "2023-02-15T23:15:49Z",
     "eventSource": "kms.amazonaws.com",
     "eventName": "CreateGrant",
     "awsRegion": "us-east-2",
     "sourceIPAddress": "datax.amazonaws.com",
     "userAgent": "datax.amazonaws.com",
     "requestParameters": {
         "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>",
         "operations": [
             "Decrypt"
         ],
         "granteePrincipal": "<Subscriber's account Id>",
         "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
         "constraints": {
             "encryptionContextSubset": {
                 "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
             }
         }
     },
     "responseElements": {
         "grantId": "<KMS Grant ID of the created Grant>",
         "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>"
     },
     "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
     "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
     "readOnly": false,
     "resources": [
         {
             "accountId": "<Your Account Id>",
             "type": "AWS::KMS::Key",
             "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
         }
     ],
     "eventType": "AwsApiCall",
     "managementEvent": true,
     "recipientAccountId": "<Your Account Id>",
     "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
     "eventCategory": "Management"
}
```

------
#### [ Decrypt ]

`Decrypt` is called by subscribers when they attempt to read the encrypted data to which they're subscribed.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSAccount",
        "principalId": "AROAIGDTESTANDEXAMPLE:Subscriber01",
        "accountId": "<subscriber-account-id>",
        "invokedBy": "<subscriber’s IAM identity>"
    },
    "eventTime": "2023-02-15T23:28:30Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "<subscriber’s IP address>",
    "userAgent": "<subscriber’s user agent>",
    "requestParameters": {
        "encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "<Your Account Id>",
            "type": "AWS::KMS::Key",
            "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "602466227860",
    "sharedEventID": "bcf4d02a-31ea-4497-9c98-4c3549f20a7b",
    "eventCategory": "Management"
}
```

------
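As an added example (not part of the AWS documentation), the following Python script turns the grant shape documented above into a detection rule over CloudTrail records like the three samples: every `CreateGrant` that AWS Data Exchange issues should target your shared key, carry the bucket ARN as an `encryptionContextSubset` constraint, and give a subscriber (child grant) no more than `Decrypt`. The key and bucket ARNs, the subscriber account ID and the grant IDs are constructed placeholders.

```python
"""Audit CloudTrail records for the AWS KMS grants that AWS Data Exchange creates
on a shared customer managed key.

Added example, not part of the AWS documentation. Sample records are constructed
to match the shapes shown above; the key and bucket ARNs are placeholders.
"""
import json

ADX_INVOKER = "datax.amazonaws.com"  # invokedBy value in the records above
EXPECTED_BUCKET_ARN = "arn:aws:s3:::example-provider-bucket"                 # constructed
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-2:111122223333:key/EXAMPLE-KEY-ID"  # constructed
PARENT_OPERATIONS = {"CreateGrant", "Decrypt", "RetireGrant"}  # what the parent grant needs
CHILD_OPERATIONS = {"Decrypt"}                                 # all a subscriber should get


def is_adx_create_grant(event):
    """True for CreateGrant calls to KMS that AWS Data Exchange issued."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            and event.get("eventName") == "CreateGrant"
            and event.get("userIdentity", {}).get("invokedBy") == ADX_INVOKER)


def classify_grant(event):
    """'parent' when the grantee is the regional Data Exchange service principal,
    'child' when it is a subscriber account."""
    grantee = event["requestParameters"].get("granteePrincipal", "")
    return "parent" if grantee.startswith("dataexchange.") else "child"


def check_grant(event, expected_key_arn, expected_bucket_arn):
    """Return findings for one CreateGrant record; an empty list means it matches
    the documented shape (right key, minimal operations, bucket-ARN constraint)."""
    findings = []
    params = event["requestParameters"]
    kind = classify_grant(event)
    if params.get("keyId") != expected_key_arn:
        findings.append(f"{kind} grant on unexpected key {params.get('keyId')!r}")
    allowed = PARENT_OPERATIONS if kind == "parent" else CHILD_OPERATIONS
    extra = set(params.get("operations", [])) - allowed
    if extra:
        findings.append(f"{kind} grant allows unexpected operations {sorted(extra)}")
    subset = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
    if subset.get("aws:s3:arn") != expected_bucket_arn:
        findings.append(f"{kind} grant is not constrained to {expected_bucket_arn}")
    return findings


def audit(records, expected_key_arn, expected_bucket_arn):
    """Map grantId -> findings for every Data Exchange CreateGrant in the records."""
    results = {}
    for event in records:
        if not is_adx_create_grant(event):
            continue
        grant_id = (event.get("responseElements") or {}).get("grantId", "<unknown>")
        results[grant_id] = check_grant(event, expected_key_arn, expected_bucket_arn)
    return results


def make_event(grantee, operations, grant_id, bucket_arn=EXPECTED_BUCKET_ARN):
    """Constructed minimal CreateGrant record in the shape of the samples above."""
    constraints = {"encryptionContextSubset": {"aws:s3:arn": bucket_arn}} if bucket_arn else {}
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateGrant",
        "userIdentity": {"type": "AWSService", "invokedBy": ADX_INVOKER},
        "requestParameters": {"keyId": EXPECTED_KEY_ARN, "operations": operations,
                              "granteePrincipal": grantee,
                              "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
                              "constraints": constraints},
        "responseElements": {"grantId": grant_id, "keyId": EXPECTED_KEY_ARN},
    }


SAMPLE_RECORDS = [  # constructed
    make_event("dataexchange.us-east-2.amazonaws.com",
               ["CreateGrant", "Decrypt", "RetireGrant"], "parent-grant"),
    make_event("444455556666", ["Decrypt"], "child-grant-ok"),
    # A child grant that also allows CreateGrant and carries no bucket constraint.
    make_event("444455556666", ["Decrypt", "CreateGrant"], "child-grant-bad", bucket_arn=None),
    # A subscriber Decrypt call: not a grant, so the audit skips it.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSAccount", "accountId": "444455556666"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": EXPECTED_BUCKET_ARN}}},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RECORDS, EXPECTED_KEY_ARN, EXPECTED_BUCKET_ARN), indent=2))
```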

# Identity and access management in AWS Data Exchange
<a name="auth-access"></a>

To perform any operation in AWS Data Exchange, such as creating an import job using an AWS SDK, or subscribing to a product in the AWS Data Exchange console, AWS Identity and Access Management (IAM) requires that you authenticate that you're an approved AWS user. For example, if you're using the AWS Data Exchange console, you authenticate your identity by providing your AWS sign-in credentials.

After you authenticate your identity, IAM controls your access to AWS with a defined set of permissions on a set of operations and resources. If you're an account administrator, you can use IAM to control the access of other users to the resources that are associated with your account.

**Topics**
+ [Authentication](#authentication)
+ [Access control](access-control.md)
+ [AWS Data Exchange API permissions: actions and resources reference](api-permissions-ref.md)
+ [AWS managed policies for AWS Data Exchange](security-iam-awsmanpol.md)

## Authentication
<a name="authentication"></a>

You can access AWS with any of the following types of identities:
+ **AWS account root user** – When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 
+ **User** – A [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) is an identity in your AWS account that has specific custom permissions. You can use your IAM credentials to sign in to secure AWS webpages like the AWS Management Console or the AWS Support Center.
+ **IAM role** – An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. Roles with temporary credentials are useful in the following situations:
  + **Federated user access** – Instead of creating a user, you can use existing identities from Directory Service, your enterprise user directory, or a web identity provider. These are known as *federated users*. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see [Federated Users and Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html#intro-access-roles).
  + **AWS service access** – A service role is an IAM role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions that are required for the service to access the AWS resources that it needs. Service roles vary from service to service, but many allow you to choose your permissions as long as you meet the documented requirements for that service. Service roles provide access only within your account and cannot be used to grant access to services in other accounts. You can create, modify, and delete a service role from within IAM. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data from that bucket into an Amazon Redshift cluster. For more information, see [Creating a Role to Delegate Permissions to an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).
  + **Applications running on Amazon EC2** – You can use an IAM role to manage temporary credentials for applications that are running on an Amazon EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys in the Amazon EC2 instance. To assign an AWS role to an Amazon EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the Amazon EC2 instance to get temporary credentials. For more information, see [Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html).

# Access control
<a name="access-control"></a>

To create, update, delete, or list AWS Data Exchange resources, you need permissions to perform the operation and to access the corresponding resources. To perform the operation programmatically, you also need valid access keys.

## Overview of managing access permissions to your AWS Data Exchange resources
<a name="access-control-overview"></a>

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to users, groups, and roles. Some services (such as AWS Lambda) also support attaching permissions policies to resources. 

**Note**  
An *account administrator* (or administrator) is a user with administrator privileges. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

**Topics**
+ [AWS Data Exchange resources and operations](#access-control-resources)
+ [Understanding resource ownership](#access-control-owner)
+ [Managing access to resources](#access-control-manage-access-intro)
+ [Specifying policy elements: actions, effects, and principals](#access-control-specify-control-tower-actions)
+ [Specifying conditions in a policy](#specifying-conditions)

### AWS Data Exchange resources and operations
<a name="access-control-resources"></a>

In AWS Data Exchange, there are two different kinds of primary resources with different control planes:
+ The primary resources for AWS Data Exchange are *data sets* and *jobs*. AWS Data Exchange also supports *revisions* and *assets*.
+ To facilitate transactions between providers and subscribers, AWS Data Exchange also uses AWS Marketplace concepts and resources, including products, offers, and subscriptions. You can use the AWS Marketplace Catalog API or the AWS Data Exchange console to manage your products, offers, subscription requests, and subscriptions.

### Understanding resource ownership
<a name="access-control-owner"></a>

The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the [principal entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) (that is, the AWS account root user, a user, or a role) that authenticates the resource creation request. The following examples illustrate how this works.

#### Resource ownership
<a name="resource-ownership"></a>

Any IAM entity in an AWS account with the correct permissions can create AWS Data Exchange data sets. When an IAM entity creates a data set, their AWS account owns the data set. Published data products can contain data sets that are owned only by the AWS account that created them.

To subscribe to an AWS Data Exchange product, the IAM entity needs permissions to use AWS Data Exchange, in addition to the `aws-marketplace:subscribe`, `aws-marketplace:CreateAgreementRequest`, and `aws-marketplace:AcceptAgreementRequest` IAM permissions for AWS Marketplace (assuming they pass any related subscription verifications). As a subscriber, your account has read access to entitled data sets; however, it does not own the entitled data sets. Any entitled data sets that are exported to Amazon S3 are owned by the subscriber's AWS account.

### Managing access to resources
<a name="access-control-manage-access-intro"></a>

This section discusses using IAM in the context of AWS Data Exchange. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [AWS Identity and Access Management Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

A *permissions policy* describes who has access to what. The following section explains the options for creating permissions policies.

Policies attached to an IAM identity are referred to as *identity-based* policies (IAM policies). Policies attached to a resource are referred to as *resource-based* policies. AWS Data Exchange supports only identity-based policies (IAM policies). 

**Topics**
+ [Identity-based policies and permissions](#access-control-manage-access-intro-iam-policies)
+ [Resource-based policies](#access-control-manage-access-intro-resource-policies)

#### Identity-based policies and permissions
<a name="access-control-manage-access-intro-iam-policies"></a>

AWS Data Exchange provides a set of managed policies. For more information about them and their permissions, see [AWS managed policies for AWS Data Exchange](security-iam-awsmanpol.md). 

##### Amazon S3 permissions
<a name="additional-s3-permissions"></a>

When importing assets from Amazon S3 to AWS Data Exchange, you need permissions to write to the AWS Data Exchange service S3 buckets. Similarly, when exporting assets from AWS Data Exchange to Amazon S3, you need permissions to read from the AWS Data Exchange service S3 buckets. These permissions are included in the policies mentioned previously, but you can also create your own policy to allow just what you want your users to be able to do. You can scope these permissions to buckets that contain `aws-data-exchange` in their name and use the [`aws:CalledVia`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-calledvia) condition key to restrict the permissions to requests that AWS Data Exchange makes on behalf of the principal.

For example, you could create a policy to allow importing and exporting to AWS Data Exchange that includes these permissions.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*aws-data-exchange*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "dataexchange.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::*aws-data-exchange*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "dataexchange.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

These permissions allow providers to import and export with AWS Data Exchange. The policy includes the following permissions and restrictions:
+ **s3:PutObject** and **s3:PutObjectAcl** – These permissions are restricted to S3 buckets that contain `aws-data-exchange` in their name. They allow providers to write to AWS Data Exchange service buckets when importing from Amazon S3.
+ **s3:GetObject** – This permission is restricted to S3 buckets that contain `aws-data-exchange` in their name. It allows customers to read from AWS Data Exchange service buckets when exporting from AWS Data Exchange to Amazon S3.
+ These permissions are restricted to requests made through AWS Data Exchange by the IAM `aws:CalledVia` condition. This allows the S3 permissions to be used only in the context of the AWS Data Exchange console or API.
+ **AWS Lake Formation and AWS Resource Access Manager (AWS RAM)** – To use AWS Lake Formation data sets, you need to accept the AWS RAM share invitation for each new provider that you have a subscription with. To accept the AWS RAM share invitation, you need to assume a role that has permission to accept an AWS RAM share invitation. To learn more about AWS managed policies for AWS RAM, see [Managed policies for AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/security-iam-managed-policies.html).
+ To create AWS Lake Formation data sets, you need to create the data set with an assumed role that allows IAM to pass a role to AWS Data Exchange. This lets AWS Data Exchange grant and revoke permissions to Lake Formation resources on your behalf. See an example policy below:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": "iam:PassRole",
              "Resource": "*",
              "Condition": {
                  "StringEquals": {
                      "iam:PassedToService": "dataexchange.amazonaws.com"
                  }
              }
          }
      ]
  }
  ```

**Note**  
Your users may also need additional permissions to read from or write to your own S3 buckets and objects, which are not covered in this example.

For more information about users, groups, roles, and permissions, see [Identities (Users, Groups, and Roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

#### Resource-based policies
<a name="access-control-manage-access-intro-resource-policies"></a>

AWS Data Exchange does not support resource-based policies.

Other services, such as Amazon S3, do support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket.

### Specifying policy elements: actions, effects, and principals
<a name="access-control-specify-control-tower-actions"></a>

To use AWS Data Exchange, your user permissions must be defined in an IAM policy.

The following are the most basic policy elements:
+ **Resource** – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. All AWS Data Exchange API operations support resource level permissions (RLP), but AWS Marketplace actions don't support RLP. For more information, see [AWS Data Exchange resources and operations](#access-control-resources).
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny.
+ **Effect** – You specify the effect (allow or deny) when the user requests the specific action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). AWS Data Exchange doesn't support resource-based policies.

For more information about IAM policy syntax and descriptions, see [AWS Identity and Access Management Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

### Specifying conditions in a policy
<a name="specifying-conditions"></a>

When you grant permissions, you can use the IAM policy language to specify the conditions when a policy should take effect. With AWS Data Exchange, the `CreateJob`, `StartJob`, `GetJob`, and `CancelJob` API operations support conditional permissions. You can provide permissions at the `JobType` level.


**AWS Data Exchange condition key reference**  

| Condition key | Description | Type | 
| --- | --- | --- | 
| `"dataexchange:JobType":"IMPORT_ASSETS_FROM_S3"` | Scopes permissions to jobs that import assets from Amazon S3. | String | 
| `"dataexchange:JobType":"IMPORT_ASSETS_FROM_LAKE_FORMATION_TAG_POLICY"` (Preview) | Scopes permissions to jobs that import assets from AWS Lake Formation (Preview). | String | 
| `"dataexchange:JobType":"IMPORT_ASSET_FROM_SIGNED_URL"` | Scopes permissions to jobs that import assets from a signed URL. | String | 
| `"dataexchange:JobType":"IMPORT_ASSET_FROM_REDSHIFT_DATA_SHARES"` | Scopes permissions to jobs that import assets from Amazon Redshift. | String | 
| `"dataexchange:JobType":"IMPORT_ASSET_FROM_API_GATEWAY_API"` | Scopes permissions to jobs that import assets from Amazon API Gateway. | String | 
| `"dataexchange:JobType":"EXPORT_ASSETS_TO_S3"` | Scopes permissions to jobs that export assets to Amazon S3. | String | 
| `"dataexchange:JobType":"EXPORT_ASSETS_TO_SIGNED_URL"` | Scopes permissions to jobs that export assets to a signed URL. | String | 
| `"dataexchange:JobType":"EXPORT_REVISIONS_TO_S3"` | Scopes permissions to jobs that export revisions to Amazon S3. | String | 

For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition) in the *IAM User Guide*. 

To express conditions, you use predefined condition keys. AWS Data Exchange has the `JobType` condition key for its job API operations. You can also use the AWS-wide condition keys, as appropriate. For a complete list of AWS-wide keys, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).

# AWS Data Exchange API permissions: actions and resources reference
<a name="api-permissions-ref"></a>

Use the following table as a reference when you are setting up [Access control](access-control.md) and writing a permissions policy that you can attach to an AWS Identity and Access Management (IAM) identity (identity-based policies). The table lists each AWS Data Exchange API operation, the action for which you can grant permission to perform that operation, and the AWS resource on which you can grant the permission. You specify the actions in the policy's `Action` field. You specify the resource value in the policy's `Resource` field. 

**Note**  
To specify an action, use the `dataexchange:` prefix followed by the API operation name (for example, `dataexchange:CreateDataSet`).


**AWS Data Exchange API and required permissions for actions**  

| AWS Data Exchange API operations | Required permissions (API actions) | Resources | Conditions | 
| --- | --- | --- | --- | 
| CreateDataSet | dataexchange:CreateDataSet | N/A |  `aws:TagKeys` `aws:RequestTag`  | 
| GetDataSet | dataexchange:GetDataSet | Data set |  aws:RequestTag | 
| UpdateDataSet | dataexchange:UpdateDataSet | Data set |  aws:RequestTag | 
| PublishDataSet | dataexchange:PublishDataSet | Data set |  aws:RequestTag | 
| DeleteDataSet | dataexchange:DeleteDataSet | Data set | aws:RequestTag | 
| ListDataSets | dataexchange:ListDataSets | N/A | N/A | 
| CreateRevision | dataexchange:CreateRevision | Data set |  `aws:TagKeys` `aws:RequestTag`  | 
| GetRevision | dataexchange:GetRevision |  Revision  | aws:RequestTag | 
| DeleteRevision | dataexchange:DeleteRevision |  Revision  | aws:RequestTag | 
| ListDataSetRevisions | dataexchange:ListDataSetRevisions | Data set | aws:RequestTag | 
| ListRevisionAssets | dataexchange:ListRevisionAssets |  Revision  | aws:RequestTag | 
| CreateEventAction | dataexchange:CreateEventAction | N/A | N/A | 
| UpdateEventAction | dataexchange:UpdateEventAction |  EventAction  | N/A | 
| GetEventAction | dataexchange:GetEventAction |  EventAction  | N/A | 
| ListEventActions | dataexchange:ListEventActions | N/A | N/A | 
| DeleteEventAction | dataexchange:DeleteEventAction |  EventAction  | N/A | 
| CreateJob | dataexchange:CreateJob | N/A | dataexchange:JobType | 
| GetJob | dataexchange:GetJob | Job | dataexchange:JobType | 
| StartJob\*\* | dataexchange:StartJob | Job | dataexchange:JobType | 
| CancelJob | dataexchange:CancelJob | Job | dataexchange:JobType | 
| ListJobs | dataexchange:ListJobs | N/A | N/A | 
| ListTagsForResource | dataexchange:ListTagsForResource |  Revision  | aws:RequestTag | 
| TagResource | dataexchange:TagResource |  Revision  |  `aws:TagKeys` `aws:RequestTag`  | 
| UnTagResource | dataexchange:UnTagResource |  Revision  |  `aws:TagKeys` `aws:RequestTag`  | 
| UpdateRevision | dataexchange:UpdateRevision |  Revision  | aws:RequestTag | 
| DeleteAsset | dataexchange:DeleteAsset |  Asset  | N/A | 
| GetAsset | dataexchange:GetAsset |  Asset  | N/A | 
| UpdateAsset | dataexchange:UpdateAsset |  Asset  | N/A | 
| SendApiAsset | dataexchange:SendApiAsset |  Asset  | N/A | 

**\*\*** Additional IAM permissions might be needed depending on the type of the job you are starting. See the following table for the AWS Data Exchange job types and associated additional IAM permissions. For more information about jobs, see [Jobs in AWS Data Exchange](jobs.md).

**Note**  
Currently, the `SendApiAsset` operation is not supported for the following SDKs:  
+ SDK for .NET
+ AWS SDK for C++
+ SDK for Java 2.x


**AWS Data Exchange job type permissions for `StartJob`**  

| Job type | Additional IAM permissions needed | 
| --- | --- | 
| `IMPORT_ASSETS_FROM_S3` | `dataexchange:CreateAsset` | 
| `IMPORT_ASSET_FROM_SIGNED_URL` | `dataexchange:CreateAsset` | 
| `IMPORT_ASSETS_FROM_API_GATEWAY_API` | `dataexchange:CreateAsset` | 
| `IMPORT_ASSETS_FROM_REDSHIFT_DATA_SHARES` | `dataexchange:CreateAsset`, `redshift:AuthorizeDataShare` | 
| `EXPORT_ASSETS_TO_S3` | `dataexchange:GetAsset` | 
| `EXPORT_ASSETS_TO_SIGNED_URL` | `dataexchange:GetAsset` | 
| `EXPORT_REVISIONS_TO_S3` | `dataexchange:GetRevision`, `dataexchange:GetDataSet`. The IAM permission `dataexchange:GetDataSet` is only needed if you are using `DataSet.Name` as the dynamic reference for the `EXPORT_REVISIONS_TO_S3` job type. | 

You can scope data set actions to the revision or asset level through the use of wildcards, as in the following example.

```
arn:aws:dataexchange:us-east-1:123456789012:data-sets/99EXAMPLE23c7c272897cf1EXAMPLE7a/revisions/*/assets/*
```
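A least-privilege policy built from the condition key table, the `StartJob` job type table and the wildcard ARN form above, as an added example that is not from this guide: it allows only `EXPORT_ASSETS_TO_S3` jobs plus reads of one data set, and a deliberately simplified evaluator (an assumption of this example, not the IAM policy engine) shows which requests it allows and that its explicit deny still wins beside a broader policy. The ARNs and the broad companion policy are constructed placeholders.

```python
# Added example (not from the AWS Data Exchange guide): a least-privilege
# policy for a principal that may run only EXPORT_ASSETS_TO_S3 jobs and read
# one data set, checked with a deliberately simplified IAM-style evaluator.
import fnmatch
import json

# Constructed placeholder ARNs in the shape of the guide's example.
ACCOUNT = "123456789012"
DATA_SET_ARN = (f"arn:aws:dataexchange:us-east-1:{ACCOUNT}"
                ":data-sets/99EXAMPLE23c7c272897cf1EXAMPLE7a")
JOB_ARN = f"arn:aws:dataexchange:us-east-1:{ACCOUNT}:jobs/JOBEXAMPLE00"

# Job actions are gated on the dataexchange:JobType condition key. GetAsset
# is the extra permission StartJob needs for EXPORT_ASSETS_TO_S3 and is
# scoped with the revisions/*/assets/* wildcard form shown in the guide.
EXPORT_ONLY_POLICY = json.loads(f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Sid": "ExportJobsOnly", "Effect": "Allow",
      "Action": ["dataexchange:CreateJob", "dataexchange:StartJob",
                 "dataexchange:GetJob", "dataexchange:CancelJob"],
      "Resource": "*",
      "Condition": {{"StringEquals":
                     {{"dataexchange:JobType": "EXPORT_ASSETS_TO_S3"}}}}}},
    {{"Sid": "ReadOneDataSet", "Effect": "Allow",
      "Action": ["dataexchange:GetDataSet", "dataexchange:GetRevision",
                 "dataexchange:GetAsset"],
      "Resource": ["{DATA_SET_ARN}", "{DATA_SET_ARN}/revisions/*",
                   "{DATA_SET_ARN}/revisions/*/assets/*"]}},
    {{"Sid": "NeverImport", "Effect": "Deny",
      "Action": "dataexchange:*", "Resource": "*",
      "Condition": {{"StringLike": {{"dataexchange:JobType": "IMPORT_*"}}}}}}
  ]
}}""")

# Constructed stand-in for a broad policy attached alongside (for instance a
# managed policy); it is NOT the content of any real AWS managed policy.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dataexchange:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operator/key tests must hold. A key absent from the request
    context makes its test false, as in IAM (no ...IfExists variants)."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            if key not in context:
                return False
            actual, expected = context[key], _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, e) for e in expected):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise ValueError(f"operator {operator} is not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Teaching model of IAM evaluation for identity-based policies: an
    explicit Deny wins, else any matching Allow, else implicit Deny.
    Actions match case-insensitively; '*' and '?' are wildcards."""
    context = context or {}
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                       for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def check_export_only_policy():
    """Decisions a practitioner would verify before attaching the policy."""
    export_ctx = {"dataexchange:JobType": "EXPORT_ASSETS_TO_S3"}
    import_ctx = {"dataexchange:JobType": "IMPORT_ASSETS_FROM_S3"}
    own_asset = f"{DATA_SET_ARN}/revisions/REVEXAMPLE01/assets/ASSETEXAMPLE01"
    other_asset = (f"arn:aws:dataexchange:us-east-1:{ACCOUNT}:data-sets/"
                   "11EXAMPLEotherdataset0EXAMPLE1b/revisions/R2/assets/A2")
    pol = [EXPORT_ONLY_POLICY]
    return {
        "start_export_job": evaluate(pol, "dataexchange:StartJob", JOB_ARN, export_ctx),
        "start_import_job": evaluate(pol, "dataexchange:StartJob", JOB_ARN, import_ctx),
        "get_asset_in_scope": evaluate(pol, "dataexchange:GetAsset", own_asset),
        "get_asset_other_data_set": evaluate(pol, "dataexchange:GetAsset", other_asset),
        # The explicit Deny still wins when a broader Allow is also attached.
        "import_with_broad_policy": evaluate(
            [BROAD_POLICY] + pol, "dataexchange:CreateJob", JOB_ARN, import_ctx),
    }
```

Before relying on a policy like this in an account, confirm the same decisions with the IAM policy simulator, which applies the real evaluation logic.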

Some AWS Data Exchange actions can only be performed on the AWS Data Exchange console. These actions are integrated with AWS Marketplace functionality. The actions require the AWS Marketplace permissions shown in the following table.


**AWS Data Exchange console-only actions for subscribers**  

| Console action | IAM permission | 
| --- | --- | 
| Subscribe to a product |  `aws-marketplace:Subscribe` `aws-marketplace:CreateAgreementRequest` `aws-marketplace:AcceptAgreementRequest`  | 
| Send subscription verification request |  `aws-marketplace:Subscribe` `aws-marketplace:CreateAgreementRequest` `aws-marketplace:AcceptAgreementRequest`  | 
| Enable subscription auto-renew |  `aws-marketplace:Subscribe` `aws-marketplace:CreateAgreementRequest` `aws-marketplace:AcceptAgreementRequest`  | 
| View auto-renew status on a subscription |  `aws-marketplace:ListEntitlementDetails` `aws-marketplace:ViewSubscriptions` `aws-marketplace:GetAgreementTerms`  | 
| Disable subscription auto-renew |  `aws-marketplace:Subscribe` `aws-marketplace:CreateAgreementRequest` `aws-marketplace:AcceptAgreementRequest`  | 
| List active subscriptions |  `aws-marketplace:ViewSubscriptions` `aws-marketplace:SearchAgreements` `aws-marketplace:GetAgreementTerms`  | 
| View subscription |  `aws-marketplace:ViewSubscriptions` `aws-marketplace:SearchAgreements` `aws-marketplace:GetAgreementTerms` `aws-marketplace:DescribeAgreement`  | 
| List subscription verification requests |  `aws-marketplace:ListAgreementRequests`  | 
| View subscription verification request |  `aws-marketplace:GetAgreementRequest`  | 
| Cancel subscription verification request |  `aws-marketplace:CancelAgreementRequest`  | 
| View all offers targeted to the account |  `aws-marketplace:ListPrivateListings`  | 
| View details of a specific offer |  `aws-marketplace:GetPrivateListing`  | 


**AWS Data Exchange console-only actions for providers**  

| Console action | IAM permission | 
| --- | --- | 
| Tag product |  `aws-marketplace:TagResource` `aws-marketplace:UntagResource` `aws-marketplace:ListTagsForResource`  | 
| Tag offer |  `aws-marketplace:TagResource` `aws-marketplace:UntagResource` `aws-marketplace:ListTagsForResource`  | 
| Publish product |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet` `dataexchange:PublishDataSet`  | 
| Unpublish product |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`  | 
| Edit product |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`  | 
| Create custom offer |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`  | 
| Edit custom offer |  `aws-marketplace:StartChangeSet` `aws-marketplace:DescribeChangeSet`  | 
| View product details |  `aws-marketplace:DescribeEntity` `aws-marketplace:ListEntities`  | 
| View product's custom offer |  `aws-marketplace:DescribeEntity`  | 
| View product dashboard |  `aws-marketplace:ListEntities` `aws-marketplace:DescribeEntity`  | 
| List products to which a data set or revision has been published |  `aws-marketplace:ListEntities` `aws-marketplace:DescribeEntity`  | 
| List subscription verification requests |  `aws-marketplace:ListAgreementApprovalRequests` `aws-marketplace:GetAgreementApprovalRequest`  | 
| Approve subscription verification requests |  `aws-marketplace:AcceptAgreementApprovalRequest`  | 
| Decline subscription verification requests |  `aws-marketplace:RejectAgreementApprovalRequest`  | 
| Delete information from subscription verification requests |  `aws-marketplace:UpdateAgreementApprovalRequest`  | 
| View subscription details |  `aws-marketplace:SearchAgreements` `aws-marketplace:GetAgreementTerms`  | 

# AWS managed policies for AWS Data Exchange
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess)
+ [AWS managed policy: AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess)
+ [AWS managed policy: AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly)
+ [AWS managed policy: AWSDataExchangeServiceRolePolicyForLicenseManagement](#security-iam-awsmanpol-awsdataexchangeservicerolepolicyforlicensemanagement)
+ [AWS managed policy: AWSDataExchangeServiceRolePolicyForOrganizationDiscovery](#security-iam-awsmanpol-awsdataexchangeservicerolepolicyfororganizationdiscovery)
+ [AWS managed policy: AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess)
+ [AWS managed policy: AWSDataExchangeDataGrantOwnerFullAccess](#security-iam-awsmanpol-awsdataexchangedatagrantownerfullaccess)
+ [AWS managed policy: AWSDataExchangeDataGrantReceiverFullAccess](#security-iam-awsmanpol-awsdataexchangedatagrantreceiverfullaccess)
+ [AWS Data Exchange updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: AWSDataExchangeFullAccess
<a name="security-iam-awsmanpol-awsdataexchangefullaccess"></a>

You can attach the `AWSDataExchangeFullAccess` policy to your IAM identities.

This policy grants administrative permissions that allow full access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeProviderFullAccess
<a name="security-iam-awsmanpol-awsdataexchangeproviderfullaccess"></a>

You can attach the `AWSDataExchangeProviderFullAccess` policy to your IAM identities.

This policy grants contributor permissions that provide data provider access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeProviderFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeProviderFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeReadOnly
<a name="security-iam-awsmanpol-awsdataexchangereadonly"></a>

You can attach the `AWSDataExchangeReadOnly` policy to your IAM identities.

This policy grants read-only permissions that allow read-only access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeReadOnly.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeReadOnly.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeServiceRolePolicyForLicenseManagement
<a name="security-iam-awsmanpol-awsdataexchangeservicerolepolicyforlicensemanagement"></a>

You can't attach the `AWSDataExchangeServiceRolePolicyForLicenseManagement` policy to your IAM entities. This policy is attached to a service-linked role that allows AWS Data Exchange to perform actions on your behalf. It grants role permissions that allow AWS Data Exchange to retrieve information about your AWS organization and manage AWS Data Exchange data grant licenses. For more information, see [Service-linked role for AWS Data Exchange license management](using-service-linked-roles-license-management.md) later in this section.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeServiceRolePolicyForLicenseManagement.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeServiceRolePolicyForLicenseManagement.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeServiceRolePolicyForOrganizationDiscovery
<a name="security-iam-awsmanpol-awsdataexchangeservicerolepolicyfororganizationdiscovery"></a>

You can't attach the `AWSDataExchangeServiceRolePolicyForOrganizationDiscovery` policy to your IAM entities. This policy is attached to a service-linked role that allows AWS Data Exchange to perform actions on your behalf. It grants role permissions that allow AWS Data Exchange to retrieve information about your AWS organization to determine eligibility for AWS Data Exchange data grant license distribution. For more information, see [Service-linked roles for AWS Organization discovery in AWS Data Exchange](using-service-linked-roles-aws-org-discovery.md).

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeSubscriberFullAccess
<a name="security-iam-awsmanpol-awsdataexchangesubscriberfullaccess"></a>

You can attach the `AWSDataExchangeSubscriberFullAccess` policy to your IAM identities.

This policy grants contributor permissions that allow data subscriber access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeSubscriberFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeSubscriberFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeDataGrantOwnerFullAccess
<a name="security-iam-awsmanpol-awsdataexchangedatagrantownerfullaccess"></a>

You can attach the `AWSDataExchangeDataGrantOwnerFullAccess` policy to your IAM identities.

This policy gives a Data Grant owner access to AWS Data Exchange actions using the AWS Management Console and SDKs.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeDataGrantOwnerFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeDataGrantOwnerFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSDataExchangeDataGrantReceiverFullAccess
<a name="security-iam-awsmanpol-awsdataexchangedatagrantreceiverfullaccess"></a>

You can attach the `AWSDataExchangeDataGrantReceiverFullAccess` policy to your IAM identities.

This policy gives a Data Grant receiver access to AWS Data Exchange actions using the AWS Management Console and SDKs.

To view permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeDataGrantReceiverFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataExchangeDataGrantReceiverFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS Data Exchange updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

The following table provides details about updates to AWS managed policies for AWS Data Exchange since this service began tracking these changes. For automatic alerts about changes to this page (and any other changes to this user guide), subscribe to the RSS feed on the [Document history for AWS Data Exchange](doc-history.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSDataExchangeDataGrantOwnerFullAccess](#security-iam-awsmanpol-awsdataexchangedatagrantownerfullaccess) – New policy  |  AWS Data Exchange added a new policy to grant Data Grant owners access to AWS Data Exchange actions.  | October 24, 2024 | 
|  [AWSDataExchangeDataGrantReceiverFullAccess](#security-iam-awsmanpol-awsdataexchangedatagrantreceiverfullaccess) – New policy  |  AWS Data Exchange added a new policy to grant Data Grant receivers access to AWS Data Exchange actions.  | October 24, 2024 | 
|  [AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly) – Update to an existing policy  |  Added necessary permissions to the `AWSDataExchangeReadOnly` AWS managed policy for the new data grants feature.  | October 24, 2024 | 
|  [AWSDataExchangeServiceRolePolicyForLicenseManagement](#security-iam-awsmanpol-awsdataexchangeservicerolepolicyforlicensemanagement) – New policy  |  Added a new policy to support service-linked roles to manage license grants in customer accounts.  | October 17, 2024 | 
|  [AWSDataExchangeServiceRolePolicyForOrganizationDiscovery](#security-iam-awsmanpol-awsdataexchangeservicerolepolicyfororganizationdiscovery) – New policy  |  Added a new policy to support service-linked roles to provide read access to account information in your AWS Organization.  | October 17, 2024 | 
|  [AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly) – Update to an existing policy  | Added statement IDs to make the policy easier to read, expanded the wildcarded permissions to the full list of read-only AWS Data Exchange permissions, and added new actions: `aws-marketplace:ListTagsForResource` and `aws-marketplace:ListPrivateListings`. |  July 9, 2024  | 
| [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) | Removed action: aws-marketplace:GetPrivateListing | May 22, 2024 | 
| [AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess) | Added statement IDs to make the policy easier to read and added new action: aws-marketplace:ListPrivateListings. | April 30, 2024 | 
| [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) | Added statement IDs to make the policy easier to read and added new actions: aws-marketplace:TagResource, aws-marketplace:UntagResource, aws-marketplace:ListTagsForResource, aws-marketplace:ListPrivateListings, aws-marketplace:GetPrivateListing, and aws-marketplace:DescribeAgreement.  | April 30, 2024 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess)  | Added statement IDs to make the policy easier to read. | August 9, 2024 | 
| [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) | Added dataexchange:SendDataSetNotification, a new permission to send data set notifications. | March 5, 2024 | 
|  [AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess), [AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly), [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess), and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added granular actions across all managed policies. New actions added are `aws-marketplace:CreateAgreementRequest`, `aws-marketplace:AcceptAgreementRequest`, `aws-marketplace:ListEntitlementDetails`, `aws-marketplace:ListPrivateListings`, `aws-marketplace:GetPrivateListing`, `license-manager:ListReceivedGrants`, `aws-marketplace:TagResource`, `aws-marketplace:UntagResource`, `aws-marketplace:ListTagsForResource`, `aws-marketplace:DescribeAgreement`, `aws-marketplace:GetAgreementTerms`, and `aws-marketplace:GetLicense`.  | July 31, 2023 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) – Update to existing policy  |  Added `dataexchange:RevokeRevision`, a new permission to revoke a revision.  | March 15, 2022 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added `apigateway:GET`, a new permission to retrieve an API asset from Amazon API Gateway.  | December 3, 2021 | 
| [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) and [AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess) – Update to existing policies |  Added `dataexchange:SendApiAsset`, a new permission to send a request to an API asset.  | November 29, 2021 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added `redshift:AuthorizeDataShare`, `redshift:DescribeDataSharesForProducer`, and `redshift:DescribeDataShares`, new permissions to authorize access to and create Amazon Redshift data sets.  | November 1, 2021 | 
|  [AWSDataExchangeSubscriberFullAccess](#security-iam-awsmanpol-awsdataexchangesubscriberfullaccess) – Update to an existing policy  |  Added `dataexchange:CreateEventAction`, `dataexchange:UpdateEventAction`, and `dataexchange:DeleteEventAction`, new permissions to control access to automatically export new revisions of data sets.  | September 30, 2021 | 
|  [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess) and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added `dataexchange:PublishDataSet`, a new permission to control access to publishing new versions of data sets.  | May 25, 2021 | 
|  [AWSDataExchangeReadOnly](#security-iam-awsmanpol-awsdataexchangereadonly), [AWSDataExchangeProviderFullAccess](#security-iam-awsmanpol-awsdataexchangeproviderfullaccess), and [AWSDataExchangeFullAccess](#security-iam-awsmanpol-awsdataexchangefullaccess) – Update to existing policies  |  Added `aws-marketplace:SearchAgreements` and `aws-marketplace:GetAgreementTerms` to enable viewing subscriptions for products and offers.  | May 12, 2021 | 
|  AWS Data Exchange started tracking changes  |  AWS Data Exchange started tracking changes for its AWS managed policies.  | April 20, 2021 | 

# Using service-linked roles for AWS Data Exchange
<a name="using-service-linked-roles-adx"></a>

AWS Data Exchange uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS Data Exchange. Service-linked roles are predefined by AWS Data Exchange and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up AWS Data Exchange easier because you don’t have to manually add the necessary permissions. AWS Data Exchange defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Data Exchange can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your AWS Data Exchange resources because you can't inadvertently remove permission to access them.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Creating a service-linked role for AWS Data Exchange
<a name="create-service-linked-role-license-management"></a>

You don't need to manually create a service-linked role. When you distribute a data grant using AWS License Manager, it creates the service-linked role for you. 

**To create a service-linked role**

1. In the [AWS Data Exchange console](https://console.aws.amazon.com/adx/), sign in and choose **Data Grant settings**.

1. On the **Data Grant settings** page, choose **Configure integration**.

1. In the **Create AWS Organizations integration** section, select **Configure integration**.

1. On the **Create AWS Organizations integration** page, choose the appropriate trust level preference, and then choose **Create integration**.

You can also use the IAM console to create a service-linked role with a use case. In the AWS CLI or the AWS API, create a service-linked role with the service name of the role you need: `license-management.dataexchange.amazonaws.com` or `organization-discovery.dataexchange.amazonaws.com`. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for AWS Data Exchange
<a name="edit-service-linked-role-license-management"></a>

AWS Data Exchange does not allow you to edit the service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for AWS Data Exchange
<a name="delete-service-linked-role-license-management"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the AWS Data Exchange service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

Before you can delete the service-linked role, you must:
+ For the `AWSServiceRoleForAWSDataExchangeLicenseManagement` role, remove all AWS License Manager distributed grants for AWS Data Exchange data grants you received.
+ For the `AWSServiceRoleForAWSDataExchangeOrganizationDiscovery` role, remove all AWS License Manager distributed grants for AWS Data Exchange data grants received by accounts in your AWS organization.

**Manually deleting the service-linked role**

Use the IAM console, the AWS CLI, or the AWS API to delete the service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for AWS Data Exchange service-linked roles
<a name="slr-regions-adx"></a>

AWS Data Exchange supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see [AWS Regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).

# Service-linked role for AWS Data Exchange license management
<a name="using-service-linked-roles-license-management"></a>

AWS Data Exchange uses the service-linked role named `AWSServiceRoleForAWSDataExchangeLicenseManagement`. This role allows AWS Data Exchange to retrieve information about your AWS organization and manage AWS Data Exchange data grant licenses.

The `AWSServiceRoleForAWSDataExchangeLicenseManagement` service-linked role trusts the following services to assume the role:
+ `license-management.dataexchange.amazonaws.com`

The role permissions policy named `AWSDataExchangeServiceRolePolicyForLicenseManagement` allows AWS Data Exchange to complete the following actions on the specified resources:
+ Actions: 
  + `organizations:DescribeOrganization`
  + `license-manager:ListDistributedGrants`
  + `license-manager:GetGrant`
  + `license-manager:CreateGrantVersion`
  + `license-manager:DeleteGrant`
+ Resources:
  + All resources (`*`)

For more information about the `AWSDataExchangeServiceRolePolicyForLicenseManagement` role, see [AWS managed policy: AWSDataExchangeServiceRolePolicyForLicenseManagement](security-iam-awsmanpol.md#security-iam-awsmanpol-awsdataexchangeservicerolepolicyforlicensemanagement).

For more information about using the `AWSServiceRoleForAWSDataExchangeLicenseManagement` service-linked role, see [Using service-linked roles for AWS Data Exchange](using-service-linked-roles-adx.md).

You must configure permissions to allow your users, groups, or roles to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

# Service-linked roles for AWS Organization discovery in AWS Data Exchange
<a name="using-service-linked-roles-aws-org-discovery"></a>

AWS Data Exchange uses the service-linked role named `AWSServiceRoleForAWSDataExchangeOrganizationDiscovery` – this role allows AWS Data Exchange to retrieve information about your AWS organization to determine eligibility for AWS Data Exchange data grants license distribution.

**Note**  
This role is only needed in the AWS Organization's management account.

The `AWSServiceRoleForAWSDataExchangeOrganizationDiscovery` service-linked role trusts the following services to assume the role:
+ `organization-discovery.dataexchange.amazonaws.com`

The role permissions policy named `AWSDataExchangeServiceRolePolicyForOrganizationDiscovery` allows AWS Data Exchange to complete the following actions on the specified resources:
+ Actions:
  + `organizations:DescribeOrganization`
  + `organizations:DescribeAccount`
  + `organizations:ListAccounts`
+ Resources:
  + All resources (`*`)

For more information about the `AWSDataExchangeServiceRolePolicyForOrganizationDiscovery` role, see [AWS managed policy: AWSDataExchangeServiceRolePolicyForOrganizationDiscovery](security-iam-awsmanpol.md#security-iam-awsmanpol-awsdataexchangeservicerolepolicyfororganizationdiscovery).

For more information about using the `AWSServiceRoleForAWSDataExchangeOrganizationDiscovery` service-linked role, see [Using service-linked roles for AWS Data Exchange](using-service-linked-roles-adx.md) earlier in this section.

You must configure permissions to allow your users, groups, or roles to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
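Both service-linked roles above are defined by a single trusting service principal. As an added example (not AWS code), the following Python compares a role's trust policy, as returned by `aws iam get-role`, against the documented principal for that role and reports any deviation, such as a manually created role that reuses the name but also trusts another account. The `trust_policy_findings` helper and the sample documents are constructed for this illustration.

```python
# Expected trusting service for each AWS Data Exchange service-linked role on this page.
EXPECTED_SERVICE = {
    "AWSServiceRoleForAWSDataExchangeLicenseManagement":
        "license-management.dataexchange.amazonaws.com",
    "AWSServiceRoleForAWSDataExchangeOrganizationDiscovery":
        "organization-discovery.dataexchange.amazonaws.com",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(role_name, trust_policy):
    """Return findings for a role's AssumeRolePolicyDocument (as returned by
    `aws iam get-role`); an empty list means it matches the documented trust."""
    expected = EXPECTED_SERVICE[role_name]
    findings, saw_expected = [], False
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("statement trusts any principal (*)")
            continue
        for ptype, values in principal.items():
            for value in _as_list(values):
                if ptype == "Service" and value == expected:
                    saw_expected = True
                else:
                    findings.append(f"unexpected {ptype} principal: {value}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"unexpected action in trust policy: {action}")
    if not saw_expected:
        findings.append(f"expected service principal {expected} is not trusted")
    return findings

# Constructed sample documents, not captured from a real account.
DOCUMENTED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "license-management.dataexchange.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
# Same role name, but a manually created role that also trusts another account.
WIDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "license-management.dataexchange.amazonaws.com",
                  "AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}]}
```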

# Compliance validation for AWS Data Exchange
<a name="compliance-program-info"></a>

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

## PCI DSS compliance
<a name="pci-dss-compliance"></a>

AWS Data Exchange supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see [PCI DSS Level 1](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/). 

# Resilience in AWS Data Exchange
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

AWS Data Exchange has a single, globally available product catalog offered by providers. Subscribers can see the same catalog, regardless of which Region they are using. The resources underlying the product (data sets, revisions, assets) are regional resources that you manage programmatically or through the AWS Data Exchange console in supported Regions. AWS Data Exchange replicates your data across multiple Availability Zones within the Regions where the service operates. For information about supported Regions, see [Global Infrastructure Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in AWS Data Exchange
<a name="infrastructure-security"></a>

As a managed service, AWS Data Exchange is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well-Architected Framework*.

You use AWS published API calls to access AWS Data Exchange through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

# AWS Data Exchange and interface VPC endpoints (AWS PrivateLink)
<a name="vpc-interface-endpoints"></a>

You can establish a private connection between your virtual private cloud (VPC) and AWS Data Exchange by creating an *interface VPC endpoint*. Interface endpoints are powered by [AWS PrivateLink](https://aws.amazon.com/privatelink), a technology that enables you to privately access AWS Data Exchange API operations without an internet gateway, NAT device, VPN connection, or Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with AWS Data Exchange API operations. Traffic between your VPC and AWS Data Exchange does not leave the Amazon network. 

Each interface endpoint is represented by one or more [Elastic Network Interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) in your subnets. 

**Note**  
Every AWS Data Exchange action, except for `SendAPIAsset`, is supported through VPC endpoints.

For more information, see [Interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html) in the *Amazon VPC User Guide*. 

## Considerations for AWS Data Exchange VPC endpoints
<a name="vpc-endpoint-considerations"></a>

Before you set up an interface VPC endpoint for AWS Data Exchange, ensure that you review [Interface endpoint properties and limitations](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations) in the *Amazon VPC User Guide*. 

AWS Data Exchange supports making calls to all of its API operations from your VPC, with the exception of `SendAPIAsset` noted above.

## Creating an interface VPC endpoint for AWS Data Exchange
<a name="vpc-endpoint-create"></a>

You can create a VPC endpoint for the AWS Data Exchange service using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see [Creating an interface endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) in the *Amazon VPC User Guide*.

Create a VPC endpoint for AWS Data Exchange using the following service name: 
+ `com.amazonaws.region.dataexchange`

If you enable private DNS for the endpoint, you can make API requests to AWS Data Exchange using the service's default DNS name for the AWS Region (for example, `dataexchange.us-east-1.amazonaws.com` for an endpoint created with the service name `com.amazonaws.us-east-1.dataexchange` in US East (N. Virginia)).

For more information, see [Accessing a service through an interface endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#access-service-though-endpoint) in the *Amazon VPC User Guide*.

## Creating a VPC endpoint policy for AWS Data Exchange
<a name="vpc-endpoint-policy"></a>

You can attach an endpoint policy to your VPC endpoint that controls access to AWS Data Exchange. The policy specifies the following information:
+ The principal that can perform actions
+ The actions that can be performed
+ The resources on which actions can be performed

For more information, see [Controlling access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*. 

**Example: VPC endpoint policy for AWS Data Exchange actions**  
The following is an example of an endpoint policy for AWS Data Exchange. When attached to an endpoint, this policy grants the listed principals access to AWS Data Exchange actions on all resources (`"Resource": "*"`).

This example VPC endpoint policy allows full access only to the user `bts` in AWS account `123456789012`, and only for requests that originate from `vpc-12345678` (enforced by the `aws:sourceVpc` condition). The user `readUser` is allowed read-only actions (`dataexchange:list*` and `dataexchange:get*`) without a VPC condition. Because the policy contains no other Allow statements, all other IAM principals are implicitly denied access through the endpoint.

------
#### [ JSON ]

```json
{
    "Id": "example-policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow administrative actions from vpc-12345678",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/bts"
                ]
            },
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-12345678"
                }
            }
        },
        {
            "Sid": "Allow ReadOnly actions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/readUser"
                ]
            },
            "Action": [
                "dataexchange:list*",
                "dataexchange:get*"
            ],
            "Resource": "*"
        }
    ]
}
```

------
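As an added example (not from the AWS documentation), the following Python evaluates the endpoint policy above the way the endpoint would, using a simplified form of IAM's evaluation logic, so you can confirm which calls each principal can make before attaching the policy. The `is_allowed` helper and its condition handling are assumptions limited to what this policy uses; the embedded policy is a copy of the page's example with its placeholder values.

```python
import fnmatch

# Constructed copy of this page's example endpoint policy (placeholder account, users and VPC ID).
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow administrative actions from vpc-12345678", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/bts"]},
         "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:sourceVpc": "vpc-12345678"}}},
        {"Sid": "Allow ReadOnly actions", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/readUser"]},
         "Action": ["dataexchange:list*", "dataexchange:get*"], "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # IAM matches action names case-insensitively, with * as a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _principal_matches(principal, arn):
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return "*" in aws or arn in aws

def _conditions_hold(condition, context):
    # Only StringEquals is needed for this policy; condition keys are case-insensitive.
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        if any(ctx.get(key.lower()) != want for key, want in pairs.items()):
            return False
    return True

def is_allowed(policy, principal_arn, action, context):
    """Simplified IAM evaluation: explicit Deny wins, a matching Allow grants, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], principal_arn)
                and _action_matches(stmt["Action"], action)
                and _conditions_hold(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The `context` argument carries the request's condition keys; for an endpoint policy the relevant one here is `aws:sourceVpc`, so a call from a different VPC fails the administrative statement even for `bts`.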