Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Security Best Practices for Amazon DataZone

PDF
RSS
Focus mode
Security Best Practices for Amazon DataZone - Amazon DataZone
Implement least privilege accessUse IAM rolesImplement Server-Side Encryption in Dependent ResourcesUse CloudTrail to Monitor API Calls

Amazon DataZone provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Implement least privilege access

When granting permissions, you decide who is getting what permissions to which Amazon DataZone resources. You enable specific actions that you want to allow on those resources. Therefore you should grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.

Use IAM roles

Producer and client applications must have valid credentials to access Amazon DataZone resources. You should not store AWS credentials directly in a client application or in an Amazon S3 bucket. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised.

Instead, you should use an IAM role to manage temporary credentials for your producer and client applications to access Amazon DataZone resources. When you use a role, you don't have to use long-term credentials (such as a user name and password or access keys) to access other resources.

For more information, see the following topics in the IAM User Guide:

Implement Server-Side Encryption in Dependent Resources

Data at rest and data in transit can be encrypted in Amazon DataZone.

Use CloudTrail to Monitor API Calls

Amazon DataZone is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon DataZone.

Using the information collected by CloudTrail, you can determine the request that was made to Amazon DataZone, the IP address from which the request was made, who made the request, when it was made, and additional details.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.