AWS managed policy: AmazonDataZoneFullAccess - Amazon DataZone
Considerations

AWS managed policy: AmazonDataZoneFullAccess

You can attach the AmazonDataZoneFullAccess policy to your IAM identities.

This policy provides full access to Amazon DataZone via the AWS Management Console. This policy also has permissions to AWS KMS for encrypted SSM parameters. The KMS key must be tagged with EnableKeyForAmazonDataZone to allow decrypting the SSM parameters.

Permissions details

This policy includes the following permissions:

  • datazone – grants principals full access to Amazon DataZone via the AWS Management Console.

  • kms – Allows principals to list aliases, describe keys, and decrypt keys.

  • s3 – Allows principals to choose existing or create new S3 buckets to store Amazon DataZone data.

  • ram – Allows principals to share Amazon DataZone domains across AWS accounts.

  • iam – Allows principals to list and pass roles and get policies.

  • sso – Allows principals to obtain the regions where AWS IAM Identity Center is enabled.

  • secretsmanager – Allows principals to create, tag, and list secrets with a specific prefix.

  • aoss – Allows principals to create and retrieve information for OpenSearch Serverless security policies.

  • bedrock – Allows principals to create, list, and retrieve information for inference profiles and foundation models.

  • codeconnections – Allows principals to delete, retrieve information, list connections, and manage tags for connections.

  • codewhisperer – Allows principals to list CodeWhisperer profiles.

  • ssm – Allows principals to put, delete, and retrieve information for parameters.

  • redshift – Allows principals to describe clusters and list serverless workgroups

  • glue – Allows principals to get databases.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AmazonDataZoneStatement",
			"Effect": "Allow",
			"Action": [
				"datazone:*"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "ReadOnlyStatement",
			"Effect": "Allow",
			"Action": [
				"kms:DescribeKey",
				"kms:ListAliases",
				"iam:ListRoles",
				"sso:DescribeRegisteredRegions",
				"s3:ListAllMyBuckets",
				"redshift:DescribeClusters",
				"redshift-serverless:ListWorkgroups",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSubnets",
				"ec2:DescribeVpcs",
				"secretsmanager:ListSecrets",
				"iam:ListUsers",
				"glue:GetDatabases",
				"codeconnections:ListConnections",
				"codeconnections:ListTagsForResource",
				"codewhisperer:ListProfiles",
				"bedrock:ListInferenceProfiles",
				"bedrock:ListFoundationModels",
				"bedrock:ListTagsForResource",
				"aoss:ListSecurityPolicies"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "BucketReadOnlyStatement",
			"Effect": "Allow",
			"Action": [
				"s3:ListBucket",
				"s3:GetBucketLocation"
			],
			"Resource": "arn:aws:s3:::*"
		},
		{
			"Sid": "CreateBucketStatement",
			"Effect": "Allow",
			"Action": [
				"s3:CreateBucket"
			],
			"Resource": [
				"arn:aws:s3:::amazon-datazone*",
				"arn:aws:s3:::amazon-sagemaker*"
			]
		},
		{
			"Sid": "ConfigureBucketStatement",
			"Effect": "Allow",
			"Action": [
				"s3:PutBucketCORS",
				"s3:PutBucketPolicy",
				"s3:PutBucketVersioning"
			],
			"Resource": [
				"arn:aws:s3:::amazon-sagemaker*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "RamCreateResourceStatement",
			"Effect": "Allow",
			"Action": [
				"ram:CreateResourceShare"
			],
			"Resource": "*",
			"Condition": {
				"StringEqualsIfExists": {
					"ram:RequestedResourceType": "datazone:Domain"
				}
			}
		},
		{
			"Sid": "RamResourceStatement",
			"Effect": "Allow",
			"Action": [
				"ram:DeleteResourceShare",
				"ram:AssociateResourceShare",
				"ram:DisassociateResourceShare",
				"ram:RejectResourceShareInvitation"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"ram:ResourceShareName": [
						"DataZone*"
					]
				}
			}
		},
		{
			"Sid": "RamResourceReadOnlyStatement",
			"Effect": "Allow",
			"Action": [
				"ram:GetResourceShares",
				"ram:GetResourceShareInvitations",
				"ram:GetResourceShareAssociations",
				"ram:ListResourceSharePermissions"
			],
			"Resource": "*"
		},
		{
			"Sid": "IAMPassRoleStatement",
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": [
				"arn:aws:iam::*:role/AmazonDataZone*",
				"arn:aws:iam::*:role/service-role/AmazonDataZone*",
				"arn:aws:iam::*:role/service-role/AmazonSageMaker*"
			],
			"Condition": {
				"StringEquals": {
					"iam:passedToService": "datazone.amazonaws.com"
				}
			}
		},
		{
			"Sid": "IAMGetPolicyStatement",
			"Effect": "Allow",
			"Action": "iam:GetPolicy",
			"Resource": [
				"arn:aws:iam::*:policy/service-role/AmazonDataZoneRedshiftAccessPolicy*"
			]
		},
		{
			"Sid": "DataZoneTagOnCreateDomainProjectTags",
			"Effect": "Allow",
			"Action": [
				"secretsmanager:TagResource"
			],
			"Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
			"Condition": {
				"ForAllValues:StringEquals": {
					"aws:TagKeys": [
						"AmazonDataZoneDomain",
						"AmazonDataZoneProject"
					]
				},
				"StringLike": {
					"aws:RequestTag/AmazonDataZoneDomain": "dzd_*",
					"aws:ResourceTag/AmazonDataZoneDomain": "dzd_*"
				}
			}
		},
		{
			"Sid": "DataZoneTagOnCreate",
			"Effect": "Allow",
			"Action": [
				"secretsmanager:TagResource"
			],
			"Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
			"Condition": {
				"ForAllValues:StringEquals": {
					"aws:TagKeys": [
						"AmazonDataZoneDomain"
					]
				},
				"StringLike": {
					"aws:RequestTag/AmazonDataZoneDomain": "dzd_*",
					"aws:ResourceTag/AmazonDataZoneDomain": "dzd_*"
				}
			}
		},
		{
			"Sid": "CreateSecretStatement",
			"Effect": "Allow",
			"Action": [
				"secretsmanager:CreateSecret"
			],
			"Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
			"Condition": {
				"StringLike": {
					"aws:RequestTag/AmazonDataZoneDomain": "dzd_*"
				}
			}
		},
		{
			"Sid": "ConnectionStatement",
			"Effect": "Allow",
			"Action": [
				"codeconnections:GetConnection"
			],
			"Resource": [
				"arn:aws:codeconnections:*:*:connection/*"
			]
		},
		{
			"Sid": "TagCodeConnectionsStatement",
			"Effect": "Allow",
			"Action": [
				"codeconnections:TagResource"
			],
			"Resource": [
				"arn:aws:codeconnections:*:*:connection/*"
			],
			"Condition": {
				"ForAllValues:StringEquals": {
					"aws:TagKeys": [
						"for-use-with-all-datazone-projects"
					]
				},
				"StringEquals": {
					"aws:RequestTag/for-use-with-all-datazone-projects": "true"
				}
			}
		},
		{
			"Sid": "UntagCodeConnectionsStatement",
			"Effect": "Allow",
			"Action": [
				"codeconnections:UntagResource"
			],
			"Resource": [
				"arn:aws:codeconnections:*:*:connection/*"
			],
			"Condition": {
				"ForAllValues:StringEquals": {
					"aws:TagKeys": "for-use-with-all-datazone-projects"
				}
			}
		},
		{
			"Sid": "SSMParameterStatement",
			"Effect": "Allow",
			"Action": [
				"ssm:GetParameter",
				"ssm:GetParametersByPath",
				"ssm:PutParameter",
				"ssm:DeleteParameter"
			],
			"Resource": [
				"arn:aws:ssm:*:*:parameter/amazon/datazone/q*",
				"arn:aws:ssm:*:*:parameter/amazon/datazone/genAI*",
				"arn:aws:ssm:*:*:parameter/amazon/datazone/profiles*"
			]
		},
		{
			"Sid": "UseKMSKeyPermissionsStatement",
			"Effect": "Allow",
			"Action": [
				"kms:Decrypt"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/EnableKeyForAmazonDataZone": "true"
				},
				"Null": {
					"aws:ResourceTag/EnableKeyForAmazonDataZone": "false"
				},
				"StringLike": {
					"kms:ViaService": "ssm.*.amazonaws.com"
				}
			}
		},
		{
			"Sid": "SecurityPolicyStatement",
			"Effect": "Allow",
			"Action": [
				"aoss:GetSecurityPolicy",
				"aoss:CreateSecurityPolicy"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringLike": {
					"aoss:collection": "genai-studio-*"
				}
			}
		},
		{
			"Sid": "GetFoundationModelStatement",
			"Effect": "Allow",
			"Action": [
				"bedrock:GetFoundationModel",
				"bedrock:GetFoundationModelAvailability"
			],
			"Resource": [
				"arn:aws:bedrock:*::foundation-model/*"
			]
		},
		{
			"Sid": "GetInferenceProfileStatement",
			"Effect": "Allow",
			"Action": [
				"bedrock:GetInferenceProfile"
			],
			"Resource": [
				"arn:aws:bedrock:*:*:inference-profile/*",
				"arn:aws:bedrock:*:*:application-inference-profile/*"
			]
		},
		{
			"Sid": "ApplicationInferenceProfileStatement",
			"Effect": "Allow",
			"Action": [
				"bedrock:CreateInferenceProfile"
			],
			"Resource": [
				"arn:aws:bedrock:*:*:application-inference-profile/*"
			],
			"Condition": {
				"Null": {
					"aws:RequestTag/AmazonDataZoneProject": "true",
					"aws:RequestTag/AmazonDataZoneDomain": "false"
				}
			}
		},
		{
			"Sid": "TagApplicationInferenceProfileStatement",
			"Effect": "Allow",
			"Action": [
				"bedrock:TagResource"
			],
			"Resource": [
				"arn:aws:bedrock:*:*:application-inference-profile/*"
			],
			"Condition": {
				"Null": {
					"aws:ResourceTag/AmazonDataZoneProject": "true",
					"aws:RequestTag/AmazonDataZoneProject": "true",
					"aws:ResourceTag/AmazonDataZoneDomain": "false",
					"aws:RequestTag/AmazonDataZoneDomain": "false"
				}
			}
		},
		{
			"Sid": "DeleteApplicationInferenceProfileStatement",
			"Effect": "Allow",
			"Action": [
				"bedrock:DeleteInferenceProfile"
			],
			"Resource": [
				"arn:aws:bedrock:*:*:application-inference-profile/*"
			],
			"Condition": {
				"Null": {
					"aws:ResourceTag/AmazonDataZoneProject": "true",
					"aws:ResourceTag/AmazonDataZoneDomain": "false"
				}
			}
		}
	]
}

Policy considerations and limitations

There are certain functionalities that the AmazonDataZoneFullAccess policy doesn't cover.

  • If you create an Amazon DataZone domain with your own AWS KMS key, you must have the permissions to kms:CreateGrant for domain creation to succeed, and to kms:GenerateDataKey, kms:Decrypt for that key to invoke other Amazon DataZone APIs such as listDataSources and createDataSource. And you must also have the permissions to kms:CreateGrant, kms:Decrypt, kms:GenerateDataKey, and kms:DescribeKey in the resource policy of that key.

    If you use the default service-owned KMS key, then this isn't required.

    For more information, see AWS Key Management Service.

  • If you want to use create and update role functionalities within the Amazon DataZone console, you must have administrator privileges or have the required IAM permissions to create IAM roles and create/update policies. The required permissions include iam:CreateRole, iam:CreatePolicy, iam:CreatePolicyVersion, iam:DeletePolicyVersion, and iam:AttachRolePolicy permissions.

  • If you create a new domain in Amazon DataZone with AWS IAM Identity Center users login activated, or if you activate it for an existing domain in Amazon DataZone, you must have permissions to the following:

    • organizations:DescribeOrganization

    • organizations:ListDelegatedAdministrators

    • sso:CreateInstance

    • sso:ListInstances

    • sso:GetSharedSsoConfiguration

    • sso:PutApplicationGrant

    • sso:PutApplicationAssignmentConfiguration

    • sso:PutApplicationAuthenticationMethod

    • sso:PutApplicationAccessScope

    • sso:CreateApplication

    • sso:DeleteApplication

    • sso:CreateApplicationAssignment

    • sso:DeleteApplicationAssignment

    • sso-directory:CreateUser

    • sso-directory:SearchUsers

    • sso:ListApplications

  • In order to accept an AWS account association request in Amazon DataZone, you must have the ram:AcceptResourceShareInvitation permission.

  • If you want to create required resource for SageMaker Unified Studio network setup, you must have permissions to the following and attach AmazonVpcFullAccess policy:

    • iam:PassRole

    • cloudformation:CreateStack