

# Controlling access to Amazon DataZone resources using IAM
<a name="security-iam"></a>

You need AWS Identity and Access Management (IAM) to complete the following security-related tasks:
+ Create users and groups under your AWS account.
+ Assign unique security credentials to each user under your AWS account.
+ Control each user's permissions to perform tasks with AWS resources.
+ Allow the users in another AWS account to share your AWS resources.
+ Create roles for your AWS account and define the users or services that can assume them.
+ Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources.

For more information about IAM, see the following:
+ [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/)
+ [Getting started with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started.html)
+ [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)

The following sections describe the policies and permissions that are required to set up Amazon DataZone and its components, such as domains, associated accounts, projects, and data sources. For more information, see [Amazon DataZone terminology and concepts](datazone-concepts.md).

**Topics**
+ [AWS managed policies for Amazon DataZone](security-iam-awsmanpol.md)
+ [IAM roles for Amazon DataZone](iam-roles-datazone.md)
+ [Temporary Credentials](temporarycredentials.md)
+ [Principal permissions](Principalpermissions.md)

# AWS managed policies for Amazon DataZone
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: AmazonDataZoneFullAccess](security-iam-awsmanpol-AmazonDataZoneFullAccess.md)
+ [AWS managed policy: AmazonDataZoneFullUserAccess](security-iam-awsmanpol-AmazonDataZoneFullUserAccess.md)
+ [AWS managed policy: AmazonDataZoneEnvironmentRolePermissionsBoundary](security-iam-awsmanpol-AmazonDataZoneEnvironmentRolePermissionsBoundary.md)
+ [AWS managed policy: AmazonDataZoneRedshiftGlueProvisioningPolicy](security-iam-awsmanpol-AmazonDataZoneRedshiftGlueProvisioningPolicy.md)
+ [AWS managed policy: AmazonDataZoneGlueManageAccessRolePolicy](security-iam-awsmanpol-AmazonDataZoneGlueManageAccessRolePolicy.md)
+ [AWS managed policy: AmazonDataZoneRedshiftManageAccessRolePolicy](security-iam-awsmanpol-AmazonDataZoneRedshiftManageAccessRolePolicy.md)
+ [AWS managed policy: AmazonDataZoneDomainExecutionRolePolicy](security-iam-awsmanpol-AmazonDataZoneDomainExecutionRolePolicy.md)
+ [AWS managed policy: AmazonDataZoneSageMakerProvisioningRolePolicy](security-iam-awsmanpol-AmazonDataZoneSageMakerProvisioningRolePolicy.md)
+ [AWS managed policy: AmazonDataZoneSageMakerManageAccessRolePolicy](security-iam-awsmanpol-AmazonDataZoneSageMakerManageAccessRolePolicy.md)
+ [AWS managed policy: AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary](security-iam-awsmanpol-AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary.md)
+ [Amazon DataZone updates to AWS managed policies](security-iam-awsmanpol-updates.md)

# AWS managed policy: AmazonDataZoneFullAccess
<a name="security-iam-awsmanpol-AmazonDataZoneFullAccess"></a>

You can attach the `AmazonDataZoneFullAccess` policy to your IAM identities.

This policy provides full access to Amazon DataZone via the AWS Management Console. This policy also has permissions to AWS KMS for encrypted SSM parameters. The KMS key must be tagged with EnableKeyForAmazonDataZone to allow decrypting the SSM parameters.

**Permissions details**

This policy includes the following permissions:
+ `datazone` – Grants principals full access to Amazon DataZone via the AWS Management Console.
+ `kms` – Allows principals to list aliases, describe keys, and decrypt keys.
+ `s3` – Allows principals to choose existing or create new S3 buckets to store Amazon DataZone data.
+ `ram` – Allows principals to share Amazon DataZone domains across AWS accounts.
+ `iam` – Allows principals to list and pass roles and get policies.
+ `sso` – Allows principals to obtain the regions where AWS IAM Identity Center is enabled.
+ `secretsmanager` – Allows principals to create, tag, and list secrets with a specific prefix.
+ `aoss` – Allows principals to create and retrieve information for OpenSearch Serverless security policies.
+ `bedrock` – Allows principals to create, list, and retrieve information for inference profiles and foundation models.
+ `codeconnections` – Allows principals to delete, retrieve information, list connections, and manage tags for connections.
+ `codewhisperer` – Allows principals to list CodeWhisperer profiles.
+ `ssm` – Allows principals to put, delete, and retrieve information for parameters.
+ `redshift` – Allows principals to describe clusters and list serverless workgroups.
+ `glue` – Allows principals to get databases.

To view the permissions for this policy, see [AmazonDataZoneFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneFullAccess.html) in the *AWS Managed Policy Reference*.

## Policy considerations and limitations
<a name="security-iam-awsmanpol-AmazonDataZoneFullAccess-limitations"></a>

There are certain functionalities that the `AmazonDataZoneFullAccess` policy doesn't cover.
+ If you create an Amazon DataZone domain with your own AWS KMS key, you must have the `kms:CreateGrant` permission for domain creation to succeed, and the `kms:GenerateDataKey` and `kms:Decrypt` permissions on that key to invoke other Amazon DataZone APIs such as `listDataSources` and `createDataSource`. The resource policy of that key must also grant you `kms:CreateGrant`, `kms:Decrypt`, `kms:GenerateDataKey`, and `kms:DescribeKey`.

   If you use the default service-owned KMS key, then this isn't required.

   For more information, see [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html).
+ If you want to use *create* and *update* role functionalities within the Amazon DataZone console, you must have administrator privileges or have the required IAM permissions to create IAM roles and create/update policies. The required permissions include `iam:CreateRole`, `iam:CreatePolicy`, `iam:CreatePolicyVersion`, `iam:DeletePolicyVersion`, and `iam:AttachRolePolicy` permissions.
+ If you create a new Amazon DataZone domain with AWS IAM Identity Center user login enabled, or if you enable it for an existing Amazon DataZone domain, you must have the following permissions:
  + organizations:DescribeOrganization
  + organizations:ListDelegatedAdministrators
  + sso:CreateInstance
  + sso:ListInstances
  + sso:GetSharedSsoConfiguration
  + sso:PutApplicationGrant
  + sso:PutApplicationAssignmentConfiguration
  + sso:PutApplicationAuthenticationMethod
  + sso:PutApplicationAccessScope
  + sso:CreateApplication
  + sso:DeleteApplication
  + sso:CreateApplicationAssignment
  + sso:DeleteApplicationAssignment
  + sso-directory:CreateUser
  + sso-directory:SearchUsers
  + sso:ListApplications
+ In order to accept an AWS account association request in Amazon DataZone, you must have the `ram:AcceptResourceShareInvitation` permission.
+ If you want to create the resources required for the SageMaker Unified Studio network setup, you must have the following permissions and attach the `AmazonVpcFullAccess` policy:
  + iam:PassRole
  + cloudformation:CreateStack

# AWS managed policy: AmazonDataZoneFullUserAccess
<a name="security-iam-awsmanpol-AmazonDataZoneFullUserAccess"></a>

This policy grants full access to Amazon DataZone, but it doesn't allow the management of domains, users, or associated accounts.

**Permissions details**

To view the permissions for this policy, see [AmazonDataZoneFullUserAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneFullUserAccess.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonDataZoneEnvironmentRolePermissionsBoundary
<a name="security-iam-awsmanpol-AmazonDataZoneEnvironmentRolePermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use or attach Amazon DataZone permissions boundary policies on your own. Amazon DataZone permissions boundary policies should only be attached to Amazon DataZone managed roles. For more information on permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

When you create an environment via the Amazon DataZone data portal, Amazon DataZone applies this permissions boundary to the [IAM roles that are produced during environment creation](https://docs.aws.amazon.com//datazone/latest/userguide/roles-for-projects.html). The permissions boundary limits the scope of the roles that Amazon DataZone creates and any roles that you add. 

Amazon DataZone uses the `AmazonDataZoneEnvironmentRolePermissionsBoundary` managed policy to limit the provisioned IAM principal to which it is attached. The principals might take the form of the [user roles](https://docs.aws.amazon.com//datazone/latest/userguide/Identitybasedroles.html) that Amazon DataZone can assume on behalf of interactive enterprise users or analytic services (AWS Glue, for example), and then conduct actions to process data such as reading from and writing to Amazon S3 or running an AWS Glue crawler.

The `AmazonDataZoneEnvironmentRolePermissionsBoundary` policy grants read and write access for Amazon DataZone to services such as AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, and Amazon Athena. The policy also gives read and write permissions to some infrastructure resources that are required to use these services such as network interfaces and AWS KMS keys.

Amazon DataZone applies the `AmazonDataZoneEnvironmentRolePermissionsBoundary` AWS managed policy as a permissions boundary for all Amazon DataZone environment roles (owner and contributor). This permissions boundary restricts these roles to only allow access to the required resources and actions necessary for an environment.

To view the permissions for this policy, see [AmazonDataZoneEnvironmentRolePermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneEnvironmentRolePermissionsBoundary.html) in the *AWS Managed Policy Reference*.
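The two rules above, that a domain created with a customer managed KMS key needs the four `kms` actions allowed in both the caller's identity policy and the key policy (see the `AmazonDataZoneFullAccess` limitations), and that a permissions boundary caps a role to the intersection of its identity policy and the boundary with an explicit Deny winning, can be made concrete with a small policy evaluator. This is an added example, not AWS code; every policy document, account id, ARN and action list in it is a constructed sample (the boundary's Deny on `sagemaker:UpdateNotebookInstanceLifecycleConfig` mirrors the March 2026 update listed in the policy updates table, the rest of that boundary is invented).

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Demonstrates two rules from this page with constructed sample policies:
  * a domain that uses a customer managed KMS key needs kms:CreateGrant,
    kms:Decrypt, kms:GenerateDataKey and kms:DescribeKey allowed in BOTH the
    caller's identity policy and the key's resource policy;
  * a permissions boundary caps a role: the effective permission is the
    intersection of identity policy and boundary, and an explicit Deny wins.
"""
from fnmatch import fnmatchcase

REQUIRED_KMS_ACTIONS = ("kms:CreateGrant", "kms:Decrypt",
                        "kms:GenerateDataKey", "kms:DescribeKey")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action and resource matching: case-insensitive, '*' and '?' wildcards
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":  # identity policies carry no Principal
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def evaluate(policy, action, resource, principal_arn=None):
    """Decision of ONE policy document: 'Allow', 'Deny' or 'Implicit' (no match)."""
    decision = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", "*"), resource)
                and _principal_matches(stmt, principal_arn)):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def missing_kms_actions(identity_policy, key_policy, principal_arn, key_arn):
    """Required kms actions that the identity policy or the key policy fails to allow."""
    missing = []
    for action in REQUIRED_KMS_ACTIONS:
        via_identity = evaluate(identity_policy, action, key_arn) == "Allow"
        via_key = evaluate(key_policy, action, key_arn, principal_arn) == "Allow"
        if not (via_identity and via_key):
            missing.append(action)
    return missing


def effective(identity_policy, boundary, action, resource):
    """Decision for a role that has a permissions boundary attached."""
    ident = evaluate(identity_policy, action, resource)
    bound = evaluate(boundary, action, resource)
    if "Deny" in (ident, bound):
        return "Deny"
    return "Allow" if ident == bound == "Allow" else "Implicit"


# ---- constructed samples (account id, key id and role names are placeholders) ----
ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:role/DataZoneAdmin"

# identity policy of the admin who creates the domain: DescribeKey was forgotten
ADMIN_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": KEY_ARN,
     "Action": ["kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey"]}]}

# key policy of the customer managed key, allowing only that admin role
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ADMIN_ARN]},
     "Action": "kms:*", "Resource": "*"}]}

# environment role given broad sagemaker:* by its owner ...
ENV_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"}]}

# ... but capped by a boundary (invented subset; only the Deny mirrors the
# March 2026 update to AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary)
ENV_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["sagemaker:Describe*", "sagemaker:AddTags", "sagemaker:CreateUserProfile"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": "sagemaker:UpdateNotebookInstanceLifecycleConfig"}]}

if __name__ == "__main__":
    print("missing kms actions:", missing_kms_actions(
        ADMIN_IDENTITY_POLICY, KEY_POLICY, ADMIN_ARN, KEY_ARN))
    for act in ("sagemaker:AddTags", "sagemaker:CreateNotebookInstance",
                "sagemaker:UpdateNotebookInstanceLifecycleConfig"):
        print(f"{act}: {effective(ENV_ROLE_POLICY, ENV_BOUNDARY, act, '*')}")
```

The evaluator ignores Condition elements and NotAction/NotResource, so it is a teaching model of the intersection rule, not a replacement for the IAM policy simulator.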

# AWS managed policy: AmazonDataZoneRedshiftGlueProvisioningPolicy
<a name="security-iam-awsmanpol-AmazonDataZoneRedshiftGlueProvisioningPolicy"></a>

The AmazonDataZoneRedshiftGlueProvisioningPolicy policy grants Amazon DataZone the permissions required to interoperate with AWS Glue and Amazon Redshift.

To view the permissions for this policy, see [AmazonDataZoneRedshiftGlueProvisioningPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneRedshiftGlueProvisioningPolicy.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonDataZoneGlueManageAccessRolePolicy
<a name="security-iam-awsmanpol-AmazonDataZoneGlueManageAccessRolePolicy"></a>

This policy gives Amazon DataZone permissions to publish AWS Glue data to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to AWS Glue published assets in the catalog.

To view the permissions for this policy, see [AmazonDataZoneGlueManageAccessRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneGlueManageAccessRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonDataZoneRedshiftManageAccessRolePolicy
<a name="security-iam-awsmanpol-AmazonDataZoneRedshiftManageAccessRolePolicy"></a>

This policy gives Amazon DataZone permissions to publish Amazon Redshift data to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to Amazon Redshift or Amazon Redshift Serverless published assets in the catalog.

To view the permissions for this policy, see [AmazonDataZoneRedshiftManageAccessRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneRedshiftManageAccessRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonDataZoneDomainExecutionRolePolicy
<a name="security-iam-awsmanpol-AmazonDataZoneDomainExecutionRolePolicy"></a>

This is the default policy for the Amazon DataZone `DomainExecutionRole` service role. This role is used by Amazon DataZone to catalog, discover, govern, share, and analyze data in the Amazon DataZone domain. This role provides access to all Amazon DataZone APIs that are required for data portal use, as well as RAM permissions to support usage of associated accounts in an Amazon DataZone domain.

You can attach the AmazonDataZoneDomainExecutionRolePolicy policy to your `AmazonDataZoneDomainExecutionRole`.

To view the permissions for this policy, see [AmazonDataZoneDomainExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneDomainExecutionRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonDataZoneSageMakerProvisioningRolePolicy
<a name="security-iam-awsmanpol-AmazonDataZoneSageMakerProvisioningRolePolicy"></a>

The AmazonDataZoneSageMakerProvisioningRolePolicy policy grants Amazon DataZone the permissions required to interoperate with Amazon SageMaker.

To view the permissions for this policy, see [AmazonDataZoneSageMakerProvisioningRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneSageMakerProvisioningRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonDataZoneSageMakerManageAccessRolePolicy
<a name="security-iam-awsmanpol-AmazonDataZoneSageMakerManageAccessRolePolicy"></a>

This policy gives Amazon DataZone permissions to publish Amazon SageMaker assets to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to the Amazon SageMaker published assets in the catalog.

This policy includes permissions to do the following:
+ `cloudtrail` – Retrieve information about CloudTrail trails.
+ `cloudwatch` – Retrieve the current CloudWatch alarms.
+ `logs` – Retrieve the metric filters for CloudWatch logs.
+ `sns` – Retrieve the list of subscriptions to an SNS topic.
+ `config` – Retrieve information about configuration recorders, resources, and AWS Config rules. Also allows the service-linked role to create and delete AWS Config rules, and to run evaluations against the rules.
+ `iam` – Get and generate credential reports for accounts.
+ `organizations` – Retrieve account and organizational unit (OU) information for an organization.
+ `securityhub` – Retrieve information about how the Security Hub service, standards, and controls are configured.
+ `tag` – Retrieve information about resource tags.

To view the permissions for this policy, see [AmazonDataZoneSageMakerManageAccessRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneSageMakerManageAccessRolePolicy.html) in the *AWS Managed Policy Reference*.

# AWS managed policy: AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
<a name="security-iam-awsmanpol-AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use or attach Amazon DataZone permissions boundary policies on your own. Amazon DataZone permissions boundary policies should only be attached to Amazon DataZone managed roles. For more information on permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

When you create an Amazon SageMaker environment via the Amazon DataZone data portal, Amazon DataZone applies this permissions boundary to the IAM roles that are produced during environment creation. The permissions boundary limits the scope of the roles that Amazon DataZone creates and any roles that you add.

Amazon DataZone uses the `AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary` managed policy to limit the provisioned IAM principal to which it is attached. The principals might take the form of the user roles that Amazon DataZone can assume on behalf of interactive enterprise users or analytic services (Amazon SageMaker, for example), and then conduct actions to process data such as reading from and writing to Amazon S3 or Amazon Redshift, or running an AWS Glue crawler.

The `AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary` policy grants read and write access for Amazon DataZone to services such as Amazon SageMaker, AWS Glue, Amazon S3, AWS Lake Formation, Amazon Redshift, and Amazon Athena. The policy also gives read and write permissions to some infrastructure resources that are required to use these services, such as network interfaces, Amazon ECR repositories, and AWS KMS keys. It also gives access to Amazon SageMaker applications such as Amazon SageMaker Canvas.

Amazon DataZone applies the `AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary` managed policy as a permissions boundary for all Amazon DataZone environment roles (owner and contributor). This permissions boundary restricts these roles to only allow access to the required resources and actions necessary for an environment. 

To view the permissions for this policy, see [AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary.html) in the *AWS Managed Policy Reference*.

# Amazon DataZone updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Amazon DataZone since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon DataZone [Document history](https://docs.aws.amazon.com//datazone/latest/userguide/doc-history.html) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary - policy updates  |  Policy updates to the **AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary**. Added a Deny statement for the `sagemaker:UpdateNotebookInstanceLifecycleConfig` action to restrict this high-privilege operation.  | March 11th, 2026 | 
|  AmazonDataZoneDomainExecutionRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneDomainExecutionRolePolicy** - adding permissions for the `QueryGraph` action to support graph-based entity search capabilities.  | February 25th, 2026 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneGlueManageAccessRolePolicy** - adding permissions to the `GetConnection` action to support data lineage capture for connection based data sources of AWS Glue.  | July 30th, 2025 | 
|  AmazonDataZoneFullAccess - policy updates  |  Policy updates to the **AmazonDataZoneFullAccess** - generalizing the scope for SecretsManager `create` and `tag` permissions for new domains that will have the format of `dzd-` instead of `dzd_..`.  | July 23rd, 2025 | 
|  AmazonDataZoneFullAccess - policy updates  |  Policy updates to the **AmazonDataZoneFullAccess** - enabling the console to attach or update AWS managed permissions in AWS RAM resource shares.  | May 22nd, 2025 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneGlueManageAccessRolePolicy** - the Amazon DataZone project user role is used as the data transfer role for federated tables. This update adds `datazone_usr_role*` to the `iam:PassRole` statement, enabling the project user role to be used for this purpose.  | May 21st, 2025 | 
|  AmazonDataZoneSageMakerProvisioningRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneSageMakerProvisioningRolePolicy** - adding support for the `glue:GetConnection` action.   | January 2nd, 2025 | 
|  AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary - policy updates  |  Policy updates to the **AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary** - this change adds `sagemaker:AddTags` to the permissions boundary to enable Amazon DataZone to successfully call `CreateUserProfile` with the necessary tags.  | December 3rd, 2024 | 
|  AmazonDataZoneFullAccess, AmazonDataZoneSageMakerAccess, and AmazonDataZoneGlueManageAccessRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneFullAccess**, **AmazonDataZoneSageMakerAccess**, and **AmazonDataZoneGlueManageAccessRolePolicy** - to enable support for the Amazon SageMaker Unified Studio experience.  | December 3rd, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy and AmazonDataZoneFullUserAccess - policy updates  |  Policy updates to the **AmazonDataZoneDomainExecutionRolePolicy** and **AmazonDataZoneFullUserAccess** - to enable support for metadata enforcement rules for subscription requests.  | November 19th, 2024 | 
|  AmazonDataZoneRedshiftGlueProvisioningPolicy - policy updates  |  Policy updates to the **AmazonDataZoneRedshiftGlueProvisioningPolicy** - adding `iam:DeletePolicyVersion` to allow users to delete policy versions for policies created with `datazone*`. This helps unblock users who need to update their environment user role policy.  | October 22nd, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy and AmazonDataZoneFullUserAccess - policy updates  |  Policy updates to the **AmazonDataZoneDomainExecutionRolePolicy** and **AmazonDataZoneFullUserAccess**- to enable support for the new APIs that are used to create and manage Amazon DataZone domain units and data products.   | July 31st, 2024 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - policy update  |  Policy update to the **AmazonDataZoneGlueManageAccessRolePolicy** - Amazon DataZone is adding IAM permissions that are used for fine grained access control functionality in order to scope down the permission granting in Lake Formation.   | July 2nd, 2024 | 
|  AmazonDataZoneExecutionRolePolicy and AmazonDataZoneFullUserAccess - policy update  |  Policy update to the **AmazonDataZoneExecutionRolePolicy** and **AmazonDataZoneFullUserAccess** to enable support for the data lineage and fine grained access control APIs.  | June 27th, 2024 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - policy update  |  Policy update to the **AmazonDataZoneGlueManageAccessRolePolicy** that adds IAM permissions required for the self-subscribe functionality in Amazon DataZone in order to scope down the permissions granting in Lake Formation. With the self-subscribe functionality, the Lake Formation permissions can only be granted to tagged resources.  | June 14th, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy - policy update  |  Policy update to the **AmazonDataZoneDomainExecutionRolePolicy** that adds new APIs to Amazon DataZone that enable users to configure actions for their Amazon DataZone environments.  | June 14th, 2024 | 
|  AmazonDataZoneFullAccess - policy update  |  Policy update to the **AmazonDataZoneFullAccess** that enables the Amazon DataZone management console to create secrets on user's behalf with both domain and project tags. Also including the `ram:ListResourceSharePermissions` action to enable administrations from the domain owner account to view the account association status of the associated accounts.  | June 14th, 2024 | 
|  AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary - new permissions boundary  |  New permissions boundary called **AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary**. When you create an Amazon SageMaker environment via the Amazon DataZone data portal, Amazon DataZone applies this permissions boundary to the IAM roles that are produced during environment creation. The permissions boundary limits the scope of the roles that Amazon DataZone creates and any roles that you add.  | April 30th, 2024 | 
|  AmazonDataZoneSageMakerAccess - new policy  |  New policy called **AmazonDataZoneSageMakerAccess** gives Amazon DataZone permissions to publish Amazon SageMaker assets to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to the Amazon SageMaker published assets in the catalog.  | April 30th, 2024 | 
|  AmazonDataZoneFullAccess - policy update  |  An update to the **AmazonDataZoneFullAccess** policy that adds access to `DescribeSecurityGroups` action to improve the usability for account administrators configuring blueprints in the console and `GetPolicy` action to help retrieve information about the specified managed policy.  | April 30th, 2024 | 
|  AmazonDataZoneSageMakerProvisioningRolePolicy - new policy  |  New policy called **AmazonDataZoneSageMakerProvisioningRolePolicy** grants Amazon DataZone the permissions required to interoperate with Amazon SageMaker.  | April 30th, 2024 | 
|  AmazonDataZoneS3Manage-<region>-<domainId> - new role  |  New role called **AmazonDataZoneS3Manage-<region>-<domainId>** that is used when Amazon DataZone calls AWS Lake Formation to register an Amazon Simple Storage Service (Amazon S3) location. AWS Lake Formation assumes this role when accessing the data in that location.  | April 1st, 2024 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - Policy update  |  Updated the **AmazonDataZoneGlueManageAccessRolePolicy** to enable support for permissions that allow Amazon DataZone to enable publishing and access grants to data.  | April 1st, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy and AmazonDataZoneFullUserAccess - Policy update  |  Updated the **AmazonDataZoneDomainExecutionRolePolicy** and **AmazonDataZoneFullUserAccess** to enable support for the `CancelMetadataGenerationRun` API.   | March 29, 2024 | 
|  AmazonDataZoneFullAccess - Policy update  |  Updated the **AmazonDataZoneFullAccess** policy to enable users to choose their secrets, clusters, VPCs, and subnets in the Amazon DataZone management console rather than type them in a text box.  | March 13, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy - Policy update  |  Updated the **AmazonDataZoneDomainExecutionRolePolicy** to enable support for the `ListEnvironmentBlueprintConfigurationSummaries` API that is required for creating environment profiles by identifying which blueprints are enabled in which account and region.   | February 01, 2024 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - Policy update  |  Updated the **AmazonDataZoneGlueManageAccessRolePolicy** to enable support for the AWS Lake Formation hybrid mode.  | December 14, 2023 | 
|  AmazonDataZoneFullUserAccess and AmazonDataZoneDomainExecutionRolePolicy - Policy updates  |  Updated the **AmazonDataZoneFullUserAccess** and the **AmazonDataZoneDomainExecutionRolePolicy** policies to support the generative AI-powered data descriptions functionality in Amazon DataZone.   | November 28, 2023 | 
|  AmazonDataZoneEnvironmentRolePermissionsBoundary - Policy update  |  Amazon DataZone made an update to the **AmazonDataZoneEnvironmentRolePermissionsBoundary** managed policy that consists of an additional `athena:GetQueryResultsStream` permission scoped down with the `ResourceTag` condition.  | November 17, 2023 | 
|  AmazonDataZoneRedshiftManageAccessRolePolicy - Policy update  |  Amazon DataZone updated the **AmazonDataZoneRedshiftManageAccessRolePolicy** by removing the check on organization ID for the `redshift:AssociateDataShareConsumer` action. This enables you to share resource across AWS organizations.  | November 16, 2023 | 
|  AmazonDataZoneFullUserAccess - Policy update  |  Amazon DataZone updated the **AmazonDataZoneFullUserAccess** policy that grants full access to Amazon DataZone, but it does not allow the management of domains, users, or associated accounts.  | October 02, 2023 | 
|  AmazonDataZonePortalFullAccessPolicy - policy deprecated  |  Amazon DataZone deprecated the **AmazonDataZonePortalFullAccessPolicy**.  | September 29, 2023 | 
|  AmazonDataZonePreviewConsoleFullAccess - policy deprecated  |  Amazon DataZone deprecated the **AmazonDataZonePreviewConsoleFullAccess**.  | September 29, 2023 | 
|  AmazonDataZoneDomainExecutionRolePolicy - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneDomainExecutionRolePolicy**. This is the default policy for the Amazon DataZone `AmazonDataZoneDomainExecutionRole` service role. This role is used by Amazon DataZone to catalog, discover, govern, share, and analyze data in the Amazon DataZone domain. You can attach the `AmazonDataZoneDomainExecutionRolePolicy` policy to your `AmazonDataZoneDomainExecutionRole`.  | September 25, 2023 | 
|  AmazonDataZoneCrossAccountAdmin - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneCrossAccountAdmin** that enables users to work with Amazon DataZone and its associated accounts.  | September 19, 2023 | 
|  AmazonDataZoneFullUserAccess - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneFullUserAccess** that grants full access to Amazon DataZone, but it does not allow the management of domains, users, or associated accounts.  | September 12, 2023 | 
|  AmazonDataZoneRedshiftManageAccessRolePolicy - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneRedshiftManageAccessRolePolicy** that grants permissions to allow Amazon DataZone to enable publishing and access grants to data.  | September 12, 2023 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneGlueManageAccessRolePolicy** that grants Amazon DataZone permissions to publish AWS Glue data to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to AWS Glue published assets in the catalog.  | September 12, 2023 | 
|  AmazonDataZoneRedshiftGlueProvisioningPolicy - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneRedshiftGlueProvisioningPolicy** that grants Amazon DataZone the permissions required to interoperate with the supported data sources.  | September 12, 2023 | 
|  AmazonDataZoneEnvironmentRolePermissionsBoundary - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneEnvironmentRolePermissionsBoundary** that limits the provisioned IAM principal to which it is attached.  | September 12, 2023 | 
|  AmazonDataZoneFullAccess - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneFullAccess** that provides full access to Amazon DataZone via the AWS Management Console.   | September 12, 2023 | 
|  Managed policy update  |  Updates to the **AmazonDataZonePreviewConsoleFullAccess** managed policy that consists of an additional `iam:GetPolicy` permissions.  | June 13, 2023 | 
|  Amazon DataZone started tracking changes  |  Amazon DataZone started tracking changes for its AWS managed policies.  | March 20, 2023 | 

# IAM roles for Amazon DataZone
<a name="iam-roles-datazone"></a>

**Topics**
+ [AmazonDataZoneProvisioningRole-<domainAccountId>](bootstraprole.md)
+ [AmazonDataZoneDomainExecutionRole](AmazonDataZoneDomainExecutionRole.md)
+ [AmazonDataZoneGlueAccess-<region>-<domainId>](glue-manage-access-role.md)
+ [AmazonDataZoneRedshiftAccess-<region>-<domainId>](redshift-manage-access-role.md)
+ [AmazonDataZoneS3Manage-<region>-<domainId>](AmazonDataZoneS3Manage.md)
+ [AmazonDataZoneSageMakerManageAccessRole-<region>-<domainId>](AmazonDataZoneSageMakerManageAccessRole.md)
+ [AmazonDataZoneSageMakerProvisioningRolePolicyRole-<domainAccountId>](AmazonDataZoneSageMakerProvisioningRolePolicyRole.md)

# AmazonDataZoneProvisioningRole-<domainAccountId>
<a name="bootstraprole"></a>

The `AmazonDataZoneProvisioningRole-<domainAccountId>` has the `AmazonDataZoneRedshiftGlueProvisioningPolicy` attached. This role grants Amazon DataZone the permissions required to interoperate with AWS Glue and Amazon Redshift.

The default `AmazonDataZoneProvisioningRole-<domainAccountId>` has the following trust policy attached:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "{{domain_account}}"
        }
      }
    }
  ]
}
```

------

# AmazonDataZoneDomainExecutionRole
<a name="AmazonDataZoneDomainExecutionRole"></a>

The **AmazonDataZoneDomainExecutionRole** has the AWS managed policy **AmazonDataZoneDomainExecutionRolePolicy** attached. Amazon DataZone creates this role on your behalf. For certain actions in the data portal, Amazon DataZone assumes this role in the account in which the role is created and checks that the role is authorized to perform the action.

The **AmazonDataZoneDomainExecutionRole** role is required in the AWS account that hosts your Amazon DataZone domain. This role is automatically created for you when you create your Amazon DataZone domain.

The default **AmazonDataZoneDomainExecutionRole** role has the following trust policy attached:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "datazone.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account_id}}"
                },
                "ForAllValues:StringLike": {
                    "aws:TagKeys": [
                        "datazone*"
                    ]
                }
            }
        }
    ]
}
```

------

# AmazonDataZoneGlueAccess-<region>-<domainId>
<a name="glue-manage-access-role"></a>

The `AmazonDataZoneGlueAccess-<region>-<domainId>` role has the `AmazonDataZoneGlueManageAccessRolePolicy` attached. This role grants Amazon DataZone permissions to publish AWS Glue data to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to AWS Glue published assets in the catalog.

The default `AmazonDataZoneGlueAccess-<region>-<domainId>` role has the following trust policy attached:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
        }
      }
    }
  ]
}
```

------

# AmazonDataZoneRedshiftAccess-<region>-<domainId>
<a name="redshift-manage-access-role"></a>

The `AmazonDataZoneRedshiftAccess-<region>-<domainId>` role has the `AmazonDataZoneRedshiftManageAccessRolePolicy` attached. This role grants Amazon DataZone permissions to publish Amazon Redshift data to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to Amazon Redshift or Amazon Redshift Serverless published assets in the catalog.

The default `AmazonDataZoneRedshiftAccess-<region>-<domainId>` role has the following inline permissions policy attached:

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid": "RedshiftSecretStatement",
         "Effect":"Allow",
         "Action":"secretsmanager:GetSecretValue",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "secretsmanager:ResourceTag/AmazonDataZoneDomain":"{{domainId}}"
            }
         }
      }
   ]
}
```

------

The default `AmazonDataZoneRedshiftManageAccessRole<timestamp>` has the following trust policy attached:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
        }
      }
    }
  ]
}
```

------

# AmazonDataZoneS3Manage-<region>-<domainId>
<a name="AmazonDataZoneS3Manage"></a>

The `AmazonDataZoneS3Manage-<region>-<domainId>` role is used when Amazon DataZone calls AWS Lake Formation to register an Amazon Simple Storage Service (Amazon S3) location. AWS Lake Formation assumes this role when accessing the data in that location. For more information, see [Requirements for roles used to register locations](https://docs.aws.amazon.com/lake-formation/latest/dg/registration-role.html).

This role has the following inline permissions policy attached:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LakeFormationDataAccessPermissionsForS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        },
        {
            "Sid": "LakeFormationDataAccessPermissionsForS3ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        },
        {
            "Sid": "LakeFormationDataAccessPermissionsForS3ListAllMyBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets" 
            ],
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        },
        {
            "Sid": "LakeFormationExplicitDenyPermissionsForS3",
            "Effect": "Deny",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::[[BucketNames]]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        },
        {
            "Sid": "LakeFormationExplicitDenyPermissionsForS3ListBucket",
            "Effect": "Deny",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[[BucketNames]]"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        }
    ]
}
```

------
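The statements above combine a broad account-scoped Allow with explicit Deny statements for the buckets named in `[[BucketNames]]`. The following added example (not AWS or Amazon DataZone code) replays sample requests through a minimal evaluator that applies the IAM ordering of explicit deny, allow and implicit deny to the data-access and `s3:ListBucket` statements; the account ID and bucket names are constructed values standing in for `{{accountId}}` and `[[BucketNames]]`, and only the `StringEquals` operator and the `*` resource wildcard the policy uses are modelled.

```python
import fnmatch
import json

ACCOUNT = "111122223333"            # constructed; stands in for {{accountId}}
EXCLUDED = "dz-restricted-bucket"   # constructed; stands in for [[BucketNames]]

# The data-access and ListBucket statements from the inline policy, placeholders filled in.
POLICY = json.loads("""{
 "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
   "Resource": "*", "Condition": {"StringEquals": {"aws:ResourceAccount": "ACCT"}}},
  {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "*",
   "Condition": {"StringEquals": {"aws:ResourceAccount": "ACCT"}}},
  {"Effect": "Deny", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::BUCKET/*"],
   "Condition": {"StringEquals": {"aws:ResourceAccount": "ACCT"}}},
  {"Effect": "Deny", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::BUCKET"],
   "Condition": {"StringEquals": {"aws:ResourceAccount": "ACCT"}}}
 ]}""".replace("ACCT", ACCOUNT).replace("BUCKET", EXCLUDED))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource, ctx):
    """True when the action, the resource and every StringEquals condition match.
    Only the operators this policy uses are implemented (no policy variables)."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    conditions = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(key) == want for key, want in conditions.items())

def evaluate(policy, action, resource, ctx):
    """Identity-policy evaluation order: an explicit Deny always wins, then an
    Allow grants access, and with no matching statement the request is denied."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, ctx)}
    if "Deny" in effects:
        return "explicit_deny"
    return "allow" if "Allow" in effects else "implicit_deny"

if __name__ == "__main__":
    same_acct = {"aws:ResourceAccount": ACCOUNT}
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::dz-open-bucket/a.csv", same_acct))
    print(evaluate(POLICY, "s3:GetObject", f"arn:aws:s3:::{EXCLUDED}/a.csv", same_acct))
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::dz-open-bucket/a.csv",
                   {"aws:ResourceAccount": "999999999999"}))
```

The third request shows the effect of `aws:ResourceAccount`: an object in another account matches neither the Allow nor the Deny statements and falls through to the implicit deny.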

The `AmazonDataZoneS3Manage-<region>-<domainId>` role has the following trust policy attached:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TrustLakeFormationForDataLocationRegistration",
            "Effect": "Allow",
            "Principal": {
                "Service": "lakeformation.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account_id}}"
                }
            }
        }
    ]
}
```

------

# AmazonDataZoneSageMakerManageAccessRole-<region>-<domainId>
<a name="AmazonDataZoneSageMakerManageAccessRole"></a>

The `AmazonDataZoneSageMakerManageAccessRole` role has the `AmazonDataZoneSageMakerAccess`, `AmazonDataZoneRedshiftManageAccessRolePolicy`, and `AmazonDataZoneGlueManageAccessRolePolicy` policies attached. This role grants Amazon DataZone permissions to publish and manage subscriptions for data lake, data warehouse, and Amazon SageMaker assets.

The `AmazonDataZoneSageMakerManageAccessRole` role has the following inline policy attached:

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid": "RedshiftSecretStatement",
         "Effect":"Allow",
         "Action":"secretsmanager:GetSecretValue",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "secretsmanager:ResourceTag/AmazonDataZoneDomain":"{{domainId}}"
            }
         }
      }
   ]
}
```

------

The `AmazonDataZoneSageMakerManageAccessRole` role has the following trust policy attached:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DatazoneTrustPolicyStatement",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "datazone.amazonaws.com",
          "sagemaker.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
        }
      }
    }
  ]
}
```

------

# AmazonDataZoneSageMakerProvisioningRolePolicyRole-<domainAccountId>
<a name="AmazonDataZoneSageMakerProvisioningRolePolicyRole"></a>

The `AmazonDataZoneSageMakerProvisioningRolePolicyRole` role has the `AmazonDataZoneSageMakerProvisioningRolePolicy` and `AmazonDataZoneRedshiftGlueProvisioningPolicy` policies attached. This role grants Amazon DataZone the permissions required to interoperate with AWS Glue, Amazon Redshift, and Amazon SageMaker.

The `AmazonDataZoneSageMakerProvisioningRolePolicyRole` role has the following inline policy attached:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SageMakerStudioTagOnCreate",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags"
            ],
            "Resource": "arn:aws:sagemaker:*:111122223333:*/*",
            "Condition": {
                "Null": {
                    "sagemaker:TaggingAction": "false"
                }
            }
        }
    ]
}
```

------

The `AmazonDataZoneSageMakerProvisioningRolePolicyRole` role has the following trust policy attached:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataZoneTrustPolicyStatement",
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "{{domain_account}}"
        }
      }
    }
  ]
}
```

------
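Every trust policy in the sections above scopes `sts:AssumeRole` for `datazone.amazonaws.com` with `aws:SourceAccount`, and the access roles additionally pin `aws:SourceArn` to the domain ARN. The following added example (not AWS code) audits a trust policy for those two guards against the account and domain ARN you expect; the sample policies reproduce the shapes of the AmazonDataZoneGlueAccess and AmazonDataZoneProvisioningRole trust policies with constructed values in place of `{{domain_account}}`, and `ArnEquals` is treated as an exact string comparison.

```python
import json

EXPECTED_ACCOUNT = "111122223333"   # constructed; stands in for {{domain_account}}
EXPECTED_DOMAIN = "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account, domain_arn):
    """Return a list of findings for every Allow statement that lets a service
    principal call sts:AssumeRole; an empty list means each such statement is
    pinned to both the expected account and the expected domain ARN."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt.get("Effect") != "Allow" or not services
                or "sts:AssumeRole" not in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        src_acct = cond.get("StringEquals", {}).get("aws:SourceAccount")
        src_arn = cond.get("ArnEquals", {}).get("aws:SourceArn")
        tag = f"statement {i} ({', '.join(services)})"
        if src_acct is None:
            findings.append(f"{tag}: no aws:SourceAccount condition")
        elif src_acct != account:
            findings.append(f"{tag}: aws:SourceAccount is {src_acct}, expected {account}")
        if src_arn is None:
            findings.append(f"{tag}: no aws:SourceArn condition, scoped to the account only")
        elif src_arn != domain_arn:
            findings.append(f"{tag}: aws:SourceArn is {src_arn}, expected {domain_arn}")
    return findings

# Shapes copied from the page: the Glue access role trust policy (both guards)
# and the provisioning role trust policy (aws:SourceAccount only), placeholders filled in.
GLUE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "datazone.amazonaws.com"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
    "ArnEquals": {"aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"}}}]}""")

PROVISIONING_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "datazone.amazonaws.com"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}""")

if __name__ == "__main__":
    for name, pol in [("glue", GLUE_TRUST), ("provisioning", PROVISIONING_TRUST)]:
        print(name, audit_trust_policy(pol, EXPECTED_ACCOUNT, EXPECTED_DOMAIN) or "fully scoped")
```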

# Temporary Credentials
<a name="temporarycredentials"></a>

Some AWS services don't work when you sign in using temporary credentials. For additional information, including which AWS services work with temporary credentials, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

You are using temporary credentials if you sign in to the AWS Management Console using any method except a user name and password. For example, when you access AWS using your company's single sign-on (SSO) link, that process automatically creates temporary credentials. You also automatically create temporary credentials when you sign in to the console as a user and then switch roles. For more information about switching roles, see [Switching to a role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) in the *IAM User Guide*.

You can manually create temporary credentials using the AWS CLI or AWS API. You can then use those temporary credentials to access AWS. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).

## Amazon DataZone portal temporary credentials
<a name="portal-temporarycredentials"></a>

When you sign in to the Amazon DataZone portal, you receive temporary credentials for the **AmazonDataZoneDomainExecutionRole**. While you are using this role, the credentials are automatically refreshed as they are used. When they go unused for a period of time, they expire automatically.

# Principal permissions
<a name="Principalpermissions"></a>

When you use an IAM user or role to perform actions in AWS, you are considered a principal. Policies grant permissions to a principal. When you use some services, you might perform an action that then triggers another action in a different service. In this case, you must have permissions to perform both actions. To see whether an action requires additional dependent actions in a policy, see [Actions, Resources, and Condition Keys for AWS Documentation Essentials](https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html) in the *Service Authorization Reference*.