

# Setting up Amazon DataZone
<a name="setting-up"></a>

To set up Amazon DataZone, you must have an AWS account and configure the IAM policies and permissions that Amazon DataZone requires.

Once you've set up your Amazon DataZone permissions, it is recommended that you complete the steps in the [Getting started](getting-started.md) section, which takes you through creating the Amazon DataZone domain, obtaining the data portal URL, and the basic Amazon DataZone workflows for data producers and data consumers.

**Topics**
+ [Sign up for an AWS account](setting-up-aws-sign-up.md)
+ [Configure the IAM permissions required to use the Amazon DataZone management console](create-iam-roles.md)
+ [Configure the IAM permissions required to use the Amazon DataZone data portal](data-portal-permissions.md)
+ [Setting up AWS IAM Identity Center for Amazon DataZone](sso-setup.md)

# Sign up for an AWS account
<a name="setting-up-aws-sign-up"></a>

If you do not have an AWS account, complete the following steps to create one.

**If you have an AWS organization, create an account:**

1. Sign in to the AWS Management Console and open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. In the navigation pane, choose **AWS accounts**.

1. Choose **Add an AWS account**.

1. Choose **Create an AWS account** and provide the requested details. Choose **Create AWS account**.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, [assign administrative access to an administrative user](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html), and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html).

# Configure the IAM permissions required to use the Amazon DataZone management console
<a name="create-iam-roles"></a>

In order to access and configure your Amazon DataZone domains, blueprints, and users, and to create the Amazon DataZone data portal, you must use the Amazon DataZone management console.

You must complete the following procedures to configure the required and optional permissions for any user, group, or role that needs to use the Amazon DataZone management console.

**Topics**
+ [Attach required and optional policies to a user, group, or role for Amazon DataZone console access](#attach-managed)
+ [Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation](#create-custom-to-manage-EZCRZ)
+ [Create a custom policy for permissions to manage an account associated with an Amazon DataZone domain](#create-custom-to-manage-associated-account)
+ [(Optional) Create a custom policy for AWS Identity Center permissions to add and remove SSO user and SSO group access to Amazon DataZone domains](#create-custom-to-manage-add-remove-sso)
+ [(Optional) Add your IAM principal as a key user to create your Amazon DataZone domain with a customer-managed key from AWS Key Management Service (KMS)](#create-custom-to-manage-kms)

## Attach required and optional policies to a user, group, or role for Amazon DataZone console access
<a name="attach-managed"></a>

Complete the following procedure to attach the required and optional custom policies to a user, group, or a role. For more information, see [AWS managed policies for Amazon DataZone](security-iam-awsmanpol.md).

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**.

1. Choose the following policies to attach to your user, group, or a role.
   + In the list of policies, select the check box next to the **AmazonDataZoneFullAccess**. You can use the **Filter** menu and the search box to filter the list of policies. For more information, see [AWS managed policy: AmazonDataZoneFullAccess](security-iam-awsmanpol-AmazonDataZoneFullAccess.md).
   + [(Optional) Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation.](#create-custom-to-manage-EZCRZ)
   + [(Optional) Create a custom policy for AWS Identity Center permissions to add and remove SSO user and SSO group access to your Amazon DataZone domain.](#create-custom-to-manage-add-remove-sso)

1. Choose **Actions**, and then choose **Attach**.

1. Choose the user, group, or role to which you want to attach the policy. You can use the **Filter** menu and the search box to filter the list of principal entities. After choosing the user, group, or role, choose **Attach policy**.

## Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation
<a name="create-custom-to-manage-EZCRZ"></a>

Complete the following procedure to create a custom inline policy that grants the permissions Amazon DataZone needs to create the required service roles on your behalf from the AWS Management Console.

**Note**  
For best practices information on configuring permissions to allow creation of service roles, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Users** or **User groups**.

1. In the list, choose the name of the user or group to embed a policy in.

1. Choose the **Permissions** tab and, if necessary, expand the **Permissions policies** section.

1. Choose **Add permissions**, and then choose **Create inline policy**.

1. On the **Create Policy** screen, in the **Policy editor** section, choose **JSON**.

   Create a policy document with the following JSON statements, and then choose **Next**.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "iam:CreatePolicy",
                   "iam:CreateRole"
               ],
               "Resource": [
                   "arn:aws:iam::*:policy/service-role/AmazonDataZone*",
                   "arn:aws:iam::*:role/service-role/AmazonDataZone*"
               ]
           },
           {
               "Effect": "Allow",
               "Action": "iam:AttachRolePolicy",
               "Resource": "arn:aws:iam::*:role/service-role/AmazonDataZone*",
               "Condition": {
                   "ArnLike": {
                       "iam:PolicyARN": [
                           "arn:aws:iam::aws:policy/AmazonDataZone*",
                           "arn:aws:iam::*:policy/service-role/AmazonDataZone*"
                       ]
                   }
               }
           }
       ]
   }
   ```

1. On the **Review policy** screen, enter a name for the policy. When you're satisfied with the policy, choose **Create policy**. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.
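The value of the policy above lies in its scoping: `iam:CreateRole` and `iam:CreatePolicy` are limited to the `service-role/AmazonDataZone*` ARN patterns, and `iam:AttachRolePolicy` is further limited by the `iam:PolicyARN` condition, so the console user can only attach DataZone-related policies to DataZone-related roles. The following Python script is an added example, not code from the Amazon DataZone documentation or from AWS. It evaluates those ARN patterns the way IAM's `ArnLike` operator does (each of the six colon-delimited ARN components is matched separately, with `*` and `?` wildcards) against a set of constructed candidate policy ARNs; the account number `111122223333` is a placeholder.

```python
# Added example, not part of the Amazon DataZone documentation. Evaluates the
# ArnLike condition and Resource patterns from the inline policy above the way
# IAM does, so you can see which role and policy ARNs the grant covers.
import fnmatch
import json

# The statements of the inline policy above, unchanged.
SIMPLIFIED_ROLE_CREATION_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:CreatePolicy", "iam:CreateRole"],
            "Resource": [
                "arn:aws:iam::*:policy/service-role/AmazonDataZone*",
                "arn:aws:iam::*:role/service-role/AmazonDataZone*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AmazonDataZone*",
            "Condition": {
                "ArnLike": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::aws:policy/AmazonDataZone*",
                        "arn:aws:iam::*:policy/service-role/AmazonDataZone*"
                    ]
                }
            }
        }
    ]
}
""")


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike semantics: split both sides into the six ARN components and
    match each component with IAM's "*" / "?" wildcards. fnmatch also has
    [...] character classes, which IAM lacks, so "[" is escaped first."""
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p.replace("[", "[[]"))
               for p, a in zip(p_parts, a_parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def attachable_policy_arns(policy: dict, candidates: list) -> list:
    """Candidate managed-policy ARNs that the iam:AttachRolePolicy statement's
    iam:PolicyARN condition would accept."""
    patterns = []
    for stmt in policy["Statement"]:
        if "iam:AttachRolePolicy" in _as_list(stmt.get("Action", [])):
            patterns += stmt.get("Condition", {}).get("ArnLike", {}).get("iam:PolicyARN", [])
    return [arn for arn in candidates if any(arn_like(p, arn) for p in patterns)]


# Constructed candidates: the first two should be accepted, the last two not
# (AdministratorAccess is not a DataZone policy; the customer policy is not
# under the service-role/ path).
CANDIDATE_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AmazonDataZoneFullAccess",
    "arn:aws:iam::111122223333:policy/service-role/AmazonDataZoneProjectPolicy",
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::111122223333:policy/AmazonDataZoneCustom",
]

if __name__ == "__main__":
    for arn in attachable_policy_arns(SIMPLIFIED_ROLE_CREATION_POLICY, CANDIDATE_POLICY_ARNS):
        print("attachable:", arn)
```

Because `*` in the resource component matches across slashes, a role named `service-role/AmazonDataZoneAnything` is in scope, while a role outside the `service-role/` path is not, even if its name starts with `AmazonDataZone`.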

## Create a custom policy for permissions to manage an account associated with an Amazon DataZone domain
<a name="create-custom-to-manage-associated-account"></a>

Complete the following procedure to create a custom inline policy that grants the permissions needed in an associated AWS account to list, accept, and reject resource shares of a domain, and then to enable, configure, and disable environment blueprints in that account. To use the optional Amazon DataZone service console simplified role creation that is available during blueprint configuration, you must also [Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation](#create-custom-to-manage-EZCRZ).

**Note**  
For best practices information on configuring permissions to allow creation of service roles, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Users** or **User groups**.

1. In the list, choose the name of the user or group to embed a policy in.

1. Choose the **Permissions** tab and, if necessary, expand the **Permissions policies** section.

1. Choose **Add permissions**, and then choose **Create inline policy**.

1. On the **Create Policy** screen, in the **Policy editor** section, choose **JSON**. Create a policy document with the following JSON statements, and then choose **Next**.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "datazone:ListEnvironmentBlueprintConfigurations",
                   "datazone:PutEnvironmentBlueprintConfiguration",
                   "datazone:GetDomain",
                   "datazone:ListDomains",
                   "datazone:GetEnvironmentBlueprintConfiguration",
                   "datazone:ListEnvironmentBlueprints",
                   "datazone:GetEnvironmentBlueprint",
                   "datazone:ListAccountEnvironments",
                   "datazone:DeleteEnvironmentBlueprintConfiguration"
               ],
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": "iam:PassRole",
               "Resource": [
                   "arn:aws:iam::*:role/AmazonDataZone",
                   "arn:aws:iam::*:role/service-role/AmazonDataZone*"
               ],
               "Condition": {
                   "StringEquals": {
                       "iam:passedToService": "datazone.amazonaws.com"
                   }
               }
           },
           {
               "Effect": "Allow",
               "Action": "iam:AttachRolePolicy",
               "Resource": "arn:aws:iam::*:role/service-role/AmazonDataZone*",
               "Condition": {
                   "ArnLike": {
                       "iam:PolicyARN": [
                           "arn:aws:iam::aws:policy/AmazonDataZone*",
                           "arn:aws:iam::*:policy/service-role/AmazonDataZone*"
                       ]
                   }
               }
           },
           {
               "Effect": "Allow",
               "Action": "iam:ListRoles",
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "iam:CreatePolicy",
                   "iam:CreateRole"
               ],
               "Resource": [
                   "arn:aws:iam::*:policy/service-role/AmazonDataZone*",
                   "arn:aws:iam::*:role/service-role/AmazonDataZone*"
               ]
           },
           {
               "Effect": "Allow",
               "Action": [
                   "ram:AcceptResourceShareInvitation",
                   "ram:RejectResourceShareInvitation",
                   "ram:GetResourceShareInvitations"
               ],
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "s3:ListAllMyBuckets",
                   "s3:ListBucket",
                   "s3:GetBucketLocation"
               ],
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": "s3:CreateBucket",
               "Resource": "arn:aws:s3:::amazon-datazone*"
           }
       ]
   }
   ```

1. On the **Review policy** screen, enter a name for the policy. When you're satisfied with the policy, choose **Create policy**. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.
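The three IAM grants in this policy are the ones a reviewer should check most carefully when the policy is copied or edited: `iam:PassRole` is restricted to named role patterns and conditioned on `iam:PassedToService` being `datazone.amazonaws.com`, `iam:AttachRolePolicy` is conditioned on `iam:PolicyARN`, and `iam:CreateRole`/`iam:CreatePolicy` are scoped to the `service-role/AmazonDataZone*` ARNs. The following Python script is an added example, not code from the Amazon DataZone documentation or from AWS. It runs those checks over an excerpt of the IAM statements above and then over a constructed weakened copy in which the `PassRole` condition has been dropped and its resource widened to `*`, the kind of edit that silently turns a DataZone-only grant into a general role-passing permission.

```python
# Added example, not part of the Amazon DataZone documentation. A small
# least-privilege audit for the IAM statements of the inline policy above.
import copy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """All condition keys of a statement, lower-cased, because IAM condition
    keys are case-insensitive (the page writes iam:passedToService)."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def audit_iam_grants(policy):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        keys = _condition_keys(stmt)
        if "iam:PassRole" in actions:
            if "iam:passedtoservice" not in keys:
                findings.append(f"stmt {i}: iam:PassRole without iam:PassedToService condition")
            if "*" in resources:
                findings.append(f"stmt {i}: iam:PassRole on Resource '*'")
        if "iam:AttachRolePolicy" in actions and "iam:policyarn" not in keys:
            findings.append(f"stmt {i}: iam:AttachRolePolicy without iam:PolicyARN condition")
        for action in ("iam:CreateRole", "iam:CreatePolicy"):
            if action in actions and "*" in resources:
                findings.append(f"stmt {i}: {action} on Resource '*'")
    return findings


# Excerpt of the inline policy from the procedure above: the IAM statements only.
ASSOCIATED_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": ["arn:aws:iam::*:role/AmazonDataZone",
                      "arn:aws:iam::*:role/service-role/AmazonDataZone*"],
         "Condition": {"StringEquals": {"iam:passedToService": "datazone.amazonaws.com"}}},
        {"Effect": "Allow", "Action": "iam:AttachRolePolicy",
         "Resource": "arn:aws:iam::*:role/service-role/AmazonDataZone*",
         "Condition": {"ArnLike": {"iam:PolicyARN": [
             "arn:aws:iam::aws:policy/AmazonDataZone*",
             "arn:aws:iam::*:policy/service-role/AmazonDataZone*"]}}},
        {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreatePolicy", "iam:CreateRole"],
         "Resource": ["arn:aws:iam::*:policy/service-role/AmazonDataZone*",
                      "arn:aws:iam::*:role/service-role/AmazonDataZone*"]},
    ],
}


def weakened_policy():
    """Constructed variant: the PassRole condition dropped and its Resource
    widened to '*', which the audit must report."""
    weak = copy.deepcopy(ASSOCIATED_ACCOUNT_POLICY)
    weak["Statement"][0] = {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
    return weak


if __name__ == "__main__":
    print("page policy:", audit_iam_grants(ASSOCIATED_ACCOUNT_POLICY))   # []
    for finding in audit_iam_grants(weakened_policy()):
        print("weakened policy:", finding)
```

The audit is structural only: it confirms that the conditions are present, not that their values are correct, so a review still reads the `iam:PassedToService` value and the `iam:PolicyARN` patterns by eye.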

## (Optional) Create a custom policy for AWS Identity Center permissions to add and remove SSO user and SSO group access to Amazon DataZone domains
<a name="create-custom-to-manage-add-remove-sso"></a>

Complete the following procedure to create a custom inline policy that grants the permissions needed to add and remove SSO user and SSO group access to your Amazon DataZone domain.

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Users** or **User groups**.

1. In the list, choose the name of the user or group to embed a policy in.

1. Choose the **Permissions** tab and, if necessary, expand the **Permissions policies** section.

1. Choose **Add permissions** and **Create inline policy**.

1. On the **Create Policy** screen, in the **Policy editor** section, choose **JSON**.

   Create a policy document with the following JSON statements, and then choose **Next**.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "sso:GetManagedApplicationInstance",
           "sso:ListProfiles",
           "sso:AssociateProfile",
           "sso:DisassociateProfile",
           "sso:GetProfile"
         ],
         "Resource": "*"
       }
     ]
   }
   ```

1. On the **Review policy** screen, enter a name for the policy. When you're satisfied with the policy, choose **Create policy**. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.

## (Optional) Add your IAM principal as a key user to create your Amazon DataZone domain with a customer-managed key from AWS Key Management Service (KMS)
<a name="create-custom-to-manage-kms"></a>

Before you can optionally create your Amazon DataZone domain with a customer-managed key (CMK) from the AWS Key Management Service (KMS), complete the following procedure to make your IAM principal a user of your KMS key.

1. Sign in to the AWS Management Console and open the KMS console at [https://console.aws.amazon.com/kms/](https://console.aws.amazon.com/kms/).

1. To view the keys in your account that you create and manage, in the navigation pane choose **Customer managed keys**.

1. In the list of KMS keys, choose the alias or key ID of the KMS key that you want to examine.

1. To add or remove key users, and to allow or disallow external AWS accounts to use the KMS key, use the controls in the **Key users** section of the page. Key users can use the KMS key in cryptographic operations, such as encrypting, decrypting, re-encrypting, and generating data keys.

# Configure the IAM permissions required to use the Amazon DataZone data portal
<a name="data-portal-permissions"></a>

The Amazon DataZone data portal, which is outside the AWS Management Console, is a browser-based web application where users can catalog, discover, govern, share, and analyze data in a self-service fashion. The data portal authenticates users with IAM credentials or with existing credentials from your identity provider through AWS IAM Identity Center.

You must complete the following procedures to configure the required permissions for any user, group, or role that needs to use the Amazon DataZone data portal or catalog:

**Topics**
+ [Attach required policy to a user, group, or role for Amazon DataZone data portal access](#data-portal-permissions-portal)
+ [Attach required policy to a user, group, or role for Amazon DataZone catalog access](#data-portal-permissions-catalog)
+ [Attach optional policy to a user, group, or role for Amazon DataZone data portal or catalog access if your domain is encrypted with a customer-managed key from AWS Key Management Service (KMS)](#data-portal-permissions-kms)

## Attach required policy to a user, group, or role for Amazon DataZone data portal access
<a name="data-portal-permissions-portal"></a>

You can access the Amazon DataZone data portal by using either your AWS credentials or your single sign-on (SSO) credentials. Follow the instructions in the section below to set up the permissions required to access the data portal with your AWS credentials. For more information about using Amazon DataZone with SSO, see [Setting up AWS IAM Identity Center for Amazon DataZone](sso-setup.md).

**Note**  
Only IAM principals in your domain's AWS account can access the domain's data portal. IAM principals from other AWS accounts cannot access the domain's data portal.

Complete the following procedure to attach the required policy to a user, group, or a role. For more information, see [AWS managed policies for Amazon DataZone](security-iam-awsmanpol.md).

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 

1. In the navigation pane, choose **Users**, **User groups**, or **Roles**.

1. In the list, choose the name of the user, group, or role in which to embed a policy.

1. Choose the **Permissions** tab and, if necessary, expand the **Permissions policies** section.

1. Choose **Add permissions**, and then choose **Create inline policy**.

1. On the **Create Policy** screen, in the **Policy editor** section, choose **JSON**. Create a policy document with the following JSON statements, and then choose **Next**.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "datazone:GetIamPortalLoginUrl"
               ],
               "Resource": [
                   "*"
               ]
           }
       ]
   }
   ```

1. On the **Review policy** screen, enter a name for the policy. When you're satisfied with the policy, choose **Create policy**. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.

## Attach required policy to a user, group, or role for Amazon DataZone catalog access
<a name="data-portal-permissions-catalog"></a>

**Note**  
Only IAM principals in your domain's AWS account can access the domain's catalog. IAM principals from other AWS accounts cannot access the domain's catalog.

You can grant your IAM identities access to your Amazon DataZone domain’s catalog via API and the SDK with the following procedure. If you want these IAM identities to also have access to the Amazon DataZone data portal, then additionally follow the procedure above to [Attach required policy to a user, group, or role for Amazon DataZone data portal access](#data-portal-permissions-portal). For more information, see [AWS managed policies for Amazon DataZone](security-iam-awsmanpol.md).

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**.

1. In the list of policies, select the radio button next to the **AmazonDataZoneFullUserAccess** policy. You can use the **Filter** menu and the search box to filter the list of policies. For more information, see [AWS managed policy: AmazonDataZoneFullUserAccess](security-iam-awsmanpol-AmazonDataZoneFullUserAccess.md).

1. Choose **Actions**, and then choose **Attach**.

1. Choose the user, group, or role to which you want to attach the policy by selecting the checkbox next to each principal. You can use the **Filter** menu and the search box to filter the list of principal entities. After choosing the user, group, or role, choose **Attach policy**.

## Attach optional policy to a user, group, or role for Amazon DataZone data portal or catalog access if your domain is encrypted with a customer-managed key from AWS Key Management Service (KMS)
<a name="data-portal-permissions-kms"></a>

If you create your Amazon DataZone domain with your own KMS key for data encryption, you must also create an inline policy with the following permissions and attach it to your IAM principals so they can access the Amazon DataZone data portal or catalog.

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Users**, **User groups**, or **Roles**.

1. In the list, choose the name of the user, group, or role in which to embed a policy.

1. Choose the **Permissions** tab and, if necessary, expand the **Permissions policies** section.

1. Choose **Add permissions**, and then choose **Create inline policy**.

1. On the **Create Policy** screen, in the **Policy editor** section, choose **JSON**. Create a policy document with the following JSON statements, and then choose **Next**.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Statement1",
               "Effect": "Allow",
               "Action": [
                   "kms:Decrypt",
                   "kms:DescribeKey",
                   "kms:GenerateDataKey"
               ],
               "Resource": [
                   "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
               ]
           }
       ]
   }
   ```

1. On the **Review policy** screen, enter a name for the policy. When you're satisfied with the policy, choose **Create policy**. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.
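Access to a customer-managed key is decided on two sides. KMS consults the key policy first: a principal named there (which is what the **Key users** control in the KMS console procedure earlier on this page does) is allowed directly, while the identity policy created in this procedure only takes effect when the key policy's account-root statement delegates authorization to IAM. The following Python script is an added example, not code from the Amazon DataZone documentation or from AWS. It models that rule for same-account principals with a deliberately simplified evaluator (Allow statements only; conditions, grants and explicit Deny are ignored). The key policy shape is constructed to follow the KMS console's default layout, the key ARN is the placeholder from the policy above, and the user ARN is invented.

```python
# Added example, not part of the Amazon DataZone documentation. Simplified
# model of how KMS combines the key policy and the caller's IAM policy for a
# same-account principal (Allow only; no conditions, grants or Deny).
import fnmatch

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder from the page
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-00aa-00aa-00aa-000000000000"  # constructed
USER = "arn:aws:iam::111122223333:user/datazone-analyst"  # constructed principal


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt, principal, action, resource):
    """True if one Allow statement covers the principal (None for an identity
    policy, which has no Principal element), the action and the resource."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal is not None and principal not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
        return False
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", []))):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))


def kms_allows(key_policy, identity_policy, principal, action, key_arn):
    stmts = key_policy["Statement"]
    # 1. Named directly in the key policy: a "key user" needs no IAM policy.
    if any(_statement_allows(s, principal, action, key_arn) for s in stmts):
        return True
    # 2. Otherwise the key policy must delegate to IAM through the account root...
    account_root = "arn:aws:iam::" + principal.split(":")[4] + ":root"
    if not any(_statement_allows(s, account_root, action, key_arn) for s in stmts):
        return False
    # ...and the identity policy must allow the action on this key's ARN.
    return identity_policy is not None and any(
        _statement_allows(s, None, action, key_arn) for s in identity_policy["Statement"])


def key_policy(key_users):
    """Constructed key policy in the KMS console's default layout: the root
    delegation statement, plus the "Allow use of the key" statement that the
    Key users control fills in (omitted when there are no key users)."""
    statements = [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "kms:*", "Resource": "*"}]
    if key_users:
        statements.append({"Sid": "Allow use of the key", "Effect": "Allow",
                           "Principal": {"AWS": key_users},
                           "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                                      "kms:GenerateDataKey*", "kms:DescribeKey"],
                           "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


# The inline identity policy from the procedure above.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement1", "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"],
    "Resource": [KEY_ARN]}]}

if __name__ == "__main__":
    print(kms_allows(key_policy([]), None, USER, "kms:Decrypt", KEY_ARN))             # False
    print(kms_allows(key_policy([]), IDENTITY_POLICY, USER, "kms:Decrypt", KEY_ARN))  # True
    print(kms_allows(key_policy([USER]), None, USER, "kms:Decrypt", KEY_ARN))         # True
```

Two consequences are worth checking in a real account: the identity policy grants nothing if the key policy has no root delegation statement, and because the policy above names one key ARN, a domain re-created with a different key needs the inline policy updated as well.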

# Setting up AWS IAM Identity Center for Amazon DataZone
<a name="sso-setup"></a>

**Note**  
AWS Identity Center must be enabled in the same AWS Region as your Amazon DataZone domain. Currently, AWS Identity Center can only be enabled in a single AWS Region. 

You can access the Amazon DataZone data portal by using either your single sign-on (SSO) credentials or AWS credentials. Follow the instructions in this section to set up AWS IAM Identity Center for Amazon DataZone. For more information about using Amazon DataZone with your AWS credentials, see [Configure the IAM permissions required to use the Amazon DataZone management console](create-iam-roles.md).

You can skip the procedures in this section if you already have AWS IAM Identity Center (successor to AWS Single Sign-On) enabled and configured in the same AWS region where you want to create your Amazon DataZone domain.

Complete the following procedure to enable AWS IAM Identity Center (successor to AWS Single Sign-On).

1. To enable AWS IAM Identity Center, you must sign in to the AWS Management Console by using the credentials of your AWS Organizations management account. You can't enable IAM Identity Center while signed in with credentials from an AWS Organizations member account. For more information, see [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the AWS Organizations User Guide.

1. Open the [AWS IAM Identity Center (successor to AWS Single Sign-On) console](https://console.aws.amazon.com/singlesignon) and use the region selector in the top navigation bar to choose the AWS region in which you want to create your Amazon DataZone domain.

1. Choose **Enable**.

1. Choose your identity source.

    By default, you get an IAM Identity Center store for quick and easy user management. Optionally, you can connect an external identity provider instead. In this procedure, we use the default IAM Identity Center store.

    For more information, see [Choose your identity source](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-choose-identity-source.html). 

1. In the IAM Identity Center navigation pane, choose **Groups**, and choose **Create group**. Enter the group name and choose **Create**.

1. In the IAM Identity Center navigation pane, choose **Users**.

1. On the **Add user** screen, enter the required information and choose **Send an email to the user with password setup instructions**. The user should get an email about the next setup steps.

1. Choose **Next: Groups**, choose the group that you want, and choose **Add user**. Users should receive an email inviting them to use SSO. In this email, they need to choose **Accept invitation** and set the password.

After you create your Amazon DataZone domain, you can enable AWS Identity Center for Amazon DataZone and provide access to your SSO users and SSO groups. For more information, see [Enable IAM Identity Center for Amazon DataZone](enable-IAM-identity-center-for-datazone.md).