Amazon DataZone projects and environments
In Amazon DataZone, projects enable a group of users to collaborate on various business use cases that involve publishing, discovering, subscribing to, and consuming data assets in the Amazon DataZone catalog. Each Amazon DataZone project has a set of access controls applied to it so that only authorized individuals, groups, and roles can access the project and the data assets that the project subscribes to, and can use only those tools that are defined by the project permissions. Projects act as an identity principal that receives access grants to underlying resources, enabling Amazon DataZone to operate within an organization’s infrastructure without relying on individual users’ credentials.
In Amazon DataZone, an environment is a collection of configured resources (for example, an Amazon S3 bucket, an AWS Glue database, or an Amazon Athena workgroup), with a given set of IAM principals (with assigned contributor permissions) who can operate on those resources. Each environment may also have user principals who are authorized to access the resources and get access to data via subscription and fulfillment. Environments are designed to store actionable links into AWS services and external IDEs and consoles. Members of the project can access services such as the Amazon Athena console and more via deep links configured within an environment. SSO users and IAM users from the project can be further scoped down to use or access specific environments.
In Amazon DataZone, you create environments by using templates called environment profiles. Environment profiles, in turn, are created by using built-in and custom AWS service blueprints. With environment profiles, domain administrators can wrap blueprints with preconfigured parameters, and then data workers can quickly create any number of new environments by selecting existing environment profiles and specifying names for the new environments. This enables data workers to efficiently manage their projects and environments while ensuring that they satisfy data governance policies enforced by their domain administrators.
For more information, see Amazon DataZone terminology and concepts.