AWS managed policies for Amazon QLDB
Important
End of support notice: Existing customers will be able to use Amazon QLDB until end of support on 07/31/2025. For more details, see Migrate an Amazon QLDB Ledger to Amazon Aurora PostgreSQL.
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
For more information about the QLDB API operations in these AWS managed policies, see the Amazon QLDB API reference.
AWS managed policy: AmazonQLDBReadOnly
Use the AmazonQLDBReadOnly policy to grant read-only permissions to all QLDB resources. You can attach this policy to your IAM identities.
Permissions details
This policy includes the following permissions for the qldb service.
- Allows principals to describe and list all QLDB resources and their tags. These resources include ledgers, Amazon S3 export jobs, and streams to Kinesis Data Streams.
- Allows principals to get a block, digest, or revision from the journal in any ledger to verify the data cryptographically.
- Doesn't allow principals to run any PartiQL commands on any tables in any ledgers.
AWS managed policy: AmazonQLDBFullAccess
Use the AmazonQLDBFullAccess policy to grant full administrative permissions to all QLDB resources through the QLDB API or the AWS CLI. You can attach this policy to your IAM identities.
Permissions details
This policy includes the following permissions.
- qldb
  - Allows principals to create, describe, list, and manage all QLDB resources and their tags. These resources include ledgers, Amazon S3 export jobs, and streams to Kinesis Data Streams.
  - Allows principals to run all PartiQL commands on all tables in any ledger by using the QLDB driver or the QLDB shell.
  - Allows principals to get a block, digest, or revision from the journal in any ledger to verify the data cryptographically.
- iam – Allows principals to pass any IAM role resource in your account to the QLDB service. This is required for all journal export and stream requests.
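A customer managed policy that narrows AmazonQLDBFullAccess in the way the recommendation at the top of this page suggests, added here as an example and not a policy from this page: it scopes the QLDB actions to one ledger and limits iam:PassRole to a single export role that can be passed only to the QLDB service. The account ID, ledger name, and role name are placeholders; check each action against the Amazon QLDB API reference before use, and in STANDARD permissions mode add the table-level qldb:PartiQL* actions the driver also needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOneLedgerOnly",
      "Effect": "Allow",
      "Action": [
        "qldb:DescribeLedger",
        "qldb:ExportJournalToS3",
        "qldb:DescribeJournalS3Export",
        "qldb:ListJournalS3ExportsForLedger",
        "qldb:GetBlock",
        "qldb:GetDigest",
        "qldb:GetRevision",
        "qldb:SendCommand"
      ],
      "Resource": "arn:aws:qldb:us-east-1:111122223333:ledger/EXAMPLE-LEDGER"
    },
    {
      "Sid": "ListActionsNeedWildcardResource",
      "Effect": "Allow",
      "Action": [
        "qldb:ListLedgers",
        "qldb:ListJournalS3Exports"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PassOnlyTheExportRoleToQldb",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/EXAMPLE-QLDB-EXPORT-ROLE",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "qldb.amazonaws.com"
        }
      }
    }
  ]
}
```

Compared with the managed policy, the third statement replaces "pass any IAM role in your account" with one named role and the iam:PassedToService condition, so a principal with this policy cannot hand an unrelated role to another service.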
AWS managed policy: AmazonQLDBConsoleFullAccess
Use the AmazonQLDBConsoleFullAccess policy to grant full administrative permissions to all QLDB resources through the AWS Management Console, the QLDB API, or the AWS CLI. You can attach this policy to your IAM identities.
Permissions details
This policy includes the following permissions.
- qldb
  - Allows principals to create, describe, list, and manage all QLDB resources and their tags. These resources include ledgers, Amazon S3 export jobs, and streams to Kinesis Data Streams.
  - Allows principals to run all PartiQL commands on all tables in any ledger by using the QLDB console, the QLDB driver, or the QLDB shell.
  - Allows principals to insert sample application data in any ledger by using the QLDB console.
  - Allows principals to get a block, digest, or revision from the journal in any ledger to verify the data cryptographically.
- dbqms – Allows principals to use all actions in the Database Query Metadata Service. This is an internal-only service that the QLDB console requires to create, describe, and manage recent and saved queries for the PartiQL query editor.
- kinesis – Allows principals to describe and list Amazon Kinesis Data Streams resources. These resources are the target destinations that QLDB stream resources can write data to.
- iam – Allows principals to pass any IAM role resource in your account to the QLDB service. This is required for all journal export and stream requests.
QLDB updates to AWS managed policies
View details about updates to AWS managed policies for QLDB since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the QLDB Release history page.
Change | Description | Date
---|---|---
AmazonQLDBFullAccess, AmazonQLDBConsoleFullAccess – Update to existing policies | QLDB added a new permission to allow principals to redact document revisions in all ledgers in the | November 4, 2022
AmazonQLDBFullAccess, AmazonQLDBConsoleFullAccess – Update to existing policies | QLDB added new permissions to allow principals to pass any IAM role resource in your account to the QLDB service. This is required for all journal export and stream requests. | September 2, 2021
AmazonQLDBReadOnly – Update to an existing policy | QLDB removed a duplicate | July 1, 2021
AmazonQLDBFullAccess, AmazonQLDBConsoleFullAccess – Update to existing policies | QLDB added new permissions to allow principals to update the permissions mode in all ledgers, and to run all PartiQL commands in all ledgers in the new The | May 27, 2021
QLDB started tracking changes | QLDB started tracking changes for its AWS managed policies. | March 1, 2021