本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AmazonDataZoneProjectDeploymentPermissionsBoundary
說明:Amazon DataZone 會建立用於部署資料分析專案的 IAM 角色。DataZone 建立這些角色時,會使用此政策做為其權限界限 (permissions boundary),以限制這些角色的有效權限。從下方政策文件可見:角色的建立、刪除、傳遞 (iam:PassRole) 以及角色政策的附加/卸除,僅允許用於名稱包含 "datazone" 的角色,且建立角色或變更其角色政策時,該角色必須同時以 AmazonDataZoneProjectRolePermissionsBoundary 做為權限界限;另有明確的 Deny 陳述式將 S3 物件與儲存貯體操作限制於名稱包含 "datazone" 的儲存貯體、將 KMS 操作限制於主體所在帳戶的金鑰,並以最後的 Deny NotAction 陳述式拒絕允許清單以外的所有動作。
AmazonDataZoneProjectDeploymentPermissionsBoundary
是 AWS 受管理的政策。
使用此政策
您可以將 AmazonDataZoneProjectDeploymentPermissionsBoundary 附加至您的使用者、群組和角色。不過,此政策的設計用途是做為權限界限:請透過角色的 PermissionsBoundary 屬性套用它,而不要當成一般的身分型許可政策附加。權限界限本身不會授予任何權限,只會設定該身分有效權限的上限;若直接當成許可政策附加,其中的 Allow 陳述式就會實際授予權限。
政策詳情
-
類型:AWS 受管理的政策
-
建立時間:3 月 21 日 14:54 (UTC)(此譯文未列出年份,請以英文版為準)
-
編輯時間:2023 年 4 月 4 日 02:48 (UTC)
-
ARN:
arn:aws:iam::aws:policy/AmazonDataZoneProjectDeploymentPermissionsBoundary
政策版本
政策版本:v2 (預設)
政策的預設版本即定義該政策權限的版本。當附加了此政策的使用者或角色提出存取 AWS 資源的請求時,AWS 會檢查政策的預設版本,以決定是否允許該請求。
政策文件
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"iam:CreateRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
],
"Resource" : "arn:aws:iam::*:role/*datazone*",
"Condition" : {
"StringEquals" : {
"iam:PermissionsBoundary" : "arn:aws:iam::aws:policy/AmazonDataZoneProjectRolePermissionsBoundary"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"iam:DeleteRole"
],
"Resource" : [
"arn:aws:iam::*:role/*datazone*"
]
},
{
"Effect" : "Allow",
"Action" : [
"kms:CreateKey",
"kms:TagResource",
"athena:CreateWorkGroup",
"athena:TagResource",
"iam:TagRole",
"iam:TagPolicy",
"logs:CreateLogGroup",
"logs:TagLogGroup",
"ssm:AddTagsToResource"
],
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringLike" : {
"aws:TagKeys" : "datazone:*"
},
"StringLike" : {
"aws:ResourceTag/datazone:projectId" : "proj-*"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"athena:DeleteWorkGroup",
"kms:ScheduleKeyDeletion",
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:DisableKeyRotation",
"kms:GenerateDataKey",
"kms:Encrypt",
"kms:Decrypt",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource" : "*",
"Condition" : {
"StringLike" : {
"aws:ResourceTag/datazone:projectId" : "proj-*"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringLike" : {
"aws:TagKeys" : "datazone:projectId"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"iam:DeletePolicy",
"s3:DeleteBucket"
],
"Resource" : [
"arn:aws:iam::*:policy/datazone*",
"arn:aws:s3:::datazone*"
]
},
{
"Effect" : "Allow",
"Action" : [
"ssm:GetParameter*",
"ssm:PutParameter",
"ssm:DeleteParameter"
],
"Resource" : [
"arn:aws:ssm:*:*:parameter/*datazone*"
]
},
{
"Effect" : "Allow",
"Action" : [
"iam:GetRole",
"iam:GetPolicy",
"iam:GetRolePolicy",
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"lakeformation:RegisterResource",
"lakeformation:DeregisterResource",
"lakeformation:GrantPermissions",
"lakeformation:PutDataLakeSettings",
"lakeformation:GetDataLakeSettings",
"lakeformation:RevokePermissions",
"lakeformation:ListPermissions",
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabases",
"glue:GetDatabase",
"sts:GetCallerIdentity"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:aws:iam::*:role/*datazone*"
]
},
{
"Effect" : "Allow",
"Action" : [
"s3:PutEncryptionConfiguration",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucketPolicy",
"s3:CreateBucket",
"s3:PutBucketPolicy",
"s3:PutBucketAcl",
"s3:PutBucketVersioning",
"s3:PutBucketTagging",
"s3:PutBucketLogging",
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:GetEncryptionConfiguration",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
],
"Resource" : "arn:aws:s3:::*datazone*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"athena:Get*",
"athena:List*",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:Describe*",
"ec2:Get*",
"ec2:List*",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"logs:DeleteLogGroup",
"logs:DeleteRetentionPolicy"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"kms:PutKeyPolicy"
],
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
}
},
{
"Effect" : "Allow",
"Action" : "ec2:CreateVpcEndpoint",
"NotResource" : "arn:aws:ec2:*:*:vpc-endpoint/*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateVpcEndpoint"
],
"Resource" : "arn:aws:ec2:*:*:vpc-endpoint/*",
"Condition" : {
"StringLike" : {
"ec2:VpceServiceName" : [
"com.amazonaws.*.logs",
"com.amazonaws.*.s3",
"com.amazonaws.*.glue",
"com.amazonaws.*.athena"
]
}
}
},
{
"Action" : [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:GetTemplate",
"cloudformation:DescribeChangeSet",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:TagResource",
"cloudformation:GetTemplateSummary"
],
"Effect" : "Allow",
"Resource" : [
"arn:aws:cloudformation:*:*:stack/DataZone*"
]
},
{
"Effect" : "Deny",
"Action" : [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:GetEncryptionConfiguration",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*",
"s3:DeleteBucket"
],
"NotResource" : [
"arn:aws:s3:::*datazone*"
]
},
{
"Effect" : "Deny",
"Action" : [
"kms:*"
],
"Resource" : "*",
"Condition" : {
"StringNotEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Effect" : "Deny",
"NotAction" : [
"ssm:PutParameter",
"ssm:DeleteParameter",
"ssm:AddTagsToResource",
"ssm:GetParameters",
"ssm:GetParameter",
"s3:PutEncryptionConfiguration",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucketPolicy",
"s3:CreateBucket",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketVersioning",
"s3:PutBucketTagging",
"s3:ListBucket",
"s3:PutBucketLogging",
"s3:DeleteBucket",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"iam:DeletePolicy",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:GetTemplate",
"cloudformation:DescribeChangeSet",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:TagResource",
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:GetTemplateSummary",
"athena:*",
"kms:*",
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabases",
"glue:GetDatabase",
"lambda:*",
"ec2:*",
"logs:*",
"servicecatalog:CreateApplication",
"servicecatalog:DeleteApplication",
"servicecatalog:GetApplication",
"lakeformation:RegisterResource",
"lakeformation:DeregisterResource",
"lakeformation:GrantPermissions",
"lakeformation:PutDataLakeSettings",
"lakeformation:RevokePermissions",
"lakeformation:GetDataLakeSettings",
"lakeformation:ListPermissions",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:UntagRole",
"iam:PassRole",
"iam:TagRole",
"s3:GetBucket*",
"s3:GetObject*",
"s3:Abort*",
"s3:GetEncryptionConfiguration",
"s3:PutObject*"
],
"Resource" : [
"*"
]
}
]
}