AWS managed policies for AWS Data Exchange - AWS Data Exchange User Guide

AWS managed policies for AWS Data Exchange

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AWSDataExchangeFullAccess

You can attach the AWSDataExchangeFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

Permissions details

This policy includes the following permissions:

  • AWS Data Exchange – Allows principals full access to AWS Data Exchange. This includes both providing data products and subscribing to them.

  • AWS Marketplace – Allows principals access to AWS Marketplace for providing products, subscribing to products, and managing product agreements. This is required to provide or subscribe to data products.

  • Amazon S3 – Allows principals to get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service, and to upload AWS Data Exchange related files to Amazon S3. This is required for providing and subscribing to data products.

  • Amazon Redshift – Allows principals to view AWS Data Exchange datashares for Amazon Redshift for import and to authorize them. This is required for providing Amazon Redshift data products.

  • Amazon API Gateway – Allows principals to get Amazon API Gateway APIs from Amazon API Gateway, and to upload APIs. This is required for providing Amazon API Gateway data sets.

  • AWS KMS – Allows access to list and describe keys in AWS Key Management Service.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DataExchangeActions", "Effect": "Allow", "Action": [ "dataexchange:*" ], "Resource": "*" }, { "Sid": "S3GetActionConditionalResourceAndADX", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Sid": "S3GetActionConditionalTagAndADX", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/AWSDataExchange": "true" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Sid": "S3WriteActions", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Sid": "S3ReadActions", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "AWSMarketplaceProviderActions", "Effect": "Allow", "Action": [ "aws-marketplace:DescribeEntity", "aws-marketplace:ListEntities", "aws-marketplace:StartChangeSet", "aws-marketplace:ListChangeSets", "aws-marketplace:DescribeChangeSet", "aws-marketplace:CancelChangeSet", "aws-marketplace:GetAgreementApprovalRequest", "aws-marketplace:ListAgreementApprovalRequests", "aws-marketplace:AcceptAgreementApprovalRequest", "aws-marketplace:RejectAgreementApprovalRequest", "aws-marketplace:UpdateAgreementApprovalRequest", "aws-marketplace:SearchAgreements", "aws-marketplace:GetAgreementTerms", "aws-marketplace:TagResource", "aws-marketplace:UntagResource", "aws-marketplace:ListTagsForResource" ], "Resource": "*" }, { "Sid": "AWSMarketplaceSubscriberActions", "Effect": "Allow", "Action": [ "aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe", "aws-marketplace:ViewSubscriptions", "aws-marketplace:GetAgreementRequest", "aws-marketplace:ListAgreementRequests", "aws-marketplace:CancelAgreementRequest", "aws-marketplace:ListPrivateListings", "aws-marketplace:DescribeAgreement" ], "Resource": "*" }, { "Sid": "KMSActions", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys" ], "Resource": "*" }, { "Sid": "RedshiftConditionalActions", "Effect": "Allow", "Action": [ "redshift:AuthorizeDataShare" ], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "redshift:ConsumerIdentifier": "ADX" } } }, { "Sid": "RedshiftActions", "Effect": "Allow", "Action": [ "redshift:DescribeDataSharesForProducer", "redshift:DescribeDataShares" ], "Resource": "*" }, { "Sid": "APIGatewayActions", "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": "*" } ] }

AWS managed policy: AWSDataExchangeProviderFullAccess

You can attach the AWSDataExchangeProviderFullAccess policy to your IAM identities.

This policy grants contributor permissions that provide data provider access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

Permissions details

This policy includes the following permissions:

  • AWS Data Exchange – Allows principals full access to provide data products on AWS Data Exchange. Principals can create, update, and remove products on AWS Data Exchange.

  • AWS Marketplace – Allows principals access to AWS Marketplace for providing and subscribing to data products, and managing subscription verification requests. This is required to provide data products.

  • Amazon S3 – Allows principals to get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service, and to upload AWS Data Exchange related files to Amazon S3. This is required for providing data products.

  • Amazon API Gateway – Allows principals to get Amazon API Gateway APIs from Amazon API Gateway, and to upload APIs. This is required for providing Amazon API Gateway API data sets.

  • Amazon Redshift – Allows principals to view AWS Data Exchange datashares for Amazon Redshift for import and to authorize them. This is required for providing Amazon Redshift data products.

  • AWS KMS – Allows access to AWS Key Management Service so that data can be encrypted and accessed using keys.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dataexchange:CreateDataSet", "dataexchange:CreateRevision", "dataexchange:CreateAsset", "dataexchange:Get*", "dataexchange:Update*", "dataexchange:List*", "dataexchange:Delete*", "dataexchange:TagResource", "dataexchange:UntagResource", "dataexchange:PublishDataSet", "dataexchange:SendApiAsset", "dataexchange:RevokeRevision", "dataexchange:SendDataSetNotification", "tag:GetTagKeys", "tag:GetTagValues" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dataexchange:CreateJob", "dataexchange:StartJob", "dataexchange:CancelJob" ], "Resource": "*", "Condition": { "StringEquals": { "dataexchange:JobType": [ "IMPORT_ASSETS_FROM_S3", "IMPORT_ASSET_FROM_SIGNED_URL", "EXPORT_ASSETS_TO_S3", "EXPORT_ASSET_TO_SIGNED_URL", "IMPORT_ASSET_FROM_API_GATEWAY_API", "IMPORT_ASSETS_FROM_REDSHIFT_DATA_SHARES" ] } } }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/AWSDataExchange": "true" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:DescribeEntity", "aws-marketplace:ListEntities", "aws-marketplace:DescribeChangeSet", "aws-marketplace:ListChangeSets", "aws-marketplace:StartChangeSet", "aws-marketplace:CancelChangeSet", "aws-marketplace:GetAgreementApprovalRequest", "aws-marketplace:ListAgreementApprovalRequests", "aws-marketplace:AcceptAgreementApprovalRequest", "aws-marketplace:RejectAgreementApprovalRequest", "aws-marketplace:UpdateAgreementApprovalRequest", "aws-marketplace:SearchAgreements", "aws-marketplace:GetAgreementTerms", "aws-marketpalce:DescribeAgreement" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:TagResource", "aws-marketplace:UntagResource", "aws-marketplace:ListTagsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys" ], "Resource": "*" }, { "Effect": "Allow", "Action": ["redshift:AuthorizeDataShare"], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "redshift:ConsumerIdentifier": "ADX" } } }, { "Effect": "Allow", "Action": [ "redshift:DescribeDataSharesForProducer", "redshift:DescribeDataShares" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET", ], "Resource": "*" } ] }

AWS managed policy: AWSDataExchangeReadOnly

You can attach the AWSDataExchangeReadOnly policy to your IAM identities.

This policy grants read-only permissions that allow read-only access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK.

Permissions details

This policy includes the following permissions:

  • AWS Data Exchange – Allows principals read-only access to AWS Data Exchange products. This includes both provided and subscribed data products.

  • AWS Marketplace – Allows principals read-only access to AWS Marketplace for provided and subscribed products. This is required to view data products.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DataExchangeReadOnlyActions", "Effect": "Allow", "Action": [ "dataexchange:GetAsset", "dataexchange:GetDataSet", "dataexchange:GetEventAction", "dataexchange:GetJob", "dataexchange:GetRevision", "dataexchange:ListDataSetRevisions", "dataexchange:ListDataSets", "dataexchange:ListEventActions", "dataexchange:ListJobs", "dataexchange:ListRevisionAssets", "dataexchange:ListTagsForResource" ], "Resource": "*" }, { "Sid": "AWSMarketplaceReadOnlyActions", "Effect": "Allow", "Action": [ "aws-marketplace:ViewSubscriptions", "aws-marketplace:GetAgreementRequest", "aws-marketplace:ListAgreementRequests", "aws-marketplace:GetAgreementApprovalRequest", "aws-marketplace:ListAgreementApprovalRequests", "aws-marketplace:DescribeEntity", "aws-marketplace:ListEntities", "aws-marketplace:DescribeChangeSet", "aws-marketplace:ListChangeSets", "aws-marketplace:SearchAgreements", "aws-marketplace:GetAgreementTerms", "aws-marketplace:ListPrivateListings", "aws-marketplace:ListTagsForResource" ], "Resource": "*" } ] }

AWS managed policy: AWSDataExchangeSubscriberFullAccess

You can attach the AWSDataExchangeSubscriberFullAccess policy to your IAM identities.

This policy grants contributor permissions that allow data subscriber access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

Permissions details

This policy includes the following permissions:

  • AWS Data Exchange – Allows principals full access to the subscriber features of AWS Data Exchange. This includes subscribing to and accessing data products.

  • AWS Marketplace – Allows principals access to AWS Marketplace for view and subscribing to products. This is required to subscribe to data products.

  • Amazon S3 – Allows principals to view and get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service. This is required for accessing subscribed data products.

  • AWS KMS – Allows access to AWS Key Management Service to access data that has been encrypted using keys.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DataExchangeReadOnlyActions", "Effect": "Allow", "Action": [ "dataexchange:Get*", "dataexchange:List*" ], "Resource": "*" }, { "Sid": "DataExchangeExportActions", "Effect": "Allow", "Action": [ "dataexchange:CreateJob", "dataexchange:StartJob", "dataexchange:CancelJob" ], "Resource": "*", "Condition": { "StringEquals": { "dataexchange:JobType": [ "EXPORT_ASSETS_TO_S3", "EXPORT_ASSET_TO_SIGNED_URL", "EXPORT_REVISIONS_TO_S3" ] } } }, { "Sid": "DataExchangeEventActionActions", "Effect": "Allow", "Action": [ "dataexchange:CreateEventAction", "dataexchange:UpdateEventAction", "dataexchange:DeleteEventAction", "dataexchange:SendApiAsset" ], "Resource": "*" }, { "Sid": "S3GetActionConditionalResourceAndADX", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Sid": "S3ReadActions", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "AWSMarketplaceSubscriberActions", "Effect": "Allow", "Action": [ "aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe", "aws-marketplace:ViewSubscriptions", "aws-marketplace:GetAgreementRequest", "aws-marketplace:ListAgreementRequests", "aws-marketplace:CancelAgreementRequest", "aws-marketplace:ListPrivateListings" ], "Resource": "*" }, { "Sid": "KMSActions", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys" ], "Resource": "*" } ] }

AWS Data Exchange updates to AWS managed policies

The following table provides details about updates to AWS managed policies for AWS Data Exchange since this service began tracking these changes. For automatic alerts about changes to this page (and any other changes to this user guide), subscribe to the RSS feed on the Document history for AWS Data Exchange page.

Change Description Date

AWSDataExchangeReadOnly

Added statement IDs to make the policy easier to read, expanded the wild carded permissions to the full list of read only ADX permissions, and added new actions: aws-marketplace:ListTagsForResource and aws-marketplace:ListPrivateListings.

July 9, 2024

AWSDataExchangeFullAccess Removed action: aws-marketplace:GetPrivateListing May 22, 2024
AWSDataExchangeSubscriberFullAccess Added statement IDs to make the policy easier to read and added new action: aws-marketplace:ListPrivateListings. April 30, 2024
AWSDataExchangeFullAccess Added statement IDs to make the policy easier to read and added new actions: aws-marketplace:TagResource, aws-marketplace:UntagResource, aws-marketplace:ListTagsForResource, aws-marketplace:ListPrivateListings, aws-marketplace:GetPrivateListing, and aws-marketplace:DescribeAgreement. April 30, 2024

AWSDataExchangeProviderFullAccess

Added dataexchange:SendDataSetNotification, a new permission to send data set notifications. March 5, 2024

AWSDataExchangeSubscriberFullAccess, AWSDataExchangeReadOnly, AWSDataExchangeProviderFullAccess, and AWSDataExchangeFullAccess – Update to existing policies

Added granular actions across all managed policies. New actions added are aws-marketplace:CreateAgreementRequest, aws-marketplace:AcceptAgreementRequest, aws-marketplace:ListEntitlementDetails, aws-marketplace:ListPrivateListings, aws-marketplace:GetPrivateListing, license-manager:ListReceivedGrants aws-marketplace:TagResource, aws-marketplace:UntagResource, aws-marketplace:ListTagsForResource, aws-marketplace:DescribeAgreement, aws-marketplace:GetAgreementTerms aws-marketplace:GetLicense.

July 31, 2023

AWSDataExchangeProviderFullAccess – Update to existing policy

Added dataexchange:RevokeRevision, a new permission to revoke a revision.

March 15, 2022

AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies

Added apigateway:GET, a new permission to retrieve an API asset from Amazon API Gateway.

December 3, 2021
AWSDataExchangeProviderFullAccess and AWSDataExchangeSubscriberFullAccess – Update to existing policies

Added dataexchange:SendApiAsset, a new permission to send a request to an API asset.

November 29, 2021

AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies

Added redshift:AuthorizeDataShare, redshift:DescribeDataSharesForProducer, and redshift:DescribeDataShares, new permissions to authorize access to and create Amazon Redshift data sets.

November 1, 2021

AWSDataExchangeSubscriberFullAccess – Update to an existing policy

Added dataexchange:CreateEventAction, dataexchange:UpdateEventAction, and dataexchange:DeleteEventAction, new permissions to control access to automatically export new revisions of data sets.

September 30, 2021

AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies

Added dataexchange:PublishDataSet, a new permission to control access to publishing new versions of data sets.

May 25, 2021

AWSDataExchangeReadOnly, AWSDataExchangeProviderFullAccess, and AWSDataExchangeFullAccess – Update to existing policies

Added aws-marketplace:SearchAgreements and aws-marketplace:GetAgreementTerms to enable viewing subscriptions for products and offers.

May 12, 2021

AWS Data Exchange started tracking changes

AWS Data Exchange started tracking changes for its AWS managed policies.

April 20, 2021