AWS managed policies for AWS Data Exchange
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy:
AWSDataExchangeFullAccess
You can attach the AWSDataExchangeFullAccess policy to your IAM
identities.
This policy grants administrative permissions that allow full access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.
Permissions details
This policy includes the following permissions:
-
AWS Data Exchange– Allows principals full access to AWS Data Exchange. This includes both providing data products and subscribing to them. -
AWS Marketplace– Allows principals access to AWS Marketplace for providing products, subscribing to products, and managing product agreements. This is required to provide or subscribe to data products. -
Amazon S3– Allows principals to get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service, and to upload AWS Data Exchange related files to Amazon S3. This is required for providing and subscribing to data products. -
Amazon Redshift– Allows principals to view AWS Data Exchange datashares for Amazon Redshift for import and to authorize them. This is required for providing Amazon Redshift data products. -
Amazon API Gateway– Allows principals to get Amazon API Gateway APIs from Amazon API Gateway, and to upload APIs. This is required for providing Amazon API Gateway data sets. -
AWS KMS– Allows access to list and describe keys in AWS Key Management Service.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dataexchange:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/AWSDataExchange": "true" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:DescribeEntity", "aws-marketplace:ListEntities", "aws-marketplace:StartChangeSet", "aws-marketplace:ListChangeSets", "aws-marketplace:DescribeChangeSet", "aws-marketplace:CancelChangeSet", "aws-marketplace:GetAgreementApprovalRequest", "aws-marketplace:ListAgreementApprovalRequests", "aws-marketplace:AcceptAgreementApprovalRequest", "aws-marketplace:RejectAgreementApprovalRequest", "aws-marketplace:UpdateAgreementApprovalRequest", "aws-marketplace:SearchAgreements", "aws-marketpalce:GetAgreementTerms" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe", "aws-marketplace:ViewSubscriptions", "aws-marketplace:GetAgreementRequest", "aws-marketplace:ListAgreementRequests", "aws-marketplace:CancelAgreementRequest", "aws-marketplace:CreateAgreementRequest", "aws-marketplace:AcceptAgreementRequest", "aws-marketplace:ListEntitlementDetails", "aws-marketplace:ListPrivateListings", "aws-marketplace:DescribeAgreement", "aws-marketplace:GetPrivateListing" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:TagResource", "aws-marketplace:UntagResource", "aws-marketplace:ListTagsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys" ], "Resource": "*" }, { "Effect": "Allow", "Action": ["redshift:AuthorizeDataShare"], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "redshift:ConsumerIdentifier": "ADX" } } }, { "Effect": "Allow", "Action": [ "redshift:DescribeDataSharesForProducer", "redshift:DescribeDataShares" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET", ], "Resource": "*" } ] }
AWS managed
policy: AWSDataExchangeProviderFullAccess
You can attach the AWSDataExchangeProviderFullAccess policy to your IAM
identities.
This policy grants contributor permissions that provide data provider access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.
Permissions details
This policy includes the following permissions:
-
AWS Data Exchange– Allows principals full access to provide data products on AWS Data Exchange. Principals can create, update, and remove products on AWS Data Exchange. -
AWS Marketplace– Allows principals access to AWS Marketplace for providing and subscribing to data products, and managing subscription verification requests. This is required to provide data products. -
Amazon S3– Allows principals to get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service, and to upload AWS Data Exchange related files to Amazon S3. This is required for providing data products. -
Amazon API Gateway– Allows principals to get Amazon API Gateway APIs from Amazon API Gateway, and to upload APIs. This is required for providing Amazon API Gateway API data sets. -
Amazon Redshift– Allows principals to view AWS Data Exchange datashares for Amazon Redshift for import and to authorize them. This is required for providing Amazon Redshift data products. -
AWS KMS– Allows access to AWS Key Management Service so that data can be encrypted and accessed using keys.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dataexchange:CreateDataSet", "dataexchange:CreateRevision", "dataexchange:CreateAsset", "dataexchange:Get*", "dataexchange:Update*", "dataexchange:List*", "dataexchange:Delete*", "dataexchange:TagResource", "dataexchange:UntagResource", "dataexchange:PublishDataSet", "dataexchange:SendApiAsset", "dataexchange:RevokeRevision", "dataexchange:SendDataSetNotification", "tag:GetTagKeys", "tag:GetTagValues" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dataexchange:CreateJob", "dataexchange:StartJob", "dataexchange:CancelJob" ], "Resource": "*", "Condition": { "StringEquals": { "dataexchange:JobType": [ "IMPORT_ASSETS_FROM_S3", "IMPORT_ASSET_FROM_SIGNED_URL", "EXPORT_ASSETS_TO_S3", "EXPORT_ASSET_TO_SIGNED_URL", "IMPORT_ASSET_FROM_API_GATEWAY_API", "IMPORT_ASSETS_FROM_REDSHIFT_DATA_SHARES" ] } } }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "s3:ExistingObjectTag/AWSDataExchange": "true" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:DescribeEntity", "aws-marketplace:ListEntities", "aws-marketplace:DescribeChangeSet", "aws-marketplace:ListChangeSets", "aws-marketplace:StartChangeSet", "aws-marketplace:CancelChangeSet", "aws-marketplace:GetAgreementApprovalRequest", "aws-marketplace:ListAgreementApprovalRequests", "aws-marketplace:AcceptAgreementApprovalRequest", "aws-marketplace:RejectAgreementApprovalRequest", "aws-marketplace:UpdateAgreementApprovalRequest", "aws-marketplace:SearchAgreements", "aws-marketplace:GetAgreementTerms", "aws-marketpalce:DescribeAgreement", "aws-marketpalce:GetPrivateListing" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:TagResource", "aws-marketplace:UntagResource", "aws-marketplace:ListTagsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys" ], "Resource": "*" }, { "Effect": "Allow", "Action": ["redshift:AuthorizeDataShare"], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "redshift:ConsumerIdentifier": "ADX" } } }, { "Effect": "Allow", "Action": [ "redshift:DescribeDataSharesForProducer", "redshift:DescribeDataShares" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET", ], "Resource": "*" } ] }
AWS managed policy:
AWSDataExchangeReadOnly
You can attach the AWSDataExchangeReadOnly policy to your IAM
identities.
This policy grants read-only permissions that allow read-only access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK.
Permissions details
This policy includes the following permissions:
-
AWS Data Exchange– Allows principals read-only access to AWS Data Exchange products. This includes both provided and subscribed data products. -
AWS Marketplace– Allows principals read-only access to AWS Marketplace for provided and subscribed products. This is required to view data products.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dataexchange:Get*", "dataexchange:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:ViewSubscriptions", "aws-marketplace:GetAgreementRequest", "aws-marketplace:ListAgreementRequests", "aws-marketplace:GetAgreementApprovalRequest", "aws-marketplace:ListAgreementApprovalRequests", "aws-marketplace:DescribeEntity", "aws-marketplace:ListEntities", "aws-marketplace:DescribeChangeSet", "aws-marketplace:ListChangeSets", "aws-marketplace:SearchAgreements", "aws-marketplace:GetAgreementTerms", "aws-marketplace:DescribeAgreement", "aws-marketplace:ListEntitlementDetails", "aws-marketplace:ListPrivateListings", "aws-marketplace:GetPrivateListing" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:ListTagsForResource" ], "Resource": "*" }, ] }
AWS
managed policy: AWSDataExchangeSubscriberFullAccess
You can attach the AWSDataExchangeSubscriberFullAccess policy to your
IAM identities.
This policy grants contributor permissions that allow data subscriber access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.
Permissions details
This policy includes the following permissions:
-
AWS Data Exchange– Allows principals full access to the subscriber features of AWS Data Exchange. This includes subscribing to and accessing data products. -
AWS Marketplace– Allows principals access to AWS Marketplace for view and subscribing to products. This is required to subscribe to data products. -
Amazon S3– Allows principals to view and get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service. This is required for accessing subscribed data products. -
AWS KMS– Allows access to AWS Key Management Service to access data that has been encrypted using keys.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dataexchange:Get*", "dataexchange:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dataexchange:CreateEventAction", "dataexchange:UpdateEventAction", "dataexchange:DeleteEventAction", "dataexchange:SendApiAsset" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dataexchange:CreateJob", "dataexchange:StartJob", "dataexchange:CancelJob" ], "Resource": "*", "Condition": { "StringEquals": { "dataexchange:JobType": [ "EXPORT_ASSETS_TO_S3", "EXPORT_ASSET_TO_SIGNED_URL", "EXPORT_REVISIONS_TO_S3" ] } } }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*aws-data-exchange*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "dataexchange.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe", "aws-marketplace:ViewSubscriptions", "aws-marketplace:GetAgreementRequest", "aws-marketplace:ListAgreementRequests", "aws-marketplace:CancelAgreementRequest", "aws-marketplace:CreateAgreementRequest", "aws-marketplace:AcceptAgreementRequest", "aws-marketplace:ListEntitlementDetails", "aws-marketplace:ListPrivateListings", "aws-marketplace:GetPrivateListing", "aws-marketplace:DescribeAgreement", "aws-marketplace:GetAgreementTerms" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys" ], "Resource": "*" } ] }
AWS Data Exchange updates to AWS managed policies
The following table provides details about updates to AWS managed policies for AWS Data Exchange since this service began tracking these changes. For automatic alerts about changes to this page (and any other changes to this user guide), subscribe to the RSS feed on the Document history for AWS Data Exchange page.
| Change | Description | Date |
|---|---|---|
|
AWSDataExchangeProviderFullAccess – Update to existing policy |
Added dataexchange:SendDataSetNotification, a new
permission to send data set notifications. |
March 5, 2024 |
|
AWSDataExchangeSubscriberFullAccess, AWSDataExchangeReadOnly, AWSDataExchangeProviderFullAccess, and AWSDataExchangeFullAccess – Update to existing policies |
Added granular actions across all managed policies. New actions
added are |
July 31, 2023 |
|
AWSDataExchangeProviderFullAccess – Update to existing policy |
Added |
March 15, 2022 |
|
AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies |
Added |
December 3, 2021 |
| AWSDataExchangeProviderFullAccess and AWSDataExchangeSubscriberFullAccess – Update to existing policies |
Added |
November 29, 2021 |
|
AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies |
Added |
November 1, 2021 |
|
AWSDataExchangeSubscriberFullAccess – Update to an existing policy |
Added |
September 30, 2021 |
|
AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies |
Added |
May 25, 2021 |
|
AWSDataExchangeReadOnly, AWSDataExchangeProviderFullAccess, and AWSDataExchangeFullAccess – Update to existing policies |
Added |
May 12, 2021 |
|
AWS Data Exchange started tracking changes |
AWS Data Exchange started tracking changes for its AWS managed policies. |
April 20, 2021 |
