Request association with other AWS accounts - Amazon DataZone

Request association with other AWS accounts

Note

By sending an association request to another AWS account, you share your domain with that account through AWS Resource Access Manager (RAM). Be sure to check the accuracy of each account ID that you enter: a mistyped ID sends the invitation, and the access it grants, to whoever owns that account.

To request association with other AWS accounts for an Amazon DataZone domain in the Amazon DataZone console, you must assume an IAM role in the domain's account that has administrative permissions. See Configure the IAM permissions required to use the Amazon DataZone management console for the minimum permissions needed to request an account association.

Complete the following procedure to request association with other AWS accounts.

  1. Sign in to the AWS Management Console and open the Amazon DataZone management console at https://console.aws.amazon.com/datazone.

  2. Choose View domains and choose the domain’s name from the list. The name is a hyperlink.

  3. Scroll down to the Associated accounts tab and choose Request association.

  4. Enter the IDs of the accounts with which you want to request association. When you are satisfied with the list of account IDs, choose Request association.

  5. Under RAM Policy, choose the RAM managed permission that the resource share grants to the associated accounts. AWSRAMPermissionDataZonePortalReadWrite lets associated accounts call Amazon DataZone APIs and access the data portal; AWSRAMPermissionDataZoneDefault lets them call Amazon DataZone APIs only and does not provide data portal access. If the associated account needs only programmatic access, the Default permission is the narrower grant. Amazon DataZone then creates a resource share in AWS Resource Access Manager on your account's behalf, with the entered account IDs as principals.

  6. Notify the owner of each invited AWS account to accept the invitation, which appears in that account's AWS RAM console under Shared with me. Invitations expire after seven (7) days; after that you must request the association again. If both accounts belong to the same AWS Organization and sharing with AWS Organizations is enabled in RAM, the share is accepted automatically and no invitation is sent.

Provide account access to your customer-managed KMS key

Amazon DataZone domains and their metadata are encrypted, either (by default) with an AWS owned key, or (optionally) with a customer managed key from AWS Key Management Service (KMS) that you own and specify during domain creation. If your domain is encrypted with a customer managed key, follow the procedure below to give each associated account permission to use the KMS key. Without that permission, KMS denies the associated account's calls that use the key, so the association does not work even though the RAM share was accepted.

  1. Sign in to the AWS Management Console and open the KMS console at https://console.aws.amazon.com/kms/.

  2. To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys.

  3. In the list of KMS keys, choose the alias or key ID of the KMS key that you specified when you created the domain.

  4. To allow or disallow external AWS accounts to use the KMS key, use the controls in the Other AWS accounts section of the Key policy tab. The console adds each account's root principal (arn:aws:iam::ACCOUNT_ID:root) to the key policy with permission for cryptographic operations such as encrypting, decrypting, re-encrypting, and generating data keys. This is only half of a cross-account grant: IAM principals in the external account can use the key only if the administrator of that account also attaches IAM policies allowing those KMS actions on your key's ARN. A principal without such a policy is still denied, and adding an account here never grants more than the actions named in the key policy statement.
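The following is an added example, not code from the AWS documentation or from Amazon DataZone. It shows what the Other AWS accounts control does to the key policy, as the same change you could make by hand or review in a pull request: two statements that grant the external account's root principal the cryptographic actions plus the grant actions KMS needs for AWS services, the second conditioned on kms:GrantIsForAWSResource. It also enforces the Note at the top of the page (the account ID is validated as 12 digits before it lands in a policy) and includes an audit helper that lists every external account, or a stray "*", that an existing key policy allows. The owner account, the associated account, and the base key policy are constructed sample values.

```python
import json
import re

# Constructed sample values (not from the page): the account that owns the
# domain and its customer managed key, and the ID format AWS uses.
KEY_OWNER_ACCOUNT = "123456789012"
ACCOUNT_ID_RE = re.compile(r"\d{12}")

# The two statements the KMS console's "Other AWS accounts" control writes.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
USE_SID = "Allow use of the key"
GRANT_SID = "Allow attachment of persistent resources"

# Constructed: the default key policy KMS creates for a new customer managed key.
BASE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{KEY_OWNER_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
}


def validate_account_id(account_id: str) -> str:
    """Refuse anything that is not a 12-digit ID, and refuse the owner's own account."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    if account_id == KEY_OWNER_ACCOUNT:
        raise ValueError("the key owner account already has access; not an external account")
    return account_id


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principals(stmt) -> list:
    """AWS principals of a statement; "*" (any account) is returned as-is."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def add_external_accounts(key_policy: dict, account_ids) -> dict:
    """Return a copy of key_policy that grants the given accounts cross-account
    use of the key, merging with accounts the two statements already list."""
    new_roots = [f"arn:aws:iam::{validate_account_id(a)}:root" for a in account_ids]
    kept, existing = [], []
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Sid") in (USE_SID, GRANT_SID):
            existing.extend(p for p in _principals(stmt) if p not in existing)
        else:
            kept.append(stmt)
    roots = existing + [r for r in new_roots if r not in existing]
    kept.append({"Sid": USE_SID, "Effect": "Allow", "Principal": {"AWS": roots},
                 "Action": USE_ACTIONS, "Resource": "*"})
    # Grants are how AWS services (DataZone included) use the key on a
    # principal's behalf; the condition stops the account from creating
    # grants for arbitrary principals.
    kept.append({"Sid": GRANT_SID, "Effect": "Allow", "Principal": {"AWS": roots},
                 "Action": GRANT_ACTIONS, "Resource": "*",
                 "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}})
    return {"Version": key_policy.get("Version", "2012-10-17"), "Statement": kept}


def external_accounts_in_policy(key_policy: dict) -> set:
    """Audit helper: every account other than the owner that an Allow statement
    names as a principal; "*" means any AWS account can use the key."""
    found = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _principals(stmt):
            if p == "*":
                found.add("*")
                continue
            m = re.fullmatch(r"arn:aws:iam::(\d{12}):.*", p)
            account = m.group(1) if m else p  # bare account IDs are valid principals too
            if ACCOUNT_ID_RE.fullmatch(account) and account != KEY_OWNER_ACCOUNT:
                found.add(account)
    return found


if __name__ == "__main__":
    policy = add_external_accounts(BASE_KEY_POLICY, ["111122223333"])
    print(json.dumps(policy, indent=2))
    print("external accounts:", sorted(external_accounts_in_policy(policy)))
```

The generated document is what you would pass to `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`, and `external_accounts_in_policy` is meant to be run over the output of `aws kms get-key-policy` before and after the change, so the diff is exactly the one associated account and nothing else. The other account's administrator still has to grant its IAM principals the matching kms: actions on your key ARN; the key policy alone does not make the key usable from there.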