AWS managed policies for AWS Glue

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed (predefined) policies for AWS Glue

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see AWS managed policies in the IAM User Guide.

The following AWS managed policies, which you can attach to identities in your account, are specific to AWS Glue and are grouped by use case scenario:

  • AWSGlueConsoleFullAccess – Grants full access to AWS Glue resources when an identity that the policy is attached to uses the AWS Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console.

  • AWSGlueServiceRole – Grants access to resources that various AWS Glue processes require to run on your behalf. These resources include AWS Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, AWS Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints.

  • AwsGlueSessionUserRestrictedServiceRole – Provides full access to all AWS Glue resources except for sessions. It allows users to create and use only the interactive sessions that are associated with the user. This policy includes other permissions needed by AWS Glue to manage AWS Glue resources in other AWS services. The policy also allows adding tags to AWS Glue resources in other AWS services.

    Note

    To achieve the full security benefits, do not grant this policy to a user that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedPolicy – Provides access to create AWS Glue interactive sessions using the CreateSession API operation only if a tag key “owner” and value that match the assignee's AWS user ID are provided. This identity policy is attached to the IAM user that invokes the CreateSession API operation. This policy also permits the assignee to interact with the AWS Glue interactive session resources that were created with an “owner” tag and value that match their AWS user ID. This policy denies permission to change or remove "owner" tags from an AWS Glue session resource after the session is created.

    Note

    To achieve the full security benefits, do not grant this policy to a user that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedNotebookServiceRole – Provides sufficient access to the AWS Glue Studio notebook session to interact with specific AWS Glue interactive session resources. These are resources that are created with the “owner” tag value that matches the AWS user ID of the principal (IAM user or role) that creates the notebook. For more information about these tags, see the Principal key values chart in the IAM User Guide.

    This service-role policy is attached to the role that is specified with a magic command within the notebook or is passed as a role to the CreateSession API operation. This policy also permits the principal to create an AWS Glue interactive session from the AWS Glue Studio notebook interface only if a tag key “owner” and value match the AWS user ID of the principal. This policy denies permission to change or remove "owner" tags from an AWS Glue session resource after the session is created. This policy also includes permissions for writing and reading from Amazon S3 buckets, writing CloudWatch logs, and creating and deleting tags for Amazon EC2 resources used by AWS Glue.

    Note

    To achieve the full security benefits, do not grant this policy to a role that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedNotebookPolicy – Provides access to create an AWS Glue interactive session from the AWS Glue Studio notebook interface only if there is a tag key “owner” and value that match the AWS user ID of the principal (IAM user or role) that creates the notebook. For more information about these tags, see the Principal key values chart in the IAM User Guide.

    This policy is attached to the principal (IAM user or role) that creates sessions from the AWS Glue Studio notebook interface. This policy also permits sufficient access to the AWS Glue Studio notebook to interact with specific AWS Glue interactive session resources. These are resources that are created with the “owner” tag value that matches the AWS user ID of the principal. This policy denies permission to change or remove "owner" tags from an AWS Glue session resource after the session is created.

  • AWSGlueServiceNotebookRole – Grants access to AWS Glue sessions started in an AWS Glue Studio notebook. This policy allows listing and getting session information for all sessions, but only permits users to create and use the sessions tagged with their AWS user ID. This policy denies permission to change or remove “owner” tags from AWS Glue session resources tagged with their AWS ID.

    Assign this policy to the AWS user who creates jobs using the notebook interface in AWS Glue Studio.

  • AWSGlueConsoleSageMakerNotebookFullAccess – Grants full access to AWS Glue and SageMaker resources when the identity that the policy is attached to uses the AWS Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console who manage SageMaker notebooks.

  • AWSGlueSchemaRegistryFullAccess – Grants full access to AWS Glue Schema Registry resources when the identity that the policy is attached to uses the AWS Management Console or AWS CLI. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console or AWS CLI who manage the AWS Glue Schema Registry.

  • AWSGlueSchemaRegistryReadonlyAccess – Grants read-only access to AWS Glue Schema Registry resources when an identity that the policy is attached to uses the AWS Management Console or AWS CLI. If you follow the naming convention for resources specified in this policy, users can view (but not create, change, or delete) registries and schemas from the console or CLI. This policy is typically attached to users of the AWS Glue console or AWS CLI who only need to read from the AWS Glue Schema Registry.
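The four AwsGlueSessionUserRestricted* policies above all rest on one IAM pattern: an Allow on CreateSession conditioned on aws:RequestTag/owner matching ${aws:userid}, an Allow on session actions conditioned on aws:ResourceTag/owner, and an explicit Deny on tagging calls that touch the "owner" key. The following is an added example, not the text of any AWS managed policy: a customer managed identity policy that reproduces the pattern, together with a deliberately simplified model of IAM evaluation (only the statement elements and the two condition operators this policy uses) so the allow/deny outcomes can be checked offline. The account ID, Region, session role name, session ARN and user IDs are made-up placeholders.

```python
"""Owner-tag scoping for AWS Glue interactive sessions (added example, not AWS policy text)."""
import fnmatch
import json

# Assumptions: placeholder account, Region, role name and session name.
ACCOUNT, REGION = "111122223333", "us-east-1"
SESSION_ARN = f"arn:aws:glue:{REGION}:{ACCOUNT}:session/*"
SESSION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/GlueInteractiveSessionRole"
SESSION_ACTIONS = [
    "glue:GetSession", "glue:DeleteSession", "glue:StopSession", "glue:RunStatement",
    "glue:GetStatement", "glue:CancelStatement", "glue:ListStatements",
]

# Customer managed identity policy reproducing the pattern: a session may only be
# created with owner=<caller's user ID>, may only be used while that tag matches,
# and the owner tag can never be changed afterwards because the explicit Deny wins.
OWNER_SCOPED_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateOwnSessionOnly", "Effect": "Allow", "Action": "glue:CreateSession",
         "Resource": SESSION_ARN,
         "Condition": {"StringEquals": {"aws:RequestTag/owner": "${aws:userid}"}}},
        {"Sid": "UseOwnSessionsOnly", "Effect": "Allow",
         "Action": SESSION_ACTIONS + ["glue:TagResource", "glue:UntagResource"],
         "Resource": SESSION_ARN,
         "Condition": {"StringEquals": {"aws:ResourceTag/owner": "${aws:userid}"}}},
        {"Sid": "DenyOwnerTagChanges", "Effect": "Deny",
         "Action": ["glue:TagResource", "glue:UntagResource"], "Resource": SESSION_ARN,
         "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["owner"]}}},
        {"Sid": "PassSessionRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": SESSION_ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": "glue.amazonaws.com"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    """Simplified model of IAM condition evaluation for the two operators used above."""
    for operator, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = [w.replace("${aws:userid}", ctx["aws:userid"]) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if operator == "StringEquals":  # single-valued key; an absent key fails the test
                if actual is None or actual not in wanted:
                    return False
            elif operator == "ForAnyValue:StringEquals":  # multi-valued key; any match passes
                if not set(_as_list(actual or [])) & set(wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, ctx):
    """Return 'ALLOW' or 'DENY' for one request under a single identity policy.

    Simplified IAM semantics: an explicit Deny beats any Allow; no match is an implicit deny.
    ctx carries action, resource, aws:userid and whatever condition keys the request has.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        allowed = True
    return "ALLOW" if allowed else "DENY"


ALICE, BOB = "AIDAEXAMPLEALICE", "AIDAEXAMPLEBOB"  # constructed user IDs
ALICE_SESSION = f"arn:aws:glue:{REGION}:{ACCOUNT}:session/alice-session-1"


def scenarios():
    """Outcomes a practitioner should expect from the policy above."""
    def req(user, action, **keys):
        return evaluate(OWNER_SCOPED_SESSION_POLICY,
                        {"aws:userid": user, "action": action, "resource": ALICE_SESSION, **keys})
    return {
        "alice_creates_with_own_owner_tag": req(ALICE, "glue:CreateSession",
                                                **{"aws:RequestTag/owner": ALICE, "aws:TagKeys": ["owner"]}),
        "alice_creates_without_owner_tag": req(ALICE, "glue:CreateSession"),
        "alice_runs_statement": req(ALICE, "glue:RunStatement", **{"aws:ResourceTag/owner": ALICE}),
        "bob_runs_statement_on_alice_session": req(BOB, "glue:RunStatement", **{"aws:ResourceTag/owner": ALICE}),
        "alice_retags_owner": req(ALICE, "glue:TagResource",
                                  **{"aws:ResourceTag/owner": ALICE, "aws:TagKeys": ["owner"]}),
        "alice_adds_project_tag": req(ALICE, "glue:TagResource",
                                      **{"aws:ResourceTag/owner": ALICE, "aws:TagKeys": ["project"]}),
    }


if __name__ == "__main__":
    print(json.dumps(OWNER_SCOPED_SESSION_POLICY, indent=2))
    for name, outcome in scenarios().items():
        print(f"{outcome:5} {name}")
```

Two points the scenarios make visible. First, the Deny is keyed on aws:TagKeys, so adding an unrelated tag such as "project" to your own session is still allowed while any TagResource or UntagResource call that names "owner" is refused even by the owner; CreateSession is not affected because its initial tags are not applied through glue:TagResource. Second, ${aws:userid} for an assumed role resolves to the role's unique ID plus the role session name, so ownership is per role session, not per human; the same person using a different session name will not match sessions created earlier. The evaluator is a teaching model only; for a real policy, confirm the outcomes with the IAM policy simulator (for example aws iam simulate-custom-policy).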

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for AWS Glue actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

AWS Glue updates to AWS managed policies

View details about updates to AWS managed policies for AWS Glue since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Glue Document history page.
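Because AWS revises managed policies in place, every principal they are attached to inherits new grants the moment a version is published, and the table on this page is the only human-readable record. The following is an added example, not AWS tooling: it flattens two versions of a policy document into (effect, action, resource, conditional) grants and reports what was added or removed, singling out new unconditional Allow grants as the ones worth alerting on. The two sample documents are constructed stand-ins that mirror the kind of change recorded below; they are not the real AWSGlueServiceNotebookRole text, and the account ID is a placeholder. fetch_versions shows how the real documents are pulled from IAM but is not executed by the example.

```python
"""Detecting what changed between two versions of an AWS managed policy (added example)."""
from itertools import product


def _as_list(v):
    return v if isinstance(v, list) else [v]


def expand(policy):
    """Flatten a policy document into a set of (effect, action, resource, conditional) grants."""
    grants = set()
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource statements need manual review")
        conditional = bool(stmt.get("Condition"))
        for action, resource in product(_as_list(stmt["Action"]), _as_list(stmt["Resource"])):
            # IAM action names are case-insensitive, so normalise before comparing
            grants.add((stmt["Effect"], action.lower(), resource, conditional))
    return grants


def diff_policies(old, new):
    """Grants present in new but not old, and vice versa, as sorted lists."""
    old_grants, new_grants = expand(old), expand(new)
    return {"added": sorted(new_grants - old_grants), "removed": sorted(old_grants - new_grants)}


def new_unconditional_allows(old, new):
    """The subset worth paging on: Allow grants with no Condition that did not exist before."""
    return [g for g in diff_policies(old, new)["added"] if g[0] == "Allow" and not g[3]]


def fetch_versions(policy_arn):
    """Pull every stored version of a managed policy from IAM (network call; not run here)."""
    import boto3  # imported lazily so the offline part of the example needs no SDK installed
    iam = boto3.client("iam")
    documents = {}
    for page in iam.get_paginator("list_policy_versions").paginate(PolicyArn=policy_arn):
        for v in page["Versions"]:
            pv = iam.get_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
            documents[v["VersionId"]] = pv["PolicyVersion"]["Document"]
    return documents


# Constructed sample versions (not real AWS policy text) mirroring the change history below:
# v2 adds completion and CodeWhisperer actions that v1 did not have.
SESSION_ARN = "arn:aws:glue:*:111122223333:session/*"  # assumption: placeholder account
V1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glue:RunStatement", "glue:GetStatement"],
     "Resource": SESSION_ARN,
     "Condition": {"StringEquals": {"aws:ResourceTag/owner": "${aws:userid}"}}},
    {"Effect": "Allow", "Action": ["glue:ListSessions"], "Resource": "*"},
]}
V2 = {"Version": "2012-10-17", "Statement": [
    V1["Statement"][0],
    {"Effect": "Allow", "Action": ["glue:ListSessions", "glue:StartCompletion", "glue:GetCompletion"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "codewhisperer:GenerateRecommendations", "Resource": "*"},
]}

if __name__ == "__main__":
    for grant in diff_policies(V1, V2)["added"]:
        print("added:", grant)
    print("alert on:", new_unconditional_allows(V1, V2))
```

To use it against a live account, call fetch_versions with the policy ARN (for example arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole), pick the two newest entries by their CreateDate, and pass their documents to diff_policies. Treating a new unconditional Allow as a higher-severity finding than a conditional one is a heuristic: a conditional grant can still be broad, so read the condition before closing the ticket.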

The following entries list each change, most recent first, with the date it was made.

  • TBD – AWSGlueServiceNotebookRole – Minor update to an existing policy. Adds glue:StartCompletion and glue:GetCompletion to the policy. Required for Amazon Q data integration in AWS Glue.

  • November 29, 2023 – AwsGlueSessionUserRestrictedNotebookPolicy – Minor update to an existing policy. Adds glue:StartCompletion and glue:GetCompletion to the policy. Required for Amazon Q data integration in AWS Glue.

  • October 9, 2023 – AWSGlueServiceNotebookRole – Minor update to an existing policy. Adds codewhisperer:GenerateRecommendations to the policy. Required for a new feature where AWS Glue generates CodeWhisperer recommendations.

  • August 4, 2023 – AWSGlueServiceRole – Minor update to an existing policy. Tightens the scope of CloudWatch permissions to better reflect AWS Glue logging.

  • May 9, 2023 – AWSGlueConsoleFullAccess – Minor update to an existing policy. Adds databrew recipe List and Describe permissions to the policy. Required to provide full administrative access for new features where AWS Glue can access recipes.

  • March 28, 2023 – AWSGlueConsoleFullAccess – Minor update to an existing policy. Adds cloudformation:ListStacks to the policy. Preserves existing capabilities after changes to AWS CloudFormation authorization requirements.

  • November 30, 2021 – New managed policies added for the interactive sessions feature: AwsGlueSessionUserRestrictedServiceRole, AwsGlueSessionUserRestrictedPolicy, AwsGlueSessionUserRestrictedNotebookServiceRole, and AwsGlueSessionUserRestrictedNotebookPolicy. These policies were designed to provide additional security for interactive sessions and notebooks in AWS Glue Studio. The policies restrict access to the CreateSession API operation so that only the owner has access.

  • July 15, 2021 – AWSGlueConsoleSageMakerNotebookFullAccess – Update to an existing policy. Removed a redundant resource ARN (arn:aws:s3:::aws-glue-*/*) for the action that grants read/write permissions on Amazon S3 buckets that AWS Glue uses to store scripts and temporary files. Fixed a syntax issue by changing "StringEquals" to "ForAnyValue:StringLike", and moved the "Effect": "Allow" lines to precede the "Action": line in each place where they were out of order.

  • July 15, 2021 – AWSGlueConsoleFullAccess – Update to an existing policy. Removed a redundant resource ARN (arn:aws:s3:::aws-glue-*/*) for the action that grants read/write permissions on Amazon S3 buckets that AWS Glue uses to store scripts and temporary files.

  • June 10, 2021 – AWS Glue started tracking changes for its AWS managed policies.