翻訳は機械翻訳により提供されています。提供された翻訳内容と英語版の間で齟齬、不一致または矛盾がある場合、英語版が優先します。
AWS マネージドポリシー:AmazonDataZoneEnvironmentRolePermissionsBoundary
注記
このポリシーはアクセス許可の境界です。アクセス許可の境界は、アイデンティティベースのポリシーがIAMエンティティに付与できるアクセス許可の上限を設定します。Amazon アクセス DataZone 許可の境界ポリシーを自分で使用してアタッチしないでください。Amazon DataZone アクセス許可の境界ポリシーは、Amazon DataZone マネージドロールにのみアタッチする必要があります。アクセス許可の境界の詳細については、「 IAMユーザーガイド」の「 IAMエンティティのアクセス許可の境界」を参照してください。
Amazon DataZone データポータルを介して環境を作成すると、Amazon はこのアクセス許可の境界をIAM環境の作成時に生成されるロール DataZone に適用します。アクセス許可の境界は、Amazon が DataZone 作成するロールの範囲と、追加するロールを制限します。
Amazon DataZone は AmazonDataZoneEnvironmentRolePermissionsBoundaryマネージドポリシーを使用して、アタッチされているプロビジョニングされたIAMプリンシパルを制限します。プリンシパルは、Amazon が DataZone インタラクティブなエンタープライズユーザーまたは分析サービス (AWS Glueなど) の後に、Amazon S3 からの読み取りと書き込みや実行などのデータを処理するためのアクションを実行します。 AWS Glue クローラー.
このAmazonDataZoneEnvironmentRolePermissionsBoundaryポリシーは、Amazon の読み取りおよび書き込みアクセス DataZone を などのサービスに付与します。 AWS Glue、Amazon S3、 AWS Lake Formation、Amazon Redshift、および Amazon Athena 。このポリシーは、ネットワークインターフェイスや などのこれらのサービスを使用するために必要な一部のインフラストラクチャリソースに対する読み取りおよび書き込みアクセス許可も付与します。 AWS KMS キー。
Amazon が DataZone を適用 AmazonDataZoneEnvironmentRolePermissionsBoundary AWS すべての Amazon DataZone 環境ロール (所有者と寄稿者) のアクセス許可の境界としての マネージドポリシー。このアクセス許可の境界により、環境に必要なリソースとアクションへのアクセスのみを許可するように、これらのロールが制限されます。
境界には、次のJSONステートメントが含まれます。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateGlueConnection", "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": [ "arn:aws:ec2:*:*:network-interface/*" ], "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "aws-glue-service-resource" ] } } }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": [ "glue:*DataQuality*", "glue:BatchCreatePartition", "glue:BatchDeleteConnection", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetWorkflows", "glue:BatchStopJobRun", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteBlueprint", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeleteConnection", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:DeleteWorkflow", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:PutWorkflowRunProperties", "glue:ResetJobBookmark", "glue:ResumeWorkflowRun", "glue:SearchTables", "glue:StartBlueprintRun", "glue:StartCrawler", "glue:StartCrawlerSchedule", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:StopCrawler", "glue:StopCrawlerSchedule", "glue:StopWorkflowRun", "glue:UpdateBlueprint", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateConnection", "glue:UpdateCrawler", "glue:UpdateCrawlerSchedule", "glue:UpdateDatabase", "glue:UpdateJob", "glue:UpdatePartition", "glue:UpdateTable", "glue:UpdateWorkflow" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "PassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/datazone*" ], "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" } } }, { "Sid": "SameAccountKmsOperations", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:ListKeys" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "KmsOperationsWithResourceTag", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:ListKeys", "kms:Encrypt", "kms:GenerateDataKey", "kms:Verify", "kms:Sign" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "AnalyticsOperations", "Effect": "Allow", "Action": [ "datazone:*", "sqlworkbench:*" ], "Resource": "*" }, { "Sid": "QueryOperations", "Effect": "Allow", "Action": [ "athena:BatchGetNamedQuery", "athena:BatchGetPreparedStatement", "athena:BatchGetQueryExecution", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryRuntimeStatistics", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ImportNotebook", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:Describe*", "glue:BatchCreatePartition", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetPartition", "glue:BatchGetWorkflows", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:SearchTables", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateDatabase", "glue:UpdatePartition", "glue:UpdateTable", "iam:GetRole", "iam:GetRolePolicy", "iam:ListGroups", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUsers", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:DescribeMetricFilters", "logs:StartQuery", "logs:StopQuery", "logs:GetLogEvents", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:GetLogRecord", "logs:PutLogEvents", "logs:CreateLogStream", "logs:FilterLogEvents", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetResourceLFTags", "lakeformation:ListPermissions", "redshift-data:ListTables", "redshift-data:DescribeTable", "redshift-data:ListSchemas", "redshift-data:ListDatabases", "redshift-data:ExecuteStatement", "redshift-data:GetStatementResult", "redshift-data:DescribeStatement", "redshift:CreateClusterUser", "redshift:DescribeClusters", "redshift:DescribeDataShares", "redshift:GetClusterCredentials", "redshift:GetClusterCredentialsWithIAM", "redshift:JoinGroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:GetCredentials", "secretsmanager:ListSecrets", "tag:GetResources" ], "Resource": "*" }, { "Sid": "QueryOperationsWithResourceTag", "Effect": "Allow", "Action": [ "athena:GetQueryResultsStream" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "SecretsManagerOperationsWithTagKeys", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:TagResource" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", "Condition": { "StringLike": { "aws:ResourceTag/AmazonDataZoneDomain": "*", "aws:ResourceTag/AmazonDataZoneProject": "*" }, "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "AmazonDataZoneDomain", "AmazonDataZoneProject" ] } } }, { "Sid": "DataZoneS3Buckets", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:PutObject", "s3:PutObjectRetention", "s3:ReplicateObject", "s3:RestoreObject" ], "Resource": [ "arn:aws:s3:::*/datazone/*" ] }, { "Sid": "DataZoneS3BucketLocation", "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": "*" }, { "Sid": "ListDataZoneS3Bucket", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "*" ], "Condition": { "StringLike": { "s3:prefix": [ "*/datazone/*", "datazone/*" ] } } }, { "Sid": "NotDeniedOperations", "Effect": "Deny", "NotAction": [ "datazone:*", "sqlworkbench:*", "athena:BatchGetNamedQuery", "athena:BatchGetPreparedStatement", "athena:BatchGetQueryExecution", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:GetQueryRuntimeStatistics", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ImportNotebook", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement", "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:DeleteNetworkInterface", "ec2:DeleteTags", "ec2:Describe*", "glue:*DataQuality*", "glue:BatchCreatePartition", "glue:BatchDeleteConnection", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetPartition", "glue:BatchGetWorkflows", "glue:BatchStopJobRun", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteBlueprint", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeleteConnection", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:DeleteWorkflow", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:PutWorkflowRunProperties", "glue:ResetJobBookmark", "glue:ResumeWorkflowRun", "glue:SearchTables", "glue:StartBlueprintRun", "glue:StartCrawler", "glue:StartCrawlerSchedule", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:StopCrawler", "glue:StopCrawlerSchedule", "glue:StopWorkflowRun", "glue:UpdateBlueprint", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateConnection", "glue:UpdateCrawler", "glue:UpdateCrawlerSchedule", "glue:UpdateDatabase", "glue:UpdateJob", "glue:UpdatePartition", "glue:UpdateTable", "glue:UpdateWorkflow", "iam:GetRole", "iam:GetRolePolicy", "iam:List*", "iam:PassRole", "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ListKeys", "kms:Verify", "kms:Sign", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:StartQuery", "logs:StopQuery", "logs:GetLogEvents", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:GetLogRecord", "logs:PutLogEvents", "logs:CreateLogStream", "logs:FilterLogEvents", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetResourceLFTags", "lakeformation:ListPermissions", "redshift-data:ListTables", "redshift-data:DescribeTable", "redshift-data:ListSchemas", "redshift-data:ListDatabases", "redshift-data:ExecuteStatement", "redshift-data:GetStatementResult", "redshift-data:DescribeStatement", "redshift:CreateClusterUser", "redshift:DescribeClusters", "redshift:DescribeDataShares", "redshift:GetClusterCredentials", "redshift:GetClusterCredentialsWithIAM", "redshift:JoinGroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:GetCredentials", "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject", "s3:PutObjectRetention", "s3:ReplicateObject", "s3:RestoreObject", "secretsmanager:CreateSecret", "secretsmanager:ListSecrets", "secretsmanager:TagResource", "tag:GetResources" ], "Resource": [ "*" ] } ] }
