AWS managed policies for Amazon QLDB - Amazon Quantum Ledger Database (Amazon QLDB)

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AmazonQLDBReadOnly

Use the AmazonQLDBReadOnly policy to grant read-only permissions to all QLDB resources. You can attach this policy to your IAM identities.

Permissions details

This policy includes the following permissions for the qldb service.

  • Allows principals to describe and list all QLDB resources and their tags. These resources include ledgers, Amazon S3 export jobs, and streams to Kinesis Data Streams.

  • Allows principals to get a block, digest, or revision from the journal in any ledger to verify the data cryptographically.

  • Doesn't allow principals to run any PartiQL commands on any tables in any ledgers. The policy grants neither qldb:SendCommand nor any qldb:PartiQL* action, so the QLDB driver and the QLDB shell cannot even open a session with this policy alone.

For more information about these API operations, see the Amazon QLDB API reference.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "qldb:ListLedgers",
                "qldb:DescribeLedger",
                "qldb:ListJournalS3Exports",
                "qldb:ListJournalS3ExportsForLedger",
                "qldb:DescribeJournalS3Export",
                "qldb:DescribeJournalKinesisStream",
                "qldb:ListJournalKinesisStreamsForLedger",
                "qldb:GetBlock",
                "qldb:GetDigest",
                "qldb:GetRevision",
                "qldb:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}

AWS managed policy: AmazonQLDBFullAccess

Use the AmazonQLDBFullAccess policy to grant full administrative permissions to all QLDB resources through the QLDB API or the AWS CLI. You can attach this policy to your IAM identities.

Permissions details

This policy includes the following permissions.

  • qldb

    • Allows principals to create, describe, list, and manage all QLDB resources and their tags. These resources include ledgers, Amazon S3 export jobs, and streams to Kinesis Data Streams.

    • Allows principals to run all PartiQL commands on all tables in any ledger by using the QLDB driver or the QLDB shell.

    • Allows principals to get a block, digest, or revision from the journal in any ledger to verify the data cryptographically.

  • iam – Allows principals to pass any IAM role resource in your account to the QLDB service. This is required for all journal export and stream requests. The iam:PassedToService condition limits the pass to qldb.amazonaws.com, but the Resource is "*", so a principal with this policy can hand QLDB any role whose trust policy accepts that service, and with it that role's S3 and Kinesis write permissions. If that is broader than you want, use a customer managed policy that scopes the iam:PassRole Resource to your specific export and stream roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "qldb:CreateLedger",
                "qldb:UpdateLedger",
                "qldb:UpdateLedgerPermissionsMode",
                "qldb:DeleteLedger",
                "qldb:ListLedgers",
                "qldb:DescribeLedger",
                "qldb:ExportJournalToS3",
                "qldb:ListJournalS3Exports",
                "qldb:ListJournalS3ExportsForLedger",
                "qldb:DescribeJournalS3Export",
                "qldb:CancelJournalKinesisStream",
                "qldb:DescribeJournalKinesisStream",
                "qldb:ListJournalKinesisStreamsForLedger",
                "qldb:StreamJournalToKinesis",
                "qldb:GetBlock",
                "qldb:GetDigest",
                "qldb:GetRevision",
                "qldb:TagResource",
                "qldb:UntagResource",
                "qldb:ListTagsForResource",
                "qldb:SendCommand",
                "qldb:PartiQLCreateIndex",
                "qldb:PartiQLDropIndex",
                "qldb:PartiQLCreateTable",
                "qldb:PartiQLDropTable",
                "qldb:PartiQLUndropTable",
                "qldb:PartiQLDelete",
                "qldb:PartiQLInsert",
                "qldb:PartiQLUpdate",
                "qldb:PartiQLSelect",
                "qldb:PartiQLHistoryFunction"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "qldb.amazonaws.com"
                }
            }
        }
    ]
}
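As an added example (not part of this page and not AWS code), the following Python script embeds the AmazonQLDBReadOnly and AmazonQLDBFullAccess documents shown above and evaluates requests against them offline. It checks two things the prose asserts: that the read-only policy grants no qldb:SendCommand or qldb:PartiQL* action, and that the iam:PassRole grant in the full-access policy is honoured only when the iam:PassedToService context key equals qldb.amazonaws.com. The evaluator models only the policy features these two documents use (Allow and Deny effects, Action and Resource wildcards, StringEquals conditions) and fails closed on anything else; it is a local audit aid, not a substitute for IAM's own evaluation or the IAM policy simulator.

```python
"""Offline evaluator for the QLDB managed policy documents shown on this page.

Added example, not AWS code. Models the subset of IAM policy semantics these
documents use: Allow/Deny, Action and Resource wildcards, StringEquals.
"""
import json
import re

# AmazonQLDBReadOnly, copied from this page.
READ_ONLY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "qldb:ListLedgers", "qldb:DescribeLedger", "qldb:ListJournalS3Exports",
  "qldb:ListJournalS3ExportsForLedger", "qldb:DescribeJournalS3Export",
  "qldb:DescribeJournalKinesisStream", "qldb:ListJournalKinesisStreamsForLedger",
  "qldb:GetBlock", "qldb:GetDigest", "qldb:GetRevision", "qldb:ListTagsForResource"],
  "Resource": "*"}]}
""")

# AmazonQLDBFullAccess, copied from this page.
FULL_ACCESS = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "qldb:CreateLedger", "qldb:UpdateLedger", "qldb:UpdateLedgerPermissionsMode",
  "qldb:DeleteLedger", "qldb:ListLedgers", "qldb:DescribeLedger",
  "qldb:ExportJournalToS3", "qldb:ListJournalS3Exports",
  "qldb:ListJournalS3ExportsForLedger", "qldb:DescribeJournalS3Export",
  "qldb:CancelJournalKinesisStream", "qldb:DescribeJournalKinesisStream",
  "qldb:ListJournalKinesisStreamsForLedger", "qldb:StreamJournalToKinesis",
  "qldb:GetBlock", "qldb:GetDigest", "qldb:GetRevision", "qldb:TagResource",
  "qldb:UntagResource", "qldb:ListTagsForResource", "qldb:SendCommand",
  "qldb:PartiQLCreateIndex", "qldb:PartiQLDropIndex", "qldb:PartiQLCreateTable",
  "qldb:PartiQLDropTable", "qldb:PartiQLUndropTable", "qldb:PartiQLDelete",
  "qldb:PartiQLInsert", "qldb:PartiQLUpdate", "qldb:PartiQLSelect",
  "qldb:PartiQLHistoryFunction"], "Resource": "*"},
 {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
  "Condition": {"StringEquals": {"iam:PassedToService": "qldb.amazonaws.com"}}}]}
""")

# Data-plane actions a PartiQL session needs: SendCommand to open the session,
# then one PartiQL* action per statement type.
DATA_PLANE_ACTIONS = [a for a in FULL_ACCESS["Statement"][0]["Action"]
                      if a == "qldb:SendCommand" or a.startswith("qldb:PartiQL")]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names match case-insensitively; ARNs do not.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_met(condition, context):
    # Only StringEquals is modeled. Any other operator counts as unmet, so the
    # evaluator fails closed instead of over-reporting an Allow.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource="*", context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise NotImplementedError("NotAction/NotResource are not modeled")
        if not any(_glob(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob(p, resource, False) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def is_allowed(policy, action, resource="*", context=None):
    return evaluate(policy, action, resource, context) == "Allow"


def granted(policy, actions, resource="*", context=None):
    """Subset of `actions` the policy allows; useful for a read-only audit."""
    return [a for a in actions if is_allowed(policy, a, resource, context)]


if __name__ == "__main__":
    print("ReadOnly grants data-plane actions:", granted(READ_ONLY, DATA_PLANE_ACTIONS))
    for svc in ("qldb.amazonaws.com", "lambda.amazonaws.com"):
        print(svc, evaluate(FULL_ACCESS, "iam:PassRole",
                            context={"iam:PassedToService": svc}))
```

Run it as-is to see the read-only policy grant an empty data-plane list and the PassRole decision flip from Allow to ImplicitDeny when the target service is not QLDB. Paste a candidate customer managed policy into the same evaluator to confirm it stays read-only before attaching it.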

AWS managed policy: AmazonQLDBConsoleFullAccess

Use the AmazonQLDBConsoleFullAccess policy to grant full administrative permissions to all QLDB resources through the AWS Management Console, the QLDB API, or the AWS CLI. You can attach this policy to your IAM identities.

Permissions details

This policy includes the following permissions.

  • qldb

    • Allows principals to create, describe, list, and manage all QLDB resources and their tags. These resources include ledgers, Amazon S3 export jobs, and streams to Kinesis Data Streams.

    • Allows principals to run all PartiQL commands on all tables in any ledger by using the QLDB console, the QLDB driver, or the QLDB shell.

    • Allows principals to insert sample application data in any ledger by using the QLDB console.

    • Allows principals to get a block, digest, or revision from the journal in any ledger to verify the data cryptographically.

  • dbqms – Allows principals to use all actions in the internal-only Database Query Metadata Service. The QLDB console requires this service to create, describe, and manage recent and saved queries for the Query editor.

  • kinesis – Allows principals to describe and list Amazon Kinesis Data Streams resources. These resources are the target destinations that QLDB stream resources can write data to.

  • iam – Allows principals to pass any IAM role resource in your account to the QLDB service. This is required for all journal export and stream requests. As with AmazonQLDBFullAccess, the iam:PassedToService condition limits the pass to qldb.amazonaws.com, but the Resource is "*", so any role that trusts the QLDB service can be passed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "qldb:CreateLedger",
                "qldb:UpdateLedger",
                "qldb:UpdateLedgerPermissionsMode",
                "qldb:DeleteLedger",
                "qldb:ListLedgers",
                "qldb:DescribeLedger",
                "qldb:ExportJournalToS3",
                "qldb:ListJournalS3Exports",
                "qldb:ListJournalS3ExportsForLedger",
                "qldb:DescribeJournalS3Export",
                "qldb:CancelJournalKinesisStream",
                "qldb:DescribeJournalKinesisStream",
                "qldb:ListJournalKinesisStreamsForLedger",
                "qldb:StreamJournalToKinesis",
                "qldb:GetBlock",
                "qldb:GetDigest",
                "qldb:GetRevision",
                "qldb:TagResource",
                "qldb:UntagResource",
                "qldb:ListTagsForResource",
                "qldb:SendCommand",
                "qldb:ExecuteStatement",
                "qldb:ShowCatalog",
                "qldb:InsertSampleData",
                "qldb:PartiQLCreateIndex",
                "qldb:PartiQLDropIndex",
                "qldb:PartiQLCreateTable",
                "qldb:PartiQLDropTable",
                "qldb:PartiQLUndropTable",
                "qldb:PartiQLDelete",
                "qldb:PartiQLInsert",
                "qldb:PartiQLUpdate",
                "qldb:PartiQLSelect",
                "qldb:PartiQLHistoryFunction"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "dbqms:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kinesis:ListStreams",
                "kinesis:DescribeStream"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "qldb.amazonaws.com"
                }
            }
        }
    ]
}

QLDB updates to AWS managed policies

View details about updates to AWS managed policies for QLDB since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the QLDB Release history page.

Change: AmazonQLDBFullAccess, AmazonQLDBConsoleFullAccess – Update to existing policies
Description: QLDB added new permissions to allow principals to pass any IAM role resource in your account to the QLDB service. This is required for all journal export and stream requests.
Date: September 2, 2021

Change: AmazonQLDBReadOnly – Update to an existing policy
Description: QLDB removed a duplicate qldb:GetBlock action that was previously listed twice, and reordered the "Effect" field so that it appears before the "Action" field.
Date: July 1, 2021

Change: AmazonQLDBFullAccess, AmazonQLDBConsoleFullAccess – Update to existing policies
Description: QLDB added new permissions to allow principals to update the permissions mode in all ledgers, and to run all PartiQL commands in all ledgers in the new STANDARD permissions mode. The STANDARD permissions mode supports table-level access control and granularity for PartiQL commands. To facilitate the new permissions mode, QLDB introduced a set of IAM actions for PartiQL command types, and Amazon Resource Names (ARNs) for QLDB table resources. These two policies are updated to include the new PartiQL actions to grant full access to STANDARD ledgers.
Date: May 27, 2021

Change: QLDB started tracking changes
Description: QLDB started tracking changes for its AWS managed policies.
Date: March 1, 2021