AmazonDataZoneRedshiftGlueProvisioningPolicy - AWS 托管策略

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

AmazonDataZoneRedshiftGlueProvisioningPolicy

描述:Amazon DataZone 是一项数据管理服务,可让您对数据进行分类、发现、管理、共享和分析。借助 Amazon DataZone,您可以跨账户和支持的区域共享和访问您的数据。Amazon DataZone 简化了您跨多项 AWS 服务的使用体验,包括但不限于 Amazon Redshift、Amazon Athena、AWS Glue 和 AWS Lake Formation。

AmazonDataZoneRedshiftGlueProvisioningPolicy 是一项 AWS 托管策略。

使用此策略

您可以将 AmazonDataZoneRedshiftGlueProvisioningPolicy 附加到您的用户、组和角色。请注意,此策略授予的权限较为敏感:根据下方的 JSON 策略文档,它允许创建名称以 datazone 开头的 IAM 角色并为其附加或写入策略(仅限指定 AmazonDataZoneEnvironmentRolePermissionsBoundary 权限边界且首先通过 cloudformation.amazonaws.com 调用的情形)、读取和修改 Lake Formation 数据湖设置(lakeformation:PutDataLakeSettings,资源为 *)、在任意 Redshift 集群和 Redshift Serverless 工作组上执行语句(redshift-data:ExecuteStatement),以及读取带有 AmazonDataZoneDomain=dzd* 标签的 Secrets Manager 密钥值。建议仅将其附加到 Amazon DataZone 预置环境所使用的角色,避免附加到人员用户或通用组,并在附加前结合上述条件键评估其在您账户中的实际影响范围。

策略详细信息

  • 类型: AWS 托管策略

  • 创建时间:2023 年 9 月 22 日 20:19 UTC

  • 编辑时间:2024 年 10 月 23 日 18:29 UTC

  • ARN: arn:aws:iam::aws:policy/AmazonDataZoneRedshiftGlueProvisioningPolicy

策略版本

策略版本:v4 (默认值)

此策略的默认版本是定义策略权限的版本。当使用该策略的用户或角色请求访问 AWS 资源时, AWS 会检查策略的默认版本以确定是否允许该请求。

JSON 策略文档

{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AmazonDataZonePermissionsToCreateEnvironmentRole", "Effect" : "Allow", "Action" : [ "iam:CreateRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource" : "arn:aws:iam::*:role/datazone*", "Condition" : { "StringEquals" : { "iam:PermissionsBoundary" : "arn:aws:iam::aws:policy/AmazonDataZoneEnvironmentRolePermissionsBoundary", "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "IamPassRolePermissions", "Effect" : "Allow", "Action" : [ "iam:PassRole" ], "Resource" : [ "arn:aws:iam::*:role/datazone*" ], "Condition" : { "StringEquals" : { "iam:PassedToService" : [ "glue.amazonaws.com", "lakeformation.amazonaws.com" ], "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZonePermissionsToManageCreatedEnvironmentRole", "Effect" : "Allow", "Action" : [ "iam:DeleteRole", "iam:GetRole" ], "Resource" : "arn:aws:iam::*:role/datazone*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZoneCFStackCreationForEnvironments", "Effect" : "Allow", "Action" : [ "cloudformation:CreateStack", "cloudformation:TagResource" ], "Resource" : [ "arn:aws:cloudformation:*:*:stack/DataZone*" ], "Condition" : { "ForAnyValue:StringLike" : { "aws:TagKeys" : "AmazonDataZoneEnvironment" }, "Null" : { "aws:ResourceTag/AmazonDataZoneEnvironment" : "false" } } }, { "Sid" : "AmazonDataZoneCFStackManagementForEnvironments", "Effect" : "Allow", "Action" : [ "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents" ], "Resource" : [ "arn:aws:cloudformation:*:*:stack/DataZone*" ] }, { "Sid" : "AmazonDataZoneEnvironmentParameterValidation", "Effect" : "Allow", "Action" : [ "lakeformation:GetDataLakeSettings", "lakeformation:PutDataLakeSettings", "lakeformation:RevokePermissions", "lakeformation:ListPermissions", "glue:CreateDatabase", 
"glue:GetDatabase", "athena:GetWorkGroup", "logs:DescribeLogGroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift:DescribeClusters", "secretsmanager:ListSecrets" ], "Resource" : "*" }, { "Sid" : "AmazonDataZoneEnvironmentLakeFormationPermissions", "Effect" : "Allow", "Action" : [ "lakeformation:RegisterResource", "lakeformation:DeregisterResource", "lakeformation:GrantPermissions", "lakeformation:ListResources" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZoneEnvironmentGlueDeletePermissions", "Effect" : "Allow", "Action" : [ "glue:DeleteDatabase" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZoneEnvironmentAthenaDeletePermissions", "Effect" : "Allow", "Action" : [ "athena:DeleteWorkGroup" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZoneEnvironmentAthenaResourceCreation", "Effect" : "Allow", "Action" : [ "athena:CreateWorkGroup", "athena:TagResource", "iam:TagRole", "iam:TagPolicy", "logs:TagLogGroup" ], "Resource" : "*", "Condition" : { "ForAnyValue:StringLike" : { "aws:TagKeys" : "AmazonDataZoneEnvironment" }, "Null" : { "aws:ResourceTag/AmazonDataZoneEnvironment" : "false" }, "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZoneEnvironmentLogGroupCreation", "Effect" : "Allow", "Action" : [ "logs:CreateLogGroup", "logs:DeleteLogGroup" ], "Resource" : "arn:aws:logs:*:*:log-group:datazone-*", "Condition" : { "ForAnyValue:StringLike" : { "aws:TagKeys" : "AmazonDataZoneEnvironment" }, "Null" : { "aws:ResourceTag/AmazonDataZoneEnvironment" : "false" }, "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZoneEnvironmentLogGroupManagement", 
"Action" : [ "logs:PutRetentionPolicy" ], "Resource" : "arn:aws:logs:*:*:log-group:datazone-*", "Effect" : "Allow", "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZoneEnvironmentIAMPolicyManagement", "Effect" : "Allow", "Action" : [ "iam:DeletePolicy", "iam:CreatePolicy", "iam:GetPolicy", "iam:ListPolicyVersions", "iam:DeletePolicyVersion" ], "Resource" : [ "arn:aws:iam::*:policy/datazone*" ], "Condition" : { "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AmazonDataZoneEnvironmentS3ValidationPermissions", "Effect" : "Allow", "Action" : [ "s3:ListAllMyBuckets", "s3:ListBucket" ], "Resource" : "arn:aws:s3:::*" }, { "Sid" : "AmazonDataZoneEnvironmentKMSDecryptPermissions", "Effect" : "Allow", "Action" : [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource" : "*", "Condition" : { "Null" : { "aws:ResourceTag/AmazonDataZoneEnvironment" : "false" } } }, { "Sid" : "PermissionsToTagAmazonDataZoneEnvironmentGlueResources", "Effect" : "Allow", "Action" : [ "glue:TagResource" ], "Resource" : "*", "Condition" : { "ForAnyValue:StringLike" : { "aws:TagKeys" : "AmazonDataZoneEnvironment" }, "Null" : { "aws:RequestTag/AmazonDataZoneEnvironment" : "false" } } }, { "Sid" : "PermissionsToGetAmazonDataZoneEnvironmentBlueprintTemplates", "Effect" : "Allow", "Action" : "s3:GetObject", "Resource" : "*", "Condition" : { "StringNotEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" }, "StringEquals" : { "aws:CalledViaFirst" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "RedshiftDataPermissions", "Effect" : "Allow", "Action" : [ "redshift-data:ListSchemas", "redshift-data:ExecuteStatement" ], "Resource" : [ "arn:aws:redshift-serverless:*:*:workgroup/*", "arn:aws:redshift:*:*:cluster:*" ] }, { "Sid" : "DescribeStatementPermissions", "Effect" : "Allow", "Action" : [ "redshift-data:DescribeStatement" ], "Resource" : "*" }, { "Sid" : 
"GetSecretValuePermissions", "Effect" : "Allow", "Action" : [ "secretsmanager:GetSecretValue" ], "Resource" : "*", "Condition" : { "StringLike" : { "secretsmanager:ResourceTag/AmazonDataZoneDomain" : "dzd*" } } } ] }

了解更多信息