AWS managed policies for AWS Data Exchange - AWS Data Exchange User Guide

This is a machine-translated version. Where this translation differs from the English original, the English original prevails.

AWS managed policies for AWS Data Exchange

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use case, because they are available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use case.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or when new API operations become available for an existing service.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AWSDataExchangeFullAccess

You can attach the AWSDataExchangeFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

Permissions details

This policy includes the following permissions:

  • AWS Data Exchange – Allows principals full access to AWS Data Exchange. This includes providing data products and subscribing to those products.

  • AWS Marketplace – Allows principals access to AWS Marketplace to provide products, subscribe to products, and manage product agreements. This is required to provide or subscribe to data products.

  • Amazon S3 – Allows principals to get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service and to upload AWS Data Exchange related files to Amazon S3. This is required to provide and subscribe to data products.

  • Amazon Redshift – Allows principals to view Amazon Redshift datashares for AWS Data Exchange for import and to authorize them. This is required to provide Amazon Redshift data products.

  • Amazon API Gateway – Allows principals to get Amazon API Gateway APIs from Amazon API Gateway and to upload them. This is required to provide Amazon API Gateway data sets.

  • AWS KMS – Allows listing and describing keys in AWS Key Management Service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataExchangeActions",
      "Effect": "Allow",
      "Action": ["dataexchange:*"],
      "Resource": "*"
    },
    {
      "Sid": "S3GetActionConditionalResourceAndADX",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*aws-data-exchange*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["dataexchange.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "S3GetActionConditionalTagAndADX",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/AWSDataExchange": "true"
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["dataexchange.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "S3WriteActions",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::*aws-data-exchange*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["dataexchange.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "S3ReadActions",
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Sid": "AWSMarketplaceProviderActions",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:DescribeEntity",
        "aws-marketplace:ListEntities",
        "aws-marketplace:StartChangeSet",
        "aws-marketplace:ListChangeSets",
        "aws-marketplace:DescribeChangeSet",
        "aws-marketplace:CancelChangeSet",
        "aws-marketplace:GetAgreementApprovalRequest",
        "aws-marketplace:ListAgreementApprovalRequests",
        "aws-marketplace:AcceptAgreementApprovalRequest",
        "aws-marketplace:RejectAgreementApprovalRequest",
        "aws-marketplace:UpdateAgreementApprovalRequest",
        "aws-marketplace:SearchAgreements",
        "aws-marketplace:GetAgreementTerms",
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSMarketplaceSubscriberActions",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe",
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:GetAgreementRequest",
        "aws-marketplace:ListAgreementRequests",
        "aws-marketplace:CancelAgreementRequest",
        "aws-marketplace:ListPrivateListings",
        "aws-marketplace:DescribeAgreement"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KMSActions",
      "Effect": "Allow",
      "Action": ["kms:DescribeKey", "kms:ListAliases", "kms:ListKeys"],
      "Resource": "*"
    },
    {
      "Sid": "RedshiftConditionalActions",
      "Effect": "Allow",
      "Action": ["redshift:AuthorizeDataShare"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "redshift:ConsumerIdentifier": "ADX"
        }
      }
    },
    {
      "Sid": "RedshiftActions",
      "Effect": "Allow",
      "Action": ["redshift:DescribeDataSharesForProducer", "redshift:DescribeDataShares"],
      "Resource": "*"
    },
    {
      "Sid": "APIGatewayActions",
      "Effect": "Allow",
      "Action": ["apigateway:GET"],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSDataExchangeProviderFullAccess

You can attach the AWSDataExchangeProviderFullAccess policy to your IAM identities.

This policy grants contributor permissions that allow data providers access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

Permissions details

This policy includes the following permissions:

  • AWS Data Exchange – Allows principals full access to provide data products on AWS Data Exchange. Principals can create, update, and delete products on AWS Data Exchange.

  • AWS Marketplace – Allows principals access to AWS Marketplace to provide and subscribe to data products and to manage subscription verification requests. This is required to provide data products.

  • Amazon S3 – Allows principals to get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service and to upload AWS Data Exchange related files to Amazon S3. This is required to provide data products.

  • Amazon API Gateway – Allows principals to get Amazon API Gateway APIs from Amazon API Gateway and to upload them. This is required to provide Amazon API Gateway API data sets.

  • Amazon Redshift – Allows principals to view Amazon Redshift datashares for AWS Data Exchange for import and to authorize them. This is required to provide Amazon Redshift data products.

  • AWS KMS – Allows access to AWS Key Management Service so that keys can be used to encrypt and access data.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dataexchange:CreateDataSet",
        "dataexchange:CreateRevision",
        "dataexchange:CreateAsset",
        "dataexchange:Get*",
        "dataexchange:Update*",
        "dataexchange:List*",
        "dataexchange:Delete*",
        "dataexchange:TagResource",
        "dataexchange:UntagResource",
        "dataexchange:PublishDataSet",
        "dataexchange:SendApiAsset",
        "dataexchange:RevokeRevision",
        "dataexchange:SendDataSetNotification",
        "tag:GetTagKeys",
        "tag:GetTagValues"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["dataexchange:CreateJob", "dataexchange:StartJob", "dataexchange:CancelJob"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "dataexchange:JobType": [
            "IMPORT_ASSETS_FROM_S3",
            "IMPORT_ASSET_FROM_SIGNED_URL",
            "EXPORT_ASSETS_TO_S3",
            "EXPORT_ASSET_TO_SIGNED_URL",
            "IMPORT_ASSET_FROM_API_GATEWAY_API",
            "IMPORT_ASSETS_FROM_REDSHIFT_DATA_SHARES"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*aws-data-exchange*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["dataexchange.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/AWSDataExchange": "true"
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["dataexchange.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::*aws-data-exchange*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["dataexchange.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:DescribeEntity",
        "aws-marketplace:ListEntities",
        "aws-marketplace:DescribeChangeSet",
        "aws-marketplace:ListChangeSets",
        "aws-marketplace:StartChangeSet",
        "aws-marketplace:CancelChangeSet",
        "aws-marketplace:GetAgreementApprovalRequest",
        "aws-marketplace:ListAgreementApprovalRequests",
        "aws-marketplace:AcceptAgreementApprovalRequest",
        "aws-marketplace:RejectAgreementApprovalRequest",
        "aws-marketplace:UpdateAgreementApprovalRequest",
        "aws-marketplace:SearchAgreements",
        "aws-marketplace:GetAgreementTerms",
        "aws-marketplace:DescribeAgreement"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:TagResource",
        "aws-marketplace:UntagResource",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:DescribeKey", "kms:ListAliases", "kms:ListKeys"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["redshift:AuthorizeDataShare"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "redshift:ConsumerIdentifier": "ADX"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["redshift:DescribeDataSharesForProducer", "redshift:DescribeDataShares"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["apigateway:GET"],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSDataExchangeReadOnly

You can attach the AWSDataExchangeReadOnly policy to your IAM identities.

This policy grants read-only permissions that allow read-only access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK.

Permissions details

This policy includes the following permissions:

  • AWS Data Exchange – Allows principals read-only access to AWS Data Exchange products. This includes provided and subscribed data products.

  • AWS Marketplace – Allows principals read-only access to AWS Marketplace, including access to provided and subscribed products. This is required to view data products.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataExchangeReadOnlyActions",
      "Effect": "Allow",
      "Action": [
        "dataexchange:GetAsset",
        "dataexchange:GetDataSet",
        "dataexchange:GetEventAction",
        "dataexchange:GetJob",
        "dataexchange:GetRevision",
        "dataexchange:ListDataSetRevisions",
        "dataexchange:ListDataSets",
        "dataexchange:ListEventActions",
        "dataexchange:ListJobs",
        "dataexchange:ListRevisionAssets",
        "dataexchange:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSMarketplaceReadOnlyActions",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:GetAgreementRequest",
        "aws-marketplace:ListAgreementRequests",
        "aws-marketplace:GetAgreementApprovalRequest",
        "aws-marketplace:ListAgreementApprovalRequests",
        "aws-marketplace:DescribeEntity",
        "aws-marketplace:ListEntities",
        "aws-marketplace:DescribeChangeSet",
        "aws-marketplace:ListChangeSets",
        "aws-marketplace:SearchAgreements",
        "aws-marketplace:GetAgreementTerms",
        "aws-marketplace:ListPrivateListings",
        "aws-marketplace:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSDataExchangeSubscriberFullAccess

You can attach the AWSDataExchangeSubscriberFullAccess policy to your IAM identities.

This policy grants contributor permissions that allow data subscribers access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to Amazon S3 and AWS Key Management Service as needed to take full advantage of AWS Data Exchange.

Permissions details

This policy includes the following permissions:

  • AWS Data Exchange – Allows principals full access to the subscriber features of AWS Data Exchange. This includes subscribing to and accessing data products.

  • AWS Marketplace – Allows principals access to AWS Marketplace to view and subscribe to products. This is required to subscribe to data products.

  • Amazon S3 – Allows principals to view and get AWS Data Exchange related objects (including data product files) from Amazon Simple Storage Service. This is required to access subscribed data products.

  • AWS KMS – Allows access to AWS Key Management Service so that data encrypted with keys can be accessed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataExchangeReadOnlyActions",
      "Effect": "Allow",
      "Action": ["dataexchange:Get*", "dataexchange:List*"],
      "Resource": "*"
    },
    {
      "Sid": "DataExchangeExportActions",
      "Effect": "Allow",
      "Action": ["dataexchange:CreateJob", "dataexchange:StartJob", "dataexchange:CancelJob"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "dataexchange:JobType": [
            "EXPORT_ASSETS_TO_S3",
            "EXPORT_ASSET_TO_SIGNED_URL",
            "EXPORT_REVISIONS_TO_S3"
          ]
        }
      }
    },
    {
      "Sid": "DataExchangeEventActionActions",
      "Effect": "Allow",
      "Action": [
        "dataexchange:CreateEventAction",
        "dataexchange:UpdateEventAction",
        "dataexchange:DeleteEventAction",
        "dataexchange:SendApiAsset"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3GetActionConditionalResourceAndADX",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*aws-data-exchange*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["dataexchange.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "S3ReadActions",
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Sid": "AWSMarketplaceSubscriberActions",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe",
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:GetAgreementRequest",
        "aws-marketplace:ListAgreementRequests",
        "aws-marketplace:CancelAgreementRequest",
        "aws-marketplace:ListPrivateListings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KMSActions",
      "Effect": "Allow",
      "Action": ["kms:DescribeKey", "kms:ListAliases", "kms:ListKeys"],
      "Resource": "*"
    }
  ]
}
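The S3 and Redshift statements in AWSDataExchangeFullAccess and AWSDataExchangeProviderFullAccess, and the dataexchange:JobType condition in AWSDataExchangeProviderFullAccess and AWSDataExchangeSubscriberFullAccess, are only as narrow as their condition keys. The following Python script is an added example, not AWS code and not part of this guide: a deliberately small evaluator that applies Allow statements copied from the policies above to constructed requests (the bucket, account, datashare and job ARNs are made up) and reports which requests pass. It models only the operators these policies use and ignores explicit Deny, SCPs, resource policies and permission boundaries, so it is a reading aid for the policies, not a substitute for the IAM policy simulator.

```python
"""Tiny evaluator for the Allow statements on this page (added example, not AWS code).
Handles Effect Allow, '*' and '?' wildcards in Action/Resource, and the operators StringEquals,
StringEqualsIgnoreCase and ForAnyValue:StringEquals; explicit Deny, SCPs, resource policies,
permission boundaries and every other operator are out of scope."""
import json
import re


def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    for operator, pairs in condition.items():
        set_prefix, _, base = operator.rpartition(":")
        if base == "StringEquals":
            same = lambda a, e: a == e
        elif base == "StringEqualsIgnoreCase":
            same = lambda a, e: a.lower() == e.lower()
        else:
            raise ValueError(f"{operator} is not supported by this example")
        for key, expected in pairs.items():
            if key not in context:
                return False  # an absent key fails the test (no ...IfExists operators on this page)
            actual, wanted = _as_list(context[key]), _as_list(expected)
            if set_prefix == "ForAnyValue":
                hit = any(same(a, e) for a in actual for e in wanted)
            elif set_prefix == "":
                # single-valued operator: a multivalued key such as aws:CalledVia never satisfies it
                hit = len(actual) == 1 and any(same(actual[0], e) for e in wanted)
            else:
                raise ValueError(f"{operator} is not supported by this example")
            if not hit:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return (allowed, sid) for the first Allow statement that matches, else (False, None)."""
    context = context or {}
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # action names are case-insensitive in IAM, resource ARNs are not
        if not any(_glob(p, action, ignore_case=True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition", {}), context):
            return True, stmt.get("Sid", f"statement[{i}]")
    return False, None


# Statements copied from the AWSDataExchangeFullAccess and AWSDataExchangeSubscriberFullAccess
# documents above (excerpts, not the complete policies).
FULL_ACCESS = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "S3GetActionConditionalTagAndADX", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
   "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/AWSDataExchange": "true"},
                 "ForAnyValue:StringEquals": {"aws:CalledVia": ["dataexchange.amazonaws.com"]}}},
  {"Sid": "S3WriteActions", "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
   "Resource": "arn:aws:s3:::*aws-data-exchange*",
   "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["dataexchange.amazonaws.com"]}}},
  {"Sid": "S3ReadActions", "Effect": "Allow", "Resource": "*",
   "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets"]},
  {"Sid": "RedshiftConditionalActions", "Effect": "Allow", "Action": ["redshift:AuthorizeDataShare"],
   "Resource": "*", "Condition": {"StringEqualsIgnoreCase": {"redshift:ConsumerIdentifier": "ADX"}}}]}""")
SUBSCRIBER = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "DataExchangeExportActions", "Effect": "Allow", "Resource": "*",
   "Action": ["dataexchange:CreateJob", "dataexchange:StartJob", "dataexchange:CancelJob"],
   "Condition": {"StringEquals": {"dataexchange:JobType":
     ["EXPORT_ASSETS_TO_S3", "EXPORT_ASSET_TO_SIGNED_URL", "EXPORT_REVISIONS_TO_S3"]}}}]}""")


def demo():
    """Constructed requests: the bucket, account, datashare and job names are made up."""
    staging = "arn:aws:s3:::acme-aws-data-exchange-staging/rev1/prices.csv"
    other = "arn:aws:s3:::acme-reports/q3.csv"
    share = "arn:aws:redshift:us-east-1:111122223333:datashare:ns-a1b2/sales"
    job = "arn:aws:dataexchange:us-east-1:111122223333:jobs/example"
    via_adx = {"aws:CalledVia": ["dataexchange.amazonaws.com"]}
    tagged = {**via_adx, "s3:ExistingObjectTag/AWSDataExchange": "TRUE"}
    return {
        # a matching bucket name is not enough: the call must come through ADX
        "put_via_adx": is_allowed(FULL_ACCESS, "s3:PutObject", staging, via_adx)[0],
        "put_direct": is_allowed(FULL_ACCESS, "s3:PutObject", staging)[0],
        # any object in any bucket is readable via ADX once tagged AWSDataExchange=true (any case)
        "get_tagged": is_allowed(FULL_ACCESS, "s3:GetObject", other, tagged)[0],
        "get_untagged": is_allowed(FULL_ACCESS, "s3:GetObject", other, via_adx)[0],
        # listing carries no condition, so every bucket in the account can be enumerated
        "list_any_bucket": is_allowed(FULL_ACCESS, "s3:ListBucket", "arn:aws:s3:::acme-reports")[0],
        # datashares can be authorized only to the ADX consumer
        "authorize_adx": is_allowed(FULL_ACCESS, "redshift:AuthorizeDataShare", share, {"redshift:ConsumerIdentifier": "adx"})[0],
        "authorize_other": is_allowed(FULL_ACCESS, "redshift:AuthorizeDataShare", share, {"redshift:ConsumerIdentifier": "123456789012"})[0],
        # a subscriber may create export jobs but not import jobs
        "subscriber_export": is_allowed(SUBSCRIBER, "dataexchange:CreateJob", job, {"dataexchange:JobType": "EXPORT_ASSETS_TO_S3"})[0],
        "subscriber_import": is_allowed(SUBSCRIBER, "dataexchange:CreateJob", job, {"dataexchange:JobType": "IMPORT_ASSETS_FROM_S3"})[0],
    }
```

Two results are worth noting. `s3:PutObject` to a bucket whose name contains `aws-data-exchange` is denied when the principal calls S3 directly, because `aws:CalledVia` is populated only when a service makes the request on the principal's behalf; the ARN pattern alone does not gate writes. And `s3:ListBucket` and `s3:ListAllMyBuckets` carry no condition at all, so a principal with any of the policies that include that statement can enumerate every bucket in the account even though object reads stay gated.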

AWS Data Exchange updates to AWS managed policies

The following table provides details about updates to AWS managed policies for AWS Data Exchange since this service began tracking these changes. For automatic alerts about changes to this page (and any other changes to this user guide), subscribe to the RSS feed on the AWS Data Exchange Document history page.
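Because an update to a managed policy takes effect immediately for every principal the policy is attached to, it is worth diffing the old and new policy documents rather than relying on the change log alone. The Python below is an added example (not AWS code or part of this guide) that diffs two policy documents statement by statement. Its inputs are an excerpt of AWSDataExchangeFullAccess as shown on this page and a constructed earlier version rebuilt from the May 22, 2024 entry in the table (which says aws-marketplace:GetPrivateListing was removed); the exact text of that earlier version is an assumption. In practice you would feed it the Document field returned by `aws iam get-policy-version` for two versions of the policy.

```python
"""Statement-level diff of two versions of an IAM policy document (added example, not AWS code).
Feed it the Document fields returned by `aws iam get-policy-version` for two versions of a
managed policy to see what an AWS-side update granted or withdrew."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _by_sid(policy):
    # Statements are keyed by Sid; unnamed statements (as in AWSDataExchangeProviderFullAccess)
    # fall back to their position, so reordering them shows up as a remove plus an add.
    return {s.get("Sid", f"statement[{i}]"): s for i, s in enumerate(policy["Statement"])}


def diff_policies(old, new):
    """Return human-readable findings describing how `new` differs from `old`."""
    before, after = _by_sid(old), _by_sid(new)
    findings = []
    for sid in sorted(before.keys() - after.keys()):
        findings.append(f"{sid}: statement removed")
    for sid in sorted(after.keys() - before.keys()):
        s = after[sid]
        findings.append(f"{sid}: statement added ({s.get('Effect')} {_as_list(s['Action'])} on {_as_list(s['Resource'])})")
    for sid in sorted(before.keys() & after.keys()):
        b, a = before[sid], after[sid]
        if b.get("Effect") != a.get("Effect"):
            findings.append(f"{sid}: effect changed {b.get('Effect')} -> {a.get('Effect')}")
        # IAM action names are case-insensitive, so compare a normalized form but report the original
        b_actions = {x.lower(): x for x in _as_list(b["Action"])}
        a_actions = {x.lower(): x for x in _as_list(a["Action"])}
        for key in sorted(a_actions.keys() - b_actions.keys()):
            findings.append(f"{sid}: action added {a_actions[key]}")
        for key in sorted(b_actions.keys() - a_actions.keys()):
            findings.append(f"{sid}: action removed {b_actions[key]}")
        if _as_list(b["Resource"]) != _as_list(a["Resource"]):
            findings.append(f"{sid}: resource changed {b['Resource']!r} -> {a['Resource']!r}")
        if b.get("Condition") != a.get("Condition"):
            findings.append(f"{sid}: condition changed {json.dumps(b.get('Condition'))} -> {json.dumps(a.get('Condition'))}")
    return findings


# Excerpt of AWSDataExchangeFullAccess as shown on this page (the current version).
CURRENT = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "S3WriteActions", "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
   "Resource": "arn:aws:s3:::*aws-data-exchange*",
   "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["dataexchange.amazonaws.com"]}}},
  {"Sid": "AWSMarketplaceSubscriberActions", "Effect": "Allow", "Resource": "*",
   "Action": ["aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe", "aws-marketplace:ViewSubscriptions",
              "aws-marketplace:GetAgreementRequest", "aws-marketplace:ListAgreementRequests",
              "aws-marketplace:CancelAgreementRequest", "aws-marketplace:ListPrivateListings",
              "aws-marketplace:DescribeAgreement"]}]}""")

# Constructed previous version (an assumption): the change log says aws-marketplace:GetPrivateListing
# was removed from AWSDataExchangeFullAccess on May 22, 2024, so the earlier statement is modelled
# as the current one plus that action.
PREVIOUS = json.loads(json.dumps(CURRENT))
PREVIOUS["Statement"][1]["Action"].append("aws-marketplace:GetPrivateListing")


def demo():
    """Diff the constructed earlier version against the current excerpt."""
    return diff_policies(PREVIOUS, CURRENT)
```

The report deliberately does not try to judge whether a change is safe: a new action, a Resource that moves from an ARN pattern to `*`, or a dropped Condition each get one line, and the reviewer decides. Run it from a scheduled job against `aws iam list-policy-versions` output and alert on any non-empty result for policies your roles depend on.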

Change: AWSDataExchangeReadOnly
Description: Added statement IDs to make the policy easier to read, expanded the wildcard permissions into the full list of read-only ADX permissions, and added new actions: aws-marketplace:ListTagsForResource and aws-marketplace:ListPrivateListings.
Date: July 9, 2024

Change: AWSDataExchangeFullAccess
Description: Removed action: aws-marketplace:GetPrivateListing.
Date: May 22, 2024

Change: AWSDataExchangeSubscriberFullAccess
Description: Added statement IDs to make the policy easier to read and added a new action: aws-marketplace:ListPrivateListings.
Date: April 30, 2024

Change: AWSDataExchangeFullAccess
Description: Added statement IDs to make the policy easier to read and added new actions: aws-marketplace:TagResource, aws-marketplace:UntagResource, aws-marketplace:ListTagsForResource, aws-marketplace:ListPrivateListings, aws-marketplace:GetPrivateListing, and aws-marketplace:DescribeAgreement.
Date: April 30, 2024

Change: AWSDataExchangeProviderFullAccess
Description: Added the dataexchange:SendDataSetNotification permission for sending data set notifications.
Date: March 5, 2024

Change: AWSDataExchangeSubscriberFullAccess, AWSDataExchangeReadOnly, AWSDataExchangeProviderFullAccess, and AWSDataExchangeFullAccess – Update to existing policies
Description: Added granular actions across all managed policies. The new actions are aws-marketplace:CreateAgreementRequest, aws-marketplace:AcceptAgreementRequest, aws-marketplace:ListEntitlementDetails, aws-marketplace:ListPrivateListings, aws-marketplace:GetPrivateListing, license-manager:ListReceivedGrants, aws-marketplace:TagResource, aws-marketplace:UntagResource, aws-marketplace:ListTagsForResource, aws-marketplace:DescribeAgreement, aws-marketplace:GetAgreementTerms, and aws-marketplace:GetLicense.
Date: July 31, 2023

Change: AWSDataExchangeProviderFullAccess – Update to existing policy
Description: Added the new permission dataexchange:RevokeRevision for revoking revisions.
Date: March 15, 2022

Change: AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies
Description: Added the new permission apigateway:GET for retrieving API assets from Amazon API Gateway.
Date: December 3, 2021

Change: AWSDataExchangeProviderFullAccess and AWSDataExchangeSubscriberFullAccess – Update to existing policies
Description: Added the new permission dataexchange:SendApiAsset for sending requests to API assets.
Date: November 29, 2021

Change: AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies
Description: Added the new permissions redshift:AuthorizeDataShare, redshift:DescribeDataSharesForProducer, and redshift:DescribeDataShares for authorizing access to and creating Amazon Redshift data sets.
Date: November 1, 2021

Change: AWSDataExchangeSubscriberFullAccess – Update to existing policy
Description: Added the new permissions dataexchange:CreateEventAction, dataexchange:UpdateEventAction, and dataexchange:DeleteEventAction for controlling access to automatically exporting new revisions of data sets.
Date: September 30, 2021

Change: AWSDataExchangeProviderFullAccess and AWSDataExchangeFullAccess – Update to existing policies
Description: Added the new permission dataexchange:PublishDataSet for controlling access to publishing new revisions of data sets.
Date: May 25, 2021

Change: AWSDataExchangeReadOnly, AWSDataExchangeProviderFullAccess, and AWSDataExchangeFullAccess – Update to existing policies
Description: Added aws-marketplace:SearchAgreements and aws-marketplace:GetAgreementTerms for viewing product and offer subscriptions.
Date: May 12, 2021

Change: AWS Data Exchange started tracking changes
Description: AWS Data Exchange started tracking changes for its AWS managed policies.
Date: April 20, 2021