本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS 托管策略:AmazonDataZoneEnvironmentRolePermissionsBoundary
注意
此策略是权限边界。权限边界设置基于身份的策略可以向实体授予的最大权限。IAM您不应自行使用和附加 Amazon DataZone 权限边界策略。亚马逊 DataZone 权限边界策略应仅附加到亚马逊 DataZone 托管角色。有关权限边界的更多信息,请参阅《IAM用户指南》中的IAM实体的权限边界。
当您通过 Amazon DataZone 数据门户创建环境时,Amazon 会将此权限边界 DataZone 应用于在创建环境期间生成的IAM角色。权限边界限制了 Amazon DataZone 创建的角色和您添加的任何角色的范围。
Amazon DataZone 使用AmazonDataZoneEnvironmentRolePermissionsBoundary托管策略来限制其所关联的预配置IAM委托人。委托人可以采用亚马逊 DataZone 可以代表交互式企业用户或分析服务(例如)担任的用户角色的形式AWS Glue,然后执行操作来处理数据,例如从 Amazon S3 读取和写入数据或运行。 AWS Glue 爬网程序
该AmazonDataZoneEnvironmentRolePermissionsBoundary政策授予亚马逊对诸如亚马逊 DataZone S3 AWS Glue、、Amazon Redshift 和亚马逊 Athena 等服务的读写权限。 AWS Lake Formation该策略还向使用这些服务所需的某些基础设施资源(例如网络接口和 AWS KMS 密钥)授予读写权限。
亚马逊 DataZone 将AmazonDataZoneEnvironmentRolePermissionsBoundary AWS 托管策略应用为所有亚马逊 DataZone 环境角色(所有者和贡献者)的权限边界。此权限边界将这些角色限制为仅允许访问环境所需的资源和必要的操作。
边界包括以下JSON语句:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateGlueConnection", "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": [ "arn:aws:ec2:*:*:network-interface/*" ], "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "aws-glue-service-resource" ] } } }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": [ "glue:*DataQuality*", "glue:BatchCreatePartition", "glue:BatchDeleteConnection", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetWorkflows", "glue:BatchStopJobRun", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteBlueprint", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeleteConnection", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:DeleteWorkflow", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:PutWorkflowRunProperties", "glue:ResetJobBookmark", "glue:ResumeWorkflowRun", "glue:SearchTables", "glue:StartBlueprintRun", "glue:StartCrawler", "glue:StartCrawlerSchedule", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:StopCrawler", "glue:StopCrawlerSchedule", "glue:StopWorkflowRun", "glue:UpdateBlueprint", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateConnection", "glue:UpdateCrawler", "glue:UpdateCrawlerSchedule", "glue:UpdateDatabase", "glue:UpdateJob", "glue:UpdatePartition", "glue:UpdateTable", "glue:UpdateWorkflow" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "PassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/datazone*" ], "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" } } }, { "Sid": "SameAccountKmsOperations", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:ListKeys" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "KmsOperationsWithResourceTag", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:ListKeys", "kms:Encrypt", "kms:GenerateDataKey", "kms:Verify", "kms:Sign" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "AnalyticsOperations", "Effect": "Allow", "Action": [ "datazone:*", "sqlworkbench:*" ], "Resource": "*" }, { "Sid": "QueryOperations", "Effect": "Allow", "Action": [ "athena:BatchGetNamedQuery", "athena:BatchGetPreparedStatement", "athena:BatchGetQueryExecution", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryRuntimeStatistics", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ImportNotebook", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:Describe*", "glue:BatchCreatePartition", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetPartition", "glue:BatchGetWorkflows", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:SearchTables", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateDatabase", "glue:UpdatePartition", "glue:UpdateTable", "iam:GetRole", "iam:GetRolePolicy", "iam:ListGroups", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUsers", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:DescribeMetricFilters", "logs:StartQuery", "logs:StopQuery", "logs:GetLogEvents", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:GetLogRecord", "logs:PutLogEvents", "logs:CreateLogStream", "logs:FilterLogEvents", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetResourceLFTags", "lakeformation:ListPermissions", "redshift-data:ListTables", "redshift-data:DescribeTable", "redshift-data:ListSchemas", "redshift-data:ListDatabases", "redshift-data:ExecuteStatement", "redshift-data:GetStatementResult", "redshift-data:DescribeStatement", "redshift:CreateClusterUser", "redshift:DescribeClusters", "redshift:DescribeDataShares", "redshift:GetClusterCredentials", "redshift:GetClusterCredentialsWithIAM", "redshift:JoinGroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:GetCredentials", "secretsmanager:ListSecrets", "tag:GetResources" ], "Resource": "*" }, { "Sid": "QueryOperationsWithResourceTag", "Effect": "Allow", "Action": [ "athena:GetQueryResultsStream" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "SecretsManagerOperationsWithTagKeys", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:TagResource" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", "Condition": { "StringLike": { "aws:ResourceTag/AmazonDataZoneDomain": "*", "aws:ResourceTag/AmazonDataZoneProject": "*" }, "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "AmazonDataZoneDomain", "AmazonDataZoneProject" ] } } }, { "Sid": "DataZoneS3Buckets", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:PutObject", "s3:PutObjectRetention", "s3:ReplicateObject", "s3:RestoreObject" ], "Resource": [ "arn:aws:s3:::*/datazone/*" ] }, { "Sid": "DataZoneS3BucketLocation", "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": "*" }, { "Sid": "ListDataZoneS3Bucket", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "*" ], "Condition": { "StringLike": { "s3:prefix": [ "*/datazone/*", "datazone/*" ] } } }, { "Sid": "NotDeniedOperations", "Effect": "Deny", "NotAction": [ "datazone:*", "sqlworkbench:*", "athena:BatchGetNamedQuery", "athena:BatchGetPreparedStatement", "athena:BatchGetQueryExecution", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:GetQueryRuntimeStatistics", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ImportNotebook", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement", "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:DeleteNetworkInterface", "ec2:DeleteTags", "ec2:Describe*", "glue:*DataQuality*", "glue:BatchCreatePartition", "glue:BatchDeleteConnection", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetPartition", "glue:BatchGetWorkflows", "glue:BatchStopJobRun", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteBlueprint", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeleteConnection", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:DeleteWorkflow", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:PutWorkflowRunProperties", "glue:ResetJobBookmark", "glue:ResumeWorkflowRun", "glue:SearchTables", "glue:StartBlueprintRun", "glue:StartCrawler", "glue:StartCrawlerSchedule", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:StopCrawler", "glue:StopCrawlerSchedule", "glue:StopWorkflowRun", "glue:UpdateBlueprint", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateConnection", "glue:UpdateCrawler", "glue:UpdateCrawlerSchedule", "glue:UpdateDatabase", "glue:UpdateJob", "glue:UpdatePartition", "glue:UpdateTable", "glue:UpdateWorkflow", "iam:GetRole", "iam:GetRolePolicy", "iam:List*", "iam:PassRole", "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ListKeys", "kms:Verify", "kms:Sign", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:StartQuery", "logs:StopQuery", "logs:GetLogEvents", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:GetLogRecord", "logs:PutLogEvents", "logs:CreateLogStream", "logs:FilterLogEvents", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetResourceLFTags", "lakeformation:ListPermissions", "redshift-data:ListTables", "redshift-data:DescribeTable", "redshift-data:ListSchemas", "redshift-data:ListDatabases", "redshift-data:ExecuteStatement", "redshift-data:GetStatementResult", "redshift-data:DescribeStatement", "redshift:CreateClusterUser", "redshift:DescribeClusters", "redshift:DescribeDataShares", "redshift:GetClusterCredentials", "redshift:GetClusterCredentialsWithIAM", "redshift:JoinGroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:GetCredentials", "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject", "s3:PutObjectRetention", "s3:ReplicateObject", "s3:RestoreObject", "secretsmanager:CreateSecret", "secretsmanager:ListSecrets", "secretsmanager:TagResource", "tag:GetResources" ], "Resource": [ "*" ] } ] }
