本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS 托管策略:AmazonDataZoneFullAccess
您可以将该AmazonDataZoneFullAccess策略附加到您的IAM身份。
本政策允许 DataZone 通过以下方式访问亚马逊 AWS Management Console.
权限详细信息
该策略包含以下权限:
-
datazone— 授予委托人 DataZone通过 Amazon 的完全访问权限 AWS Management Console. -
kms— 允许委托人列出别名和描述密钥。 -
s3— 允许委托人选择现有或创建新的 S3 存储桶来存储 Ama DataZone zon 数据。 -
ram— 允许委托人跨域共享 Amazon DataZone 域名 AWS 账户. -
iam— 允许委托人列出和传递角色并获取策略。 -
sso— 允许委托人获取区域 AWS IAM Identity Center 已启用。 -
secretsmanager— 允许委托人创建、标记和列出带有特定前缀的密钥。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AmazonDataZoneStatement", "Effect": "Allow", "Action": [ "datazone:*" ], "Resource": [ "*" ] }, { "Sid": "ReadOnlyStatement", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ListAliases", "iam:ListRoles", "sso:DescribeRegisteredRegions", "s3:ListAllMyBuckets", "redshift:DescribeClusters", "redshift-serverless:ListWorkgroups", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "secretsmanager:ListSecrets" ], "Resource": [ "*" ] }, { "Sid": "BucketReadOnlyStatement", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Sid": "CreateBucketStatement", "Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "arn:aws:s3:::amazon-datazone*" }, { "Sid": "RamCreateResourceStatement", "Effect": "Allow", "Action": [ "ram:CreateResourceShare" ], "Resource": "*", "Condition": { "StringEqualsIfExists": { "ram:RequestedResourceType": "datazone:Domain" } } }, { "Sid": "RamResourceStatement", "Effect": "Allow", "Action": [ "ram:DeleteResourceShare", "ram:AssociateResourceShare", "ram:DisassociateResourceShare", "ram:RejectResourceShareInvitation" ], "Resource": "*", "Condition": { "StringLike": { "ram:ResourceShareName": [ "DataZone*" ] } } }, { "Sid": "RamResourceReadOnlyStatement", "Effect": "Allow", "Action": [ "ram:GetResourceShares", "ram:GetResourceShareInvitations", "ram:GetResourceShareAssociations", "ram:ListResourceSharePermissions" ], "Resource": "*" }, { "Sid": "IAMPassRoleStatement", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/AmazonDataZone*", "arn:aws:iam::*:role/service-role/AmazonDataZone*" ], "Condition": { "StringEquals": { "iam:passedToService": "datazone.amazonaws.com" } } }, { "Sid": "IAMGetPolicyStatement", "Effect": "Allow", "Action": "iam:GetPolicy", "Resource": [ "arn:aws:iam::*:policy/service-role/AmazonDataZoneRedshiftAccessPolicy*" ] }, { "Sid": "DataZoneTagOnCreateDomainProjectTags", "Effect": "Allow", "Action": [ "secretsmanager:TagResource" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "AmazonDataZoneDomain", "AmazonDataZoneProject" ] }, "StringLike": { "aws:RequestTag/AmazonDataZoneDomain": "dzd_*", "aws:ResourceTag/AmazonDataZoneDomain": "dzd_*" } } }, { "Sid": "DataZoneTagOnCreate", "Effect": "Allow", "Action": [ "secretsmanager:TagResource" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "AmazonDataZoneDomain" ] }, "StringLike": { "aws:RequestTag/AmazonDataZoneDomain": "dzd_*", "aws:ResourceTag/AmazonDataZoneDomain": "dzd_*" } } }, { "Sid": "CreateSecretStatement", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", "Condition": { "StringLike": { "aws:RequestTag/AmazonDataZoneDomain": "dzd_*" } } } ] }
政策注意事项和限制
该AmazonDataZoneFullAccess政策未涵盖某些功能。
-
如果您使用自己的域名创建 Amazon DataZone 域名 AWS KMS 密钥,您必须拥有成功创建域
kms:CreateGrant名的权限,并且必须拥有该密钥才能调用其他 Amazon DataZoneAPIs(例如listDataSources和)的权限createDataSource。kms:GenerateDataKeykms:Decrypt而且您还必须在该密钥的资源策略kms:DescribeKey中拥有kms:CreateGrantkms:Decryptkms:GenerateDataKey、、和权限。如果您使用默认的服务拥有的KMS密钥,则不需要这样做。
有关更多信息,请参阅 AWS Key Management Service.
-
如果您想在 Amazon DataZone 控制台中使用创建和更新角色功能,则必须具有管理员权限或拥有创建IAM角色和创建/更新IAM策略所需的权限。所需的权限包括
iam:CreateRole、iam:CreatePolicy、iam:CreatePolicyVersioniam:DeletePolicyVersion、和iam:AttachRolePolicy权限。 -
如果您在 Amazon DataZone 上创建了一个新域名 AWS IAM Identity Center 用户登录已激活,或者如果您为亚马逊的现有域名激活登录 DataZone,则必须具有以下权限:
-
组织:DescribeOrganization
-
组织:ListDelegatedAdministrators
-
sso:CreateInstance
-
sso:ListInstances
-
sso:GetSharedSsoConfiguration
-
sso:PutApplicationGrant
-
sso:PutApplicationAssignmentConfiguration
-
sso:PutApplicationAuthenticationMethod
-
sso:PutApplicationAccessScope
-
sso:CreateApplication
-
sso:DeleteApplication
-
sso:CreateApplicationAssignment
-
sso:DeleteApplicationAssignment
-
-
为了接受 AWS 在 Amazon 上申请账户关联时 DataZone,您必须拥有
ram:AcceptResourceShareInvitation权限。
