AWS managed policy: AmazonDataZoneFullAccess - Amazon DataZone

This page is a machine translation of the English original; where the two differ, the English version prevails.

AWS managed policy: AmazonDataZoneFullAccess

You can attach the AmazonDataZoneFullAccess policy to your IAM identities.

This policy grants full access to Amazon DataZone through the AWS Management Console.

Permissions details

This policy includes the following permissions:

  • datazone — Grants the principal full access to Amazon DataZone through the AWS Management Console.

  • kms — Allows the principal to list aliases and describe keys.

  • s3 — Allows the principal to choose an existing S3 bucket, or create a new one, to store Amazon DataZone data.

  • ram — Allows the principal to share Amazon DataZone domains across AWS accounts.

  • iam — Allows the principal to list and pass roles, and to get policies.

  • sso — Allows the principal to get the Regions in which AWS IAM Identity Center is enabled.

  • secretsmanager — Allows the principal to create, tag and list secrets that have a specific prefix.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonDataZoneStatement",
      "Effect": "Allow",
      "Action": ["datazone:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "ReadOnlyStatement",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListAliases",
        "iam:ListRoles",
        "sso:DescribeRegisteredRegions",
        "s3:ListAllMyBuckets",
        "redshift:DescribeClusters",
        "redshift-serverless:ListWorkgroups",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "secretsmanager:ListSecrets"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "BucketReadOnlyStatement",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "CreateBucketStatement",
      "Effect": "Allow",
      "Action": "s3:CreateBucket",
      "Resource": "arn:aws:s3:::amazon-datazone*"
    },
    {
      "Sid": "RamCreateResourceStatement",
      "Effect": "Allow",
      "Action": ["ram:CreateResourceShare"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "ram:RequestedResourceType": "datazone:Domain"
        }
      }
    },
    {
      "Sid": "RamResourceStatement",
      "Effect": "Allow",
      "Action": [
        "ram:DeleteResourceShare",
        "ram:AssociateResourceShare",
        "ram:DisassociateResourceShare",
        "ram:RejectResourceShareInvitation"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ram:ResourceShareName": ["DataZone*"]
        }
      }
    },
    {
      "Sid": "RamResourceReadOnlyStatement",
      "Effect": "Allow",
      "Action": [
        "ram:GetResourceShares",
        "ram:GetResourceShareInvitations",
        "ram:GetResourceShareAssociations",
        "ram:ListResourceSharePermissions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMPassRoleStatement",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/AmazonDataZone*",
        "arn:aws:iam::*:role/service-role/AmazonDataZone*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:passedToService": "datazone.amazonaws.com"
        }
      }
    },
    {
      "Sid": "IAMGetPolicyStatement",
      "Effect": "Allow",
      "Action": "iam:GetPolicy",
      "Resource": [
        "arn:aws:iam::*:policy/service-role/AmazonDataZoneRedshiftAccessPolicy*"
      ]
    },
    {
      "Sid": "DataZoneTagOnCreateDomainProjectTags",
      "Effect": "Allow",
      "Action": ["secretsmanager:TagResource"],
      "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["AmazonDataZoneDomain", "AmazonDataZoneProject"]
        },
        "StringLike": {
          "aws:RequestTag/AmazonDataZoneDomain": "dzd_*",
          "aws:ResourceTag/AmazonDataZoneDomain": "dzd_*"
        }
      }
    },
    {
      "Sid": "DataZoneTagOnCreate",
      "Effect": "Allow",
      "Action": ["secretsmanager:TagResource"],
      "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["AmazonDataZoneDomain"]
        },
        "StringLike": {
          "aws:RequestTag/AmazonDataZoneDomain": "dzd_*",
          "aws:ResourceTag/AmazonDataZoneDomain": "dzd_*"
        }
      }
    },
    {
      "Sid": "CreateSecretStatement",
      "Effect": "Allow",
      "Action": ["secretsmanager:CreateSecret"],
      "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AmazonDataZoneDomain": "dzd_*"
        }
      }
    }
  ]
}
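As an added example (not part of the AWS documentation or of the DataZone service), the following Python script evaluates requests against a constructed subset of the statements above to show how their scoping works: s3:CreateBucket is limited to bucket names beginning with amazon-datazone, iam:PassRole passes only AmazonDataZone* roles and only to datazone.amazonaws.com, and ram:CreateResourceShare is limited to the datazone:Domain resource type. It implements only the three condition operators those statements use, approximates IAM wildcard matching with fnmatch, and does not model Deny statements, so it is a reading aid for this policy rather than a general IAM evaluator.

```python
import fnmatch
import json
# Constructed subset of the AmazonDataZoneFullAccess statements shown above; not the whole policy.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AmazonDataZoneStatement", "Effect": "Allow", "Action": ["datazone:*"], "Resource": ["*"]},
  {"Sid": "CreateBucketStatement", "Effect": "Allow", "Action": "s3:CreateBucket",
   "Resource": "arn:aws:s3:::amazon-datazone*"},
  {"Sid": "RamCreateResourceStatement", "Effect": "Allow", "Action": ["ram:CreateResourceShare"],
   "Resource": "*", "Condition": {"StringEqualsIfExists": {"ram:RequestedResourceType": "datazone:Domain"}}},
  {"Sid": "IAMPassRoleStatement", "Effect": "Allow", "Action": "iam:PassRole",
   "Resource": ["arn:aws:iam::*:role/AmazonDataZone*", "arn:aws:iam::*:role/service-role/AmazonDataZone*"],
   "Condition": {"StringEquals": {"iam:passedToService": "datazone.amazonaws.com"}}}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, ctx):
    # Only the operators used above are modelled; any other operator fails closed.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # ...IfExists operators are satisfied by a missing key
                if operator == "StringEqualsIfExists":
                    continue
                return False
            if operator in ("StringEquals", "StringEqualsIfExists"):
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":  # '*' and '?' wildcards, case-sensitive
                if not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected)):
                    return False
            else:
                return False
    return True

def allowed(policy, action, resource, ctx=None):
    """Sid of the first matching Allow statement, or None (implicit deny); Deny is not modelled."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        # Action names match case-insensitively; resource ARNs match case-sensitively.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None
```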

Policy considerations and limitations

The AmazonDataZoneFullAccess policy does not cover certain capabilities.

  • If you create an Amazon DataZone domain using your own AWS KMS key, you must have the kms:CreateGrant permission for the domain to be created successfully, and the kms:GenerateDataKey and kms:Decrypt permissions on that key for other Amazon DataZone APIs (such as listDataSources and createDataSource) to be invoked. You must also have the kms:CreateGrant, kms:Decrypt, kms:GenerateDataKey and kms:DescribeKey permissions in the key's resource policy.

    This is not required if you use the default service-owned KMS key.

    For more information, see AWS Key Management Service.

  • If you want to use the create/update role feature in the Amazon DataZone console, you must have administrator permissions or the IAM permissions required to create IAM roles and to create and update policies. The required permissions are iam:CreateRole, iam:CreatePolicy, iam:CreatePolicyVersion, iam:DeletePolicyVersion and iam:AttachRolePolicy.

  • If you create a new domain in Amazon DataZone with AWS IAM Identity Center user login enabled, or if you enable it for an existing Amazon DataZone domain, you must have permissions for the following:

    • organizations:DescribeOrganization

    • organizations:ListDelegatedAdministrators

    • sso:CreateInstance

    • sso:ListInstances

    • sso:GetSharedSsoConfiguration

    • sso:PutApplicationGrant

    • sso:PutApplicationAssignmentConfiguration

    • sso:PutApplicationAuthenticationMethod

    • sso:PutApplicationAccessScope

    • sso:CreateApplication

    • sso:DeleteApplication

    • sso:CreateApplicationAssignment

    • sso:DeleteApplicationAssignment

  • To accept an AWS account association request for Amazon DataZone, you must have the ram:AcceptResourceShareInvitation permission.