本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
您可將 AmazonDataZoneFullAccess
政策連接到 IAM 身分。
此政策透過 AWS Management Console 提供 Amazon DataZone 的完整存取權。此政策也包含用於解密已加密 SSM 參數的 AWS KMS 許可：KMS 金鑰必須具有值為 true 的 EnableKeyForAmazonDataZone 標籤，且僅允許在透過 SSM 服務 (kms:ViaService) 呼叫時進行解密。
許可詳細資訊
此政策包含以下許可:
-
datazone
– 授予主體對 Amazon DataZone 的完整存取權（datazone:* 套用於所有資源），以便透過 AWS Management Console 使用 Amazon DataZone。 -
kms
– 允許主體列出別名、描述金鑰，以及解密金鑰；解密僅限於 EnableKeyForAmazonDataZone 標籤值為 true 的金鑰，且僅在透過 SSM 服務 (kms:ViaService) 呼叫時允許。 -
s3
– 允許主體列出所有儲存貯體以選擇現有儲存貯體，或建立名稱以 amazon-datazone 或 amazon-sagemaker 開頭的新 S3 儲存貯體來存放 Amazon DataZone 資料；僅可對同一帳戶中名稱以 amazon-sagemaker 開頭的儲存貯體設定 CORS、儲存貯體政策和版本控制。 -
ram
– 允許主體跨 AWS 帳戶共用 Amazon DataZone 網域：建立資源共用時限於 datazone:Domain 資源類型，刪除、關聯、取消關聯與拒絕邀請則限於名稱以 DataZone 開頭的資源共用。請注意，建立資源共用的條件使用 StringEqualsIfExists，若請求中不含 ram:RequestedResourceType 索引鍵，該條件即視為符合。 -
iam
– 允許主體列出角色和使用者、將名稱以 AmazonDataZone 開頭的角色（含 service-role 路徑）或 service-role 路徑下以 AmazonSageMaker 開頭的角色傳遞給 datazone.amazonaws.com 服務，以及取得 AmazonDataZoneRedshiftAccessPolicy 政策。 -
sso
– 允許主體取得已啟用 AWS IAM Identity Center 的區域。 -
secretsmanager
– 允許主體建立、標記和列出秘密；建立與標記僅限名稱以 AmazonDataZone- 開頭、且 AmazonDataZoneDomain 標籤值符合 dzd_* 的秘密。 -
aoss
– 允許主體建立和擷取 OpenSearch Serverless 安全政策的資訊，僅限於名稱符合 genai-studio-* 的集合。 -
bedrock
– 允許主體列出和擷取基礎模型與推論設定檔的資訊，並建立、標記和刪除應用程式推論設定檔；建立、標記與刪除僅限於具有 AmazonDataZoneDomain 標籤且不具有 AmazonDataZoneProject 標籤的設定檔。 -
codeconnections
– 允許主體擷取連線資訊、列出連線，以及在連線上新增或移除 for-use-with-all-datazone-projects 標籤（此處所示的政策不包含刪除連線的動作）。 -
codewhisperer
– 允許主體列出 CodeWhisperer 設定檔。 -
ssm
– 允許主體放置、刪除和擷取參數的資訊，僅限於路徑 /amazon/datazone/q*、/amazon/datazone/genAI* 和 /amazon/datazone/profiles* 下的參數。 -
redshift
– 允許主體描述 Redshift 叢集並列出 Redshift Serverless 工作群組。此政策另外允許 ec2:DescribeVpcs、ec2:DescribeSubnets 和 ec2:DescribeSecurityGroups（上述清單未另列）。 -
glue
– 允許主體取得資料庫。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazonDataZoneStatement",
"Effect": "Allow",
"Action": [
"datazone:*"
],
"Resource": [
"*"
]
},
{
"Sid": "ReadOnlyStatement",
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ListAliases",
"iam:ListRoles",
"sso:DescribeRegisteredRegions",
"s3:ListAllMyBuckets",
"redshift:DescribeClusters",
"redshift-serverless:ListWorkgroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"secretsmanager:ListSecrets",
"iam:ListUsers",
"glue:GetDatabases",
"codeconnections:ListConnections",
"codeconnections:ListTagsForResource",
"codewhisperer:ListProfiles",
"bedrock:ListInferenceProfiles",
"bedrock:ListFoundationModels",
"bedrock:ListTagsForResource",
"aoss:ListSecurityPolicies"
],
"Resource": [
"*"
]
},
{
"Sid": "BucketReadOnlyStatement",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "CreateBucketStatement",
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::amazon-datazone*",
"arn:aws:s3:::amazon-sagemaker*"
]
},
{
"Sid": "ConfigureBucketStatement",
"Effect": "Allow",
"Action": [
"s3:PutBucketCORS",
"s3:PutBucketPolicy",
"s3:PutBucketVersioning"
],
"Resource": [
"arn:aws:s3:::amazon-sagemaker*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "RamCreateResourceStatement",
"Effect": "Allow",
"Action": [
"ram:CreateResourceShare"
],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"ram:RequestedResourceType": "datazone:Domain"
}
}
},
{
"Sid": "RamResourceStatement",
"Effect": "Allow",
"Action": [
"ram:DeleteResourceShare",
"ram:AssociateResourceShare",
"ram:DisassociateResourceShare",
"ram:RejectResourceShareInvitation"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ram:ResourceShareName": [
"DataZone*"
]
}
}
},
{
"Sid": "RamResourceReadOnlyStatement",
"Effect": "Allow",
"Action": [
"ram:GetResourceShares",
"ram:GetResourceShareInvitations",
"ram:GetResourceShareAssociations",
"ram:ListResourceSharePermissions"
],
"Resource": "*"
},
{
"Sid": "IAMPassRoleStatement",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::*:role/AmazonDataZone*",
"arn:aws:iam::*:role/service-role/AmazonDataZone*",
"arn:aws:iam::*:role/service-role/AmazonSageMaker*"
],
"Condition": {
"StringEquals": {
"iam:passedToService": "datazone.amazonaws.com"
}
}
},
{
"Sid": "IAMGetPolicyStatement",
"Effect": "Allow",
"Action": "iam:GetPolicy",
"Resource": [
"arn:aws:iam::*:policy/service-role/AmazonDataZoneRedshiftAccessPolicy*"
]
},
{
"Sid": "DataZoneTagOnCreateDomainProjectTags",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"AmazonDataZoneDomain",
"AmazonDataZoneProject"
]
},
"StringLike": {
"aws:RequestTag/AmazonDataZoneDomain": "dzd_*",
"aws:ResourceTag/AmazonDataZoneDomain": "dzd_*"
}
}
},
{
"Sid": "DataZoneTagOnCreate",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"AmazonDataZoneDomain"
]
},
"StringLike": {
"aws:RequestTag/AmazonDataZoneDomain": "dzd_*",
"aws:ResourceTag/AmazonDataZoneDomain": "dzd_*"
}
}
},
{
"Sid": "CreateSecretStatement",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*",
"Condition": {
"StringLike": {
"aws:RequestTag/AmazonDataZoneDomain": "dzd_*"
}
}
},
{
"Sid": "ConnectionStatement",
"Effect": "Allow",
"Action": [
"codeconnections:GetConnection"
],
"Resource": [
"arn:aws:codeconnections:*:*:connection/*"
]
},
{
"Sid": "TagCodeConnectionsStatement",
"Effect": "Allow",
"Action": [
"codeconnections:TagResource"
],
"Resource": [
"arn:aws:codeconnections:*:*:connection/*"
],
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"for-use-with-all-datazone-projects"
]
},
"StringEquals": {
"aws:RequestTag/for-use-with-all-datazone-projects": "true"
}
}
},
{
"Sid": "UntagCodeConnectionsStatement",
"Effect": "Allow",
"Action": [
"codeconnections:UntagResource"
],
"Resource": [
"arn:aws:codeconnections:*:*:connection/*"
],
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": "for-use-with-all-datazone-projects"
}
}
},
{
"Sid": "SSMParameterStatement",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParametersByPath",
"ssm:PutParameter",
"ssm:DeleteParameter"
],
"Resource": [
"arn:aws:ssm:*:*:parameter/amazon/datazone/q*",
"arn:aws:ssm:*:*:parameter/amazon/datazone/genAI*",
"arn:aws:ssm:*:*:parameter/amazon/datazone/profiles*"
]
},
{
"Sid": "UseKMSKeyPermissionsStatement",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/EnableKeyForAmazonDataZone": "true"
},
"Null": {
"aws:ResourceTag/EnableKeyForAmazonDataZone": "false"
},
"StringLike": {
"kms:ViaService": "ssm.*.amazonaws.com"
}
}
},
{
"Sid": "SecurityPolicyStatement",
"Effect": "Allow",
"Action": [
"aoss:GetSecurityPolicy",
"aoss:CreateSecurityPolicy"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aoss:collection": "genai-studio-*"
}
}
},
{
"Sid": "GetFoundationModelStatement",
"Effect": "Allow",
"Action": [
"bedrock:GetFoundationModel",
"bedrock:GetFoundationModelAvailability"
],
"Resource": [
"arn:aws:bedrock:*::foundation-model/*"
]
},
{
"Sid": "GetInferenceProfileStatement",
"Effect": "Allow",
"Action": [
"bedrock:GetInferenceProfile"
],
"Resource": [
"arn:aws:bedrock:*:*:inference-profile/*",
"arn:aws:bedrock:*:*:application-inference-profile/*"
]
},
{
"Sid": "ApplicationInferenceProfileStatement",
"Effect": "Allow",
"Action": [
"bedrock:CreateInferenceProfile"
],
"Resource": [
"arn:aws:bedrock:*:*:application-inference-profile/*"
],
"Condition": {
"Null": {
"aws:RequestTag/AmazonDataZoneProject": "true",
"aws:RequestTag/AmazonDataZoneDomain": "false"
}
}
},
{
"Sid": "TagApplicationInferenceProfileStatement",
"Effect": "Allow",
"Action": [
"bedrock:TagResource"
],
"Resource": [
"arn:aws:bedrock:*:*:application-inference-profile/*"
],
"Condition": {
"Null": {
"aws:ResourceTag/AmazonDataZoneProject": "true",
"aws:RequestTag/AmazonDataZoneProject": "true",
"aws:ResourceTag/AmazonDataZoneDomain": "false",
"aws:RequestTag/AmazonDataZoneDomain": "false"
}
}
},
{
"Sid": "DeleteApplicationInferenceProfileStatement",
"Effect": "Allow",
"Action": [
"bedrock:DeleteInferenceProfile"
],
"Resource": [
"arn:aws:bedrock:*:*:application-inference-profile/*"
],
"Condition": {
"Null": {
"aws:ResourceTag/AmazonDataZoneProject": "true",
"aws:ResourceTag/AmazonDataZoneDomain": "false"
}
}
}
]
}
政策考量和限制
AmazonDataZoneFullAccess
政策未涵蓋某些功能。
-
如果您使用自己的 AWS KMS 金鑰建立 Amazon DataZone 網域，您必須擁有 kms:CreateGrant 許可才能成功建立網域，並擁有 kms:GenerateDataKey 和 kms:Decrypt 許可才能叫用其他 Amazon DataZone API（例如 listDataSources 和 createDataSource）。此外，該金鑰的資源政策（金鑰政策）中也必須授予您 kms:DescribeKey、kms:CreateGrant、kms:GenerateDataKey 和 kms:Decrypt 許可。請注意，此政策中的 kms:Decrypt 僅限透過 SSM 服務 (kms:ViaService) 使用，並不涵蓋網域金鑰的這些操作。如果您使用預設的服務擁有 KMS 金鑰，則不需要上述許可。
如需詳細資訊,請參閱AWS Key Management Service。
-
如果您想要在 Amazon DataZone 主控台中使用建立和更新角色功能，您必須擁有管理員權限，或具備建立 IAM 角色及建立/更新政策所需的 IAM 許可，包括 iam:CreateRole、iam:CreatePolicy、iam:DeletePolicyVersion、iam:CreatePolicyVersion 和 iam:AttachRolePolicy。由於這些許可可用來授予任意權限，建議將其資源限縮於所需的角色和政策 ARN，而非套用於所有資源。 -
如果您在啟用 AWS IAM Identity Center 使用者登入的 Amazon DataZone 中建立新的網域,或者如果您為 Amazon DataZone 中的現有網域啟用該網域,則必須具有下列許可:
-
organizations:DescribeOrganization
-
organizations:ListDelegatedAdministrators
-
sso:CreateInstance
-
sso:ListInstances
-
sso:GetSharedSsoConfiguration
-
sso:PutApplicationGrant
-
sso:PutApplicationAssignmentConfiguration
-
sso:PutApplicationAuthenticationMethod
-
sso:PutApplicationAccessScope
-
sso:CreateApplication
-
sso:DeleteApplication
-
sso:CreateApplicationAssignment
-
sso:DeleteApplicationAssignment
-
sso-directory:CreateUser
-
sso-directory:SearchUsers
-
sso:ListApplications
-
-
若要在 Amazon DataZone 中接受 AWS 帳戶關聯請求，您必須擁有 ram:AcceptResourceShareInvitation 許可；此政策僅包含 ram:RejectResourceShareInvitation，並未包含接受邀請的許可。 -
如果您想要為 SageMaker Unified Studio 網路設定建立必要的資源,您必須具有下列項目的許可,並連接 AmazonVpcFullAccess 政策:
-
iam:PassRole
-
cloudformation:CreateStack
-