AWS 受管理的策略：AmazonDataZoneRedshiftGlueProvisioningPolicy

該AmazonDataZoneRedshiftGlueProvisioningPolicy政策授予 Amazon DataZone 與 AWS Glue 和亞 Amazon Redshift 互操作所需的許可。




{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AmazonDataZonePermissionsToCreateEnvironmentRole",
			"Effect": "Allow",
			"Action": [
				"iam:CreateRole",
				"iam:DetachRolePolicy",
				"iam:DeleteRolePolicy",
				"iam:AttachRolePolicy",
				"iam:PutRolePolicy"
			],
			"Resource": "arn:aws:iam::*:role/datazone*",
			"Condition": {
				"StringEquals": {
					"iam:PermissionsBoundary": "arn:aws:iam::aws:policy/AmazonDataZoneEnvironmentRolePermissionsBoundary",
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "IamPassRolePermissions",
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": [
				"arn:aws:iam::*:role/datazone*"
			],
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": [
						"glue.amazonaws.com",
						"lakeformation.amazonaws.com"
					],
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZonePermissionsToManageCreatedEnvironmentRole",
			"Effect": "Allow",
			"Action": [
				"iam:DeleteRole",
				"iam:GetRole"
			],
			"Resource": "arn:aws:iam::*:role/datazone*",
			"Condition": {
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZoneCFStackCreationForEnvironments",
			"Effect": "Allow",
			"Action": [
				"cloudformation:CreateStack",
				"cloudformation:TagResource"
			],
			"Resource": [
				"arn:aws:cloudformation:*:*:stack/DataZone*"
			],
			"Condition": {
				"ForAnyValue:StringLike": {
					"aws:TagKeys": "AmazonDataZoneEnvironment"
				},
				"Null": {
					"aws:ResourceTag/AmazonDataZoneEnvironment": "false"
				}
			}
		},
		{
			"Sid": "AmazonDataZoneCFStackManagementForEnvironments",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DeleteStack",
				"cloudformation:DescribeStacks",
				"cloudformation:DescribeStackEvents"
			],
			"Resource": [
				"arn:aws:cloudformation:*:*:stack/DataZone*"
			]
		},
		{
			"Sid": "AmazonDataZoneEnvironmentParameterValidation",
			"Effect": "Allow",
			"Action": [
				"lakeformation:GetDataLakeSettings",
				"lakeformation:PutDataLakeSettings",
				"lakeformation:RevokePermissions",
				"lakeformation:ListPermissions",
				"glue:CreateDatabase",
				"glue:GetDatabase",
				"athena:GetWorkGroup",
				"logs:DescribeLogGroups",
				"redshift-serverless:GetNamespace",
				"redshift-serverless:GetWorkgroup",
				"redshift:DescribeClusters",
				"secretsmanager:ListSecrets"
			],
			"Resource": "*"
		},
		{
			"Sid": "AmazonDataZoneEnvironmentLakeFormationPermissions",
			"Effect": "Allow",
			"Action": [
				"lakeformation:RegisterResource",
				"lakeformation:DeregisterResource",
				"lakeformation:GrantPermissions",
				"lakeformation:ListResources"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZoneEnvironmentGlueDeletePermissions",
			"Effect": "Allow",
			"Action": [
				"glue:DeleteDatabase"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZoneEnvironmentAthenaDeletePermissions",
			"Effect": "Allow",
			"Action": [
				"athena:DeleteWorkGroup"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZoneEnvironmentAthenaResourceCreation",
			"Effect": "Allow",
			"Action": [
				"athena:CreateWorkGroup",
				"athena:TagResource",
				"iam:TagRole",
				"iam:TagPolicy",
				"logs:TagLogGroup"
			],
			"Resource": "*",
			"Condition": {
				"ForAnyValue:StringLike": {
					"aws:TagKeys": "AmazonDataZoneEnvironment"
				},
				"Null": {
					"aws:ResourceTag/AmazonDataZoneEnvironment": "false"
				},
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZoneEnvironmentLogGroupCreation",
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogGroup",
				"logs:DeleteLogGroup"
			],
			"Resource": "arn:aws:logs:*:*:log-group:datazone-*",
			"Condition": {
				"ForAnyValue:StringLike": {
					"aws:TagKeys": "AmazonDataZoneEnvironment"
				},
				"Null": {
					"aws:ResourceTag/AmazonDataZoneEnvironment": "false"
				},
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZoneEnvironmentLogGroupManagement",
			"Action": [
				"logs:PutRetentionPolicy"
			],
			"Resource": "arn:aws:logs:*:*:log-group:datazone-*",
			"Effect": "Allow",
			"Condition": {
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZoneEnvironmentIAMPolicyManagement",
			"Effect": "Allow",
			"Action": [
				"iam:DeletePolicy",
				"iam:CreatePolicy",
				"iam:GetPolicy",
				"iam:ListPolicyVersions"
			],
			"Resource": [
				"arn:aws:iam::*:policy/datazone*"
			],
			"Condition": {
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AmazonDataZoneEnvironmentS3ValidationPermissions",
			"Effect": "Allow",
			"Action": [
				"s3:ListAllMyBuckets",
				"s3:ListBucket"
			],
			"Resource": "arn:aws:s3:::*"
		},
		{
			"Sid": "AmazonDataZoneEnvironmentKMSDecryptPermissions",
			"Effect": "Allow",
			"Action": [
				"kms:GenerateDataKey",
				"kms:Decrypt"
			],
			"Resource": "*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AmazonDataZoneEnvironment": "false"
				}
			}
		},
		{
			"Sid": "PermissionsToTagAmazonDataZoneEnvironmentGlueResources",
			"Effect": "Allow",
			"Action": [
				"glue:TagResource"
			],
			"Resource": "*",
			"Condition": {
				"ForAnyValue:StringLike": {
					"aws:TagKeys": "AmazonDataZoneEnvironment"
				},
				"Null": {
					"aws:RequestTag/AmazonDataZoneEnvironment": "false"
				}
			}
		},
		{
			"Sid": "PermissionsToGetAmazonDataZoneEnvironmentBlueprintTemplates",
			"Effect": "Allow",
			"Action": "s3:GetObject",
			"Resource": "*",
			"Condition": {
				"StringNotEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				},
				"StringEquals": {
					"aws:CalledViaFirst": [
						"cloudformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "RedshiftDataPermissions",
			"Effect": "Allow",
			"Action": [
				"redshift-data:ListSchemas",
				"redshift-data:ExecuteStatement"
			],
			"Resource": [
				"arn:aws:redshift-serverless:*:*:workgroup/*",
				"arn:aws:redshift:*:*:cluster:*"
			]
		},
		{
			"Sid": "DescribeStatementPermissions",
			"Effect": "Allow",
			"Action": [
				"redshift-data:DescribeStatement"
			],
			"Resource": "*"
		},
		{
			"Sid": "GetSecretValuePermissions",
			"Effect": "Allow",
			"Action": [
				"secretsmanager:GetSecretValue"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"secretsmanager:ResourceTag/AmazonDataZoneDomain": "dzd*"
				}
			}
		}
	]
}
您的瀏覽器已停用或無法使用 Javascript。
您必須啟用 Javascript，才能使用 AWS 文件。請參閱您的瀏覽器說明頁以取得說明。
文件慣用形式
AmazonDataZoneEnvironmentRolePermissionsBoundary
AmazonDataZoneGlueManageAccessRolePolicy