

# Amazon DataZone updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Amazon DataZone since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon DataZone [Document history](https://docs.aws.amazon.com//datazone/latest/userguide/doc-history.html) page.




| Change | Description | Date | 
| --- | --- | --- | 
|  AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary - policy updates  |  Policy updates to the **AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary**. Added a Deny statement for the `sagemaker:UpdateNotebookInstanceLifecycleConfig` action to restrict this high-privilege operation.  | March 11th, 2026 | 
|  AmazonDataZoneDomainExecutionRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneDomainExecutionRolePolicy** - adding permissions for the `QueryGraph` action to support graph-based entity search capabilities.  | February 25th, 2026 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneGlueManageAccessRolePolicy** - adding permissions for the `GetConnection` action to support data lineage capture for connection-based data sources of AWS Glue.  | July 30th, 2025 | 
|  AmazonDataZoneFullAccess - policy updates  |  Policy updates to the **AmazonDataZoneFullAccess** - generalizing the scope for SecretsManager `create` and `tag` permissions for new domains that will have the format of `dzd-` instead of `dzd_..`.  | July 23rd, 2025 | 
|  AmazonDataZoneFullAccess - policy updates  |  Policy updates to the **AmazonDataZoneFullAccess** - enabling the console to attach or update AWS managed permissions in AWS RAM resource shares.  | May 22nd, 2025 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneGlueManageAccessRolePolicy** - the Amazon DataZone project user role is used as the data transfer role for federated tables. This update adds `datazone_usr_role*` to the `iam:PassRole` statement, enabling the project user role to be used for this purpose.  | May 21st, 2025 | 
|  AmazonDataZoneSageMakerProvisioningRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneSageMakerProvisioningRolePolicy** - adding support for the `glue:GetConnection` action.   | January 2nd, 2025 | 
|  AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary - policy updates  |  Policy updates to the **AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary** - this change adds `sagemaker:AddTags` to the permissions boundary to enable Amazon DataZone to successfully call `CreateUserProfile` with the necessary tags.   | December 3rd, 2024 | 
|  AmazonDataZoneFullAccess, AmazonDataZoneSageMakerAccess, and AmazonDataZoneGlueManageAccessRolePolicy - policy updates  |  Policy updates to the **AmazonDataZoneFullAccess**, **AmazonDataZoneSageMakerAccess**, and **AmazonDataZoneGlueManageAccessRolePolicy** - to enable support for the Amazon SageMaker Unified Studio experience.   | December 3rd, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy and AmazonDataZoneFullUserAccess - policy updates  |  Policy updates to the **AmazonDataZoneDomainExecutionRolePolicy** and **AmazonDataZoneFullUserAccess** - to enable support for metadata enforcement rules for subscription requests.  | November 19th, 2024 | 
|  AmazonDataZoneRedshiftGlueProvisioningPolicy - policy updates  |  Policy updates to the **AmazonDataZoneRedshiftGlueProvisioningPolicy** - adding `iam:DeletePolicyVersion` to allow users to delete policy versions for policies created with `datazone*`. This helps unblock users who need to update their environment user role policy.  | October 22nd, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy and AmazonDataZoneFullUserAccess - policy updates  |  Policy updates to the **AmazonDataZoneDomainExecutionRolePolicy** and **AmazonDataZoneFullUserAccess** - to enable support for the new APIs that are used to create and manage Amazon DataZone domain units and data products.   | July 31st, 2024 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - policy update  |  Policy update to the **AmazonDataZoneGlueManageAccessRolePolicy** - Amazon DataZone is adding IAM permissions that are used for fine-grained access control functionality in order to scope down the permission granting in Lake Formation.   | July 2nd, 2024 | 
|  AmazonDataZoneExecutionRolePolicy and AmazonDataZoneFullUserAccess - policy update  |  Policy update to the **AmazonDataZoneExecutionRolePolicy** and **AmazonDataZoneFullUserAccess** to enable support for the data lineage and fine-grained access control APIs.   | June 27th, 2024 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - policy update  |  Policy update to the **AmazonDataZoneGlueManageAccessRolePolicy** that adds IAM permissions required for the self-subscribe functionality in Amazon DataZone in order to scope down the permissions granting in Lake Formation. With the self-subscribe functionality, the Lake Formation permissions can only be granted to tagged resources.   | June 14th, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy - policy update  |  Policy update to the **AmazonDataZoneDomainExecutionRolePolicy** that adds new APIs to Amazon DataZone that enable users to configure actions for their Amazon DataZone environments.  | June 14th, 2024 | 
|  AmazonDataZoneFullAccess - policy update  |  Policy update to the **AmazonDataZoneFullAccess** that enables the Amazon DataZone management console to create secrets on the user's behalf with both domain and project tags. Also includes the `ram:ListResourceSharePermissions` action to enable administrators from the domain owner account to view the account association status of the associated accounts.  | June 14th, 2024 | 
|  AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary - new permissions boundary  |  New permissions boundary called **AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary**. When you create an Amazon SageMaker environment via the Amazon DataZone data portal, Amazon DataZone applies this permissions boundary to the IAM roles that are produced during environment creation. The permissions boundary limits the scope of the roles that Amazon DataZone creates and any roles that you add.  | April 30th, 2024 | 
|  AmazonDataZoneSageMakerAccess - new policy  |  New policy called **AmazonDataZoneSageMakerAccess** gives Amazon DataZone permissions to publish Amazon SageMaker assets to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to the Amazon SageMaker published assets in the catalog.  | April 30th, 2024 | 
|  AmazonDataZoneFullAccess - policy update  |  An update to the **AmazonDataZoneFullAccess** policy that adds access to the `DescribeSecurityGroups` action to improve the usability for account administrators configuring blueprints in the console and to the `GetPolicy` action to help retrieve information about the specified managed policy.  | April 30th, 2024 | 
|  AmazonDataZoneSageMakerProvisioningRolePolicy - new policy  |  New policy called **AmazonDataZoneSageMakerProvisioningRolePolicy** grants Amazon DataZone the permissions required to interoperate with Amazon SageMaker.  | April 30th, 2024 | 
|  AmazonDataZoneS3Manage-<region>-<domainId> - new role  |  New role called **AmazonDataZoneS3Manage-<region>-<domainId>** that is used when Amazon DataZone calls AWS Lake Formation to register an Amazon Simple Storage Service (Amazon S3) location. AWS Lake Formation assumes this role when accessing the data in that location.  | April 1st, 2024 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - Policy update  |  Updated the **AmazonDataZoneGlueManageAccessRolePolicy** to enable support for permissions that allow Amazon DataZone to enable publishing and access grants to data.  | April 1st, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy and AmazonDataZoneFullUserAccess - Policy update  |  Updated the **AmazonDataZoneDomainExecutionRolePolicy** and **AmazonDataZoneFullUserAccess** to enable support for the `CancelMetadataGenerationRun` API.   | March 29, 2024 | 
|  AmazonDataZoneFullAccess - Policy update  |  Updated the `AmazonDataZoneFullAccess` to enable users to choose their secrets, clusters, VPCs, and subnets in the Amazon DataZone management console rather than type them in a text box.   | March 13, 2024 | 
|  AmazonDataZoneDomainExecutionRolePolicy - Policy update  |  Updated the **AmazonDataZoneDomainExecutionRolePolicy** to enable support for the `ListEnvironmentBlueprintConfigurationSummaries` API that is required for creating environment profiles by identifying which blueprints are enabled in which account and region.   | February 01, 2024 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - Policy update  |  Updated the **AmazonDataZoneGlueManageAccessRolePolicy** to enable support for the AWS Lake Formation hybrid mode.  | December 14, 2023 | 
|  AmazonDataZoneFullUserAccess and AmazonDataZoneDomainExecutionRolePolicy - Policy updates  |  Updated the **AmazonDataZoneFullUserAccess** and the **AmazonDataZoneDomainExecutionRolePolicy** policies to support the generative AI-powered data descriptions functionality in Amazon DataZone.   | November 28, 2023 | 
|  AmazonDataZoneEnvironmentRolePermissionsBoundary - Policy update  |  Amazon DataZone made an update to the **AmazonDataZoneEnvironmentRolePermissionsBoundary** managed policy that consists of an additional `athena:GetQueryResultsStream` permission scoped down with the `ResourceTag` condition.  | November 17, 2023 | 
|  AmazonDataZoneRedshiftManageAccessRolePolicy - Policy update  |  Amazon DataZone updated the **AmazonDataZoneRedshiftManageAccessRolePolicy** by removing the check on organization ID for the `redshift:AssociateDataShareConsumer` action. This enables you to share resources across AWS organizations.  | November 16, 2023 | 
|  AmazonDataZoneFullUserAccess - Policy update  |  Amazon DataZone updated the **AmazonDataZoneFullUserAccess** policy that grants full access to Amazon DataZone, but it does not allow the management of domains, users, or associated accounts.  | October 02, 2023 | 
|  AmazonDataZonePortalFullAccessPolicy - policy deprecated  |  Amazon DataZone deprecated the **AmazonDataZonePortalFullAccessPolicy**.  | September 29, 2023 | 
|  AmazonDataZonePreviewConsoleFullAccess - policy deprecated  |  Amazon DataZone deprecated the **AmazonDataZonePreviewConsoleFullAccess**.  | September 29, 2023 | 
|  AmazonDataZoneDomainExecutionRolePolicy - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneDomainExecutionRolePolicy**. This is the default policy for the Amazon DataZone `AmazonDataZoneDomainExecutionRole` service role. This role is used by Amazon DataZone to catalog, discover, govern, share, and analyze data in the Amazon DataZone domain. You can attach the `AmazonDataZoneDomainExecutionRolePolicy` policy to your `AmazonDataZoneDomainExecutionRole`.  | September 25, 2023 | 
|  AmazonDataZoneCrossAccountAdmin - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneCrossAccountAdmin** that enables users to work with Amazon DataZone and its associated accounts.  | September 19, 2023 | 
|  AmazonDataZoneFullUserAccess - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneFullUserAccess** that grants full access to Amazon DataZone, but it does not allow the management of domains, users, or associated accounts.  | September 12, 2023 | 
|  AmazonDataZoneRedshiftManageAccessRolePolicy - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneRedshiftManageAccessRolePolicy** that grants permissions to allow Amazon DataZone to enable publishing and access grants to data.  | September 12, 2023 | 
|  AmazonDataZoneGlueManageAccessRolePolicy - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneGlueManageAccessRolePolicy** that grants Amazon DataZone permissions to publish AWS Glue data to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to AWS Glue published assets in the catalog.  | September 12, 2023 | 
|  AmazonDataZoneRedshiftGlueProvisioningPolicy - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneRedshiftGlueProvisioningPolicy** that grants Amazon DataZone the permissions required to interoperate with the supported data sources.  | September 12, 2023 | 
|  AmazonDataZoneEnvironmentRolePermissionsBoundary - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneEnvironmentRolePermissionsBoundary** that limits the provisioned IAM principal to which it is attached.  | September 12, 2023 | 
|  AmazonDataZoneFullAccess - New policy  |  Amazon DataZone added a new policy called **AmazonDataZoneFullAccess** that provides full access to Amazon DataZone via the AWS Management Console.   | September 12, 2023 | 
|  Managed policy update  |  Updates to the **AmazonDataZonePreviewConsoleFullAccess** managed policy that consists of an additional `iam:GetPolicy` permission.  | June 13, 2023 | 
|  Amazon DataZone started tracking changes  |  Amazon DataZone started tracking changes for its AWS managed policies.  | March 20, 2023 | 