Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
AWS politica gestita: AmazonDataZoneEnvironmentRolePermissionsBoundary
Nota
Questa politica rappresenta un limite delle autorizzazioni. Un limite delle autorizzazioni imposta il numero massimo di autorizzazioni che una policy basata su identità ha la possibilità di concedere a un'entità IAM. Non devi utilizzare e allegare autonomamente le politiche limite DataZone relative alle autorizzazioni di Amazon. Le politiche sui limiti DataZone delle autorizzazioni di Amazon devono essere allegate solo ai ruoli DataZone gestiti da Amazon. Per ulteriori informazioni sui limiti delle autorizzazioni, consulta Limiti delle autorizzazioni per le entità IAM nella Guida per l'utente IAM.
Quando crei un ambiente tramite il portale DataZone dati Amazon, Amazon DataZone applica questo limite di autorizzazioni ai ruoli IAM prodotti durante la creazione dell'ambiente. Il limite delle autorizzazioni limita l'ambito dei ruoli DataZone creati da Amazon e dei ruoli aggiunti.
Amazon DataZone utilizza la policy AmazonDataZoneEnvironmentRolePermissionsBoundary gestita per limitare il principale IAM fornito a cui è collegata. I responsabili potrebbero assumere la forma dei ruoli utente che Amazon DataZone può assumere per conto di utenti aziendali interattivi o di servizi di analisi (ad esempio)AWS Glue, e quindi condurre azioni per elaborare dati come la lettura e la scrittura da Amazon S3 o l'esecuzione. Crawler di AWS Glue
La AmazonDataZoneEnvironmentRolePermissionsBoundary policy concede l'accesso in lettura e scrittura per Amazon DataZone a servizi come Amazon S3 AWS Glue AWS Lake Formation, Amazon Redshift e Amazon Athena. La policy fornisce inoltre autorizzazioni di lettura e scrittura ad alcune risorse dell'infrastruttura necessarie per utilizzare questi servizi, come interfacce e chiavi di rete. AWS KMS
Amazon DataZone applica la policy AmazonDataZoneEnvironmentRolePermissionsBoundary AWS gestita come limite di autorizzazioni per tutti i ruoli DataZone dell'ambiente Amazon (proprietario e collaboratore). Questo limite di autorizzazioni limita questi ruoli per consentire l'accesso solo alle risorse e alle azioni richieste necessarie per un ambiente.
Il limite include le seguenti istruzioni JSON:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateGlueConnection", "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": [ "arn:aws:ec2:*:*:network-interface/*" ], "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "aws-glue-service-resource" ] } } }, { "Sid": "GlueOperations", "Effect": "Allow", "Action": [ "glue:*DataQuality*", "glue:BatchCreatePartition", "glue:BatchDeleteConnection", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetWorkflows", "glue:BatchStopJobRun", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteBlueprint", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeleteConnection", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:DeleteWorkflow", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:PutWorkflowRunProperties", "glue:ResetJobBookmark", "glue:ResumeWorkflowRun", "glue:SearchTables", "glue:StartBlueprintRun", "glue:StartCrawler", "glue:StartCrawlerSchedule", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:StopCrawler", "glue:StopCrawlerSchedule", "glue:StopWorkflowRun", "glue:UpdateBlueprint", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateConnection", "glue:UpdateCrawler", "glue:UpdateCrawlerSchedule", "glue:UpdateDatabase", "glue:UpdateJob", "glue:UpdatePartition", "glue:UpdateTable", "glue:UpdateWorkflow" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "PassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/datazone*" ], "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" } } }, { "Sid": "SameAccountKmsOperations", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:ListKeys" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "KmsOperationsWithResourceTag", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:ListKeys", "kms:Encrypt", "kms:GenerateDataKey", "kms:Verify", "kms:Sign" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "AnalyticsOperations", "Effect": "Allow", "Action": [ "datazone:*", "sqlworkbench:*" ], "Resource": "*" }, { "Sid": "QueryOperations", "Effect": "Allow", "Action": [ "athena:BatchGetNamedQuery", "athena:BatchGetPreparedStatement", "athena:BatchGetQueryExecution", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryRuntimeStatistics", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ImportNotebook", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:Describe*", "glue:BatchCreatePartition", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetPartition", "glue:BatchGetWorkflows", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:SearchTables", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateDatabase", "glue:UpdatePartition", "glue:UpdateTable", "iam:GetRole", "iam:GetRolePolicy", "iam:ListGroups", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUsers", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:DescribeMetricFilters", "logs:StartQuery", "logs:StopQuery", "logs:GetLogEvents", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:GetLogRecord", "logs:PutLogEvents", "logs:CreateLogStream", "logs:FilterLogEvents", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetResourceLFTags", "lakeformation:ListPermissions", "redshift-data:ListTables", "redshift-data:DescribeTable", "redshift-data:ListSchemas", "redshift-data:ListDatabases", "redshift-data:ExecuteStatement", "redshift-data:GetStatementResult", "redshift-data:DescribeStatement", "redshift:CreateClusterUser", "redshift:DescribeClusters", "redshift:DescribeDataShares", "redshift:GetClusterCredentials", "redshift:GetClusterCredentialsWithIAM", "redshift:JoinGroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:GetCredentials", "secretsmanager:ListSecrets", "tag:GetResources" ], "Resource": "*" }, { "Sid": "QueryOperationsWithResourceTag", "Effect": "Allow", "Action": [ "athena:GetQueryResultsStream" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "SecretsManagerOperationsWithTagKeys", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:TagResource" ], "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", "Condition": { "StringLike": { "aws:ResourceTag/AmazonDataZoneDomain": "*", "aws:ResourceTag/AmazonDataZoneProject": "*" }, "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "AmazonDataZoneDomain", "AmazonDataZoneProject" ] } } }, { "Sid": "DataZoneS3Buckets", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:PutObject", "s3:PutObjectRetention", "s3:ReplicateObject", "s3:RestoreObject" ], "Resource": [ "arn:aws:s3:::*/datazone/*" ] }, { "Sid": "DataZoneS3BucketLocation", "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": "*" }, { "Sid": "ListDataZoneS3Bucket", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "*" ], "Condition": { "StringLike": { "s3:prefix": [ "*/datazone/*", "datazone/*" ] } } }, { "Sid": "NotDeniedOperations", "Effect": "Deny", "NotAction": [ "datazone:*", "sqlworkbench:*", "athena:BatchGetNamedQuery", "athena:BatchGetPreparedStatement", "athena:BatchGetQueryExecution", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:GetQueryRuntimeStatistics", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ImportNotebook", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement", "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:DeleteNetworkInterface", "ec2:DeleteTags", "ec2:Describe*", "glue:*DataQuality*", "glue:BatchCreatePartition", "glue:BatchDeleteConnection", "glue:BatchDeletePartition", "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:BatchGetJobs", "glue:BatchGetPartition", "glue:BatchGetWorkflows", "glue:BatchStopJobRun", "glue:BatchUpdatePartition", "glue:CreateBlueprint", "glue:CreateConnection", "glue:CreateCrawler", "glue:CreateDatabase", "glue:CreateJob", "glue:CreatePartition", "glue:CreatePartitionIndex", "glue:CreateTable", "glue:CreateWorkflow", "glue:DeleteBlueprint", "glue:DeleteColumnStatisticsForPartition", "glue:DeleteColumnStatisticsForTable", "glue:DeleteConnection", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeletePartition", "glue:DeletePartitionIndex", "glue:DeleteTable", "glue:DeleteTableVersion", "glue:DeleteWorkflow", "glue:GetColumnStatisticsForPartition", "glue:GetColumnStatisticsForTable", "glue:GetConnection", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:ListSchemas", "glue:ListJobs", "glue:NotifyEvent", "glue:PutWorkflowRunProperties", "glue:ResetJobBookmark", "glue:ResumeWorkflowRun", "glue:SearchTables", "glue:StartBlueprintRun", "glue:StartCrawler", "glue:StartCrawlerSchedule", "glue:StartJobRun", "glue:StartWorkflowRun", "glue:StopCrawler", "glue:StopCrawlerSchedule", "glue:StopWorkflowRun", "glue:UpdateBlueprint", "glue:UpdateColumnStatisticsForPartition", "glue:UpdateColumnStatisticsForTable", "glue:UpdateConnection", "glue:UpdateCrawler", "glue:UpdateCrawlerSchedule", "glue:UpdateDatabase", "glue:UpdateJob", "glue:UpdatePartition", "glue:UpdateTable", "glue:UpdateWorkflow", "iam:GetRole", "iam:GetRolePolicy", "iam:List*", "iam:PassRole", "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ListKeys", "kms:Verify", "kms:Sign", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:DescribeQueries", "logs:DescribeQueryDefinitions", "logs:StartQuery", "logs:StopQuery", "logs:GetLogEvents", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:GetLogRecord", "logs:PutLogEvents", "logs:CreateLogStream", "logs:FilterLogEvents", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetResourceLFTags", "lakeformation:ListPermissions", "redshift-data:ListTables", "redshift-data:DescribeTable", "redshift-data:ListSchemas", "redshift-data:ListDatabases", "redshift-data:ExecuteStatement", "redshift-data:GetStatementResult", "redshift-data:DescribeStatement", "redshift:CreateClusterUser", "redshift:DescribeClusters", "redshift:DescribeDataShares", "redshift:GetClusterCredentials", "redshift:GetClusterCredentialsWithIAM", "redshift:JoinGroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:GetCredentials", "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject", "s3:PutObjectRetention", "s3:ReplicateObject", "s3:RestoreObject", "secretsmanager:CreateSecret", "secretsmanager:ListSecrets", "secretsmanager:TagResource", "tag:GetResources" ], "Resource": [ "*" ] } ] }
