本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AmazonDataZoneProjectDeploymentPermissionsBoundary
**描述**:Amazon DataZone 會建立用於部署資料分析專案的 IAM 角色。DataZone 會在建立這些角色時使用此政策來定義其許可的界限。
`AmazonDataZoneProjectDeploymentPermissionsBoundary` 是 [AWS 受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)。
## 使用此政策
您可以將 `AmazonDataZoneProjectDeploymentPermissionsBoundary` 連接至使用者、群組與角色。
## 政策詳細資訊
+ **類型**: AWS 受管政策
+ **建立時間**:2023 年 3 月 21 日 02:54 UTC
+ **編輯時間:**2023 年 4 月 4 日 02:48 UTC
+ **ARN**: `arn:aws:iam::aws:policy/AmazonDataZoneProjectDeploymentPermissionsBoundary`
## 政策版本
**政策版本:** v2 (預設)
政策的預設版本是定義政策許可的版本。當具有 政策的使用者或角色提出存取 AWS 資源的請求時, 會 AWS 檢查政策的預設版本,以決定是否允許請求。
## JSON 政策文件
```
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"iam:CreateRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
],
"Resource" : "arn:aws:iam::*:role/*datazone*",
"Condition" : {
"StringEquals" : {
"iam:PermissionsBoundary" : "arn:aws:iam::aws:policy/AmazonDataZoneProjectRolePermissionsBoundary"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"iam:DeleteRole"
],
"Resource" : [
"arn:aws:iam::*:role/*datazone*"
]
},
{
"Effect" : "Allow",
"Action" : [
"kms:CreateKey",
"kms:TagResource",
"athena:CreateWorkGroup",
"athena:TagResource",
"iam:TagRole",
"iam:TagPolicy",
"logs:CreateLogGroup",
"logs:TagLogGroup",
"ssm:AddTagsToResource"
],
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringLike" : {
"aws:TagKeys" : "datazone:*"
},
"StringLike" : {
"aws:ResourceTag/datazone:projectId" : "proj-*"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"athena:DeleteWorkGroup",
"kms:ScheduleKeyDeletion",
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:DisableKeyRotation",
"kms:GenerateDataKey",
"kms:Encrypt",
"kms:Decrypt",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource" : "*",
"Condition" : {
"StringLike" : {
"aws:ResourceTag/datazone:projectId" : "proj-*"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringLike" : {
"aws:TagKeys" : "datazone:projectId"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"iam:DeletePolicy",
"s3:DeleteBucket"
],
"Resource" : [
"arn:aws:iam::*:policy/datazone*",
"arn:aws:s3:::datazone*"
]
},
{
"Effect" : "Allow",
"Action" : [
"ssm:GetParameter*",
"ssm:PutParameter",
"ssm:DeleteParameter"
],
"Resource" : [
"arn:aws:ssm:*:*:parameter/*datazone*"
]
},
{
"Effect" : "Allow",
"Action" : [
"iam:GetRole",
"iam:GetPolicy",
"iam:GetRolePolicy",
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"lakeformation:RegisterResource",
"lakeformation:DeregisterResource",
"lakeformation:GrantPermissions",
"lakeformation:PutDataLakeSettings",
"lakeformation:GetDataLakeSettings",
"lakeformation:RevokePermissions",
"lakeformation:ListPermissions",
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabases",
"glue:GetDatabase",
"sts:GetCallerIdentity"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:aws:iam::*:role/*datazone*"
]
},
{
"Effect" : "Allow",
"Action" : [
"s3:PutEncryptionConfiguration",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucketPolicy",
"s3:CreateBucket",
"s3:PutBucketPolicy",
"s3:PutBucketAcl",
"s3:PutBucketVersioning",
"s3:PutBucketTagging",
"s3:PutBucketLogging",
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:GetEncryptionConfiguration",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
],
"Resource" : "arn:aws:s3:::*datazone*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"athena:Get*",
"athena:List*",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:Describe*",
"ec2:Get*",
"ec2:List*",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"logs:DeleteLogGroup",
"logs:DeleteRetentionPolicy"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"kms:PutKeyPolicy"
],
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
}
},
{
"Effect" : "Allow",
"Action" : "ec2:CreateVpcEndpoint",
"NotResource" : "arn:aws:ec2:*:*:vpc-endpoint/*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateVpcEndpoint"
],
"Resource" : "arn:aws:ec2:*:*:vpc-endpoint/*",
"Condition" : {
"StringLike" : {
"ec2:VpceServiceName" : [
"com.amazonaws.*.logs",
"com.amazonaws.*.s3",
"com.amazonaws.*.glue",
"com.amazonaws.*.athena"
]
}
}
},
{
"Action" : [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:GetTemplate",
"cloudformation:DescribeChangeSet",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:TagResource",
"cloudformation:GetTemplateSummary"
],
"Effect" : "Allow",
"Resource" : [
"arn:aws:cloudformation:*:*:stack/DataZone*"
]
},
{
"Effect" : "Deny",
"Action" : [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:GetEncryptionConfiguration",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*",
"s3:DeleteBucket"
],
"NotResource" : [
"arn:aws:s3:::*datazone*"
]
},
{
"Effect" : "Deny",
"Action" : [
"kms:*"
],
"Resource" : "*",
"Condition" : {
"StringNotEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Effect" : "Deny",
"NotAction" : [
"ssm:PutParameter",
"ssm:DeleteParameter",
"ssm:AddTagsToResource",
"ssm:GetParameters",
"ssm:GetParameter",
"s3:PutEncryptionConfiguration",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucketPolicy",
"s3:CreateBucket",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketVersioning",
"s3:PutBucketTagging",
"s3:ListBucket",
"s3:PutBucketLogging",
"s3:DeleteBucket",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"iam:DeletePolicy",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:GetTemplate",
"cloudformation:DescribeChangeSet",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:TagResource",
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:GetTemplateSummary",
"athena:*",
"kms:*",
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabases",
"glue:GetDatabase",
"lambda:*",
"ec2:*",
"logs:*",
"servicecatalog:CreateApplication",
"servicecatalog:DeleteApplication",
"servicecatalog:GetApplication",
"lakeformation:RegisterResource",
"lakeformation:DeregisterResource",
"lakeformation:GrantPermissions",
"lakeformation:PutDataLakeSettings",
"lakeformation:RevokePermissions",
"lakeformation:GetDataLakeSettings",
"lakeformation:ListPermissions",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:UntagRole",
"iam:PassRole",
"iam:TagRole",
"s3:GetBucket*",
"s3:GetObject*",
"s3:Abort*",
"s3:GetEncryptionConfiguration",
"s3:PutObject*"
],
"Resource" : [
"*"
]
}
]
}
```
## 進一步了解
+ [在 IAM Identity Center 中使用 AWS 受管政策建立許可集](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html)
+ [新增和移除 IAM 身分許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)
+ [了解 IAM 政策的版本控制](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html)
+ [開始使用 AWS 受管政策並邁向最低權限許可](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)