docs/source/_static/managed-policies/AmazonDataZoneGlueManageAccessRolePolicy.json from udondan/iam-floyd

docs/source/_static/managed-policies/AmazonDataZoneGlueManageAccessRolePolicy.json
Summary

Maintainability

Test Coverage

Issues
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GlueTagDatabasePermissions",
      "Effect": "Allow",
      "Action": [
        "glue:TagResource",
        "glue:UntagResource",
        "glue:GetTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        },
        "ForAnyValue:StringLikeIfExists": {
          "aws:TagKeys": "DataZoneDiscoverable_*"
        }
      }
    },
    {
      "Sid": "GlueDataQualityPermissions",
      "Effect": "Allow",
      "Action": [
        "glue:ListDataQualityResults",
        "glue:GetDataQualityResult"
      ],
      "Resource": "arn:aws:glue:*:*:dataQualityRuleset/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "GlueTableDatabasePermissions",
      "Effect": "Allow",
      "Action": [
        "glue:CreateTable",
        "glue:DeleteTable",
        "glue:GetDatabases",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*",
        "arn:aws:glue:*:*:table/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "LakeformationResourceSharingPermissions",
      "Effect": "Allow",
      "Action": [
        "lakeformation:BatchGrantPermissions",
        "lakeformation:BatchRevokePermissions",
        "lakeformation:CreateDataCellsFilter",
        "lakeformation:CreateLakeFormationOptIn",
        "lakeformation:DeleteDataCellsFilter",
        "lakeformation:DeleteLakeFormationOptIn",
        "lakeformation:GrantPermissions",
        "lakeformation:GetDataCellsFilter",
        "lakeformation:GetResourceLFTags",
        "lakeformation:ListDataCellsFilter",
        "lakeformation:ListLakeFormationOptIns",
        "lakeformation:ListPermissions",
        "lakeformation:RegisterResource",
        "lakeformation:RevokePermissions",
        "lakeformation:UpdateDataCellsFilter",
        "glue:GetDatabase",
        "glue:GetTable",
        "organizations:DescribeOrganization",
        "ram:GetResourceShareInvitations",
        "ram:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CrossAccountRAMResourceSharingPermissions",
      "Effect": "Allow",
      "Action": [
        "glue:DeleteResourcePolicy",
        "glue:PutResourcePolicy"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*",
        "arn:aws:glue:*:*:table/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "ram.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CrossAccountLakeFormationResourceSharingPermissions",
      "Effect": "Allow",
      "Action": [
        "ram:CreateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "ram:RequestedResourceType": [
            "glue:Table",
            "glue:Database",
            "glue:Catalog"
          ]
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "lakeformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CrossAccountRAMResourceShareInvitationPermission",
      "Effect": "Allow",
      "Action": [
        "ram:AcceptResourceShareInvitation"
      ],
      "Resource": "arn:aws:ram:*:*:resource-share-invitation/*"
    },
    {
      "Sid": "CrossAccountRAMResourceSharingViaLakeFormationPermissions",
      "Effect": "Allow",
      "Action": [
        "ram:AssociateResourceShare",
        "ram:DeleteResourceShare",
        "ram:DisassociateResourceShare",
        "ram:GetResourceShares",
        "ram:ListResourceSharePermissions",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ram:ResourceShareName": [
            "LakeFormation*"
          ]
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "lakeformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CrossAccountRAMResourceSharingViaLakeFormationHybrid",
      "Effect": "Allow",
      "Action": "ram:AssociateResourceSharePermission",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ram:PermissionArn": "arn:aws:ram::aws:permission/AWSRAMLFEnabled*"
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "lakeformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "KMSDecryptPermission",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/datazone:projectId": "proj-all"
        }
      }
    },
    {
      "Sid": "GetRoleForDataZone",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AmazonDataZone*",
        "arn:aws:iam::*:role/service-role/AmazonDataZone*"
      ]
    },
    {
      "Sid": "PassRoleForDataLocationRegistration",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AmazonDataZone*",
        "arn:aws:iam::*:role/service-role/AmazonDataZone*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "lakeformation.amazonaws.com"
          ]
        }
      }
    }
  ]
}