Restrict creation of environment profiles in Amazon DataZone

0

I'm experimenting with Amazon DataZone and encountered something unexpected. I have a simple setup with one AWS account and one DataZone domain, which includes:

1 Glue Table 1 S3 bucket with my physical data 2 IAM users (one acting as a producer and the other as a consumer) 1 DataZone domain

Here's the scenario:

  1. The producer logs into the DataZone domain and creates a project, an environment profile, and an environment.
  2. A data source is created for the existing Glue Table within the environment.
  3. The data asset is published.
  4. The consumer logs in and creates a project, an environment profile, and an environment.
  5. The consumer searches for the data asset using the asset search.
  6. The consumer requests access to the data asset.
  7. After approval, the consumer gains access to the data asset and can query the data using the DataZone environment.

This process works as expected. However, we noticed that when creating an environment profile, there is an option to "Publish from any database." This option suggests that one can publish from any database within the AWS account.

In theory, the consumer could create a new environment profile with this option enabled and publish a data asset from the Glue Table they want access to. We tested this and found that the consumer can indeed publish a data asset for the Glue Table with this option enabled. The consumer can then subscribe to their own published data asset, thereby accessing the data without an access request. This seems to bypass the entire approval mechanism.

It's important to note that the consumer role/user used to log into DataZone doesn't have direct access to the data or the table in Glue. However, using DataZone as described above, the user can query the data.

My questions are:

Is this expected behavior? Can every user create an environment profile and access all data in the AWS account? Can we restrict this? Specifically, can we prevent a user from creating an environment profile? Thanks!

1 Answer
0

Yes, you can you can control which projects can use the blueprint(s) in your account to create environment profiles. You can do this by assigning managing projects to the blueprint’s configuration. Documentation link: https://docs.aws.amazon.com/datazone/latest/userguide/enable-default-blueprint.html.

Specify managing projects on enabled blueprints Navigate to the Amazon DataZone console at https://console.aws.amazon.com/datazone and sign in with your account credentials. Choose View Domains and then choose the domain where you want to add the managing project(s) for the chosen blueprint(s). Choose the Blueprints tab and then choose the blueprint that you want to work with. By default, all projects within the domain can use the DefaultDataLake or DefaultDataWareshouse, or the Amazon SageMaker blueprints in the account to create environment profiles. However, you can restrict this by assigning managing projects to the blueprints. To add managing projects, choose Select managing project, then choose the projects that you want to add as managing projects from the drop down menu, and then choose Select managing projects(s).

AWS
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions