Amazon managed policies for Amazon Glue - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon Glue

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.
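Because a managed-policy update lands on every attached principal at once, a practitioner wants two checks: what the new version grants that the previous one did not, and which users, groups and roles are affected. The script below is an added example (not Amazon's code or the text of any managed policy). The two policy documents are constructed to mirror the shape of the April 2024 entries in the change log; the real documents are much larger. The boto3 calls (list_policy_versions, get_policy_version, list_entities_for_policy) are real IAM APIs and need credentials; the policy ARN passed on the command line is the caller's choice (for example the AWSGlueServiceRole ARN, whose partition is aws-cn in the China Regions).

```python
"""Diff two versions of a managed policy and list who is attached to it.
Added example; VERSION_BEFORE / VERSION_AFTER are constructed, not real policy text."""
import json

VERSION_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["glue:CreateSession", "glue:RunStatement"],
        "Resource": "*",
    }],
}
VERSION_AFTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["glue:CreateSession", "glue:RunStatement",
                   "glue:StartCompletion", "glue:GetCompletion"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def grants(document):
    """Flatten a policy document into (Effect, Action, Resource, Condition) tuples so
    that two versions can be compared regardless of how statements are grouped."""
    out = set()
    for stmt in document["Statement"]:
        condition = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource", "*")):
                out.add((stmt["Effect"], action, resource, condition))
    return out


def diff_versions(old_doc, new_doc):
    """Return the grants added and removed between two policy versions."""
    old, new = grants(old_doc), grants(new_doc)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def latest_two_versions(policy_arn):
    """Fetch the newest and previous version documents (needs iam:ListPolicyVersions
    and iam:GetPolicyVersion). boto3 decodes the Document field into a dict."""
    import boto3  # imported here so the offline part of the file has no dependency
    iam = boto3.client("iam")
    versions = sorted(iam.list_policy_versions(PolicyArn=policy_arn)["Versions"],
                      key=lambda v: v["CreateDate"], reverse=True)
    return [iam.get_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
            ["PolicyVersion"]["Document"] for v in versions[:2]]


def attached_principals(policy_arn):
    """Every user, group and role the policy is attached to, i.e. who inherits the change."""
    import boto3
    iam = boto3.client("iam")
    out = {"users": [], "groups": [], "roles": []}
    for page in iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=policy_arn):
        out["users"] += [u["UserName"] for u in page["PolicyUsers"]]
        out["groups"] += [g["GroupName"] for g in page["PolicyGroups"]]
        out["roles"] += [r["RoleName"] for r in page["PolicyRoles"]]
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
        docs = latest_two_versions(sys.argv[1])
        if len(docs) == 2:
            print(json.dumps(diff_versions(docs[1], docs[0]), indent=2))
        print(json.dumps(attached_principals(sys.argv[1]), indent=2))
    else:  # offline demonstration on the constructed documents
        print(json.dumps(diff_versions(VERSION_BEFORE, VERSION_AFTER), indent=2))
```

Run it without arguments to see the constructed diff (two added actions, nothing removed); run it with a policy ARN to review the latest real change and the principals it reached. A removed grant is the case to look at first, since it can break a crawler or job role silently.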

Amazon managed (predefined) policies for Amazon Glue

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see Amazon managed policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to identities in your account, are specific to Amazon Glue and are grouped by use case scenario:

  • AWSGlueConsoleFullAccess – Grants full access to Amazon Glue resources when an identity that the policy is attached to uses the Amazon Web Services Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console.

  • AWSGlueServiceRole – Grants access to resources that various Amazon Glue processes require to run on your behalf. These resources include Amazon Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, Amazon Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints.

  • AwsGlueSessionUserRestrictedServiceRole – Provides full access to all Amazon Glue resources except for sessions. It allows users to create and use only the interactive sessions that are associated with the user. This policy includes other permissions needed by Amazon Glue to manage Amazon Glue resources in other Amazon services. The policy also allows adding tags to Amazon Glue resources in other Amazon services.

    Note

    To achieve the full security benefits, do not grant this policy to a user that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedPolicy – Provides access to create Amazon Glue interactive sessions using the CreateSession API operation only if a tag key “owner” and value that match the assignee's Amazon user ID are provided. This identity policy is attached to the IAM user that invokes the CreateSession API operation. This policy also permits the assignee to interact with the Amazon Glue interactive session resources that were created with an “owner” tag and value that match their Amazon user ID. This policy denies permission to change or remove "owner" tags from an Amazon Glue session resource after the session is created.

    Note

    To achieve the full security benefits, do not grant this policy to a user that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedNotebookServiceRole – Provides sufficient access to the Amazon Glue Studio notebook session to interact with specific Amazon Glue interactive session resources. These are resources that are created with the “owner” tag value that matches the Amazon user ID of the principal (IAM user or role) that creates the notebook. For more information about these tags, see the Principal key values chart in the IAM User Guide.

    This service-role policy is attached to the role that is specified with a magic command within the notebook or is passed as a role to the CreateSession API operation. This policy also permits the principal to create an Amazon Glue interactive session from the Amazon Glue Studio notebook interface only if a tag key “owner” and value match the Amazon user ID of the principal. This policy denies permission to change or remove "owner" tags from an Amazon Glue session resource after the session is created. This policy also includes permissions for writing and reading from Amazon S3 buckets, writing CloudWatch logs, and creating and deleting tags for Amazon EC2 resources used by Amazon Glue.

    Note

    To achieve the full security benefits, do not grant this policy to a role that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedNotebookPolicy – Provides access to create an Amazon Glue interactive session from the Amazon Glue Studio notebook interface only if there is a tag key “owner” and value that match the Amazon user ID of the principal (IAM user or role) that creates the notebook. For more information about these tags, see the Principal key values chart in the IAM User Guide.

    This policy is attached to the principal (IAM user or role) that creates sessions from the Amazon Glue Studio notebook interface. This policy also permits sufficient access to the Amazon Glue Studio notebook to interact with specific Amazon Glue interactive session resources. These are resources that are created with the “owner” tag value that matches the Amazon user ID of the principal. This policy denies permission to change or remove "owner" tags from an Amazon Glue session resource after the session is created.

  • AWSGlueServiceNotebookRole – Grants access to Amazon Glue sessions started in an Amazon Glue Studio notebook. This policy allows listing and getting session information for all sessions, but only permits users to create and use the sessions tagged with their Amazon user ID. This policy denies permission to change or remove “owner” tags from Amazon Glue session resources tagged with their Amazon user ID.

    Assign this policy to the Amazon user who creates jobs using the notebook interface in Amazon Glue Studio.

  • AWSGlueConsoleSageMakerNotebookFullAccess – Grants full access to Amazon Glue and SageMaker resources when the identity that the policy is attached to uses the Amazon Web Services Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console who manage SageMaker notebooks.

  • AWSGlueSchemaRegistryFullAccess – Grants full access to Amazon Glue Schema Registry resources when the identity that the policy is attached to uses the Amazon Web Services Management Console or Amazon CLI. If you follow the naming convention for resources specified in this policy, users have full console and CLI capabilities for the Schema Registry. This policy is typically attached to users of the Amazon Glue console or Amazon CLI who manage the Amazon Glue Schema Registry.

  • AWSGlueSchemaRegistryReadonlyAccess – Grants read-only access to Amazon Glue Schema Registry resources when an identity that the policy is attached to uses the Amazon Web Services Management Console or Amazon CLI. If you follow the naming convention for resources specified in this policy, users have read-only console and CLI capabilities for the Schema Registry. This policy is typically attached to users of the Amazon Glue console or Amazon CLI who use the Amazon Glue Schema Registry.

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for Amazon Glue actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.
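The session policies above all rest on one attribute-based pattern: CreateSession is allowed only when the request tags the new session with owner = the caller's user ID, later calls are allowed only against sessions whose owner tag matches the caller, and an explicit deny stops anyone from changing or removing the owner tag afterwards. The following is an added example that writes that pattern as a customer-managed policy of the kind the paragraph above suggests, together with a small evaluator that exercises it; it is not the text of any Amazon managed policy or Amazon's code. The session ARN shape, the partition (aws rather than aws-cn), the user IDs and the request contexts are constructed; the condition keys (aws:RequestTag/owner, aws:ResourceTag/owner, aws:TagKeys, ${aws:userid}) and the glue: actions are the real IAM and Glue names.

```python
"""Owner-tag (ABAC) pattern for Glue interactive sessions: illustrative customer-managed
policy plus a minimal evaluator. Added example; policy text is NOT an Amazon managed policy."""
import fnmatch

# Constructed values; the session ARN shape and the partition are assumptions.
SESSION_ARNS = "arn:aws:glue:*:*:session/*"
ALICE = "AIDAEXAMPLEALICE0001"   # constructed aws:userid of the calling IAM user
BOB = "AIDAEXAMPLEBOB000002"     # constructed aws:userid of another user

OWNER_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # CreateSession only when the request tags the new session owner=<caller>
            "Sid": "CreateOnlyOwnedSessions", "Effect": "Allow",
            "Action": "glue:CreateSession", "Resource": SESSION_ARNS,
            "Condition": {"StringEquals": {"aws:RequestTag/owner": "${aws:userid}"}},
        },
        {   # Use (and tag) only sessions whose owner tag is the caller
            "Sid": "UseOnlyOwnedSessions", "Effect": "Allow",
            "Action": ["glue:GetSession", "glue:RunStatement", "glue:GetStatement",
                       "glue:DeleteSession", "glue:TagResource", "glue:UntagResource"],
            "Resource": SESSION_ARNS,
            "Condition": {"StringEquals": {"aws:ResourceTag/owner": "${aws:userid}"}},
        },
        {   # Explicit deny: the owner tag can never be changed or removed after creation
            "Sid": "NeverRetagOwner", "Effect": "Deny",
            "Action": ["glue:TagResource", "glue:UntagResource"], "Resource": SESSION_ARNS,
            "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["owner"]}},
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. A key absent from the request never satisfies
    StringEquals, which is why an untagged CreateSession request is refused."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [w.replace("${aws:userid}", ctx["aws:userid"]) for w in _as_list(wanted)]
            if operator == "StringEquals":
                if ctx.get(key) not in wanted:
                    return False
            elif operator == "ForAnyValue:StringEquals":  # set key: any request value matches
                if not any(v in wanted for v in ctx.get(key, [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_matches(stmt, ctx):
    # IAM wildcards are * and ?; fnmatch covers both for ARNs and action names.
    if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not fnmatch.fnmatchcase(ctx["resource"], stmt["Resource"]):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def is_allowed(policy, ctx):
    """IAM decision order: an explicit Deny wins; without a matching Allow, deny."""
    matched = [s for s in policy["Statement"] if _statement_matches(s, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


def scenarios():
    """Requests by ALICE against her own session and BOB's; returns name -> allowed."""
    own = "arn:aws:glue:us-east-1:123456789012:session/alice-1"   # constructed
    bobs = "arn:aws:glue:us-east-1:123456789012:session/bob-1"    # constructed

    def req(action, resource=own, **extra):
        return {"aws:userid": ALICE, "action": action, "resource": resource, **extra}

    cases = {
        "create_own":      req("glue:CreateSession", **{"aws:RequestTag/owner": ALICE}),
        "create_as_bob":   req("glue:CreateSession", **{"aws:RequestTag/owner": BOB}),
        "create_untagged": req("glue:CreateSession"),
        "run_own":         req("glue:RunStatement", **{"aws:ResourceTag/owner": ALICE}),
        "run_bobs":        req("glue:RunStatement", bobs, **{"aws:ResourceTag/owner": BOB}),
        "tag_team_own":    req("glue:TagResource", **{"aws:ResourceTag/owner": ALICE, "aws:TagKeys": ["team"]}),
        "retag_owner_own": req("glue:TagResource", **{"aws:ResourceTag/owner": ALICE, "aws:TagKeys": ["owner"]}),
        "untag_owner_own": req("glue:UntagResource", **{"aws:ResourceTag/owner": ALICE, "aws:TagKeys": ["owner"]}),
    }
    return {name: is_allowed(OWNER_TAG_POLICY, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY'}")
```

Two of the results are the ones worth remembering when you write your own variant: create_untagged is denied because a missing aws:RequestTag/owner can never satisfy StringEquals, and retag_owner_own is denied even though an Allow statement matches, because the explicit Deny on the owner tag key takes precedence. Drop the Deny statement and the whole scheme collapses, since a user could retag a session to any owner. Before relying on such a policy, confirm it in the IAM policy simulator rather than in a model like this one.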

Amazon Glue updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon Glue since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Glue Document history page.

Each entry gives the date, the policy, the kind of change, and what changed and why.

  • April 30, 2024 – AwsGlueSessionUserRestrictedPolicy – Minor update to an existing policy. Add glue:StartCompletion and glue:GetCompletion to policy. Required for Amazon Q data integration in Amazon Glue.

  • April 30, 2024 – AwsGlueSessionUserRestrictedNotebookServiceRole – Minor update to an existing policy. Add glue:StartCompletion and glue:GetCompletion to policy. Required for Amazon Q data integration in Amazon Glue.

  • April 30, 2024 – AwsGlueSessionUserRestrictedServiceRole – Minor update to an existing policy. Add glue:StartCompletion and glue:GetCompletion to policy. Required for Amazon Q data integration in Amazon Glue.

  • January 30, 2024 – AWSGlueServiceNotebookRole – Minor update to an existing policy. Add glue:StartCompletion and glue:GetCompletion to policy. Required for Amazon Q data integration in Amazon Glue.

  • November 29, 2023 – AwsGlueSessionUserRestrictedNotebookPolicy – Minor update to an existing policy. Add glue:StartCompletion and glue:GetCompletion to policy. Required for Amazon Q data integration in Amazon Glue.

  • October 9, 2023 – AWSGlueServiceNotebookRole – Minor update to an existing policy. Add codewhisperer:GenerateRecommendations to policy. Required for a new feature where Amazon Glue generates CodeWhisperer recommendations.

  • August 4, 2023 – AWSGlueServiceRole – Minor update to an existing policy. Tighten scope of CloudWatch permissions to better reflect Amazon Glue logging.

  • May 9, 2023 – AWSGlueConsoleFullAccess – Minor update to an existing policy. Add databrew recipe List and Describe permissions to policy. Required to provide full administrative access for new features where Amazon Glue can access recipes.

  • March 28, 2023 – AWSGlueConsoleFullAccess – Minor update to an existing policy. Add cloudformation:ListStacks to policy. Preserves existing capabilities after changes to Amazon CloudFormation authorization requirements.

  • November 30, 2021 – New managed policies added for the interactive sessions feature:

      • AwsGlueSessionUserRestrictedServiceRole

      • AwsGlueSessionUserRestrictedPolicy

      • AwsGlueSessionUserRestrictedNotebookServiceRole

      • AwsGlueSessionUserRestrictedNotebookPolicy

    These policies were designed to provide additional security for interactive sessions and notebooks in Amazon Glue Studio. The policies restrict access to the CreateSession API operation so that only the owner has access.

  • July 15, 2021 – AWSGlueConsoleSageMakerNotebookFullAccess – Update to an existing policy. Removed a redundant resource ARN (arn:aws:s3:::aws-glue-*/*) for the action that grants read/write permissions on Amazon S3 buckets that Amazon Glue uses to store scripts and temporary files. Fixed a syntax issue by changing "StringEquals" to "ForAnyValue:StringLike", and moved the "Effect": "Allow" lines to precede the "Action": line in each place where they were out of order.

  • July 15, 2021 – AWSGlueConsoleFullAccess – Update to an existing policy. Removed a redundant resource ARN (arn:aws:s3:::aws-glue-*/*) for the action that grants read/write permissions on Amazon S3 buckets that Amazon Glue uses to store scripts and temporary files.

  • June 10, 2021 – Amazon Glue started tracking changes for its Amazon managed policies.