{"id":125,"date":"2026-04-12T22:01:37","date_gmt":"2026-04-12T22:01:37","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/aws-amazon-datazone-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-analytics\/"},"modified":"2026-04-12T22:01:37","modified_gmt":"2026-04-12T22:01:37","slug":"aws-amazon-datazone-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-analytics","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/aws-amazon-datazone-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-analytics\/","title":{"rendered":"AWS Amazon DataZone Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Analytics"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Analytics<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Amazon DataZone is an AWS Analytics service for organizing, discovering, governing, and sharing data across teams\u2014using a business-friendly data portal backed by AWS-native access controls.<\/p>\n\n\n\n

In simple terms: Amazon DataZone helps producers publish trusted datasets (\u201cdata products\u201d) and helps consumers find and request access to them, with approvals and governance built in.<\/p>\n\n\n\n

Technically, Amazon DataZone provides a domain-based<\/strong> data management layer (portal, catalog, and workflows) that integrates with AWS data systems such as Amazon S3 + AWS Glue Data Catalog + AWS Lake Formation<\/strong> and Amazon Redshift<\/strong>. It captures metadata, supports curation and ownership, and orchestrates subscription workflows so access can be granted in the underlying data systems.<\/p>\n\n\n\n

It solves a common problem in modern analytics platforms: data exists everywhere, but people can\u2019t find it, trust it, or get access to it safely<\/strong>. Amazon DataZone addresses discovery (catalog\/search), trust (metadata\/ownership), and controlled sharing (requests\/approvals + integrated permissions).<\/p>\n\n\n\n

2. What is Amazon DataZone?<\/h2>\n\n\n\n

Official purpose (what AWS built it for):<\/strong> Amazon DataZone is a managed data management service that helps organizations catalog, discover, share, and govern data at scale using a data portal, data products, and workflow-driven access.<\/p>\n\n\n\n

Core capabilities<\/h3>\n\n\n\n
    \n
  • Data discovery and cataloging:<\/strong> Bring technical metadata from supported sources into a searchable catalog.<\/li>\n
  • Business context:<\/strong> Add business metadata (descriptions, owners, glossary terms) so data is understandable to non-experts.<\/li>\n
  • Data products:<\/strong> Package datasets with context and ownership so they can be shared reliably.<\/li>\n
  • Subscription workflows:<\/strong> Let consumers request access; route requests to approvers; track status.<\/li>\n
  • Governed access:<\/strong> Integrate with AWS governance services (notably AWS Lake Formation for data lakes) so approvals can map to permissions in the underlying data system (capabilities vary by source type\u2014verify in official docs for your connectors and blueprints).<\/li>\n<\/ul>\n\n\n\n

    Major components (mental model)<\/h3>\n\n\n\n
      \n
    • Domain:<\/strong> The top-level boundary (like a \u201cdata organization\u201d) that hosts the data portal and governance model.<\/li>\n
    • Data portal:<\/strong> The user-facing web experience for search, publishing, and requesting access.<\/li>\n
    • Projects:<\/strong> Collaboration spaces where teams publish data products (producers) or consume them (consumers).<\/li>\n
    • Environments \/ Environment profiles \/ Blueprints:<\/strong> A structured way to attach real AWS data systems (for example, a data lake or data warehouse) to a project. Amazon DataZone uses these to understand where data lives and where access should be provisioned.<\/li>\n
    • Data sources and runs:<\/strong> Connect to supported metadata sources (for example, AWS Glue Data Catalog) and import assets into the catalog.<\/li>\n
    • Data assets:<\/strong> Catalog entries representing tables, views, files, etc. (depending on source).<\/li>\n
    • Data products:<\/strong> Curated, publishable groupings of assets with business metadata and ownership.<\/li>\n
    • Subscriptions:<\/strong> Requests and approvals for access to a data product (and, where supported, automated provisioning of permissions).<\/li>\n<\/ul>\n\n\n\n

      Service type<\/h3>\n\n\n\n
        \n
      • Managed AWS service<\/strong> with a console experience (portal) and APIs.<\/li>\n
      • Typically used as a governance and enablement layer<\/strong> above data lakes\/warehouses, not as a storage or compute engine itself.<\/li>\n<\/ul>\n\n\n\n

        Scope (regional\/global, and how to think about boundaries)<\/h3>\n\n\n\n
          \n
        • Regional service in practice:<\/strong> A domain is created in a specific AWS Region and is managed there. Data sources and environment integrations are typically Region-aligned.\nVerify current Region support and cross-Region behavior in official docs<\/strong>, because supported Regions and cross-account\/cross-Region patterns evolve.<\/li>\n<\/ul>\n\n\n\n

          Fit in the AWS ecosystem<\/h3>\n\n\n\n

          Amazon DataZone is not a replacement for your lake or warehouse; it sits \u201cabove\u201d them:\n– Amazon S3<\/strong> stores data.\n– AWS Glue Data Catalog<\/strong> stores table metadata for lake datasets.\n– AWS Lake Formation<\/strong> governs fine-grained access to S3\/Glue-based data lakes.\n– Amazon Athena<\/strong> queries S3 data (and uses Glue catalog metadata).\n– Amazon Redshift<\/strong> provides warehouse analytics and access controls.\n– AWS IAM Identity Center<\/strong> commonly provides workforce identity for the portal.\n– AWS CloudTrail<\/strong> provides audit trails of API activity.<\/p>\n\n\n\n

          3. Why use Amazon DataZone?<\/h2>\n\n\n\n

          Business reasons<\/h3>\n\n\n\n
            \n
          • Faster analytics outcomes:<\/strong> Teams spend less time hunting for data and negotiating access.<\/li>\n
          • Improved trust:<\/strong> Data products introduce ownership, context, and quality signals (as defined by your org).<\/li>\n
          • Scalable collaboration:<\/strong> Helps align many teams around a consistent catalog and request process.<\/li>\n<\/ul>\n\n\n\n

            Technical reasons<\/h3>\n\n\n\n
              \n
            • Metadata unification:<\/strong> Connects technical metadata to business context without forcing you to move data.<\/li>\n
            • Workflow-driven access:<\/strong> Standardizes \u201crequest \u2192 approve \u2192 provision\u201d patterns instead of ad hoc tickets.<\/li>\n
            • AWS-native integration:<\/strong> Builds on AWS governance constructs (especially relevant for S3\/Glue\/Lake Formation-based lakes).<\/li>\n<\/ul>\n\n\n\n

              Operational reasons<\/h3>\n\n\n\n
                \n
              • Repeatable governance model:<\/strong> Domains, projects, and roles formalize who can publish and approve.<\/li>\n
              • Reduced manual access management:<\/strong> Where supported, approvals can translate into permissions automatically.<\/li>\n
              • Self-service discovery:<\/strong> Portal experience reduces support load on platform teams.<\/li>\n<\/ul>\n\n\n\n

                Security\/compliance reasons<\/h3>\n\n\n\n
                  \n
                • Controlled sharing:<\/strong> Access is requested explicitly, often with approvers and audit trails.<\/li>\n
                • Least privilege:<\/strong> Aligns with IAM\/Lake Formation\/Redshift controls rather than broad bucket sharing.<\/li>\n
                • Auditability:<\/strong> Actions can be logged via AWS logging\/auditing tools (notably CloudTrail).<\/li>\n<\/ul>\n\n\n\n

                  Scalability\/performance reasons<\/h3>\n\n\n\n
                    \n
                  • Amazon DataZone primarily manages metadata and workflows; analytics performance depends on the underlying engines (Athena, Redshift, etc.). Scaling data discovery and governance becomes more manageable because it is centralized and standardized.<\/li>\n<\/ul>\n\n\n\n

                    When teams should choose Amazon DataZone<\/h3>\n\n\n\n

                    Choose it when you need:\n– A business-friendly data portal<\/strong> for discovery and sharing\n– A data product<\/strong> model to drive ownership and reuse\n– A standard access request process<\/strong> that can integrate with AWS governance controls\n– A multi-team or multi-account<\/strong> governance layer on AWS<\/p>\n\n\n\n

                    When teams should not choose Amazon DataZone<\/h3>\n\n\n\n

                    Avoid (or delay) it when:\n– You only have a small number of datasets and informal sharing is sufficient.\n– You need a full enterprise data governance suite with deep, vendor-agnostic capabilities across many non-AWS platforms\u2014Amazon DataZone may still fit, but validate connectors and governance requirements first.\n– Your primary challenge is data transformation\/ETL\/ELT\u2014Amazon DataZone is not an ETL service (consider AWS Glue, EMR, or managed third-party tools).\n– You need an on-prem-first catalog with extensive custom integrations; Amazon DataZone is AWS-managed and AWS-integrated by design.<\/p>\n\n\n\n

                    4. Where is Amazon DataZone used?<\/h2>\n\n\n\n

                    Industries<\/h3>\n\n\n\n
                      \n
                    • Financial services:<\/strong> governed access, audit trails, segregation of duties.<\/li>\n
                    • Healthcare & life sciences:<\/strong> controlled sharing of sensitive datasets and consistent dataset documentation.<\/li>\n
                    • Retail & e-commerce:<\/strong> cross-team sharing (marketing, merchandising, supply chain) and reuse.<\/li>\n
                    • Media & advertising:<\/strong> discoverability across event, audience, and campaign datasets.<\/li>\n
                    • Manufacturing & IoT:<\/strong> sharing telemetry-derived datasets across engineering, operations, and analytics.<\/li>\n<\/ul>\n\n\n\n

                      Team types<\/h3>\n\n\n\n
                        \n
                      • Data platform teams building an internal data portal<\/li>\n
                      • Data engineering teams publishing curated datasets<\/li>\n
                      • Governance and security teams defining access patterns<\/li>\n
                      • Analytics\/BI teams consuming governed datasets<\/li>\n
                      • ML teams discovering feature-ready datasets<\/li>\n<\/ul>\n\n\n\n

                        Workloads and architectures<\/h3>\n\n\n\n
                          \n
                        • Lake house<\/strong> on AWS: S3 + Glue + Lake Formation + Athena\/Redshift<\/li>\n
                        • Data mesh-style organizations with domain-oriented ownership (marketing, finance, product, etc.)<\/li>\n
                        • Multi-account analytics landing zones (central governance account + producer\/consumer accounts)<\/li>\n<\/ul>\n\n\n\n

                          Real-world deployment contexts<\/h3>\n\n\n\n
                            \n
                          • Production:<\/strong> typically includes cross-account integration, formal roles\/groups, approval workflows, and integration with Lake Formation\/Redshift permissioning.<\/li>\n
                          • Dev\/test:<\/strong> often a single account and a simplified governance model to validate portal, metadata ingestion, and subscription flows.<\/li>\n<\/ul>\n\n\n\n

                            5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                            Below are realistic scenarios where Amazon DataZone is commonly applied.<\/p>\n\n\n\n

                            1) Enterprise data catalog for AWS lake house<\/h3>\n\n\n\n
                              \n
                            • Problem:<\/strong> Data is spread across S3\/Glue\/Athena and Redshift; people can\u2019t find the right dataset.<\/li>\n
                            • Why Amazon DataZone fits:<\/strong> Central portal + metadata ingestion + ownership and descriptions.<\/li>\n
                            • Scenario:<\/strong> A platform team sets up one domain; each data domain creates projects to publish curated \u201cgold\u201d datasets as data products.<\/li>\n<\/ul>\n\n\n\n

                              2) Data mesh enablement (domain-based ownership)<\/h3>\n\n\n\n
                                \n
                              • Problem:<\/strong> Central data team becomes a bottleneck for publishing and access.<\/li>\n
                              • Why it fits:<\/strong> Projects + data products allow decentralization with governance guardrails.<\/li>\n
                              • Scenario:<\/strong> Finance, marketing, and product each publish their own data products; consumers request access through standardized workflows.<\/li>\n<\/ul>\n\n\n\n

                                3) Standardized access requests and approvals<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> Access is handled via tickets and manual IAM\/Lake Formation changes.<\/li>\n
                                • Why it fits:<\/strong> Subscriptions with approval workflow; can reduce manual steps.<\/li>\n
                                • Scenario:<\/strong> A consumer requests access to a PII-limited dataset; approval routes to data owner and compliance approver.<\/li>\n<\/ul>\n\n\n\n

                                  4) Curated \u201ccertified datasets\u201d program<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Analysts use inconsistent datasets and definitions.<\/li>\n
                                  • Why it fits:<\/strong> Data products + metadata and ownership; \u201ccertified\u201d can be represented via naming\/tagging conventions and governance.<\/li>\n
                                  • Scenario:<\/strong> The data governance team defines product templates for certified revenue metrics datasets.<\/li>\n<\/ul>\n\n\n\n

                                    5) Cross-account dataset sharing within an AWS Organization<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Producer and consumer teams operate in separate AWS accounts for isolation.<\/li>\n
                                    • Why it fits:<\/strong> Domain\/projects can be designed to map to multi-account environments (verify supported multi-account patterns in docs).<\/li>\n
                                    • Scenario:<\/strong> A shared services account hosts the domain; producer accounts publish; consumer accounts subscribe.<\/li>\n<\/ul>\n\n\n\n

                                      6) Onboarding new analysts and engineers faster<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> New hires don\u2019t know what data exists or what it means.<\/li>\n
                                      • Why it fits:<\/strong> Portal search + glossary + business descriptions reduce tribal knowledge.<\/li>\n
                                      • Scenario:<\/strong> New analyst searches \u201ccustomer churn,\u201d finds a product with definition, owner, and sample query.<\/li>\n<\/ul>\n\n\n\n

                                        7) Governance for sensitive datasets (PII\/PHI)<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Sensitive datasets need controlled access and traceability.<\/li>\n
                                        • Why it fits:<\/strong> Subscription workflows + integration with AWS governance controls.<\/li>\n
                                        • Scenario:<\/strong> HR data products require manager approval and documented purpose before access.<\/li>\n<\/ul>\n\n\n\n

                                          8) Rationalizing duplicate datasets<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Multiple teams publish the same dataset in different places.<\/li>\n
                                          • Why it fits:<\/strong> Central discovery and ownership highlights duplication.<\/li>\n
                                          • Scenario:<\/strong> Two \u201corders\u201d tables exist; DataZone metadata helps identify authoritative vs legacy.<\/li>\n<\/ul>\n\n\n\n

                                            9) Data producer\/consumer contract management<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Consumers break when producers change schema.<\/li>\n
                                            • Why it fits:<\/strong> Data products provide a durable interface concept; governance can formalize change processes.<\/li>\n
                                            • Scenario:<\/strong> Producer publishes v1 and v2 products; consumers migrate with communicated timelines.<\/li>\n<\/ul>\n\n\n\n

                                              10) Audit-friendly reporting of who has access to what<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> Compliance asks who accessed datasets and who approved.<\/li>\n
                                              • Why it fits:<\/strong> Workflow trail + integration with AWS auditing (CloudTrail) and underlying service logs.<\/li>\n
                                              • Scenario:<\/strong> Quarterly audit exports subscription approvals and validates Lake Formation grants.<\/li>\n<\/ul>\n\n\n\n

                                                6. Core Features<\/h2>\n\n\n\n
                                                \n

                                                Note: Feature availability and exact integrations can vary by Region and by source\/blueprint. Always validate in the official Amazon DataZone documentation for your Region and data systems.<\/p>\n<\/blockquote>\n\n\n\n

                                                1) Domains (governance boundary)<\/h3>\n\n\n\n
                                                  \n
                                                • What it does:<\/strong> Creates a dedicated Amazon DataZone space with a portal, user access model, and governance configuration.<\/li>\n
                                                • Why it matters:<\/strong> Separates governance and cataloging across organizations\/units if needed.<\/li>\n
                                                • Practical benefit:<\/strong> Clear boundary for policy, roles, and operational ownership.<\/li>\n
                                                • Caveat:<\/strong> Domain is Region-scoped in practice; plan for Region strategy.<\/li>\n<\/ul>\n\n\n\n

                                                  2) Data portal (search and discovery UI)<\/h3>\n\n\n\n
                                                    \n
                                                  • What it does:<\/strong> User interface to search, browse, and understand data assets and data products.<\/li>\n
                                                  • Why it matters:<\/strong> Enables self-service discovery for analysts and engineers.<\/li>\n
                                                  • Practical benefit:<\/strong> Reduced dependency on data platform teams.<\/li>\n
                                                  • Caveat:<\/strong> Users typically authenticate via AWS workforce identity integration (commonly IAM Identity Center).<\/li>\n<\/ul>\n\n\n\n

                                                    3) Projects (team workspaces)<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does:<\/strong> Organizes producers\/consumers into collaborative scopes for publishing and subscriptions.<\/li>\n
                                                    • Why it matters:<\/strong> Aligns governance and collaboration to team boundaries.<\/li>\n
                                                    • Practical benefit:<\/strong> Ownership, approvals, and assets can be managed per project.<\/li>\n
                                                    • Caveat:<\/strong> Project role design (owner\/contributor) must be planned to avoid over-permissioning.<\/li>\n<\/ul>\n\n\n\n

                                                      4) Environments and environment profiles (link projects to real data systems)<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does:<\/strong> Connects a project to a target environment where data lives or where access is provisioned.<\/li>\n
                                                      • Why it matters:<\/strong> Data governance is only effective when tied to actual systems and permissions.<\/li>\n
                                                      • Practical benefit:<\/strong> Standardizes how teams onboard new data systems.<\/li>\n
                                                      • Caveat:<\/strong> Provisioning may require prerequisite IAM roles and (for lakes) Lake Formation configuration.<\/li>\n<\/ul>\n\n\n\n

                                                        5) Data sources and metadata ingestion (\u201cruns\u201d)<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Imports technical metadata from supported systems into the Amazon DataZone catalog.<\/li>\n
                                                        • Why it matters:<\/strong> Keeps the portal aligned with real datasets.<\/li>\n
                                                        • Practical benefit:<\/strong> Reduces manual catalog entry and drift.<\/li>\n
                                                        • Caveat:<\/strong> Permissions must allow metadata read; ingestion is not the same as data movement.<\/li>\n<\/ul>\n\n\n\n

                                                          6) Data assets (catalog entries)<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Represents datasets (tables, views, etc.) discovered from a data source and enriched with metadata.<\/li>\n
                                                          • Why it matters:<\/strong> Assets are the atomic discoverable items in the portal.<\/li>\n
                                                          • Practical benefit:<\/strong> Enables searching by name, description, schema, and other metadata.<\/li>\n
                                                          • Caveat:<\/strong> Asset types depend on the connected source.<\/li>\n<\/ul>\n\n\n\n

                                                            7) Data products (curated shareable packages)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Packages one or more assets with business metadata (purpose, owner, usage notes).<\/li>\n
                                                            • Why it matters:<\/strong> Promotes reliable reuse and establishes accountability.<\/li>\n
                                                            • Practical benefit:<\/strong> Consumers subscribe to a product rather than random tables.<\/li>\n
                                                            • Caveat:<\/strong> You need internal standards (naming, owners, lifecycle) to make products meaningful.<\/li>\n<\/ul>\n\n\n\n

                                                              8) Subscription requests and approval workflows<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Lets consumers request access; routes to approvers; tracks status.<\/li>\n
                                                              • Why it matters:<\/strong> Replaces ad hoc access paths with auditable workflows.<\/li>\n
                                                              • Practical benefit:<\/strong> Consistent governance and reduced operational chaos.<\/li>\n
                                                              • Caveat:<\/strong> Automated provisioning depends on environment\/source integration; otherwise approvals may require manual follow-up.<\/li>\n<\/ul>\n\n\n\n

                                                                9) Integrated access provisioning (where supported)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> After approvals, configures access in underlying systems (for example, data lake permissions).<\/li>\n
                                                                • Why it matters:<\/strong> Governance must translate into enforceable permissions.<\/li>\n
                                                                • Practical benefit:<\/strong> Reduces manual policy updates.<\/li>\n
                                                                • Caveat:<\/strong> The exact behavior depends on the underlying systems and your setup; verify for your blueprint\/source.<\/li>\n<\/ul>\n\n\n\n

                                                                  10) Business metadata and glossary concepts<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> Enables consistent business definitions and context.<\/li>\n
                                                                  • Why it matters:<\/strong> Technical schemas alone are not enough for trust and comprehension.<\/li>\n
                                                                  • Practical benefit:<\/strong> Reduces ambiguity (\u201cWhat is \u2018customer\u2019?\u201d).<\/li>\n
                                                                  • Caveat:<\/strong> Glossary success depends on governance ownership and upkeep.<\/li>\n<\/ul>\n\n\n\n

                                                                    11) APIs, SDK support, and automation potential<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does:<\/strong> Offers programmatic access to manage domains\/projects\/assets\/subscriptions (via AWS APIs\/CLI where supported).<\/li>\n
                                                                    • Why it matters:<\/strong> Enables infrastructure-as-code adjacent workflows and integration with internal tooling.<\/li>\n
                                                                    • Practical benefit:<\/strong> Automate onboarding, metadata updates, and reporting.<\/li>\n
                                                                    • Caveat:<\/strong> Not all portal actions may be exposed equally; validate API coverage.<\/li>\n<\/ul>\n\n\n\n

                                                                      12) Auditing and observability via AWS-native tooling<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does:<\/strong> Integrates with AWS audit logging for API activity (notably CloudTrail).<\/li>\n
                                                                      • Why it matters:<\/strong> Governance requires traceability.<\/li>\n
                                                                      • Practical benefit:<\/strong> Supports compliance and incident investigations.<\/li>\n
                                                                      • Caveat:<\/strong> You must configure organization-level logging and retention to meet requirements.<\/li>\n<\/ul>\n\n\n\n

                                                                        7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                        High-level architecture<\/h3>\n\n\n\n

                                                                        Amazon DataZone sits between users and data systems:<\/p>\n\n\n\n

                                                                          \n
                                                                        1. Producers<\/strong> connect data sources (like AWS Glue Data Catalog) to import metadata into Amazon DataZone.<\/li>\n
                                                                        2. Producers curate assets<\/strong> into data products<\/strong> and publish them to the portal.<\/li>\n
                                                                        3. Consumers<\/strong> search the portal, evaluate metadata, and submit subscription requests<\/strong>.<\/li>\n
                                                                        4. Approvers review requests; when approved, Amazon DataZone (where supported) provisions permissions in the underlying data system (for example, Lake Formation grants) and tracks subscription status.<\/li>\n<\/ol>\n\n\n\n

                                                                          Control plane vs data plane<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Control plane (Amazon DataZone):<\/strong> metadata, workflows, approvals, catalog, and portal.<\/li>\n
                                                                          • Data plane (your data systems):<\/strong> S3\/Glue\/Athena\/Redshift where data is stored and queried.<\/li>\n
                                                                          • Important: Amazon DataZone generally does not become your query engine; your analytics engines remain Athena, Redshift, etc.<\/li>\n<\/ul>\n\n\n\n

                                                                            Integrations and dependency services (common)<\/h3>\n\n\n\n
                                                                              \n
                                                                            • AWS IAM Identity Center<\/strong> for user sign-in to the portal (verify identity prerequisites for your setup).<\/li>\n
                                                                            • AWS Glue Data Catalog<\/strong> as a metadata source for lake datasets.<\/li>\n
                                                                            • AWS Lake Formation<\/strong> for governed permissions in S3-based data lakes.<\/li>\n
                                                                            • Amazon Athena<\/strong> for querying S3 datasets.<\/li>\n
                                                                            • Amazon Redshift<\/strong> for warehouse datasets and access control (verify supported patterns).<\/li>\n
                                                                            • AWS CloudTrail<\/strong> for auditing.<\/li>\n
                                                                            • AWS KMS<\/strong> for encryption at rest (service-managed or customer-managed keys depending on configuration; verify options in your Region).<\/li>\n<\/ul>\n\n\n\n

                                                                              Security\/authentication model (typical)<\/h3>\n\n\n\n
                                                                                \n
                                                                              • End users authenticate to the portal (commonly via IAM Identity Center).<\/li>\n
                                                                              • Amazon DataZone uses AWS IAM roles to access metadata sources and to provision permissions.<\/li>\n
                                                                              • Fine-grained access enforcement occurs in the underlying data system (Lake Formation, Redshift, etc.).<\/li>\n<\/ul>\n\n\n\n

                                                                                Networking model (typical)<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Portal access is over standard AWS service endpoints.<\/li>\n
                                                                                • Access to your data plane remains within your AWS accounts and VPCs as configured for Athena\/Redshift and S3.<\/li>\n
                                                                                • If you require private connectivity (VPC endpoints\/PrivateLink), verify current support for Amazon DataZone endpoints<\/strong> in the official docs.<\/li>\n<\/ul>\n\n\n\n

                                                                                  Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Use CloudTrail<\/strong> to log Amazon DataZone API calls and correlate with user activity.<\/li>\n
                                                                                  • Monitor provisioning failures (environment creation, subscription provisioning) via the Amazon DataZone console and underlying services (CloudFormation\/Service Catalog\/Lake Formation\/Redshift logs depending on blueprint).<\/li>\n
                                                                                  • Establish governance KPIs: number of published products, subscription turnaround time, rejected requests, stale assets.<\/li>\n<\/ul>\n\n\n\n

                                                                                    Simple architecture diagram (conceptual)<\/h4>\n\n\n\n
                                                                                    flowchart LR\n  U1[Producer] --> P[Amazon DataZone Portal]\n  U2[Consumer] --> P\n\n  subgraph DZ[Amazon DataZone Domain]\n    P --> C[Catalog & Metadata]\n    P --> W[Subscription Workflow]\n  end\n\n  subgraph Lake[AWS Data Lake]\n    S3[(Amazon S3)]\n    Glue[(AWS Glue Data Catalog)]\n    LF[AWS Lake Formation]\n    Athena[Amazon Athena]\n    S3 --- Glue\n    LF --- S3\n    Athena --- Glue\n    Athena --- S3\n  end\n\n  C <---> Glue\n  W --> LF\n<\/code><\/pre>\n\n\n\n
                                                                                    Production-style architecture diagram (multi-account, governed)<\/h4>\n\n\n\n
                                                                                    flowchart TB\n  subgraph IdP[Workforce Identity]\n    IIC[AWS IAM Identity Center]\n  end\n\n  subgraph GovAcct[Shared Services \/ Governance Account]\n    DZ[Amazon DataZone Domain + Portal]\n    CT[Org CloudTrail + Central Log Archive]\n  end\n\n  subgraph ProdAcct1[Producer Account(s)]\n    S3P[(S3 data lake buckets)]\n    GlueP[(Glue Data Catalog)]\n    LFP[AWS Lake Formation]\n    ETL[AWS Glue \/ ETL jobs]\n  end\n\n  subgraph ConsAcct1[Consumer Account(s)]\n    AthenaC[Amazon Athena]\n    RedshiftC[Amazon Redshift]\n    RoleC[IAM roles for consumers]\n  end\n\n  IIC --> DZ\n  DZ -->|Ingest metadata| GlueP\n  DZ -->|Subscription approvals| DZ\n  DZ -->|Provision governed access (where supported)| LFP\n  LFP -->|Permissions| S3P\n\n  AthenaC --> GlueP\n  AthenaC --> S3P\n\n  DZ --> CT\n  GlueP --> CT\n  LFP --> CT\n  AthenaC --> CT\n  RedshiftC --> CT\n<\/code><\/pre>\n\n\n\n
                                                                                    8. Prerequisites<\/h2>\n\n\n\n
                                                                                    AWS account and org prerequisites<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • An AWS account where you can create and manage Amazon DataZone resources.<\/li>\n
                                                                                    • For enterprise patterns: AWS Organizations and multiple accounts are common, but not required for this lab.<\/li>\n<\/ul>\n\n\n\n
                                                                                      Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                      You typically need permissions to:\n– Create and manage an Amazon DataZone domain and projects\n– Configure IAM Identity Center (if not already configured)\n– Read metadata from AWS Glue Data Catalog\n– Create S3 buckets and upload a small dataset\n– Run Athena queries and create Glue catalog objects (database\/table)\n– (Optional but common) Configure Lake Formation administrators and grants<\/p>\n\n\n\n
                                                                                      A practical starting point for a lab:\n– Admin-level permissions in a sandbox account, or a role that includes:\n  – AmazonDataZoneFullAccess<\/code> (or equivalent fine-grained permissions\u2014verify AWS managed policies available in your account)\n  – IAMFullAccess<\/code> (for role creation\/inspection during lab)\n  – AmazonS3FullAccess<\/code>\n  – AmazonAthenaFullAccess<\/code>\n  – AWSGlueConsoleFullAccess<\/code>\n  – AWSLakeFormationDataAdmin<\/code> (if Lake Formation governance is part of your flow)<\/p>\n\n\n\n
                                                                                      Billing requirements<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • A billable AWS account.<\/li>\n
                                                                                      • Amazon DataZone has its own pricing plus indirect costs from S3, Glue, Athena, Lake Formation, and data transfer.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Tools needed<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • AWS Console access<\/li>\n
                                                                                        • AWS CLI v2 (optional but useful): https:\/\/docs.aws.amazon.com\/cli\/latest\/userguide\/getting-started-install.html<\/li>\n
                                                                                        • A text editor for CSV data<\/li>\n<\/ul>\n\n\n\n
                                                                                          Region availability<\/h3>\n\n\n\n
                                                                                          Amazon DataZone is not available in every Region.\n– Verify: https:\/\/aws.amazon.com\/about-aws\/global-infrastructure\/regional-product-services\/<\/p>\n\n\n\n
                                                                                          Quotas\/limits<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Check Service Quotas<\/strong> for Amazon DataZone in your Region.<\/li>\n
                                                                                          • Also consider quotas for Glue, Athena, Lake Formation, IAM Identity Center, and CloudFormation\/Service Catalog if used by environment provisioning.\n  Verify quotas in the Service Quotas console and the Amazon DataZone documentation.<\/li>\n<\/ul>\n\n\n\n
                                                                                            Prerequisite services<\/h3>\n\n\n\n
                                                                                            Common dependencies in real deployments:\n– AWS IAM Identity Center\n– AWS Glue Data Catalog\n– Amazon S3\n– Amazon Athena and\/or Amazon Redshift\n– AWS Lake Formation (for governed S3 lake access)<\/p>\n\n\n\n
                                                                                            9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                            Amazon DataZone pricing is usage-based. The exact dimensions and rates can change and can be Region-dependent.<\/p>\n\n\n\n
                                                                                              \n
                                                                                            • Official pricing page: https:\/\/aws.amazon.com\/datazone\/pricing\/<\/li>\n
                                                                                            • AWS Pricing Calculator: https:\/\/calculator.aws\/#\/<\/li>\n<\/ul>\n\n\n\n
                                                                                              Pricing dimensions (what typically drives cost)<\/h3>\n\n\n\n
                                                                                              From AWS\u2019s standard approach for governance\/catalog services, Amazon DataZone commonly charges based on:\n– Domain usage<\/strong> (for example, an hourly \u201cdomain\u201d charge), and\/or\n– User-based access<\/strong> (for example, active users per month)<\/p>\n\n\n\n
                                                                                              Verify the current pricing dimensions and definitions on the official pricing page<\/strong>, including how AWS defines \u201cusers\u201d (for example, portal users) and what constitutes billable domain time.<\/p>\n\n\n\n
                                                                                              Free tier<\/h3>\n\n\n\n
                                                                                              Amazon DataZone may or may not have a free tier or trial in your Region\/time period.\n– Verify on the official pricing page<\/strong>.<\/p>\n\n\n\n
                                                                                              Direct cost drivers<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Number of domains<\/li>\n
                                                                                              • Number of users accessing the portal (depending on pricing model)<\/li>\n
                                                                                              • Duration domains are running (if domain-hour based)<\/li>\n
                                                                                              • Automation\/API usage (if requests are billed\u2014verify)<\/li>\n<\/ul>\n\n\n\n
                                                                                                Hidden or indirect costs (often bigger than the DataZone line item)<\/h3>\n\n\n\n
                                                                                                Even if Amazon DataZone costs are modest, the total solution cost often comes from:\n– S3 storage<\/strong> (data lake)\n– Athena query scanning<\/strong> (pay-per-data-scanned)\n– Glue<\/strong> (crawlers, jobs, Data Catalog requests)\n– Redshift<\/strong> (clusters\/serverless usage)\n– CloudTrail + log storage<\/strong> (especially org-wide)\n– Data transfer<\/strong> (cross-Region, cross-account, NAT gateways; depends on architecture)<\/p>\n\n\n\n
                                                                                                Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • DataZone mostly handles metadata and control-plane actions, but if your consumers query data across accounts\/Regions or through NAT gateways, data transfer can dominate costs.<\/li>\n
                                                                                                • Prefer same-Region access patterns for lake queries where possible.<\/li>\n<\/ul>\n\n\n\n
                                                                                                  How to optimize cost<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Use one domain per governance boundary<\/strong>, not per team, unless required.<\/li>\n
                                                                                                  • Manage portal access through groups; remove inactive users promptly.<\/li>\n
                                                                                                  • Keep dev\/test domains short-lived if domain-hour pricing applies.<\/li>\n
                                                                                                  • Reduce Athena scan costs with partitioning and columnar formats (Parquet\/ORC) and use workgroup controls.<\/li>\n
                                                                                                  • Use Glue crawlers sparingly; prefer schema-on-read or controlled DDL where possible.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Example low-cost starter estimate (formula-based, no fabricated numbers)<\/h3>\n\n\n\n
                                                                                                    A minimal pilot often includes:\n– 1 Amazon DataZone domain\n– 10\u201350 portal users\n– A small S3 bucket with sample data\n– A few Athena queries and a Glue database\/table<\/p>\n\n\n\n
                                                                                                    Estimate:\n– Amazon DataZone<\/strong>: (domain_rate \u00d7 hours) + (user_rate \u00d7 users) (verify rates)<\/em>\n– S3<\/strong>: storage_gb_month + requests\n– Athena<\/strong>: data_scanned_gb \u00d7 rate_per_tb (verify)<\/em>\n– Glue<\/strong>: crawler_minutes\/job_minutes (if used)<\/em><\/p>\n\n\n\n
                                                                                                    Use the AWS Pricing Calculator to model your specific Region and usage.<\/p>\n\n\n\n
                                                                                                    Example production cost considerations<\/h3>\n\n\n\n
                                                                                                    In production, cost drivers shift:\n– Many more users (hundreds\/thousands)\n– Multiple accounts and environments\n– Larger query volumes (Athena\/Redshift)\n– Higher logging and retention requirements\n– More governance overhead (crawlers, metadata refresh schedules)<\/p>\n\n\n\n
                                                                                                    A best practice is to track:\n– cost per domain\n– cost per active portal user\n– cost per subscribed product\n– cost per query workload (Athena\/Redshift)<\/p>\n\n\n\n
                                                                                                    10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                    This lab walks you through a small, realistic Amazon DataZone setup in a single AWS account:\n– Create an Amazon DataZone domain\n– Create producer and consumer projects\n– Register a Glue Data Catalog table as a discoverable asset\n– Publish a data product\n– Request and approve a subscription\n– Validate outcomes and clean up safely<\/p>\n\n\n\n
                                                                                                    Objective<\/h3>\n\n\n\n
                                                                                                    Build a minimal governed data-sharing workflow using Amazon DataZone with an S3 + Athena + Glue dataset.<\/p>\n\n\n\n
                                                                                                    Lab Overview<\/h3>\n\n\n\n
                                                                                                    You will:\n1. Prepare a small dataset in Amazon S3 and register it in the AWS Glue Data Catalog (via Athena DDL).\n2. Create an Amazon DataZone domain (portal).\n3. Create two projects: Producer<\/strong> and Consumer<\/strong>.\n4. Configure a metadata source (Glue Data Catalog) and run ingestion.\n5. Create and publish a data product from the ingested asset.\n6. Request access to the data product from the consumer project and approve it.\n7. Validate that the subscription completes (and optionally validate Lake Formation grants if your setup uses LF).<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                    Notes before you begin:\n– Amazon DataZone requires a supported Region. Pick one where it is available.\n– Identity setup varies by account. Many setups use IAM Identity Center.\n– If any step differs in your console (AWS updates UI often), follow the closest equivalent in the official docs: https:\/\/docs.aws.amazon.com\/datazone\/<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 1: Choose a Region and confirm prerequisites<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    1. In the AWS Console, switch to a Region where Amazon DataZone is supported.<\/li>\n
                                                                                                    2. Confirm you can access:\n   – Amazon S3\n   – Amazon Athena\n   – AWS Glue Data Catalog\n   – Amazon DataZone<\/li>\n<\/ol>\n\n\n\n
                                                                                                      Expected outcome:<\/strong> You have selected a supported Region and can open the Amazon DataZone console.<\/p>\n\n\n\n
                                                                                                      \n\n\n\n
                                                                                                      Step 2: Create a small dataset in Amazon S3<\/h3>\n\n\n\n
                                                                                                      Create a bucket (choose a globally unique name):<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                      1. Go to Amazon S3 \u2192 Buckets \u2192 Create bucket<\/strong><\/li>\n
                                                                                                      2. Bucket name: datazone-lab-<yourname>-<region>-<unique><\/code><\/li>\n
                                                                                                      3. Keep defaults (block public access ON).<\/li>\n<\/ol>\n\n\n\n
                                                                                                        Create a small CSV file named customers.csv<\/code>:<\/p>\n\n\n\n
                                                                                                        customer_id,customer_name,segment,signup_date,country\n1,Acme Corp,enterprise,2024-01-10,US\n2,Bluebird Ltd,midmarket,2024-02-12,GB\n3,Cedar GmbH,enterprise,2024-03-05,DE\n4,Delta Co,smb,2024-03-18,US\n<\/code><\/pre>\n\n\n\n
                                                                                                        Upload it to S3:\n– Create a folder prefix: datasets\/customers\/<\/code>\n– Upload customers.csv<\/code> to s3:\/\/<your-bucket>\/datasets\/customers\/customers.csv<\/code><\/p>\n\n\n\n
                                                                                                        Expected outcome:<\/strong> The CSV file is stored in S3 at a stable location.<\/p>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        Step 3: Create an Athena database and external table (Glue Data Catalog)<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        1. Open Amazon Athena<\/strong>.<\/li>\n
                                                                                                        2. \n
                                                                                                          Set a query results location (required):\n   – Athena \u2192 Settings \u2192 Manage \u2192 set query result location to something like:\ns3:\/\/<your-bucket>\/athena-results\/<\/code><\/p>\n<\/li>\n
                                                                                                        3. \n
                                                                                                          In Athena, run:<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                          CREATE DATABASE IF NOT EXISTS datazone_lab;\n<\/code><\/pre>\n\n\n\n
                                                                                                            \n
                                                                                                          1. Create an external table pointing to your CSV:<\/li>\n<\/ol>\n\n\n\n
                                                                                                            CREATE EXTERNAL TABLE IF NOT EXISTS datazone_lab.customers_csv (\n  customer_id int,\n  customer_name string,\n  segment string,\n  signup_date date,\n  country string\n)\nROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.OpenCSVSerde'\nWITH SERDEPROPERTIES (\n  'separatorChar' = ',',\n  'quoteChar'     = '\\\"',\n  'escapeChar'    = '\\\\'\n)\nSTORED AS TEXTFILE\nLOCATION 's3:\/\/<your-bucket>\/datasets\/customers\/'\nTBLPROPERTIES ('skip.header.line.count'='1');\n<\/code><\/pre>\n\n\n\n
                                                                                                              \n
                                                                                                            1. Validate by querying:<\/li>\n<\/ol>\n\n\n\n
                                                                                                              SELECT * FROM datazone_lab.customers_csv LIMIT 10;\n<\/code><\/pre>\n\n\n\n
                                                                                                              Expected outcome:<\/strong> Query returns 4 rows. The table appears in the AWS Glue Data Catalog<\/strong> database datazone_lab<\/code>.<\/p>\n\n\n\n
                                                                                                              \n\n\n\n
                                                                                                              Step 4: Enable IAM Identity Center (if required) and create two users<\/h3>\n\n\n\n
                                                                                                              Amazon DataZone commonly uses IAM Identity Center for portal authentication.<\/p>\n\n\n\n
                                                                                                                \n
                                                                                                              1. Open IAM Identity Center<\/strong> in the same Region (or the Region required by your Identity Center setup).<\/li>\n
                                                                                                              2. If not enabled, enable IAM Identity Center (console will guide you).\n   – If your organization already has it enabled, reuse it.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                Create two users (example):\n– producer.user@yourcompany.com<\/code>\n– consumer.user@yourcompany.com<\/code><\/p>\n\n\n\n
                                                                                                                Optionally create two groups:\n– datazone-producers<\/code>\n– datazone-consumers<\/code><\/p>\n\n\n\n
                                                                                                                Assign the users to groups.<\/p>\n\n\n\n
                                                                                                                Expected outcome:<\/strong> You have two identities you can use to test producer and consumer workflows.<\/p>\n\n\n\n
                                                                                                                \n
                                                                                                                If your organization uses an external IdP (Okta\/Azure AD\/etc.), follow your established process. The goal is simply: two distinct users can sign in to the DataZone portal.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                Step 5: Create an Amazon DataZone domain<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                1. Open Amazon DataZone<\/strong> console.<\/li>\n
                                                                                                                2. Choose Create domain<\/strong>.<\/li>\n
                                                                                                                3. Provide:\n   – Domain name: datazone-lab-domain<\/code>\n   – Description: optional<\/li>\n
                                                                                                                4. Identity configuration:\n   – Select your IAM Identity Center instance as prompted.<\/li>\n
                                                                                                                5. IAM role:\n   – If the console offers to create a domain execution role, allow it (recommended for labs).\n   – If you must specify a role, follow the console guidance and ensure it can access required services.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                  Create the domain.<\/p>\n\n\n\n
                                                                                                                  Expected outcome:<\/strong> Domain is created and you can open the Data portal<\/strong> for that domain.<\/p>\n\n\n\n
                                                                                                                  \n\n\n\n
                                                                                                                  Step 6: Create Producer and Consumer projects<\/h3>\n\n\n\n
                                                                                                                  In the domain:<\/p>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. Go to Projects \u2192 Create project<\/strong><\/li>\n
                                                                                                                  2. Create:\n   – Project 1: ProducerProject<\/code>\n   – Project 2: ConsumerProject<\/code><\/li>\n<\/ol>\n\n\n\n
                                                                                                                    Assign members:\n– Add producer.user<\/code> to ProducerProject<\/code> with a role that can publish (for example, project owner\/contributor as appropriate).\n– Add consumer.user<\/code> to ConsumerProject<\/code>.<\/p>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Two projects exist, each with the right user assigned.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 7: Configure a data source to ingest Glue Data Catalog metadata<\/h3>\n\n\n\n
                                                                                                                    Now connect Amazon DataZone to the AWS Glue Data Catalog database you created.<\/p>\n\n\n\n
                                                                                                                      \n
                                                                                                                    1. Open the Data portal<\/strong> and switch to ProducerProject<\/code>.<\/li>\n
                                                                                                                    2. Find Data sources<\/strong> (naming may vary slightly) and choose Create data source<\/strong>.<\/li>\n
                                                                                                                    3. Choose a source type that corresponds to AWS Glue Data Catalog<\/strong> (or \u201cData lake catalog\u201d\/Athena\/Glue integration\u2014follow console options).<\/li>\n
                                                                                                                    4. Configure:\n   – Target database: datazone_lab<\/code>\n   – Scope: include the customers_csv<\/code> table\n   – Schedule: \u201crun on demand\u201d for the lab<\/li>\n<\/ol>\n\n\n\n
                                                                                                                      Run the data source ingestion (\u201cRun\u201d \/ \u201cStart run\u201d).<\/p>\n\n\n\n
                                                                                                                      Expected outcome:<\/strong> The ingestion run completes successfully and the customers_csv<\/code> asset appears in the Amazon DataZone catalog for the domain.<\/p>\n\n\n\n
                                                                                                                      \n
                                                                                                                      If the run fails due to permissions:\n– Confirm the domain execution role (or relevant DataZone roles) can read Glue catalog metadata.\n– If Lake Formation is enforcing permissions on the Data Catalog, you may need to grant metadata access. This is common in governed environments\u2014see Troubleshooting below.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Step 8: Create and publish a data product<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      1. In ProducerProject<\/code>, find the ingested asset customers_csv<\/code>.<\/li>\n
                                                                                                                      2. Add business metadata:\n   – Description: \u201cCustomer master list for analytics training\u201d\n   – Owner: assign yourself or the producer project owner\n   – Add keywords\/tags like customer<\/code>, training<\/code>, demo<\/code><\/li>\n
                                                                                                                      3. Create a Data product<\/strong>:\n   – Name: Customer Master (Lab)<\/code>\n   – Add the asset datazone_lab.customers_csv<\/code>\n   – Add usage guidance: example query and data freshness notes<\/li>\n
                                                                                                                      4. Publish the data product to the catalog.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                        Expected outcome:<\/strong> The product is discoverable in the portal by other users\/projects.<\/p>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        Step 9: Request a subscription from the Consumer project<\/h3>\n\n\n\n
                                                                                                                        Sign in as the consumer user (or use portal impersonation if your org allows it):<\/p>\n\n\n\n
                                                                                                                          \n
                                                                                                                        1. Open the Amazon DataZone portal.<\/li>\n
                                                                                                                        2. Switch to ConsumerProject<\/code>.<\/li>\n
                                                                                                                        3. Search for the published data product: Customer Master (Lab)<\/code>.<\/li>\n
                                                                                                                        4. Open it and choose Request subscription<\/strong> (or similar).<\/li>\n
                                                                                                                        5. Provide a reason:\n   – \u201cNeed to build a churn dashboard training exercise\u201d<\/li>\n<\/ol>\n\n\n\n
                                                                                                                          Submit the request.<\/p>\n\n\n\n
                                                                                                                          Expected outcome:<\/strong> Subscription request is created and awaits approval.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 10: Approve the subscription request<\/h3>\n\n\n\n
                                                                                                                          Sign in as the producer (or the designated approver\/owner):<\/p>\n\n\n\n
                                                                                                                            \n
                                                                                                                          1. Open the portal and go to notifications or subscription requests.<\/li>\n
                                                                                                                          2. Review the request details (requester, purpose, product).<\/li>\n
                                                                                                                          3. Approve the request.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                            Expected outcome:<\/strong> Subscription status changes to approved and eventually to fulfilled\/provisioned (wording varies).<\/p>\n\n\n\n
                                                                                                                            \n
                                                                                                                            Provisioning behavior depends on how environments are configured and what source system is used. In some setups, approval triggers automated permissions in Lake Formation\/Redshift; in others, it may require additional steps. Verify your environment blueprint and integration behavior in the docs.<\/strong><\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                            \n\n\n\n
                                                                                                                            Validation<\/h3>\n\n\n\n
                                                                                                                            Use the following checks:<\/p>\n\n\n\n
                                                                                                                              \n
                                                                                                                            1. \n
                                                                                                                              Portal visibility<\/strong>\n   – As consumer, confirm the subscription is active and the product appears in your project\u2019s subscribed items.<\/p>\n<\/li>\n
                                                                                                                            2. \n
                                                                                                                              Metadata correctness<\/strong>\n   – Verify the asset schema is visible in the portal.\n   – Verify business description, owner, and tags display.<\/p>\n<\/li>\n
                                                                                                                            3. \n
                                                                                                                              Optional: Validate permissions at the data plane<\/strong>\n   – If using Lake Formation governed access, check Lake Formation \u2192 Permissions<\/strong> for grants related to the dataset and consumer principals\/roles.\n   – If using Athena, attempt to run:\n     sql\n     SELECT COUNT(*) FROM datazone_lab.customers_csv;<\/code>\n     using the consumer\u2019s authorized path (this may require role-based access configuration beyond the portal\u2014verify your organization\u2019s access model).<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                              Expected outcome:<\/strong> Data product is subscribed, and (where configured) access is granted in the underlying system.<\/p>\n\n\n\n
                                                                                                                              \n\n\n\n
                                                                                                                              Troubleshooting<\/h3>\n\n\n\n
                                                                                                                              Common issues and fixes:<\/p>\n\n\n\n
                                                                                                                                \n
                                                                                                                              1. \n
                                                                                                                                \u201cAmazon DataZone is not available in this Region\u201d<\/strong>\n   – Switch to a supported Region.\n   – Verify Region support list: https:\/\/aws.amazon.com\/about-aws\/global-infrastructure\/regional-product-services\/<\/p>\n<\/li>\n
                                                                                                                              2. \n
                                                                                                                                Cannot create domain \/ identity center issues<\/strong>\n   – Confirm IAM Identity Center is enabled and you selected the correct instance.\n   – In AWS Organizations, ensure you are using the correct delegated admin settings for IAM Identity Center (org-specific).<\/p>\n<\/li>\n
                                                                                                                              3. \n
                                                                                                                                Data source run fails with AccessDenied (Glue\/Lake Formation)<\/strong>\n   – Confirm the domain execution role (and\/or the configured DataZone roles) can read Glue metadata.\n   – If Lake Formation is enabled, you may need to grant the role permission to describe databases\/tables and\/or access underlying locations.\n     Validate with Lake Formation administrators. (Exact grants depend on your LF mode\u2014IAM-only vs LF-managed\u2014verify in docs.)<\/p>\n<\/li>\n
                                                                                                                              4. \n
                                                                                                                                Subscription approved but not provisioned<\/strong>\n   – Check whether you configured environments\/environment profiles needed for automated provisioning.\n   – Inspect underlying provisioning services used by your blueprint (often CloudFormation\/Service Catalog patterns\u2014verify for your setup).\n   – Check CloudTrail for failed API calls and relevant service logs.<\/p>\n<\/li>\n
                                                                                                                              5. \n
                                                                                                                                Athena query fails after subscription<\/strong>\n   – Subscription in DataZone does not automatically guarantee your Athena console session has the right IAM\/Lake Formation permissions.\n   – Ensure the querying principal matches the role\/user to which permissions were granted.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                \n\n\n\n
                                                                                                                                Cleanup<\/h3>\n\n\n\n
                                                                                                                                To avoid ongoing charges and leftover resources:<\/p>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                1. \n
                                                                                                                                  Amazon DataZone<\/strong>\n   – Delete subscription requests\/subscriptions (if required by UI).\n   – Delete data products (if required).\n   – Delete data sources.\n   – Delete projects.\n   – Delete the domain.<\/p>\n<\/li>\n
                                                                                                                                2. \n
                                                                                                                                  Athena\/Glue<\/strong>\n   – Drop the table:\n     sql\n     DROP TABLE IF EXISTS datazone_lab.customers_csv;<\/code>\n   – Drop the database:\n     sql\n     DROP DATABASE IF EXISTS datazone_lab;<\/code><\/p>\n<\/li>\n
                                                                                                                                3. \n
                                                                                                                                  S3<\/strong>\n   – Delete uploaded data: datasets\/customers\/customers.csv<\/code>\n   – Delete Athena results prefix: athena-results\/<\/code>\n   – Empty and delete the bucket (if it was created only for this lab).<\/p>\n<\/li>\n
                                                                                                                                4. \n
                                                                                                                                  Identity Center<\/strong>\n   – Delete lab users\/groups if they were created solely for the lab.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                  Expected outcome:<\/strong> No active DataZone domain, no leftover S3 data, and no ongoing costs from lab resources.<\/p>\n\n\n\n
                                                                                                                                  11. Best Practices<\/h2>\n\n\n\n
                                                                                                                                  Architecture best practices<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Start with one domain per governance boundary.<\/strong> Too many domains fragment discovery.<\/li>\n
                                                                                                                                  • Align projects to teams or data domains.<\/strong> Producer projects map to ownership boundaries; consumer projects map to consuming teams\/apps.<\/li>\n
                                                                                                                                  • Standardize environments.<\/strong> Use consistent environment profiles\/blueprints to reduce drift.<\/li>\n
                                                                                                                                  • Treat data products as stable contracts.<\/strong> Include ownership, SLA\/freshness, schema expectations, and change process.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Use groups (Identity Center) not individual users<\/strong> for project membership where possible.<\/li>\n
                                                                                                                                    • Separate producer and consumer roles<\/strong>; avoid letting consumers publish production products.<\/li>\n
                                                                                                                                    • Minimize domain admin count.<\/strong> Domain admins typically have broad powers.<\/li>\n
                                                                                                                                    • Use least privilege for execution\/provisioning roles.<\/strong> Scope to required services, databases, buckets, and LF permissions.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Cost best practices<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Limit portal access to real users<\/strong> who need it; remove inactive accounts.<\/li>\n
                                                                                                                                      • Keep dev\/test domains short-lived<\/strong> if domain-hour pricing applies.<\/li>\n
                                                                                                                                      • Optimize Athena costs<\/strong> (partitioning, Parquet, workgroups, query limits).<\/li>\n
                                                                                                                                      • Schedule metadata refreshes thoughtfully.<\/strong> Avoid overly frequent ingestion runs if they trigger other service costs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Performance best practices<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • DataZone performance is mostly about catalog usability:<\/li>\n
                                                                                                                                        • Keep naming consistent and searchable.<\/li>\n
                                                                                                                                        • Use tags\/keywords and strong descriptions.<\/li>\n
                                                                                                                                        • Avoid dumping raw assets without curation\u2014curated products reduce time-to-find.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Treat environment provisioning as infrastructure:<\/li>\n
                                                                                                                                          • Standardize via templates and change control.<\/li>\n
                                                                                                                                          • Monitor provisioning failures and retry patterns.<\/li>\n
                                                                                                                                          • Ensure logging and audit trails are enabled org-wide.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Operations best practices<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Define operational ownership:<\/strong> who maintains data sources, resolves ingestion failures, and manages domain config.<\/li>\n
                                                                                                                                            • Create runbooks:<\/strong> common issues (LF permission issues, failed provisioning, stale metadata).<\/li>\n
                                                                                                                                            • Measure governance:<\/strong> subscription lead time, number of certified products, stale products.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Establish conventions:<\/li>\n
                                                                                                                                              • Product names: Domain - Subject - Level (Bronze\/Silver\/Gold)<\/code><\/li>\n
                                                                                                                                              • Owners: always set owner group + primary contact<\/li>\n
                                                                                                                                              • Tags: pii<\/code>, confidential<\/code>, public<\/code>, finance<\/code>, marketing<\/code>, customer<\/code><\/li>\n
                                                                                                                                              • Add lifecycle metadata: deprecated date, replacement product, update cadence.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                                Identity and access model<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Portal users typically authenticate via AWS IAM Identity Center<\/strong>.<\/li>\n
                                                                                                                                                • Permissions in Amazon DataZone control who can:<\/li>\n
                                                                                                                                                • create\/manage domains<\/li>\n
                                                                                                                                                • create projects<\/li>\n
                                                                                                                                                • publish products<\/li>\n
                                                                                                                                                • approve subscriptions<\/li>\n
                                                                                                                                                • Data access enforcement occurs in underlying systems:<\/li>\n
                                                                                                                                                • Lake Formation<\/strong> for S3\/Glue-based lakes<\/li>\n
                                                                                                                                                • Redshift<\/strong> grants for warehouses (verify integration specifics)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Recommendation:<\/strong> Treat Amazon DataZone as your governance UX and workflow, but validate that the data plane permissions match your compliance requirements.<\/p>\n\n\n\n
                                                                                                                                                  Encryption<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • AWS services typically encrypt data at rest and in transit.<\/li>\n
                                                                                                                                                  • Amazon DataZone metadata storage and integrations may support AWS KMS keys depending on configuration.\nVerify current KMS options in the official docs for your Region.<\/strong><\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Network exposure<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Users access the portal via AWS endpoints.<\/li>\n
                                                                                                                                                    • Your data remains in your accounts; network controls (VPC endpoints, private subnets, security groups) apply to Athena\/Redshift\/S3 as configured.<\/li>\n
                                                                                                                                                    • If strict private connectivity is required, verify<\/strong> whether Amazon DataZone supports required VPC endpoint patterns in your Region.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Secrets handling<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Avoid embedding credentials in code for ingestion.<\/li>\n
                                                                                                                                                      • Prefer IAM roles and service-to-service authorization.<\/li>\n
                                                                                                                                                      • If external systems are integrated, use AWS Secrets Manager where supported by the connector pattern (verify connector requirements).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Enable CloudTrail<\/strong> for Amazon DataZone and related services.<\/li>\n
                                                                                                                                                        • Centralize logs in a dedicated log archive account.<\/li>\n
                                                                                                                                                        • Retain logs per compliance requirements; control access to logs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Map your data classification scheme to product tags and access approval policies.<\/li>\n
                                                                                                                                                          • Enforce separation of duties:<\/li>\n
                                                                                                                                                          • Producers shouldn\u2019t approve their own sensitive access requests (use multi-approver workflows where possible).<\/li>\n
                                                                                                                                                          • Ensure your data retention and deletion policies cover the underlying data plane.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Granting broad Lake Formation \u201csuper\u201d permissions to many users to \u201cmake it work.\u201d<\/li>\n
                                                                                                                                                            • Publishing raw\/unvetted datasets as products without ownership.<\/li>\n
                                                                                                                                                            • Using personal IAM users instead of Identity Center groups for portal membership.<\/li>\n
                                                                                                                                                            • Forgetting to log\/retain subscription approvals and changes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Use a dedicated governance\/shared services account for the domain in multi-account setups.<\/li>\n
                                                                                                                                                              • Use customer-managed KMS keys if required by policy (verify supported configuration).<\/li>\n
                                                                                                                                                              • Build a periodic access review process for subscriptions and underlying grants.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                                Because Amazon DataZone evolves quickly, validate the latest constraints in official docs. Common gotchas include:<\/p>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Region availability:<\/strong> Not all Regions support Amazon DataZone.<\/li>\n
                                                                                                                                                                • Cross-Region patterns:<\/strong> Cataloging and provisioning may be Region-aligned; cross-Region data estates require careful design (verify support).<\/li>\n
                                                                                                                                                                • Identity prerequisites:<\/strong> Portal sign-in often depends on IAM Identity Center; org configurations can add complexity.<\/li>\n
                                                                                                                                                                • Lake Formation interaction:<\/strong> If Lake Formation is enforcing governance, metadata ingestion and access provisioning can fail without correct LF permissions.<\/li>\n
                                                                                                                                                                • \u201cSubscribed\u201d vs \u201cQueryable\u201d:<\/strong> A DataZone subscription may complete, but the consumer still needs the right execution role\/session to query in Athena\/Redshift.<\/li>\n
                                                                                                                                                                • Environment provisioning complexity:<\/strong> If your setup uses blueprints that create resources, failures may occur due to missing IAM permissions, Service Catalog\/CloudFormation limitations, or SCP restrictions.<\/li>\n
                                                                                                                                                                • Naming and sprawl:<\/strong> Without governance, catalogs can become noisy (too many raw assets).<\/li>\n
                                                                                                                                                                • Pricing surprises:<\/strong> Even if DataZone costs are controlled, Athena scans, Redshift usage, and logging can grow rapidly.<\/li>\n
                                                                                                                                                                • Quotas:<\/strong> Domains, projects, environments, and ingestion runs may have quotas; verify in Service Quotas and docs.<\/li>\n
                                                                                                                                                                • Connector\/source limitations:<\/strong> Not every data source type is supported; verify what you can ingest and what you can provision access for.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                  Amazon DataZone is one option in a broader ecosystem of cataloging and governance tools.<\/p>\n\n\n\n
                                                                                                                                                                  Key comparisons (AWS and non-AWS)<\/h3>\n\n\n\n
                                                                                                                                                                  \n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                  Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                  Amazon DataZone<\/strong><\/td>\nAWS-centric data catalog + data products + subscriptions<\/td>\nPortal + workflow model; integrates with AWS data governance patterns; designed for producer\/consumer sharing<\/td>\nRegion\/service availability; integrations depend on supported sources\/blueprints; still requires governance processes<\/td>\nYou want AWS-native data product discovery and governed access workflows<\/td>\n<\/tr>\n
                                                                                                                                                                  AWS Glue Data Catalog<\/strong><\/td>\nCentral technical catalog for Athena\/Glue ecosystem<\/td>\nFoundational metadata store; widely integrated in AWS<\/td>\nNot a business portal; limited workflow\/approval experience by itself<\/td>\nYou need a technical metastore but not a full portal\/workflow layer<\/td>\n<\/tr>\n
                                                                                                                                                                  AWS Lake Formation<\/strong><\/td>\nFine-grained governance for S3-based data lakes<\/td>\nStrong permission model and auditing for lake access<\/td>\nNot a discovery portal; user experience is admin-oriented<\/td>\nYou need enforced data lake permissions; use with DataZone for portal\/workflow<\/td>\n<\/tr>\n
                                                                                                                                                                  AWS Data Exchange<\/strong><\/td>\nThird-party\/public data subscriptions<\/td>\nMarketplace-style dataset procurement<\/td>\nNot for internal data mesh governance<\/td>\nYou need to acquire external datasets via AWS marketplace workflows<\/td>\n<\/tr>\n
                                                                                                                                                                  Amazon Redshift (incl. sharing features)<\/strong><\/td>\nWarehouse-centric sharing and governance<\/td>\nStrong SQL warehouse, access controls, performance<\/td>\nNot a cross-system catalog\/portal by itself<\/td>\nYour primary governed sharing is inside Redshift and warehouse analytics<\/td>\n<\/tr>\n
                                                                                                                                                                  Microsoft Purview<\/strong><\/td>\nEnterprise governance across Microsoft ecosystem<\/td>\nBroad governance suite; MS integrations<\/td>\nAWS-native access provisioning differs; connector strategy needed<\/td>\nYour enterprise standard is Microsoft governance tooling<\/td>\n<\/tr>\n
                                                                                                                                                                  Google Cloud Dataplex \/ Data Catalog<\/strong><\/td>\nGCP-centric governance<\/td>\nNative GCP integration<\/td>\nNot AWS-native; cross-cloud adds complexity<\/td>\nYour primary estate is on GCP<\/td>\n<\/tr>\n
                                                                                                                                                                  Collibra \/ Alation \/ Atlan<\/strong><\/td>\nEnterprise data governance & cataloging across platforms<\/td>\nRich governance workflows, lineage, stewardship features<\/td>\nCost\/complexity; requires integration effort<\/td>\nYou need vendor-agnostic governance across many platforms<\/td>\n<\/tr>\n
                                                                                                                                                                  OpenMetadata \/ DataHub \/ Amundsen \/ Apache Atlas<\/strong><\/td>\nSelf-managed catalog<\/td>\nCustomizable; avoids vendor lock-in<\/td>\nOperational burden; integration and security are on you<\/td>\nYou have strong platform engineering and want open-source control<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                  15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                  Enterprise example: Multi-account governed analytics for a regulated company<\/h3>\n\n\n\n
                                                                                                                                                                  Problem<\/strong>\nA financial services company runs analytics across multiple AWS accounts (segregated by department and environment). Data is in S3 and Redshift. Teams struggle with:\n– finding authoritative datasets\n– consistent access approvals\n– audit demands for sensitive datasets<\/p>\n\n\n\n
                                                                                                                                                                  Proposed architecture<\/strong>\n– Governance\/shared services account hosts Amazon DataZone domain<\/strong> and portal.\n– Producer accounts host S3 data lakes governed by Lake Formation<\/strong> and publish metadata via Glue Catalog.\n– Consumer accounts query via Athena\/Redshift with role-based access.\n– CloudTrail centralized to a log archive account.<\/p>\n\n\n\n
                                                                                                                                                                  Why Amazon DataZone was chosen<\/strong>\n– AWS-native portal and workflow model aligned with existing AWS governance stack.\n– Enables self-service discovery without granting broad lake access.\n– Subscription workflow supports auditability and consistent approvals.<\/p>\n\n\n\n
                                                                                                                                                                  Expected outcomes<\/strong>\n– Reduced time-to-access (days \u2192 hours)\n– Improved dataset trust and reuse via data products\n– Clear audit trail for approvals and provisioning events<\/p>\n\n\n\n
                                                                                                                                                                  Startup\/small-team example: Internal data portal for rapid BI and ML iteration<\/h3>\n\n\n\n
                                                                                                                                                                  Problem<\/strong>\nA startup has data in S3 queried by Athena and a small Redshift warehouse. Analysts repeatedly ask engineers where data lives and what columns mean.<\/p>\n\n\n\n
                                                                                                                                                                  Proposed architecture<\/strong>\n– Single Amazon DataZone domain\n– Two projects: DataEngineering<\/code> (producer) and Analytics<\/code> (consumer)\n– Glue Catalog ingestion for core datasets\n– Curated \u201cgold\u201d data products for BI dashboards<\/p>\n\n\n\n
                                                                                                                                                                  Why Amazon DataZone was chosen<\/strong>\n– Quick setup compared to building a custom data portal\n– Standard request flow reduces Slack-based access chaos\n– Improves documentation without heavy process overhead<\/p>\n\n\n\n
                                                                                                                                                                  Expected outcomes<\/strong>\n– Faster analyst onboarding\n– Better dataset documentation\n– More consistent dashboard metrics<\/p>\n\n\n\n
                                                                                                                                                                  16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  1. \n
                                                                                                                                                                    Is Amazon DataZone a data warehouse or data lake?<\/strong>\n   No. Amazon DataZone is a data management and governance service (portal, catalog, workflows). Your data remains in S3\/Redshift\/etc.<\/p>\n<\/li>\n
                                                                                                                                                                  2. \n
                                                                                                                                                                    Does Amazon DataZone move my data into a new storage layer?<\/strong>\n   Typically no. It ingests and manages metadata<\/strong> and orchestrates access workflows.<\/p>\n<\/li>\n
                                                                                                                                                                  3. \n
                                                                                                                                                                    What is a \u201cdomain\u201d in Amazon DataZone?<\/strong>\n   A domain is the top-level governance boundary that contains the portal, catalog, projects, and configurations.<\/p>\n<\/li>\n
                                                                                                                                                                  4. \n
                                                                                                                                                                    What is a \u201cproject\u201d?<\/strong>\n   A project is a collaboration space for a team to publish data products or subscribe to them.<\/p>\n<\/li>\n
                                                                                                                                                                  5. \n
                                                                                                                                                                    What is a \u201cdata product\u201d?<\/strong>\n   A curated package of one or more data assets with business metadata (owner, description, usage guidance) intended for reuse and governed sharing.<\/p>\n<\/li>\n
                                                                                                                                                                  6. \n
                                                                                                                                                                    What is a \u201csubscription\u201d in Amazon DataZone?<\/strong>\n   A request by a consumer project to access a data product, typically involving approval and (where supported) automated permission provisioning.<\/p>\n<\/li>\n
                                                                                                                                                                  7. \n
                                                                                                                                                                    Does Amazon DataZone integrate with AWS Lake Formation?<\/strong>\n   It is commonly used with Lake Formation for governed lake access. Exact integration behavior depends on your blueprint\/source setup\u2014verify in official docs.<\/p>\n<\/li>\n
                                                                                                                                                                  8. \n
                                                                                                                                                                    Can Amazon DataZone manage access in Athena directly?<\/strong>\n   Athena access is controlled via IAM and (often) Lake Formation permissions. DataZone can help orchestrate workflows that result in those permissions\u2014verify your specific configuration.<\/p>\n<\/li>\n
                                                                                                                                                                  9. \n
                                                                                                                                                                    Can I use Amazon DataZone without Lake Formation?<\/strong>\n   Some organizations run in IAM-only modes for the lake, but governance capabilities differ. Validate your requirements and confirm supported modes in the docs.<\/p>\n<\/li>\n
                                                                                                                                                                  10. \n
                                                                                                                                                                    Is Amazon DataZone suitable for a data mesh?<\/strong>\n   Yes, it\u2019s often used to implement domain-based publishing and consumption. Success depends on your organizational processes and ownership model.<\/p>\n<\/li>\n
                                                                                                                                                                  11. \n
                                                                                                                                                                    How do I automate Amazon DataZone setup?<\/strong>\n   Use AWS APIs\/CLI (where available) and standard AWS IaC for dependent resources (S3\/Glue\/LF\/Redshift). Validate API coverage and consider staged rollout.<\/p>\n<\/li>\n
                                                                                                                                                                  12. \n
                                                                                                                                                                    How do I audit who approved access to a dataset?<\/strong>\n   Use the DataZone workflow records plus AWS CloudTrail for API activity. For full auditability, centralize logs and retain them per policy.<\/p>\n<\/li>\n
                                                                                                                                                                  13. \n
                                                                                                                                                                    What are the most common reasons ingestion fails?<\/strong>\n   Missing permissions to read Glue catalog metadata, Lake Formation restrictions, and misconfigured execution roles.<\/p>\n<\/li>\n
                                                                                                                                                                  14. \n
                                                                                                                                                                    How do I prevent the catalog from becoming cluttered?<\/strong>\n   Establish publishing standards: only curated products are \u201crecommended,\u201d tag raw assets as raw, and enforce ownership\/description requirements.<\/p>\n<\/li>\n
                                                                                                                                                                  15. \n
                                                                                                                                                                    Does Amazon DataZone support multi-account architectures?<\/strong>\n   Multi-account usage is common in AWS governance designs, but supported patterns vary by feature and blueprint. Verify in official docs for your target architecture.<\/p>\n<\/li>\n
                                                                                                                                                                  16. \n
                                                                                                                                                                    What\u2019s the difference between AWS Glue Data Catalog and Amazon DataZone?<\/strong>\n   Glue Data Catalog is a technical metastore; Amazon DataZone provides a portal, workflows, business metadata, and data product\/subscription concepts on top.<\/p>\n<\/li>\n
                                                                                                                                                                  17. \n
                                                                                                                                                                    How do I estimate total cost?<\/strong>\n   Model both Amazon DataZone pricing dimensions (domain\/user) and the larger data plane costs (Athena scans, Redshift usage, S3 storage, logging). Use the AWS Pricing Calculator.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                    17. Top Online Resources to Learn Amazon DataZone<\/h2>\n\n\n\n
                                                                                                                                                                    \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                    Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                    Official Documentation<\/td>\nAmazon DataZone Documentation<\/td>\nCanonical reference for concepts, setup, and integrations: https:\/\/docs.aws.amazon.com\/datazone\/<\/td>\n<\/tr>\n
                                                                                                                                                                    Official User Guide<\/td>\nAmazon DataZone User Guide (entry point)<\/td>\nService overview and workflows (start here): https:\/\/docs.aws.amazon.com\/datazone\/latest\/userguide\/what-is-datazone.html<\/td>\n<\/tr>\n
                                                                                                                                                                    Official API Reference<\/td>\nAmazon DataZone API Reference<\/td>\nProgrammatic operations and schemas: https:\/\/docs.aws.amazon.com\/datazone\/latest\/APIReference\/Welcome.html<\/td>\n<\/tr>\n
                                                                                                                                                                    Official CLI Reference<\/td>\nAWS CLI datazone<\/code> command reference<\/td>\nAutomate and script operations (verify coverage): https:\/\/docs.aws.amazon.com\/cli\/latest\/reference\/datazone\/<\/td>\n<\/tr>\n
                                                                                                                                                                    Official Pricing<\/td>\nAmazon DataZone Pricing<\/td>\nCurrent pricing dimensions and rates: https:\/\/aws.amazon.com\/datazone\/pricing\/<\/td>\n<\/tr>\n
                                                                                                                                                                    Pricing Tool<\/td>\nAWS Pricing Calculator<\/td>\nBuild environment-specific estimates: https:\/\/calculator.aws\/#\/<\/td>\n<\/tr>\n
                                                                                                                                                                    Regions<\/td>\nRegional Product & Service Availability<\/td>\nConfirm Region support: https:\/\/aws.amazon.com\/about-aws\/global-infrastructure\/regional-product-services\/<\/td>\n<\/tr>\n
                                                                                                                                                                    AWS Videos<\/td>\nAWS YouTube Channel<\/td>\nSearch for official walkthroughs and re:Invent sessions: https:\/\/www.youtube.com\/@amazonwebservices<\/td>\n<\/tr>\n
                                                                                                                                                                    AWS Samples<\/td>\nAWS Samples on GitHub<\/td>\nFind official\/community labs by searching \u201cdatazone\u201d: https:\/\/github.com\/aws-samples<\/td>\n<\/tr>\n
                                                                                                                                                                    Governance Reference<\/td>\nAWS Lake Formation Documentation<\/td>\nUnderstand the data lake permissions model often used with DataZone: https:\/\/docs.aws.amazon.com\/lake-formation\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                    18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                    \n\n\n\n\n\n\n\n\n
                                                                                                                                                                    Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                    DevOpsSchool.com<\/td>\nCloud engineers, architects, DevOps\/SRE, data platform teams<\/td>\nAWS fundamentals, DevOps + cloud operations, potentially governance patterns<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                    ScmGalaxy.com<\/td>\nEngineers and managers seeking process + tooling skills<\/td>\nSCM\/DevOps practices, platform enablement concepts<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                    CLoudOpsNow.in<\/td>\nCloud operations and platform teams<\/td>\nCloudOps practices, monitoring, cost, security operations<\/td>\nCheck website<\/td>\nhttps:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                    SreSchool.com<\/td>\nSREs, reliability engineers, platform owners<\/td>\nSRE practices, observability, reliability engineering<\/td>\nCheck website<\/td>\nhttps:\/\/sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                    AiOpsSchool.com<\/td>\nOps, SRE, and IT teams adopting automation<\/td>\nAIOps concepts, automation for operations and incident response<\/td>\nCheck website<\/td>\nhttps:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                    19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                    \n\n\n\n\n\n\n\n
                                                                                                                                                                    Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                    RajeshKumar.xyz<\/td>\nCloud\/DevOps training content (verify current offerings)<\/td>\nBeginners to intermediate engineers<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                                    devopstrainer.in<\/td>\nDevOps and cloud training (verify course catalog)<\/td>\nDevOps engineers, platform teams<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                    devopsfreelancer.com<\/td>\nFreelance DevOps guidance and services (verify offerings)<\/td>\nTeams seeking practical help and coaching<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                    devopssupport.in<\/td>\nSupport\/training style resources (verify current focus)<\/td>\nOps\/DevOps teams needing hands-on assistance<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                    20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                    \n\n\n\n\n\n\n
                                                                                                                                                                    Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                    cotocus.com<\/td>\nCloud\/DevOps\/IT services (verify service lines)<\/td>\nPlatform engineering, cloud adoption, operations<\/td>\nData platform setup, IAM\/landing zone design, automation<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                    DevOpsSchool.com<\/td>\nTraining + consulting (verify offerings)<\/td>\nEnablement, DevOps practices, cloud skills uplift<\/td>\nGovernance operating model workshops, DevOps pipelines for data platforms<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                    DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify portfolio)<\/td>\nCI\/CD, cloud operations, reliability, security<\/td>\nMulti-account AWS setup, cost optimization, operational readiness<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                    21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                    What to learn before Amazon DataZone<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • AWS fundamentals: IAM, S3, networking basics<\/li>\n
                                                                                                                                                                    • Analytics basics: Athena, Glue Data Catalog, partitioning and file formats<\/li>\n
                                                                                                                                                                    • Data governance basics: RBAC\/ABAC, least privilege, audit logging<\/li>\n
                                                                                                                                                                    • Lake Formation fundamentals if you manage S3-based data lakes<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      What to learn after Amazon DataZone<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Lake Formation advanced permissions and cross-account sharing<\/li>\n
                                                                                                                                                                      • Redshift governance and workload management<\/li>\n
                                                                                                                                                                      • Data engineering pipelines (Glue\/EMR\/managed orchestration)<\/li>\n
                                                                                                                                                                      • Data quality and observability tooling (AWS-native or third-party)<\/li>\n
                                                                                                                                                                      • Enterprise logging and compliance patterns on AWS<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • Data platform engineer<\/li>\n
                                                                                                                                                                        • Cloud solutions architect (analytics)<\/li>\n
                                                                                                                                                                        • Data governance engineer\/steward (technical)<\/li>\n
                                                                                                                                                                        • Security engineer focused on data access governance<\/li>\n
                                                                                                                                                                        • Analytics engineer \/ BI platform engineer<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          Certification path (AWS)<\/h3>\n\n\n\n
                                                                                                                                                                          AWS certifications are role-based rather than service-specific. Relevant tracks:\n– AWS Certified Solutions Architect \u2013 Associate\/Professional\n– AWS Certified Data Engineer \u2013 Associate (if available in your region\/timeframe; verify current AWS certification catalog)\n– AWS Certified Security \u2013 Specialty<\/p>\n\n\n\n
                                                                                                                                                                          Verify current AWS certifications: https:\/\/aws.amazon.com\/certification\/<\/p>\n\n\n\n
                                                                                                                                                                          Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Build a \u201ccertified metrics\u201d program: publish 10 curated data products with glossary definitions.<\/li>\n
                                                                                                                                                                          • Implement multi-account data mesh: one governance domain, 3 producer accounts, 2 consumer accounts.<\/li>\n
                                                                                                                                                                          • Automate onboarding: script creation of projects and metadata standards checks using APIs\/CLI (verify available operations).<\/li>\n
                                                                                                                                                                          • Governance dashboards: track subscription lead time and product adoption using exported events\/logs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                            22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            • Amazon DataZone Domain:<\/strong> Top-level construct that hosts portal, catalog, and governance configuration.<\/li>\n
                                                                                                                                                                            • Data portal:<\/strong> Web UI for discovery, publishing, and access requests.<\/li>\n
                                                                                                                                                                            • Project:<\/strong> Workspace for a producer or consumer team.<\/li>\n
                                                                                                                                                                            • Data asset:<\/strong> Catalog entry representing a dataset (table\/view\/etc., depending on source).<\/li>\n
                                                                                                                                                                            • Data product:<\/strong> Curated package of assets with business metadata and ownership for sharing.<\/li>\n
                                                                                                                                                                            • Subscription:<\/strong> Request\/approval workflow for access to a data product.<\/li>\n
                                                                                                                                                                            • AWS Glue Data Catalog:<\/strong> Metadata store for tables and databases used by Athena\/Glue and often lake architectures.<\/li>\n
                                                                                                                                                                            • AWS Lake Formation:<\/strong> Service to manage fine-grained permissions for data lakes on S3 with Glue catalog integration.<\/li>\n
                                                                                                                                                                            • Amazon Athena:<\/strong> Serverless query engine for S3 data.<\/li>\n
                                                                                                                                                                            • Amazon Redshift:<\/strong> Managed data warehouse.<\/li>\n
                                                                                                                                                                            • IAM Identity Center:<\/strong> AWS workforce identity and SSO service used to authenticate portal users.<\/li>\n
                                                                                                                                                                            • Control plane:<\/strong> Management layer (metadata, workflows).<\/li>\n
                                                                                                                                                                            • Data plane:<\/strong> Where data is stored and queried (S3\/Redshift\/Athena).<\/li>\n
                                                                                                                                                                            • Least privilege:<\/strong> Security principle of granting only the permissions needed.<\/li>\n
                                                                                                                                                                            • CloudTrail:<\/strong> AWS service for auditing API calls across AWS services.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                              Amazon DataZone is an AWS Analytics service that provides a governed data portal, catalog, data product model, and subscription workflows<\/strong> so teams can discover and share data reliably across an AWS data estate.<\/p>\n\n\n\n
                                                                                                                                                                              It matters because analytics programs fail when data is hard to find, poorly documented, and access is slow or unsafe. Amazon DataZone addresses those gaps by combining metadata ingestion, business context, ownership, and request\/approval workflows\u2014integrating with AWS services like Glue Data Catalog and (often) Lake Formation for enforceable access.<\/p>\n\n\n\n
                                                                                                                                                                              Cost planning should cover both Amazon DataZone\u2019s own pricing dimensions (verify on the official pricing page) and the larger indirect costs of your data plane (Athena scans, Redshift usage, S3 storage, logging). Security planning should focus on identity (IAM Identity Center), least privilege roles, Lake Formation\/Redshift permissions, and audit logging.<\/p>\n\n\n\n
                                                                                                                                                                              Use Amazon DataZone when you need an AWS-native governance layer for data discovery and controlled sharing. Next step: read the official user guide and validate supported sources\/blueprints for your environment, then run a pilot domain with 1\u20132 producer teams and a small set of curated data products: https:\/\/docs.aws.amazon.com\/datazone\/latest\/userguide\/what-is-datazone.html<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                              Analytics<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,20],"tags":[],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-analytics","category-aws"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/125\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}