Optional Readonly associated (its description appears at the end of this page)
Optional Readonly authorization
Fine-grained authorization policies for the root domain unit. Supports policy types like CREATE_DOMAIN_UNIT, CREATE_GLOSSARY, and CREATE_PROJECT with user/group principals.
Use cases: Permission scoping per domain unit; Policy-driven project creation control
AWS: DataZone authorization policies (CREATE_DOMAIN_UNIT, CREATE_PROJECT, etc.)
Validation: Optional; Record of AuthorizationPolicy objects
Optional Readonly authorizations
Simplified authorizations for the root domain unit. Provides a concise way to grant common permissions by specifying users and groups directly, without constructing full AuthorizationPolicy objects.
Supported fields: projectCreators, projectFromProfileCreators, eligibleProjectMembers, domainUnitCreators, glossaryCreators, environmentCreators.
Use cases: Quick project creation grants; Simple membership pool configuration; Delegated domain unit management; Glossary and environment provisioning
AWS: DataZone authorization policies (CREATE_PROJECT, CREATE_PROJECT_FROM_PROJECT_PROFILE, ADD_TO_PROJECT_MEMBER_POOL, CREATE_DOMAIN_UNIT, CREATE_GLOSSARY, CREATE_ENVIRONMENT)
Validation: Optional; Authorizations object
Optional Readonly cdk
IAM role ARN of the CDK deployment role used in the domain's account. Override this when using a custom CDK bootstrap qualifier instead of the default. If omitted, defaults to the standard CDK bootstrap cfn-exec role (cdk-hnb659fds-cfn-exec-role-ACCOUNT-REGION).
Use cases: Custom CDK bootstrap qualifier; Non-default CDK toolkit stack name
AWS: IAM role for CloudFormation stack operations during CDK deployment
Validation: Optional; valid IAM role ARN with CDK deployment permissions
Readonly data
IAM role with administrative privileges over the domain. Used for user management, resource configuration, and governance policy administration. Resolved via MDAA role helper.
Use cases: Domain administration; Governance policy management; Resource configuration
AWS: IAM role granted DataZone domain admin permissions
Validation: Required; valid MdaaRoleRef
Optional Readonly description
Human-readable description of the domain's purpose and scope.
Use cases: Domain documentation; Organizational context
AWS: DataZone domain description
Validation: Optional; string
Optional Readonly domain
Hierarchical domain units for organizing projects and governance scopes within the domain.
Use cases: Organizational hierarchy; Project grouping; Governance scope isolation
AWS: DataZone domain units
Validation: Optional; valid NamedDomainUnits
Optional Readonly groups
Named groups to be added to the domain. Groups are SSO-only and identified by a friendly name mapped to an SSO group ID.
Use cases: Team-based domain access; SSO group provisioning
AWS: DataZone group profiles (SSO)
Validation: Optional; valid NamedDataZoneGroups
Optional Readonly owner
Associated account names granted ownership of the root domain unit, allowing project creation at the domain root. Names must match entries in the domain's associatedAccounts config.
Use cases: Cross-account root ownership; Delegated domain administration
AWS: DataZone root domain unit owner (account)
Validation: Optional; string array; names must match associatedAccounts keys
Optional Readonly owner
Group names granted ownership of the root domain unit. Names must match entries in the domain's groups config.
Use cases: Root-level domain administration; Team-based ownership
AWS: DataZone root domain unit owner (group)
Validation: Optional; string array; names must match domain groups keys
Optional Readonly owner
User names granted ownership of the root domain unit. Names must match entries in the domain's users config.
Use cases: Root-level domain administration; User-based ownership
AWS: DataZone root domain unit owner (user)
Validation: Optional; string array; names must match domain users keys
Optional Readonly single
SSO integration type for domain authentication. DISABLED uses IAM-only authentication; IAM_IDC enables IAM Identity Center federation.
Use cases: Federated authentication; IAM Identity Center integration; IAM-only domains
AWS: DataZone domain SSO configuration
Validation: Optional; 'DISABLED' | 'IAM_IDC'
Optional Readonly user
Controls how users are assigned to the domain. MANUAL requires explicit assignment; AUTOMATIC assigns users based on organizational policies.
Use cases: User provisioning control; Automated vs. manual user onboarding
AWS: DataZone domain user assignment mode
Validation: Optional; 'MANUAL' | 'AUTOMATIC'
Optional Readonly users
Named users to be added to the domain. Each user is identified by a friendly name and can be IAM-based or SSO-based.
Use cases: Individual domain access; IAM and SSO user provisioning
AWS: DataZone user profiles (IAM or SSO)
Validation: Optional; valid NamedDataZoneUsers
Additional AWS accounts associated with this domain for cross-account data governance and resource sharing. Each account can have its own Glue catalog encryption, LF roles, and CDK deployment configuration.
Use cases: Multi-account data governance; Cross-account catalog sharing; Enterprise domain federation
AWS: DataZone cross-account domain associations
Validation: Optional; valid NamedDataZoneAssociatedAccounts
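As an added illustration (not MDAA's own code), the TypeScript check below enforces the referential rules these entries state: owner account, group and user names must be keys of the associated accounts, groups and users config, and the SSO and user assignment modes must be one of the listed values. All field names are assumed stand-ins for the truncated property names on this page.

```typescript
// Added example, not MDAA project code. Field names are assumed stand-ins
// for the truncated property names on this page; the rules are the page's.
const SSO_MODES: readonly string[] = ["DISABLED", "IAM_IDC"];
const ASSIGNMENT_MODES: readonly string[] = ["MANUAL", "AUTOMATIC"];
interface DomainConfig {
  associatedAccounts?: Record<string, unknown>; // keyed by account name (assumed)
  groups?: Record<string, unknown>;             // keyed by friendly group name (assumed)
  users?: Record<string, unknown>;              // keyed by friendly user name (assumed)
  ownerAccounts?: string[];                     // must match associatedAccounts keys
  ownerGroups?: string[];                       // must match groups keys
  ownerUsers?: string[];                        // must match users keys
  singleSignOn?: string;                        // 'DISABLED' | 'IAM_IDC'
  userAssignment?: string;                      // 'MANUAL' | 'AUTOMATIC'
}

// Every referenced name must be an own key of the pool it points at;
// hasOwnProperty (not `in`) so inherited keys like "constructor" never match.
function checkRefs(label: string, refs: string[] | undefined,
                   pool: Record<string, unknown> | undefined, errors: string[]): void {
  for (const name of refs ?? []) {
    if (!pool || !Object.prototype.hasOwnProperty.call(pool, name)) {
      errors.push(`${label} '${name}' does not match a configured key`);
    }
  }
}

function checkEnum(label: string, value: string | undefined,
                   allowed: readonly string[], errors: string[]): void {
  if (value !== undefined && allowed.indexOf(value) < 0) {
    errors.push(`${label} '${value}' is not one of ${allowed.join(" | ")}`);
  }
}

// Returns the list of violations; an empty list means the config is consistent.
export function validateDomainConfig(cfg: DomainConfig): string[] {
  const errors: string[] = [];
  checkRefs("owner account", cfg.ownerAccounts, cfg.associatedAccounts, errors);
  checkRefs("owner group", cfg.ownerGroups, cfg.groups, errors);
  checkRefs("owner user", cfg.ownerUsers, cfg.users, errors);
  checkEnum("singleSignOn", cfg.singleSignOn, SSO_MODES, errors);
  checkEnum("userAssignment", cfg.userAssignment, ASSIGNMENT_MODES, errors);
  return errors;
}

// Constructed sample: a dangling account, a prototype-key user and a bad mode.
export const sampleConfig: DomainConfig = {
  associatedAccounts: { dev: {} }, groups: { "data-eng": {} }, users: { alice: {} },
  ownerAccounts: ["dev", "prod"], ownerGroups: ["data-eng"], ownerUsers: ["alice", "constructor"],
  singleSignOn: "IAM_IDC", userAssignment: "AUTO",
};
```

Run the validator before synthesis so a misspelled owner name fails fast instead of silently granting nothing, or granting ownership to an unintended principal.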