Data Governance with Amazon DataZone - Data Discovery, Sharing, and Access Control

Learn how to build a domain-based data catalog and implement data discovery, sharing, and access control through subscription workflows.

DataZone Overview

DataZone is a service that unifies data discovery, sharing, and governance within an organization, capable of managing thousands of data assets and hundreds of users. Data producers publish data assets to the catalog, and data consumers search the catalog for needed data and submit subscription requests. After approval, consumers can access data directly from Athena or Redshift. DataZone provides a portal UI that allows even non-technical business users to search and browse data assets from a browser. Its primary purpose is to visualize the full landscape of an organization's data assets and enable cross-functional utilization of siloed data.

Domains and Subscriptions

Domains are logical groups corresponding to business units or teams, clarifying data ownership and management responsibility. Each domain can have a designated data owner who is delegated authority for asset publication and subscription approval within that domain. Projects are the working unit within a domain where users consume data, managing connections to analytics environments (Athena/Redshift). In the subscription workflow, consumers request access to data assets, and producers or administrators approve the requests. After approval, Lake Formation permissions are automatically granted, and consumers can execute queries from Athena. Auto-approval rules can be configured to instantly approve requests meeting certain conditions (such as within the same domain) without manual intervention. Subscriptions can have expiration dates, after which access rights automatically revoke, preventing unnecessary long-term data sharing.

Data Quality and Catalog Management

DataZone's data quality rules automatically validate the quality of published data assets. Define rules for completeness (percentage of NULL values), uniqueness (duplicate records), and freshness (last update date), and display quality scores in the catalog. The business glossary manages organization-wide term definitions, and by tagging data assets, you can search for data by business meaning rather than just technical table names. Metadata forms define custom attributes such as data owner, update frequency, and sensitivity level, attaching governance-relevant information to data assets. Integration with the Glue Data Catalog enables automatic import of existing table definitions into DataZone. Redshift tables can also be registered in the catalog. The search feature supports natural language queries, allowing users to discover target assets with vague searches like "sales-related data" without knowing exact table names. For a comprehensive understanding of DataZone design patterns, refer to technical books (Amazon).

DataZone Pricing

DataZone pricing consists of the number of data assets registered in the catalog and metadata API call volume. Data assets cost approximately $0.10 per asset per month, and metadata API calls cost approximately $4.25 per million requests. Subscription approval and management are available at no additional charge. In large organizations where data assets can reach thousands, manage costs through regular inventory of unnecessary assets. Leveraging existing metadata through Glue Data Catalog integration avoids duplicate catalog management and reduces operational costs.

Integration with Lake Formation and Glue - Design Patterns

DataZone integrates deeply with Lake Formation. Permission grants during subscription approval are implemented via Lake Formation's table and column-level access controls. This enables column-level security where different consumers see different columns while referencing the same data on S3. DataZone synchronizes bidirectionally with the Glue Data Catalog - when new tables are detected in Glue, they are automatically reflected in the DataZone catalog. For multi-account configurations, a Hub-Spoke pattern is recommended where the DataZone domain is placed in a central governance account and Glue catalogs from workload accounts are federated. This configuration centralizes governance policy management while keeping data physically distributed across accounts. Environment settings link Athena workgroups or Redshift clusters, auto-provisioning a query-ready state for consumers immediately after approval.

Deployment Pitfalls and Operational Best Practices

There are common failure patterns when deploying DataZone. If domain design is too coarse (e.g., a single domain for the entire company), approval flows become centralized bottlenecks; if too granular (e.g., a domain per table), management becomes burdensome. Domains scoped to business units or product lines provide a practical balance. Starting operations without preparing a business glossary results in poor catalog search accuracy, preventing users from finding target data. It's recommended to prepare 50-100 term definitions for major data domains before DataZone deployment. Setting data quality rules too strictly from the start prevents existing tables with low quality scores from being published, blocking practical adoption. A realistic approach is to start with relaxed thresholds and improve quality in parallel. To prevent catalog staleness, assign quarterly inventory responsibility to data owners with operational rules to unpublish unused assets.

Summary

DataZone is a service that unifies data discovery, sharing, and governance to maximize data value across the organization. Domain-based ownership management clarifies data responsibility, and subscription workflows enable approval-based data sharing. Integration with Lake Formation provides column-level security and multi-account support for enterprise-scale governance requirements. Data quality rules and business glossaries improve catalog reliability and searchability.