AWS Import/Export
Developer Guide

Automatic Resource Policy Updates

When you create an AWS Import/Export job for Amazon S3, the related resource-based policies will be updated automatically by the AWS Import/Export service. These resource-based policy updates have associated expiration dates set for seven months after the job was created or updated.

If you change the resource-based policies while your job is in progress, your import or export may fail. We highly recommend that you review the following policy updates that will be implemented on the buckets involved in your AWS Import/Export job. There are no automatic Amazon EBS related updates for your resources, so you'll need to ensure the Amazon EBS policies and permissions are correct for your resources.

Automatically Updated Log Bucket Policy

For all import and export jobs that have an Amazon S3 bucket for logging, the following policy will be automatically applied to the log bucket.

Example Amazon S3 Log Bucket Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": { "Service": "importexport-disk.amazonaws.com" }
    },
    {
      "Sid": "AddCannedAcl",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [ "arn:aws:s3:::examplebucket/*" ]
    }
  ]
}

Automatically Updated Import Bucket Policy

For importing data into Amazon S3, the following policy will be automatically applied to the import bucket:

Example Amazon S3 Import Bucket Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "importexport-disk.amazonaws.com" },
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [ "arn:aws:s3:::examplebucket/*" ],
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "<7 months from when the job is created/updated>"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": { "Service": "importexport-disk.amazonaws.com" },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [ "arn:aws:s3:::examplebucket" ],
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "<7 months from when the job is created/updated>"
        }
      }
    }
  ]
}

Automatically Updated Export Bucket Policy

For exporting data from Amazon S3, the following policy will be automatically applied to the export bucket:

Example Amazon S3 Export Bucket Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "importexport-disk.amazonaws.com" },
      "Action": [ "s3:GetObject" ],
      "Resource": [ "arn:aws:s3:::examplebucket/*" ],
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "<7 months from when the job is created/updated>"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": { "Service": "importexport-disk.amazonaws.com" },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [ "arn:aws:s3:::examplebucket" ],
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "<7 months from when the job is created/updated>"
        }
      }
    }
  ]
}
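To review what the service has added to a bucket, the following added example (not part of the AWS guide) lists every Allow statement granted to importexport-disk.amazonaws.com in a bucket policy document and reports whether its DateLessThan bound is still active, has expired, or is missing. The function names and the expiry dates in the sample policy are constructed for illustration.

```python
import json
from datetime import datetime, timezone

SERVICE = "importexport-disk.amazonaws.com"  # service principal shown on this page

# Constructed sample: shaped like the import bucket policy, with made-up expiry dates.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SERVICE},
     "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::examplebucket/*"],
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2024-03-01T00:00:00Z"}}},
    {"Effect": "Allow", "Principal": {"Service": SERVICE},
     "Action": ["s3:GetBucketLocation"], "Resource": ["arn:aws:s3:::examplebucket"],
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2030-01-01T00:00:00Z"}}},
    {"Effect": "Allow", "Principal": {"Service": SERVICE},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::examplebucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*"}]})

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def _expiry(stmt):
    """Return the DateLessThan aws:CurrentTime bound as an aware datetime, or None."""
    bounds = stmt.get("Condition", {}).get("DateLessThan", {})
    for key, value in bounds.items():
        if key.lower() == "aws:currenttime":  # condition keys are case-insensitive
            when = datetime.fromisoformat(_as_list(value)[0].replace("Z", "+00:00"))
            return when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return None

def audit_policy(policy_json, now):
    """List every Allow statement for SERVICE with its expiry status at time `now`."""
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue  # not a grant to the Import/Export service principal
        when = _expiry(stmt)
        status = "no-expiry" if when is None else ("expired" if when <= now else "active")
        findings.append({"statement": index, "status": status,
                         "actions": _as_list(stmt.get("Action"))})
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, datetime.now(timezone.utc)):
        print(finding)
```

Statements reported as expired no longer grant access and can be removed once the job is finished; a no-expiry result marks a service grant that will not lapse on its own.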

Amazon EBS Policies and Permissions

The only permissions required for import to Amazon EBS are the previously listed permissions for the Amazon S3 log bucket.

For more information, go to:

Related Topics

For more information on Amazon S3 policies, see Using IAM Policies in the Amazon Simple Storage Service Developer Guide.