Amazon Glacier
Developer Guide (API Version 2012-06-01)

Amazon Glacier Access Control with Vault Access Policies

An Amazon Glacier vault access policy is a resource-based policy that you can use to manage permissions to your vault. For information about the different permissions policy options available, see Managing Access to Resources.

You can create one vault access policy for each vault to manage permissions. You can modify permissions in a vault access policy at any time. Amazon Glacier also supports a Vault Lock policy on each vault that, after you lock it, cannot be altered. For more information about working with Vault Lock policies, see Amazon Glacier Access Control with Vault Lock Policies.

You can use the Amazon Glacier API, AWS SDKs, AWS CLI, or the Amazon Glacier console to create and manage vault access policies. For a list of Amazon Glacier operations allowed for vault access resource-based policies, see Amazon Glacier API Permissions: Actions, Resources, and Conditions Reference.

Example 1: Grant Cross-Account Permissions for Specific Amazon Glacier Actions

The following example policy grants cross-account permissions to two AWS accounts for a set of Amazon Glacier operations on a vault named examplevault.

Note

The account that owns the vault is billed for all costs associated with the vault. All requests, data transfer, and retrieval costs made by allowed external accounts are billed to the account that owns the vault.

{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid":"cross-account-upload",
          "Principal": {
             "AWS": [
                "arn:aws:iam::123456789012:root",
                "arn:aws:iam::444455556666:root"
             ]
          },
          "Effect":"Allow",
          "Action": [
             "glacier:UploadArchive",
             "glacier:InitiateMultipartUpload",
             "glacier:AbortMultipartUpload",
             "glacier:CompleteMultipartUpload"
          ],
          "Resource": [
             "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"
          ]
       }
    ]
}

Example 2: Grant Read-Only Permissions to All AWS Accounts

The following example policy grants all AWS accounts permission to perform the Amazon Glacier operations needed to retrieve any archive in a vault named examplevault. These accounts can read archives but cannot upload, modify, or delete them, because no such actions are granted.

{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": "*",
          "Effect": "Allow",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": [
             "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"
          ]
       }
    ]
}

Example 3: Grant Cross-Account Permissions for MFA Delete Operations

You can use multi-factor authentication (MFA) to protect your Amazon Glacier resources. To provide an extra level of security, MFA requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information about configuring MFA access, see Configuring MFA-Protected API Access in the IAM User Guide.

The following example policy grants an AWS account permission to delete archives from a vault named examplevault, provided that the request is authenticated with an MFA device. The policy uses the aws:MultiFactorAuthPresent condition key to express this additional requirement.

{
    "Version": "2012-10-17",
    "Statement": [
       {
          "Sid": "add-mfa-delete-requirement",
          "Principal": {
             "AWS": [
                "arn:aws:iam::123456789012:root"
             ]
          },
          "Effect": "Allow",
          "Action": [
             "glacier:Delete*"
          ],
          "Resource": [
             "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"
          ],
          "Condition": {
             "Bool": {
                "aws:MultiFactorAuthPresent": "true"
             }
          }
       }
    ]
}
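As an added example that is not part of the AWS documentation, the following Python script parses a vault access policy document and flags the two risks the examples above illustrate: a Principal of "*", which opens a statement to every AWS account, and a glacier:Delete* grant that lacks the aws:MultiFactorAuthPresent condition. The sample policy is constructed from Examples 2 and 3 (with the MFA condition deliberately left out of the second statement), and the function names are my own.

```python
import json
from fnmatch import fnmatchcase

# Glacier actions that destroy data or weaken the vault's own controls.
DELETE_ACTIONS = ("glacier:DeleteArchive", "glacier:DeleteVault",
                  "glacier:DeleteVaultAccessPolicy", "glacier:DeleteVaultNotifications")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principals(stmt):
    """AWS principals a statement applies to; '*' means every AWS account."""
    p = stmt.get("Principal")
    return ["*"] if p == "*" else (_as_list(p.get("AWS", [])) if isinstance(p, dict) else [])

def requires_mfa(stmt):
    """Only the strict Bool form counts: BoolIfExists passes when the key is absent."""
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"

def audit_vault_policy(policy_json):
    """Parse a vault access policy document and list risky Allow statements.
    json.loads fails on the syntax slips (a missing comma, say) that the
    Set Vault Access Policy call would otherwise reject."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # IAM matches action names case-insensitively and honours '*' wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "*" in principals(stmt):
            findings.append((sid, "open-to-all-accounts"))
        grants_delete = any(fnmatchcase(d.lower(), a) for d in DELETE_ACTIONS for a in actions)
        if grants_delete and not requires_mfa(stmt):
            findings.append((sid, "delete-without-mfa"))
    return findings

# Constructed sample: the page's Example 2 plus a copy of Example 3 with the
# MFA condition left out, combined into one document with two statements.
VAULT_ARN = "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "add-read-only-perm", "Principal": "*", "Effect": "Allow",
     "Action": ["glacier:InitiateJob", "glacier:GetJobOutput"], "Resource": [VAULT_ARN]},
    {"Sid": "delete-no-mfa", "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
     "Effect": "Allow", "Action": ["glacier:Delete*"], "Resource": [VAULT_ARN]},
]})
```

Running audit_vault_policy on the document before passing it to Set Vault Access Policy catches both the JSON syntax error and the two policy findings; adding the Bool aws:MultiFactorAuthPresent condition to the second statement clears the delete finding.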