AWS Storage Gateway
User Guide (API Version 2012-06-30)

Access Control Using AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) helps you securely control access to Amazon Web Services and your account resources. With IAM, you can create multiple IAM users under the umbrella of your AWS account. To learn more about IAM and its features, go to What Is IAM?

Every user you create in the IAM system starts with no permissions. In other words, by default, users can do nothing. A permission is a general term we use to mean the ability to perform an action against a resource. The AWS Storage Gateway API (see API Reference for AWS Storage Gateway) enables a list of actions you can perform. However, unless you explicitly grant a user permissions, that user cannot perform any of these actions. You grant a permission to a user with a policy. A policy is a document that formally states one or more permissions. For more information about IAM policies, go to Overview of Policies.

You write a policy using the access policy language that IAM uses. You then attach the policy to a user or a group in your AWS account. For more information about the policy language, go to The Access Policy Language in Using AWS Identity and Access Management.

The Element Descriptions section of Using AWS Identity and Access Management describes elements you can use in a policy. The following information about some of the policy elements is specific to AWS Storage Gateway:

  • Resource—The object or objects the policy covers. You identify resources using the following Amazon Resource Name (ARN) format.

    arn:aws:<vendor>:<region>:<namespace>:<relative-id>

    In this format, vendor is the product name "storagegateway" and namespace is the account ID. In AWS Storage Gateway there are three types of resources: gateway, volume, and iSCSI target. The following table shows an example ARN for each type of resource.

    Resource                                Description

    Gateway ARN                             arn:aws:storagegateway:us-east-1:111122223333:gateway/mygateway

    Volume ARN                              arn:aws:storagegateway:us-east-1:111122223333:gateway/mygateway/volume/vol-1122AABB

    Target ARN (name of an iSCSI target)    arn:aws:storagegateway:us-east-1:111122223333:gateway/mygateway/target/iqn.1997-05.com.amazon:myvolume

  • Action—The specific type or types of action allowed or denied. For a complete list of AWS Storage Gateway actions, see Operations in AWS Storage Gateway.

    Note

    The Amazon EBS snapshots generated from AWS Storage Gateway are managed as Amazon EC2 resources, so access to them is controlled by the corresponding Amazon EC2 actions (for example, ec2:DescribeSnapshots and ec2:DeleteSnapshot), not by AWS Storage Gateway actions.

This section provides example IAM policies that illustrate how to grant a user permission to perform specific AWS Storage Gateway actions. You can then attach these policies to a user for whom you want to grant access permissions.

Example Policies

Example 1: Allow all actions

The following policy allows a user to perform all the AWS Storage Gateway actions. The policy also allows the user to perform Amazon EC2 actions (DescribeSnapshots and DeleteSnapshot) on the Amazon EBS snapshots generated from AWS Storage Gateway.

{
   "Statement":[
      {
         "Action": [
            "storagegateway:*"
         ],
         "Effect": "Allow",
         "Resource": "*"
      },
      {
         "Action": [
            "ec2:DescribeSnapshots",
            "ec2:DeleteSnapshot"
         ],
         "Effect": "Allow",
         "Resource": "*"
      }
   ]
}

Example 2: Allow read-only access to a gateway

The following policy allows all List* and Describe* actions on all resources. These are read-only actions, so the policy does not allow the user to change the state of any resource; that is, it does not allow the user to perform actions such as DeleteGateway, ActivateGateway, and ShutdownGateway.

The policy also allows the DescribeSnapshots Amazon EC2 action. For more information, go to DescribeSnapshots in the Amazon Elastic Compute Cloud API Reference.

{
  "Statement": [
    {
      "Action": [
        "storagegateway:List*",
        "storagegateway:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:DescribeSnapshots"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

In the preceding policy, instead of using a wildcard, you could scope the resources covered by the policy to a specific gateway. The policy would then allow the actions only on that gateway.

"Resource": "arn:aws:storagegateway:us-east-1:111122223333:gateway/[Gateway Name]/*" 

Within a gateway, you can further restrict the scope of the resources to only the gateway volumes.

"Resource": "arn:aws:storagegateway:us-east-1:111122223333:gateway/[Gateway Name]/volume/*" 


Example 3: Allow access to a specific gateway

The following policy allows all actions on a specific gateway. That is, the user is restricted from accessing other gateways you might have deployed.

{
  "Statement": [
    {
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:[AWS Region]:[AWS Account]:gateway/[Gateway Name]/*"
    }
  ]
}

The preceding policy works if the user to whom the policy is attached uses either the API or an AWS SDK to access the gateway. However, if this user plans to use the AWS Storage Gateway console, you must also grant permission to the ListGateways action.

{
  "Statement": [
    {
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:[AWS Region]:[AWS Account]:gateway/[Gateway Name]/*"
    },
    {
      "Action": [
        "storagegateway:ListGateways"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Additionally, if the user plans to activate the specific gateway, you must also grant permission to the ActivateGateway action.

{
  "Statement": [
    {
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:[AWS Region]:[AWS Account]:gateway/[Gateway Name]/*"
    },
    {
      "Action": [
        "storagegateway:ListGateways", 
        "storagegateway:ActivateGateway"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}


Example 4: Grant permissions to access a specific volume

The following policy allows a user to perform all actions on a specific volume of a gateway. Because a user has no permissions by default, the policy restricts the user to accessing only that volume.

{
  "Statement": [
    {
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:[AWS Region]:[AWS Account]:gateway/[Gateway Name]/volume/[Volume Name]"
    }
  ]
}

The preceding policy works if the user to whom the policy is attached uses either the API or an AWS SDK to access the volume. However, if this user plans to use the AWS Storage Gateway console, you must also grant permission to the ListGateways action.

{
  "Statement": [
    {
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:[AWS Region]:[AWS Account]:gateway/[Gateway Name]/volume/[Volume Name]"
    },
    {
      "Action": [
        "storagegateway:ListGateways"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Example 5: Allow all actions on gateways with a specific prefix

The following policy allows a user to perform all actions on gateways whose names start with "DeptX". The policy also allows the DescribeSnapshots Amazon EC2 action.

{
  "Statement": [
    {
      "Action": [
        "storagegateway:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:storagegateway:[AWS Region]:[AWS Account]:gateway/[Gateway Name Prefix]*"
    },
    {
      "Action": [
        "ec2:DescribeSnapshots"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

The preceding policy works if the user to whom the policy is attached uses either the API or an AWS SDK to access the gateway. However, if this user plans to use the AWS Storage Gateway console, you must grant additional permissions as described in Example 3: Allow access to a specific gateway.
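The scoping rules in Examples 2, 3, and 5 (restricting a statement to one gateway's sub-resources, why a console user also needs ListGateways on Resource "*", and matching a gateway-name prefix) are easy to get wrong, and the cheapest check is to run candidate policies against the ARNs you expect them to allow and deny before attaching them to anyone. The following evaluator is an added example written for this page; it is not AWS's policy engine or any Storage Gateway code. It models only the parts of IAM evaluation the page relies on: a request is denied unless some statement allows it (default deny), an explicit Deny wins over any Allow, and "*" in an Action or Resource value matches any run of characters (including none). Actions are matched case-insensitively and ARNs case-sensitively. Requests for list-type actions that have no resource are modelled as resource "*", which is an assumption of this example. The policies below are the page's examples with its placeholders filled in using the sample region, account ID and names the page uses elsewhere (us-east-1, 111122223333, mygateway, DeptX); conditions, principals, resource policies and permission boundaries are not modelled.

```python
import json
import re

# Sample ARN prefix built from the page's example region and account ID.
GATEWAY_ARN_PREFIX = "arn:aws:storagegateway:us-east-1:111122223333:gateway/"

# Example 2, scoped to one gateway as the page suggests instead of Resource "*".
READ_ONLY_ONE_GATEWAY = json.loads("""{
  "Statement": [
    {"Action": ["storagegateway:List*", "storagegateway:Describe*"],
     "Effect": "Allow",
     "Resource": "arn:aws:storagegateway:us-east-1:111122223333:gateway/mygateway/*"},
    {"Action": ["ec2:DescribeSnapshots"], "Effect": "Allow", "Resource": "*"}
  ]
}""")

# Example 3, with the extra ListGateways statement a console user needs.
ONE_GATEWAY_WITH_CONSOLE = json.loads("""{
  "Statement": [
    {"Action": ["storagegateway:*"], "Effect": "Allow",
     "Resource": "arn:aws:storagegateway:us-east-1:111122223333:gateway/mygateway/*"},
    {"Action": ["storagegateway:ListGateways"], "Effect": "Allow", "Resource": "*"}
  ]
}""")

# Example 5, all actions on gateways whose names start with DeptX.
PREFIX_GATEWAYS = json.loads("""{
  "Statement": [
    {"Action": ["storagegateway:*"], "Effect": "Allow",
     "Resource": "arn:aws:storagegateway:us-east-1:111122223333:gateway/DeptX*"}
  ]
}""")


def _glob_to_regex(pattern, ignore_case):
    # IAM wildcards: '*' matches any run of characters (including none and
    # including ':' and '/'), '?' matches exactly one character; everything
    # else is literal, so brackets and dots in ARNs are escaped.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _matches(pattern, value, ignore_case):
    return _glob_to_regex(pattern, ignore_case).match(value) is not None


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource="*"):
    """Decide one request against one policy document.

    Returns "Allow", "Deny" (an explicit Deny statement matched) or
    "ImplicitDeny" (no statement matched, the IAM default). Pass resource="*"
    for list-type calls that are not made against a specific ARN; this is a
    simplification of how IAM treats actions without resource-level support.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(a, action, ignore_case=True) for a in actions):
            continue
        if not any(_matches(r, resource, ignore_case=False) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def check_policy(policy, requests):
    """Evaluate a list of (action, resource) pairs; returns a list of decisions."""
    return [evaluate(policy, action, resource) for action, resource in requests]


if __name__ == "__main__":
    # Constructed requests: a volume under mygateway, a volume on another
    # gateway, and a list call with no resource.
    requests = [
        ("storagegateway:DescribeGatewayInformation", GATEWAY_ARN_PREFIX + "mygateway/volume/vol-1122AABB"),
        ("storagegateway:DeleteGateway", GATEWAY_ARN_PREFIX + "mygateway/volume/vol-1122AABB"),
        ("storagegateway:DescribeGatewayInformation", GATEWAY_ARN_PREFIX + "othergateway/volume/vol-1"),
        ("storagegateway:ListGateways", "*"),
    ]
    for name, policy in [("read-only, one gateway", READ_ONLY_ONE_GATEWAY),
                         ("one gateway + console", ONE_GATEWAY_WITH_CONSOLE),
                         ("DeptX prefix", PREFIX_GATEWAYS)]:
        print(name)
        for (action, resource), decision in zip(requests, check_policy(policy, requests)):
            print(f"  {decision:13} {action} on {resource}")
```

Running the script shows the point of Example 3's second statement directly: with only the gateway-scoped statement, ListGateways (evaluated against resource "*") is implicitly denied, and it is allowed only once the separate statement with Resource "*" is present. Because "*" also matches the empty string, "gateway/DeptX*" covers both the gateway named DeptX itself and every gateway, volume and target whose name begins with DeptX, which is broader than a single-gateway scope; confirm that is what you intend before attaching the policy.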