AWS Import/Export
Developer Guide

Controlling Access to AWS Import/Export Jobs

AWS Import/Export integrates with AWS Identity and Access Management (IAM), which allows you to control which actions a user can perform.

By default, IAM users have no access to AWS Import/Export actions. If you want IAM users to be able to work with AWS Import/Export, you must grant them permissions. You do this by creating an IAM policy that defines which Import/Export actions the IAM user is allowed to perform. You then attach the policy to the IAM user or to an IAM group that the user is in.

You can give IAM users of your AWS account access to all AWS Import/Export actions or to a subset of them. For more information on the different AWS Import/Export actions, see Actions.

Example IAM User Policies for AWS Import/Export

This section shows three simple policies for controlling access to AWS Import/Export. AWS Import/Export does not support resource-level permissions, so in policies for Import/Export, the "Resource" element is always "*", which means all resources.

Allow read-only access to the jobs created under the AWS account

The following policy allows access only to the ListJobs and GetStatus actions, which are read-only actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "importexport:ListJobs",
        "importexport:GetStatus"
      ],
      "Resource": "*"
    }
  ]
}

Allow full access to all AWS Import/Export jobs created under the AWS account

The following policy allows access to all AWS Import/Export actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "importexport:*",
      "Resource": "*"
    }
  ]
}

Deny a set of actions from an IAM user

By default, all permissions are denied; if you do not explicitly grant access to Import/Export actions, users are not allowed to perform those actions. It's also possible to explicitly deny access to specific actions. This might be useful if one policy (or statement in a policy) grants access to a set of actions, but you want to exclude one or more individual actions.

The following policy contains two statements. The first statement allows access to all the AWS Import/Export actions. The second statement explicitly denies access to UpdateJob. If new actions are added to AWS Import/Export, this policy automatically grants permission for those new actions because of the first statement. However, the user will always be denied access to the UpdateJob action, even if that action is explicitly allowed in another policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "importexport:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "importexport:UpdateJob",
      "Resource": "*"
    }
  ]
}
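The evaluation order described above (default deny, then allow, with an explicit deny overriding any allow) can be checked offline with a small model. The following Python sketch is an added example, not part of the AWS guide or any AWS SDK; it is a simplified evaluator that handles only the "Effect" and "Action" elements (Resource is always "*" for Import/Export), and the policy constants, including the second ALLOW_UPDATE policy, are constructed samples modelled on the policies on this page.

```python
import fnmatch

# Constructed sample policies modelled on the examples on this page.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["importexport:ListJobs", "importexport:GetStatus"],
     "Resource": "*"}]}
ALLOW_ALL_DENY_UPDATE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "importexport:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "importexport:UpdateJob", "Resource": "*"}]}
# Hypothetical second policy on the same user that explicitly allows UpdateJob.
ALLOW_UPDATE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "importexport:UpdateJob", "Resource": "*"}]}


def _as_list(value):
    # "Action" and "Statement" may be a single item or a list of items.
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    # Action names are compared case-insensitively; "*" acts as a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement["Action"]))


def evaluate(policies, action):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one action."""
    decision = "ImplicitDeny"            # default: nothing is permitted
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"    # a matching Deny always wins
            decision = "Allow"
    return decision


if __name__ == "__main__":
    attached = [ALLOW_UPDATE, ALLOW_ALL_DENY_UPDATE]
    for name in ("ListJobs", "CreateJob", "UpdateJob"):
        action = "importexport:" + name
        print(name, evaluate([READ_ONLY], action), evaluate(attached, action))
```

Running the same check against the full set of policies attached to a user and the user's groups shows whether a broad importexport:* grant is still bounded by the deny statements you expect.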