
Identity and access management for Amazon AppFlow

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. Amazon AppFlow integrates with the IAM service so that you can control who in your organization has access to Amazon AppFlow.

As an AWS root user or an IAM user with administrator access, you can add one or more users to your AWS account. You can also grant different levels of access to new and existing users. You can grant access using predefined identity-based policies, or you can create your own custom policy.

Using predefined AWS managed policies

This topic explains the predefined access policies managed by AWS. These policies grant the required permissions for common use cases.

As an account administrator or root user, you can attach these policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Amazon AppFlow. Alternatively, you can create your own custom access policy for Amazon AppFlow.

To learn more about AWS managed policies, see AWS Managed Policies in the IAM User Guide.

For a full discussion of AWS accounts and IAM users, see What Is IAM? in the IAM User Guide.

Permission name Description

AmazonAppFlowFullAccess

  • Grants the highest level of access to all Amazon AppFlow resources.

  • Allows the user to view, create, update, run, and delete flows.

  • Allows the user to list, create, and delete connections.

  • Grants automatic read and write access to other AWS services that can be used in flow creation, such as Amazon Simple Storage Service (Amazon S3) and Amazon Redshift.

  • Provides access to AWS KMS to allow use of customer-managed CMKs for encryption.

  • Does not grant the ability to add other users.

Note

Users are automatically granted read and write permissions to Amazon S3 buckets with an “appflow-” prefix only. The user will not have access rights to any other Amazon S3 buckets without this prefix. For an example policy, see Example 1: Allow IAM users full access to Amazon AppFlow.

AmazonAppFlowReadOnlyAccess

  • Grants the user the ability to view flows and connections in an AWS account.

  • Does not allow the user to create or delete flows and connections.

  • Does not grant the user the ability to add other users or grant access to other AWS services.

Adding a new user

This topic explains the procedure for adding a new user to Amazon AppFlow, and granting a permission policy to the new user.

To add a new user

  1. Open the Amazon AppFlow console at https://console.aws.amazon.com/appflow/.

  2. From the navigation pane, choose Users and Create user. This takes you directly to the User page on the IAM console.

  3. Choose Add user.

  4. Enter a username for the new user.

  5. Choose AWS Management Console Access. This will allow the user to log in based on the password you assign.

  6. Choose an auto-generated or custom password.

    Tip

    We recommend that you select the option that requires the user to reset the password.

  7. Choose Next: Permissions.

  8. Under Set permissions, choose Attach existing policies directly.

  9. Search for one of the predefined Amazon AppFlow policies.

    • Alternatively, you can create your own policy.

    • You can also attach policies for other AWS services at this time, if needed. For example, enter S3 in the search box to see available policies for accessing Amazon S3.

  10. Choose Next: Tags. Adding tags is optional.

  11. Choose Next: Review and review your choices.

  12. Choose Create user to create the user and view their security credentials, which you can now download. This is the last time these credentials will be available to download. However, you can create new credentials at any time.

  13. Choose the Send email link to send login instructions to the new user.

    Tip

    We recommend that you send the password in a separate email.

Granting access for existing users

This topic explains the procedure for granting Amazon AppFlow access to an existing IAM user.

To grant access

  1. Open the Amazon AppFlow console at https://console.aws.amazon.com/appflow/.

  2. From the navigation pane, choose Users and Create user. This takes you directly to the User page on the IAM console.

  3. Choose the user who requires Amazon AppFlow permissions.

  4. Choose Add permissions.

  5. Under Set permissions, choose Attach existing policies directly.

  6. Search for one of the predefined Amazon AppFlow policies.

  7. Choose Next: Review to review the permissions you have added.

  8. Choose Add permissions.

Changing access levels

This topic explains the procedure for changing the Amazon AppFlow access level of an existing IAM user.

To change access levels for existing users

  1. Open the Amazon AppFlow console at https://console.aws.amazon.com/appflow/.

  2. From the navigation pane, choose Users and Create user. This takes you directly to the User page on the IAM console.

  3. Choose the user whose Amazon AppFlow access you wish to change.

  4. Choose X next to the existing policy that you want to detach.

  5. Choose Detach.

  6. Choose Add permissions to add a new policy.

  7. Under Set permissions, choose Attach existing policies directly.

  8. Search for one of the predefined Amazon AppFlow policies.

  9. Choose Next: Review to review the permissions you have added.

  10. Choose Add permissions.

Creating custom access policies

This topic explains the procedure for creating a custom IAM policy that you can assign to a user, group, or role.

In the Action element of your custom policy statement, you can specify the Amazon AppFlow actions that you want to permit. For a full list of actions defined by Amazon AppFlow, see Actions defined by Amazon AppFlow.

To learn more about the Amazon AppFlow-specific resources, actions, and condition context keys used in IAM permission policies, see Actions, Resources, and Condition Keys for Amazon AppFlow in the IAM User Guide.

To create a custom access policy

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Policies.

  3. Choose Create policy.

  4. In the visual editor, choose Amazon AppFlow as the service and follow the instructions to add specific permissions to the policy you create.

API actions for Amazon AppFlow

In an IAM policy statement, you can specify any API action from any service that supports IAM. Amazon AppFlow does not expose a public API, but it does support IAM, so IAM users cannot use Amazon AppFlow unless a policy grants them access to the Amazon AppFlow API actions.

For Amazon AppFlow, use the following prefix with the name of the API action: appflow:. For example, appflow:RunFlow.

To specify multiple actions in a single policy statement, separate them with commas.

"Action": ["appflow:RunFlow", "appflow:UpdateFlow"]

You can also specify multiple actions using wildcards. For example, you can specify all Amazon AppFlow API actions whose name begins with the word "Describe".

"Action": "appflow:Describe*"

To specify all Amazon AppFlow API actions, use the * wildcard.

"Action": "appflow:*"

List of actions defined by Amazon AppFlow

You can specify the following actions in the Action element of a custom IAM policy statement for Amazon AppFlow.

To learn more about the Amazon AppFlow-specific resources, actions, and condition context keys used in IAM permission policies, see Actions, Resources, and Condition Keys for Amazon AppFlow in the IAM User Guide.

Action                      Description

CreateConnectorProfile      Grants permission to create a login profile to be used with Amazon AppFlow flows

CreateFlow                  Grants permission to create an Amazon AppFlow flow

DeleteConnectorProfile      Grants permission to delete a login profile set up for use with Amazon AppFlow

DeleteFlow                  Grants permission to delete an Amazon AppFlow flow

DescribeConnectorFields     Grants permission to describe all fields supported by Amazon AppFlow

DescribeConnectorProfiles   Grants permission to describe all login profiles configured in Amazon AppFlow

DescribeConnectors          Grants permission to describe all connectors supported by Amazon AppFlow

DescribeFlowExecution       Grants permission to describe all flow runs for a flow configured in Amazon AppFlow

DescribeFlows               Grants permission to describe all flows configured in Amazon AppFlow

ListConnectorFields         Grants permission to list all fields supported by Amazon AppFlow

ListTagsForResource         Grants permission to list tags for a flow

RunFlow                     Grants permission to run a flow configured in Amazon AppFlow

TagResource                 Grants permission to tag a flow

UntagResource               Grants permission to untag a flow

UpdateFlow                  Grants permission to update an Amazon AppFlow flow

Amazon AppFlow policy examples

This topic contains example policies that you can attach to your IAM user or group to control access to Amazon AppFlow resources.

Example 1: Allow IAM users full access to Amazon AppFlow

This policy example provides full access to Amazon AppFlow, to all AWS services that are available as flow sources or destinations, and to AWS Key Management Service (AWS KMS).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "appflow:*",
      "Resource": "*"
    },
    {
      "Sid": "ListRolesForRedshift",
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "*"
    },
    {
      "Sid": "KMSListAccess",
      "Action": [
        "kms:ListKeys",
        "kms:DescribeKey",
        "kms:ListAliases"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "KMSGrantAccess",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "appflow.*.amazonaws.com"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "KMSListGrantAccess",
      "Effect": "Allow",
      "Action": [
        "kms:ListGrants"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "appflow.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "S3ReadAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3PutBucketPolicyAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::appflow-*"
    }
  ]
}

Example 2: Allow IAM users read-only access to Amazon AppFlow

This policy example provides read-only access to Amazon AppFlow.

For definitions of each action, see Actions defined by Amazon AppFlow.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appflow:DescribeConnectors",
        "appflow:DescribeConnectorProfiles",
        "appflow:DescribeFlows",
        "appflow:DescribeFlowExecution",
        "appflow:DescribeConnectorFields",
        "appflow:ListConnectorFields",
        "appflow:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

Other required permissions

Because Amazon AppFlow always encrypts data at rest and in transit, make sure that the user who creates and runs a flow has the following AWS KMS permissions.

Required AWS KMS permission   Description

kms:ListKeys                  Controls permission to view the key ID and Amazon Resource Name (ARN) of all customer master keys in the account.

kms:DescribeKey               Controls permission to view detailed information about a customer master key.

kms:ListAliases               Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with customer master keys.

kms:CreateGrant               Controls permission to add a grant to a customer master key. You can use grants to add permissions without changing the key policy or IAM policy.

kms:ListGrants                Controls permission to view all grants for a customer master key.
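The following Python program is an added example and is not part of the AWS documentation or of any AWS library. It is a deliberately simplified IAM policy evaluator that shows three things this page describes but does not demonstrate side by side: how the action wildcards from "API actions for Amazon AppFlow" (appflow:*, appflow:Describe*) match concrete actions, how Example 1 and Example 2 differ when real requests are evaluated against them (including the arn:aws:s3:::appflow-* resource restriction and the kms:ViaService and kms:GrantIsForAWSResource conditions), and a gap check against the required AWS KMS permissions listed just above. The two policies are transcribed from the page; the request context, the key ARN and the bucket names are constructed placeholders, and the evaluator ignores resource policies, SCPs, permissions boundaries and NotAction/NotResource, none of which the page covers.

```python
"""Simplified IAM policy evaluator (added example, not AWS code).

Kept from real IAM semantics: implicit deny by default, an explicit Deny
overrides any Allow, '*' and '?' wildcards in actions and resources,
case-insensitive action names, case-sensitive ARNs, and the condition
operators used by the policies on this page (StringLike, Bool).
Assumed simplification: identity-based policies only, no NotAction/NotResource.
"""
import fnmatch

# Example 1 from the page (full access), transcribed as a Python dict.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "appflow:*", "Resource": "*"},
    {"Sid": "ListRolesForRedshift", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"},
    {"Sid": "KMSListAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["kms:ListKeys", "kms:DescribeKey", "kms:ListAliases"]},
    {"Sid": "KMSGrantAccess", "Effect": "Allow", "Action": ["kms:CreateGrant"], "Resource": "*",
     "Condition": {"StringLike": {"kms:ViaService": "appflow.*.amazonaws.com"},
                   "Bool": {"kms:GrantIsForAWSResource": "true"}}},
    {"Sid": "KMSListGrantAccess", "Effect": "Allow", "Action": ["kms:ListGrants"], "Resource": "*",
     "Condition": {"StringLike": {"kms:ViaService": "appflow.*.amazonaws.com"}}},
    {"Sid": "S3ReadAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy"]},
    {"Sid": "S3PutBucketPolicyAccess", "Effect": "Allow",
     "Action": ["s3:PutBucketPolicy"], "Resource": "arn:aws:s3:::appflow-*"},
]}

# Example 2 from the page (read-only).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "appflow:DescribeConnectors", "appflow:DescribeConnectorProfiles",
        "appflow:DescribeFlows", "appflow:DescribeFlowExecution",
        "appflow:DescribeConnectorFields", "appflow:ListConnectorFields",
        "appflow:ListTagsForResource"]}]}

# AWS KMS actions the page lists under "Other required permissions".
REQUIRED_KMS_ACTIONS = ["kms:ListKeys", "kms:DescribeKey", "kms:ListAliases",
                        "kms:CreateGrant", "kms:ListGrants"]

# Constructed request context standing in for a KMS call made through AppFlow;
# the region, account id and key id below are placeholders, not real values.
APPFLOW_KMS_CONTEXT = {"kms:ViaService": "appflow.us-east-1.amazonaws.com",
                       "kms:GrantIsForAWSResource": "true"}
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case):
    # fnmatchcase gives '*' and '?' semantics without OS-specific case rules.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Every operator/key pair must match; a key missing from the request
    does not match (so a grant without kms:GrantIsForAWSResource is refused)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = [str(e) for e in _as_list(expected)]
            if operator == "StringLike":
                ok = any(_glob(e, actual, False) for e in expected)
            elif operator == "Bool":
                ok = str(actual).lower() in [e.lower() for e in expected]
            else:
                raise ValueError("unsupported condition operator: " + operator)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """Decide one request: implicit deny unless some Allow statement matches,
    and any matching Deny statement overrides every Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_required_actions(policy, required=REQUIRED_KMS_ACTIONS,
                             resource=KEY_ARN, context=APPFLOW_KMS_CONTEXT):
    """Gap check: required actions that would still be denied for a call
    made through AppFlow against the given key."""
    return [a for a in required if not is_allowed(policy, a, resource, context)]


if __name__ == "__main__":
    print("RunFlow under full access:", is_allowed(FULL_ACCESS, "appflow:RunFlow"))
    print("RunFlow under read-only:", is_allowed(READ_ONLY, "appflow:RunFlow"))
    print("PutBucketPolicy on appflow-exports:",
          is_allowed(FULL_ACCESS, "s3:PutBucketPolicy", "arn:aws:s3:::appflow-exports"))
    print("KMS gaps in the read-only policy:", missing_required_actions(READ_ONLY))
```

Running the program shows the boundary the page's note describes: s3:PutBucketPolicy succeeds on a bucket named appflow-exports and is implicitly denied on any bucket without that prefix, and kms:CreateGrant is only allowed when the call arrives via an appflow.*.amazonaws.com endpoint with kms:GrantIsForAWSResource set. The gap check reports all five required KMS actions as missing from Example 2, which is why a read-only user cannot create or run flows that use a customer-managed key.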

For more information about AWS Key Management Service, see What is AWS KMS in the AWS Key Management Service Developer Guide.

For the complete list of AWS services that are integrated with AWS KMS, see AWS Service Integration.