DataSync API Permissions: Actions, Resources - AWS DataSync


When you are setting up permissions and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following list as a reference. It gives each AWS DataSync API operation, the corresponding action for which you can grant permissions, and the AWS resource for which you can grant those permissions. You specify the action in the policy's Action field and the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your DataSync policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the datasync: prefix followed by the API operation name (for example, datasync:CreateTask).

For a list of DataSync resources with the ARN format, see DataSync Resources and Operations.

DataSync API Operations and Required Permissions for Actions

CancelTaskExecution

Action(s): datasync:CancelTaskExecution

Resource: arn:aws:datasync:region:account-id:task/task-id/execution/exec-id

CreateAgent

Action(s): datasync:CreateAgent

Resource: None

CreateLocationEfs

Action(s): datasync:CreateLocationEfs

Resource: arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id and arn:aws:ec2:region:account-id:subnet/subnet-id and arn:aws:ec2:region:account-id:security-group/security-group-id

CreateLocationFSxWindows

Action(s): datasync:CreateLocationFSxWindows

Resource: arn:aws:fsx:region:account-id:file-system/file-system-id and arn:aws:ec2:region:account-id:subnet/subnet-id and arn:aws:ec2:region:account-id:security-group/security-group-id

CreateLocationNfs

Action(s): datasync:CreateLocationNfs

Resource: arn:aws:datasync:region:account-id:agent/agent-id

CreateLocationS3

Action(s): datasync:CreateLocationS3

Resource: arn:aws:s3:::bucket-name and arn:aws:iam::account-id:role/role-name

CreateLocationSmb

Action(s): datasync:CreateLocationSmb

Resource: arn:aws:datasync:region:account-id:agent/agent-id

CreateTask

Action(s): datasync:CreateTask

Resource: arn:aws:datasync:region:account-id:location/location-id

DeleteAgent

Action(s): datasync:DeleteAgent

Resource: arn:aws:datasync:region:account-id:agent/agent-id

DeleteLocation

Action(s): datasync:DeleteLocation

Resource: arn:aws:datasync:region:account-id:location/location-id

DeleteTask

Action(s): datasync:DeleteTask

Resource: arn:aws:datasync:region:account-id:task/task-id

DescribeAgent

Action(s): datasync:DescribeAgent

Resource: arn:aws:datasync:region:account-id:agent/agent-id

DescribeLocationEfs

Action(s): datasync:DescribeLocationEfs

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationNfs

Action(s): datasync:DescribeLocationNfs

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationS3

Action(s): datasync:DescribeLocationS3

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationSmb

Action(s): datasync:DescribeLocationSmb

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeTask

Action(s): datasync:DescribeTask

Resource: arn:aws:datasync:region:account-id:task/task-id

DescribeTaskExecution

Action(s): datasync:DescribeTaskExecution

Resource: arn:aws:datasync:region:account-id:task/task-id/execution/exec-id

ListAgents

Action(s): datasync:ListAgents

Resource: None

ListLocations

Action(s): datasync:ListLocations

Resource: None

ListTagsForResource

Action(s): datasync:ListTagsForResource

Resource: arn:aws:datasync:region:account-id:task/task-id or arn:aws:datasync:region:account-id:task/task-id/execution/exec-id or arn:aws:datasync:region:account-id:agent/agent-id or arn:aws:datasync:region:account-id:location/location-id

ListTaskExecutions

Action(s): datasync:ListTaskExecutions

Resource: None

ListTasks

Action(s): datasync:ListTasks

Resource: None

StartTaskExecution

Action(s): datasync:StartTaskExecution

Resource: arn:aws:datasync:region:account-id:task/task-id

TagResource

Action(s): datasync:TagResource

Resource: arn:aws:datasync:region:account-id:task/task-id or arn:aws:datasync:region:account-id:task/task-id/execution/exec-id or arn:aws:datasync:region:account-id:agent/agent-id or arn:aws:datasync:region:account-id:location/location-id

UntagResource

Action(s): datasync:UntagResource

Resource: arn:aws:datasync:region:account-id:task/task-id or arn:aws:datasync:region:account-id:task/task-id/execution/exec-id or arn:aws:datasync:region:account-id:agent/agent-id or arn:aws:datasync:region:account-id:location/location-id

UpdateAgent

Action(s): datasync:UpdateAgent

Resource: arn:aws:datasync:region:account-id:agent/agent-id

UpdateTask

Action(s): datasync:UpdateTask

Resource: arn:aws:datasync:region:account-id:task/task-id
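
The following Python check is an added example, not part of the AWS documentation: it lints an identity-based policy against a subset of the list above and reports DataSync actions whose Resource value does not fit the ARN type listed for them. The names TABLE, SHAPES, check and lint, the sample policy and its region, account ID and task ID are constructed for illustration, and rejecting wildcards inside ARNs is a choice of this example.

```python
import re

# Subset of the list above: action -> DataSync resource types it accepts.
# () means the list gives "Resource: None"; IAM then requires Resource "*".
TABLE = {
    "datasync:ListTasks": (), "datasync:ListAgents": (),
    "datasync:StartTaskExecution": ("task",), "datasync:DeleteAgent": ("agent",),
    "datasync:CancelTaskExecution": ("execution",),
    "datasync:TagResource": ("task", "execution", "agent", "location"),
}

# ARN shapes from the list. Strict by choice of this example: no wildcards.
PREFIX = r"arn:aws:datasync:[a-z0-9-]+:\d{12}:"
TAILS = {"task": r"task/[\w-]+", "execution": r"task/[\w-]+/execution/[\w-]+",
         "agent": r"agent/[\w-]+", "location": r"location/[\w-]+"}
SHAPES = {kind: re.compile(PREFIX + tail) for kind, tail in TAILS.items()}

# Constructed sample policy; region, account ID and task ID are placeholders.
ARN_TASK = "arn:aws:datasync:us-east-1:111122223333:task/task-0123456789abcdef0"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["datasync:ListTasks", "datasync:ListAgents"], "Resource": "*"},
    {"Effect": "Allow", "Action": "datasync:StartTaskExecution", "Resource": ARN_TASK},
    {"Effect": "Allow", "Action": "datasync:DeleteAgent", "Resource": "*"},  # too broad
    {"Effect": "Allow", "Action": "datasync:CancelTaskExecution", "Resource": ARN_TASK},  # wrong type
]}

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def check(action, res):
    """Return a reason string if res does not fit the list entry for action."""
    kinds = TABLE.get(action)
    if kinds is None:
        return "action not in the list subset (or a wildcard action)"
    if not kinds:
        return None if res == "*" else "no resource-level scope; use '*'"
    if any(SHAPES[k].fullmatch(res) for k in kinds):
        return None
    return "expected ARN of type " + "/".join(kinds)

def lint(policy):
    """Findings (action, resource, reason) for every Allow statement."""
    stmts = policy["Statement"]
    allows = [s for s in ([stmts] if isinstance(stmts, dict) else stmts)
              if s.get("Effect") == "Allow"]
    return [(a, r, why) for s in allows for a in as_list(s.get("Action", []))
            for r in as_list(s.get("Resource", [])) if (why := check(a, r))]

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

Because list-type actions need "*" while the others take a specific ARN, a statement that mixes both kinds under one Resource value is always reported; splitting them into separate statements clears the finding.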
