Using Identity-Based Policies (IAM Policies) for DataSync
Account administrator can attach identity-based policies to IAM identities, users, groups, roles, services, and resources.
This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your DataSync resources. For more information, see Overview of Managing Access Permissions for DataSync.
The sections in this topic cover the following:
The following shows an example of a permissions policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowsSpecifiedActionsOnAllTasks", "Effect": "Allow", "Action": [ "datasync:DescribeTask", "datasync:ListTasks" ], "Resource": "arn:aws:datasync:us-east-2:111222333444:task/*" }, }
The policy has one statement (note the Action and Resource
elements in the statements):
-
The statement grants permissions for two DataSync actions (
datasync:DescribeTaskanddatasync:ListTasks) on a task resource using the Amazon Resource Name (ARN) for the task. The ARN specifies a wildcard character (*) because user is allowed to perform the two actions on tasks. To limit permissions for the actions to a specific task, create a separate statement for that action in the policy and specify the task ID instead of the wildcard in that statement.
AWS Managed Policies for DataSync
AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information about AWS managed policies, see AWS Managed Policies in the IAM User Guide.
The managed policies that are created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users, groups, and roles, based on the access that they need to DataSync:
The following AWS managed policies, which you can attach to users in your account, are specific to DataSync:
-
AWSDataSyncReadOnlyAccess
– Provides read-only access to AWS DataSync. -
AWSDataSyncFullAccess
– Provides full access to AWS DataSync and minimal access to its dependencies.
You can review these permissions policies by signing in to the IAM console and searching for specific policies there.
You can also create your own custom IAM policies to allow permissions for AWS DataSync API actions. You can attach these custom policies to the IAM users or groups that require those permissions. For more information about AWS managed policies, see AWS Managed Policies in the IAM User Guide.
Permissions Required to Use the DataSync Console
To use the DataSync console, you requires AWSDataSyncFullAccess permissions.
The following is an example policy that grants these permissions. This is an AWS managed policy that provides read-only access to DataSync.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "datasync:*", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:ModifyNetworkInterfaceAttribute", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "iam:GetRole", "iam:ListRoles", "logs:CreateLogGroup", "logs:DescribeLogGroups", "s3:ListAllMyBuckets", "s3:ListBucket" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "datasync.amazonaws.com" ] } } } ] }
Customer Managed Policy Examples
In this section, you can find example user policies that grant permissions for various DataSync actions. These policies work when you are using AWS SDKs and the AWS CLI. When you are using the console, you need to grant additional permissions specific to the console, which is discussed in Permissions Required to Use the DataSync Console.
All examples use the US West (Oregon) Region (us-west-2) and contain
fictitious account IDs and resource IDs.
Topics
Example 1: Create a Trust Relationship That Allows DataSync to Access Your Amazon S3 Bucket
The following is an example of a trust policy that allows DataSync to assume an IAM role. This role allows DataSync to access an S3 bucket.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "datasync.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
Example 2: Allow DataSync to Read and Write to Your Amazon S3 Bucket
You provide the required policy that grants DataSync the minimal permissions to read and write data to your S3 bucket.
For an example of such a policy, see the following.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:HeadBucket" ], "Effect": "Allow", "Resource": "YourS3BucketArn" }, { "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject", "s3:ListMultipartUploadParts", "s3-outposts:PutObjectTagging", "s3-outposts:GetObjectTagging", "s3:PutObject" ], "Effect": "Allow", "Resource": "YourS3BucketArn/*" } ] }
Example 3: Allow DataSync to Upload Logs to Amazon CloudWatch Log Groups
Data Sync requires permissions to be able to upload logs to your CloudWatch Log Groups. You can use CloudWatch Log Groups to monitor and debug your tasks.
For an example a IAM policy that grants such permissions, see Allowing DataSync to Upload Logs to Amazon CloudWatch Log Groups.
