Managing access to Amazon FSx resources - FSx for Lustre

A permissions policy describes who has access to what. The following section explains the available options for creating permissions policies.

Note

This section discusses using IAM in the context of Amazon FSx for Lustre. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide.

Policies attached to an IAM identity are referred to as identity-based policies (IAM policies) and policies attached to a resource are referred to as resource-based policies. Amazon FSx for Lustre supports only identity-based policies (IAM policies).

Amazon FSx for Lustre API permissions: actions, resources, and conditions reference

When you are setting up access control and writing a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following table as a reference. The table lists each Amazon FSx for Lustre API operation, the actions for which you must grant permission so that the operation can be performed, and the AWS resource for which you can grant those permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your Amazon FSx for Lustre policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

To specify an action, use the fsx: prefix followed by the API operation name (for example, fsx:CreateFileSystem). Each action applies to either a single Amazon FSx for Lustre file system, to all Amazon FSx for Lustre file systems owned by an AWS account, to a single backup, or to all backups owned by an AWS account.

This section only includes the Amazon FSx permissions required for these actions. Some of these actions also require additional permissions from other AWS services.

Amazon FSx for Lustre API and required permissions for actions

Each entry below names an Amazon FSx for Lustre API operation, followed by the required permissions (API actions) and the resource ARN that each permission applies to.

CancelDataRepositoryTask
  fsx:CancelDataRepositoryTask
    Resource: arn:aws:fsx:region:account-id:file-system/file-system-id

CopyBackup
  fsx:CopyBackup
    Resource: arn:aws:fsx:region:account-id:backup/source-backup-id (the source backup)
  fsx:CopyBackup
    Resource: arn:aws:fsx:region:account-id:backup/* (the destination region)
  fsx:TagResource
    Resource: arn:aws:fsx:region:account-id:backup/* (required to copy or create tags on the backup copy)

CreateBackup
  fsx:CreateBackup
    Resource: arn:aws:fsx:region:account-id:backup/*
  fsx:CreateBackup
    Resource: arn:aws:fsx:region:account-id:file-system/file-system-id
  fsx:TagResource
    Resource: arn:aws:fsx:region:account-id:backup/* (required to create tags on the new backup)

CreateDataRepositoryTask
  fsx:CreateDataRepositoryTask
    Resource: arn:aws:fsx:region:account-id:file-system/file-system-id
  fsx:CreateDataRepositoryTask
    Resource: arn:aws:fsx:region:account-id:task/*
  fsx:TagResource
    Resource: arn:aws:fsx:region:account-id:task/* (required to create tags on the task)

CreateFileSystem
  fsx:CreateFileSystem
    Resource: arn:aws:fsx:region:account-id:file-system/*
  fsx:TagResource
    Resource: arn:aws:fsx:region:account-id:file-system/* (required to create tags on the file system)

CreateFileSystemFromBackup
  fsx:CreateFileSystemFromBackup
    Resource: arn:aws:fsx:region:account-id:file-system/*
  fsx:CreateFileSystemFromBackup
    Resource: arn:aws:fsx:region:account-id:backup/*
  fsx:TagResource
    Resource: arn:aws:fsx:region:account-id:file-system/* (required to create tags on the file system)

DeleteBackup
  fsx:DeleteBackup
    Resource: arn:aws:fsx:region:account-id:backup/backup-id

DeleteFileSystem
  fsx:DeleteFileSystem
    Resource: arn:aws:fsx:region:account-id:file-system/file-system-id
  fsx:TagResource
    Resource: arn:aws:fsx:region:account-id:backup/* (required to create tags on a final backup, if one is created)
  fsx:CreateBackup
    Resource: arn:aws:fsx:region:account-id:backup/* (for Lustre file systems, required to create a final backup)

DescribeBackups
  fsx:DescribeBackups
    Resource: arn:aws:fsx:region:account-id:backup/*

DescribeDataRepositoryTasks
  fsx:DescribeDataRepositoryTasks
    Resource: arn:aws:fsx:region:account-id:task/*

DescribeFileSystems
  fsx:DescribeFileSystems
    Resource: arn:aws:fsx:region:account-id:file-system/*

ListTagsForResource
  fsx:ListTagsForResource
    Resource: arn:aws:fsx:region:account-id:backup/backup-id
    Resource: arn:aws:fsx:region:account-id:file-system/file-system-id
    Resource: arn:aws:fsx:region:account-id:task/task-id

TagResource
  fsx:TagResource
    Resource: arn:aws:fsx:region:account-id:backup/backup-id
    Resource: arn:aws:fsx:region:account-id:file-system/file-system-id
    Resource: arn:aws:fsx:region:account-id:task/task-id

UntagResource
  fsx:UntagResource
    Resource: arn:aws:fsx:region:account-id:backup/backup-id
    Resource: arn:aws:fsx:region:account-id:file-system/file-system-id
    Resource: arn:aws:fsx:region:account-id:task/task-id

UpdateFileSystem
  fsx:UpdateFileSystem
    Resource: arn:aws:fsx:region:account-id:file-system/file-system-id
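The following Python script is an added example that is not part of this documentation and not AWS code. It transcribes a subset of the table above (the remaining operations follow the same pattern) into a data structure, builds a least-privilege identity-based policy for a chosen set of operations, and checks an existing policy for the action/resource pairs an operation still lacks, which is how practitioners usually discover that fsx:TagResource on backup/* is missing. The region, account ID and file system ID are constructed placeholder values, and the coverage check is a simplified glob comparison of Allow statements, not a full IAM policy evaluation (Deny statements, conditions and permissions boundaries are ignored).

```python
import fnmatch
import json

# Required (action, resource ARN pattern) pairs per API operation, transcribed
# from the table on this page. Placeholders in braces are filled at build time.
# Only a subset of the table is included here; other rows are transcribed alike.
REQUIRED_PERMISSIONS = {
    "CancelDataRepositoryTask": [
        ("fsx:CancelDataRepositoryTask", "arn:aws:fsx:{region}:{account}:file-system/{fs_id}"),
    ],
    "CreateBackup": [
        ("fsx:CreateBackup", "arn:aws:fsx:{region}:{account}:backup/*"),
        ("fsx:CreateBackup", "arn:aws:fsx:{region}:{account}:file-system/{fs_id}"),
        ("fsx:TagResource", "arn:aws:fsx:{region}:{account}:backup/*"),  # tags on the new backup
    ],
    "CreateDataRepositoryTask": [
        ("fsx:CreateDataRepositoryTask", "arn:aws:fsx:{region}:{account}:file-system/{fs_id}"),
        ("fsx:CreateDataRepositoryTask", "arn:aws:fsx:{region}:{account}:task/*"),
        ("fsx:TagResource", "arn:aws:fsx:{region}:{account}:task/*"),  # tags on the task
    ],
    "DeleteFileSystem": [
        ("fsx:DeleteFileSystem", "arn:aws:fsx:{region}:{account}:file-system/{fs_id}"),
        ("fsx:TagResource", "arn:aws:fsx:{region}:{account}:backup/*"),   # tags on a final backup
        ("fsx:CreateBackup", "arn:aws:fsx:{region}:{account}:backup/*"),  # the final backup itself
    ],
    "DescribeFileSystems": [
        ("fsx:DescribeFileSystems", "arn:aws:fsx:{region}:{account}:file-system/*"),
    ],
    "UpdateFileSystem": [
        ("fsx:UpdateFileSystem", "arn:aws:fsx:{region}:{account}:file-system/{fs_id}"),
    ],
}


def _required_pairs(operation, region, account, fs_id):
    """Resolve the table rows for one operation into concrete (action, ARN) pairs."""
    try:
        pairs = REQUIRED_PERMISSIONS[operation]
    except KeyError:
        raise ValueError(f"operation not in the transcribed table: {operation}")
    return [(action, pattern.format(region=region, account=account, fs_id=fs_id))
            for action, pattern in pairs]


def build_policy(operations, region, account, fs_id="*"):
    """Build an identity-based policy granting exactly the pairs the table lists.

    Actions are grouped by resource ARN so each statement stays scoped to one
    resource; passing a concrete fs_id keeps file-system permissions narrow."""
    grants = {}  # resource ARN -> set of actions
    for op in operations:
        for action, arn in _required_pairs(op, region, account, fs_id):
            grants.setdefault(arn, set()).add(action)
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": arn}
                  for arn, actions in sorted(grants.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def missing_permissions(policy, operation, region, account, fs_id="*"):
    """Return the (action, ARN) pairs the operation needs but no Allow statement covers.

    Simplified check: glob-matches each required pair against Allow statements
    (IAM action names are case-insensitive, so actions are compared lower-cased).
    Deny statements, conditions and permissions boundaries are not evaluated."""
    allowed = [(a.lower(), r)
               for stmt in policy.get("Statement", [])
               if stmt.get("Effect") == "Allow"
               for a in _as_list(stmt.get("Action", []))
               for r in _as_list(stmt.get("Resource", []))]
    missing = []
    for action, arn in _required_pairs(operation, region, account, fs_id):
        covered = any(fnmatch.fnmatchcase(action.lower(), a) and fnmatch.fnmatchcase(arn, r)
                      for a, r in allowed)
        if not covered:
            missing.append((action, arn))
    return missing


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real resources.
    region, account, fs_id = "us-east-1", "111122223333", "fs-0123456789abcdef0"
    policy = build_policy(["CreateBackup", "DescribeFileSystems"], region, account, fs_id)
    print(json.dumps(policy, indent=2))
    # A policy that grants only fsx:CreateBackup cannot tag the backup it creates.
    narrow = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "fsx:CreateBackup", "Resource": "*"}]}
    print("missing for CreateBackup:", missing_permissions(narrow, "CreateBackup", region, account, fs_id))
```

Running the script prints a two-statement policy (one for backup/*, one for the named file system) and then reports that the narrow policy still lacks fsx:TagResource on backup/*, the pair the table marks as required to create tags on the new backup.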