Amazon FSx for Windows File Server
Windows User Guide

Resource Administration Access Control with IAM for Amazon FSx

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to AWS Identity and Access Management (IAM) identities (that is, users, groups, and roles). Some services (such as AWS Lambda) also support attaching permissions policies to resources.

Note

An account administrator (or administrator user) is a user with administrator privileges. For more information, see IAM Best Practices in the IAM User Guide.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.

Amazon FSx for Windows File Server Resources and Operations

In Amazon FSx for Windows File Server, the primary resources are a file system and a backup. Amazon FSx for Windows File Server also supports two additional resource types, file shares and tags. However, for Amazon FSx, you can create file shares and tags only in the context of an existing file system. File shares and tags are therefore referred to as subresources.

These resources and subresources have unique Amazon Resource Names (ARNs) associated with them as shown in the following table.

Resource Type    ARN Format
File system      arn:aws:fsx:region:account-id:file-system/filesystem-id
Backup           arn:aws:fsx:region:account-id:backup/backup-id

Amazon FSx provides a set of operations to work with Amazon FSx resources. For a list of available operations, see the Amazon FSx API Reference.

Understanding Resource Ownership

The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the principal entity (that is, the root account, an IAM user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:

  • If you use the root account credentials of your AWS account to create a file system, your AWS account is the owner of the resource (in Amazon FSx, the resource is the file system).

  • If you create an IAM user in your AWS account and grant permissions to create a file system to that user, the user can create a file system. However, your AWS account, to which the user belongs, owns the file system resource.

  • If you create an IAM role in your AWS account with permissions to create a file system, anyone who can assume the role can create a file system. Your AWS account, to which the role belongs, owns the file system resource.

Managing Access to Resources

A permissions policy describes who has access to what. The following section explains the available options for creating permissions policies.

Note

This section discusses using IAM in the context of Amazon FSx for Windows File Server. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide.

Policies attached to an IAM identity are referred to as identity-based policies (IAM policies) and policies attached to a resource are referred to as resource-based policies. Amazon FSx for Windows File Server supports only identity-based policies (IAM policies).
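The following added example (not part of the AWS guide) builds and parses file system and backup ARNs in the format shown in the table above, and evaluates a constructed identity-based policy against them using the IAM rule that an explicit Deny overrides any Allow. The policy, account ID and resource IDs are constructed placeholders, and the evaluator deliberately ignores conditions and wildcard edge cases that the real IAM engine handles.

```python
import fnmatch
import re

# ARN formats from the resource table: only file systems and backups get their own ARN.
FSX_ARN_RE = re.compile(
    r"^arn:aws:fsx:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<type>file-system|backup)/(?P<id>[a-z0-9-]+)$"
)


def fsx_arn(resource_type, region, account_id, resource_id):
    """Build the ARN of an FSx file system or backup (file shares and tags have none)."""
    if resource_type not in ("file-system", "backup"):
        raise ValueError("only file-system and backup are primary FSx resources")
    return f"arn:aws:fsx:{region}:{account_id}:{resource_type}/{resource_id}"


def parse_fsx_arn(arn):
    """Split a file system or backup ARN into region, account, type and id."""
    match = FSX_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not an FSx file system or backup ARN: {arn}")
    return match.groupdict()


def is_allowed(policy, action, resource_arn):
    """Simplified identity-based policy check: default deny, any matching Allow
    grants, and a matching explicit Deny wins over every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # IAM wildcards (* and ?) behave like shell globs for this purpose.
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample policy: read anything, delete one specific file system, never delete backups.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "fsx:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "fsx:DeleteFileSystem",
         "Resource": "arn:aws:fsx:us-east-1:123456789012:file-system/fs-0123456789abcdef0"},
        {"Effect": "Deny", "Action": "fsx:Delete*",
         "Resource": "arn:aws:fsx:*:123456789012:backup/*"},
    ],
}
```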
