Resource Administration Access Control with IAM for Amazon FSx - Amazon FSx for Windows File Server

Resource Administration Access Control with IAM for Amazon FSx

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to AWS Identity and Access Management (IAM) identities (that is, users, groups, and roles). Some services (such as AWS Lambda) also support attaching permissions policies to resources.

Note

An account administrator (or administrator user) is a user with administrator privileges. For more information, see IAM Best Practices in the IAM User Guide.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.

Amazon FSx for Windows File Server Resources and Operations

In Amazon FSx for Windows File Server, the primary resources are a file system and a backup. Amazon FSx for Windows File Server also supports two additional resource types, file shares and tags. However, in Amazon FSx you can create file shares and tags only in the context of an existing file system, so file shares and tags are referred to as subresources.

The primary resources have unique Amazon Resource Names (ARNs) associated with them, in the formats shown in the following table. These ARNs are what you put in the Resource element of an IAM policy when you want to scope an action to a particular file system or backup rather than to every Amazon FSx resource in the account.

Resource Type    ARN Format
File system      arn:aws:fsx:region:account-id:file-system/filesystem-id
Backup           arn:aws:fsx:region:account-id:backup/backup-id

Amazon FSx provides a set of operations to work with Amazon FSx resources. For a list of available operations, see the Amazon FSx API Reference.
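The following is an added example, not code from the AWS documentation, showing how the ARN formats above are used in practice: it builds file-system and backup ARNs in the documented format, parses them back, and checks which resources an identity-based policy statement's Resource element would cover, using the '*' and '?' wildcards that IAM accepts in that element. The partition, region, account ID, resource IDs and the sample policy (fsx:CreateBackup scoped to one file system, fsx:DeleteBackup scoped to backups in one account and region) are constructed placeholders. The matcher models only the Action and Resource elements of Allow statements; Deny statements, Condition blocks and the rest of IAM's evaluation logic are deliberately out of scope.

```python
# Added example, not from the AWS documentation: build Amazon FSx ARNs in the
# documented format and check which resources an IAM statement's Resource
# element covers. Account ID, region and resource IDs are constructed placeholders.
import json
import re

# The two documented FSx ARN formats: file-system/<id> and backup/<id>.
FSX_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):fsx:(?P<region>[^:]*):(?P<account>\d{12}):"
    r"(?P<type>file-system|backup)/(?P<id>[^/]+)$"
)


def fsx_arn(resource_type, resource_id, region="us-east-1",
            account_id="111122223333", partition="aws"):
    """Return arn:aws:fsx:region:account-id:<type>/<id> for a file system or backup."""
    if resource_type not in ("file-system", "backup"):
        raise ValueError(f"unsupported FSx resource type: {resource_type}")
    return f"arn:{partition}:fsx:{region}:{account_id}:{resource_type}/{resource_id}"


def parse_fsx_arn(arn):
    """Split an FSx file-system or backup ARN into its parts; ValueError otherwise."""
    m = FSX_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an FSx file-system or backup ARN: {arn}")
    return m.groupdict()


def _iam_glob_to_regex(pattern):
    # IAM Action/Resource patterns use '*' (any run of characters) and '?'
    # (exactly one character). Everything else is literal, so escape it first
    # and then substitute the two wildcards.
    escaped = re.escape(pattern)
    return re.compile("^" + escaped.replace(r"\*", ".*").replace(r"\?", ".") + "$")


def resource_matches(pattern, arn):
    """True if an IAM Resource pattern covers the given ARN (case-sensitive)."""
    return _iam_glob_to_regex(pattern).match(arn) is not None


def statement_allows(statement, action, arn):
    """Check one Allow statement's Action and Resource elements against one
    action and one ARN. Deny statements and Condition blocks are not modelled;
    this mirrors only the ARN scoping described in the table above."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    resources = statement["Resource"]
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return (any(_iam_glob_to_regex(a).match(action) for a in actions)
            and any(resource_matches(r, arn) for r in resources))


def policy_allows(policy, action, arn):
    """True if any statement in the policy allows the action on the ARN."""
    return any(statement_allows(s, action, arn) for s in policy["Statement"])


# Constructed identity-based policy: backups may be created only from one file
# system, and deleted only if they belong to this account and region.
FS_ID = "fs-0123456789abcdef0"
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "fsx:CreateBackup",
         "Resource": fsx_arn("file-system", FS_ID)},
        {"Effect": "Allow", "Action": "fsx:DeleteBackup",
         "Resource": fsx_arn("backup", "*")},
    ],
}

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=2))
    other_fs = fsx_arn("file-system", "fs-0fedcba9876543210")
    print(policy_allows(EXAMPLE_POLICY, "fsx:CreateBackup", fsx_arn("file-system", FS_ID)))  # True
    print(policy_allows(EXAMPLE_POLICY, "fsx:CreateBackup", other_fs))  # False
```

The point the check makes visible is that a Resource element of arn:aws:fsx:us-east-1:111122223333:backup/* covers every backup in that one account and region but no file system, and that a file-system ARN with a concrete ID covers exactly one file system; before relying on a policy like this, confirm in the Amazon FSx API Reference which actions support resource-level permissions, because an action that does not cannot be narrowed this way.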

Understanding Resource Ownership

The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the principal entity (that is, the root account, an IAM user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:

  • If you use the root account credentials of your AWS account to create a file system, your AWS account is the owner of the resource (in Amazon FSx, the resource is the file system).

  • If you create an IAM user in your AWS account and grant permissions to create a file system to that user, the user can create a file system. However, your AWS account, to which the user belongs, owns the file system resource.

  • If you create an IAM role in your AWS account with permissions to create a file system, anyone who can assume the role can create a file system. Your AWS account, to which the role belongs, owns the file system resource.