Source: https://docs.aws.amazon.com/datasync/latest/userguide/using-identity-based-policies.html

IAM customer managed policies for AWS DataSync

In addition to AWS managed policies, you also can create your own identity-based policies for AWS DataSync and attach them to the AWS Identity and Access Management (IAM) identities that require those permissions. These are known as customer managed policies, which are standalone policies that you administer in your own AWS account.

Important

Before you begin, we recommend that you learn about the basic concepts and options for managing access to your DataSync resources. For more information, see Access management for AWS DataSync.

When creating a customer managed policy, you include statements about DataSync operations that can be used on certain AWS resources. The following example policy has two statements (note the Action and Resource elements in each statement):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsSpecifiedActionsOnAllTasks",
            "Effect": "Allow",
            "Action": [
                "datasync:DescribeTask"
            ],
            "Resource": "arn:aws:datasync:us-east-2:111222333444:task/*"
        },
        {
            "Sid": "ListAllTasks",
            "Effect": "Allow",
            "Action": [
                "datasync:ListTasks"
            ],
            "Resource": "*"
        }
    ]
}

The policy's statements do the following:

Examples of customer managed policies

The following example customer managed policies grant permissions for various DataSync operations. The policies work if you're using the AWS Command Line Interface (AWS CLI) or an AWS SDK. To use these policies in the console, you must also use the managed policy AWSDataSyncFullAccess.

Example 1: Create a trust relationship that allows DataSync to access your Amazon S3 bucket

The following is an example of a trust policy that allows DataSync to assume an IAM role. This role allows DataSync to access an Amazon S3 bucket. To prevent the cross-service confused deputy problem, we recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in the policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "datasync.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                "aws:SourceAccount": "111111111111"
                },
                "ArnLike": {
                "aws:SourceArn": "arn:aws:datasync:us-east-1:111111111111:*"
                }
            }
        }
    ]
}

Example 2: Allow DataSync to read and write to your Amazon S3 bucket

The following example policy grants DataSync the minimum permissions to read and write data to an S3 bucket that's used as a destination location.

Note

The value for aws:ResourceAccount should be the account ID that owns the Amazon S3 bucket specified in the policy.

{
 "Version": "2012-10-17",
 "Statement": [
     {
         "Action": [
             "s3:GetBucketLocation",
             "s3:ListBucket",
             "s3:ListBucketMultipartUploads"
         ],
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
         "Condition": {
             "StringEquals": {
                 "aws:ResourceAccount": "123456789012"
             }
         }
     },
     {
         "Action": [
             "s3:AbortMultipartUpload",
             "s3:DeleteObject",
             "s3:GetObject",
             "s3:GetObjectTagging",
             "s3:GetObjectVersion",
             "s3:GetObjectVersionTagging",
             "s3:ListMultipartUploadParts",
             "s3:PutObject",
             "s3:PutObjectTagging"
           ],
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
         "Condition": {
             "StringEquals": {
                 "aws:ResourceAccount": "123456789012"
             }
         }
     }
 ]
}
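To see how the three policies above actually behave (the task policy at the top of the page, the Example 1 trust policy, and the Example 2 bucket policy), here is a small policy evaluator added to this page. It is illustration code, not AWS's evaluator and not part of the DataSync documentation: it implements only the features these policies use (Action and Resource wildcards, a Service principal, the StringEquals and ArnLike operators) and evaluates one policy in isolation. The policies are the page's own, with the first one's JSON corrected; the role ARN, task ARNs, object key and the foreign account number in the requests are constructed sample values.

```python
"""Tiny IAM policy evaluator exercising this page's three example policies.
Illustration only: it covers just what these policies use (Action/Resource
wildcards, a Service principal, StringEquals, ArnLike), not full IAM."""
import fnmatch

# Policy from the top of the page (JSON corrected), then Example 1 and 2.
TASK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowsSpecifiedActionsOnAllTasks", "Effect": "Allow",
     "Action": ["datasync:DescribeTask"],
     "Resource": "arn:aws:datasync:us-east-2:111222333444:task/*"},
    {"Sid": "ListAllTasks", "Effect": "Allow",
     "Action": ["datasync:ListTasks"], "Resource": "*"}]}

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "datasync.amazonaws.com"},
     "Action": "sts:AssumeRole",
     "Condition": {
         "StringEquals": {"aws:SourceAccount": "111111111111"},
         "ArnLike": {"aws:SourceArn": "arn:aws:datasync:us-east-1:111111111111:*"}}}]}

S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"],
     "Effect": "Allow", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
     "Condition": {"StringEquals": {"aws:ResourceAccount": "123456789012"}}},
    {"Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                "s3:GetObjectTagging", "s3:GetObjectVersion", "s3:GetObjectVersionTagging",
                "s3:ListMultipartUploadParts", "s3:PutObject", "s3:PutObjectTagging"],
     "Effect": "Allow", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
     "Condition": {"StringEquals": {"aws:ResourceAccount": "123456789012"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcards: '*' is any run of characters, '?' exactly one.
    # Escape '[' so fnmatch does not read it as a character class.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _arn_like(pattern, arn):
    # ArnLike checks the six colon-delimited ARN components separately,
    # so a wildcard never spans a colon. A bare "*" matches anything.
    if pattern == "*":
        return True
    want, have = pattern.split(":", 5), arn.split(":", 5)
    return len(want) == len(have) and all(map(_glob, want, have))


def _condition_ok(condition, context):
    # A key absent from the request context fails these operators.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "ArnLike":
                ok = any(_arn_like(p, actual) for p in _as_list(expected))
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _principal_ok(statement, principal):
    if "Principal" not in statement:  # identity-based policy: no principal element
        return True
    wanted = statement["Principal"]
    if wanted == "*":
        return True
    return any(principal.get(kind) in _as_list(values) for kind, values in wanted.items())


def is_allowed(policy, action, resource, context=None, principal=None):
    """Evaluate one policy in isolation: an explicit Deny wins, otherwise the
    request is allowed if any Allow statement matches it."""
    context, principal = context or {}, principal or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue  # action names are case-insensitive
        if not any(_arn_like(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue  # a trust policy carries no Resource: the role itself is implied
        if not _principal_ok(stmt, principal) or not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed request values; none of these ARNs exist.
    task = "arn:aws:datasync:us-east-2:111222333444:task/task-0123456789abcdef0"
    role = "arn:aws:iam::111111111111:role/DataSyncS3AccessRole"
    svc = {"Service": "datasync.amazonaws.com"}
    own = {"aws:SourceAccount": "111111111111",
           "aws:SourceArn": "arn:aws:datasync:us-east-1:111111111111:task/task-0abc"}
    foreign = {"aws:SourceAccount": "999999999999",
               "aws:SourceArn": "arn:aws:datasync:us-east-1:999999999999:task/task-0abc"}
    obj = "arn:aws:s3:::amzn-s3-demo-bucket/data/report.csv"
    print("DescribeTask, own region     ", is_allowed(TASK_POLICY, "datasync:DescribeTask", task))
    print("DescribeTask, other region   ", is_allowed(TASK_POLICY, "datasync:DescribeTask", task.replace("us-east-2", "us-west-2")))
    print("AssumeRole, own account      ", is_allowed(TRUST_POLICY, "sts:AssumeRole", role, own, svc))
    print("AssumeRole, other account    ", is_allowed(TRUST_POLICY, "sts:AssumeRole", role, foreign, svc))
    print("PutObject, bucket owner match", is_allowed(S3_POLICY, "s3:PutObject", obj, {"aws:ResourceAccount": "123456789012"}))
    print("PutObject, foreign bucket    ", is_allowed(S3_POLICY, "s3:PutObject", obj, {"aws:ResourceAccount": "999999999999"}))
```

The two negative trust-policy cases are the point of Example 1: a DataSync resource in another account carries a different aws:SourceAccount and aws:SourceArn, so the StringEquals and ArnLike conditions stop the role from being assumed on that account's behalf, and a request that carries no source keys at all fails the same conditions. Likewise the aws:ResourceAccount condition in Example 2 makes the S3 grant useless against a bucket that some other account owns, even one with the same name pattern.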

Example 3: Allow DataSync to upload logs to CloudWatch log groups

DataSync requires permissions to be able to upload logs to your Amazon CloudWatch log groups. You can use CloudWatch log groups to monitor and debug your tasks.

For an example of an IAM policy that grants such permissions, see Allowing DataSync to upload logs to a CloudWatch log group.
