AWS Storage Gateway - Using Identity-Based Policies (IAM Policies)

AWS Storage Gateway User Guide
Using Identity-Based Policies (IAM Policies)
• Resource – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which
  the policy applies. For Storage Gateway resources, you always use the wildcard character (*) in IAM
  policies. For more information, see AWS Storage Gateway Resources and Operations (p. 296).
• Action – You use action keywords to identify resource operations that you want to allow or deny. For
  example, depending on the specified Effect, the storagegateway:ActivateGateway permission
  allows or denies the user permissions to perform the Storage Gateway ActivateGateway operation.
• Effect – You specify the effect when the user requests the specific action. This can be either allow or
  deny. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also
  explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even
  if a different policy grants access.
• Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the
  implicit principal. For resource-based policies, you specify the user, account, service, or other entity
  that you want to receive permissions (applies to resource-based policies only). Storage Gateway
  doesn't support resource-based policies.
To learn more about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User
Guide.
For a table showing all of the Storage Gateway API actions, see Storage Gateway API Permissions:
Actions, Resources, and Conditions Reference (p. 309).
Specifying Conditions in a Policy
When you grant permissions, you can use the IAM policy language to specify the conditions under which
a policy should take effect. For example, you might want a policy to be applied
only after a specific date. For more information about specifying conditions in a policy language, see
Condition in the IAM User Guide.
To express conditions, you use predefined condition keys. There are no condition keys specific to Storage
Gateway. However, there are AWS-wide condition keys that you can use as appropriate. For a complete
list of AWS-wide keys, see Available Keys in the IAM User Guide.
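A simplified model of the rules described above (implicit deny, an explicit deny overriding an allow from a different policy, and a date condition), as an added example that is not part of the AWS guide. The two policies, their variable names and the date are constructed; the evaluator models only Action matching and the DateGreaterThan operator on aws:CurrentTime, not the full IAM evaluation engine.

```python
import fnmatch
from datetime import datetime

# Constructed sample policies (not from the AWS guide). Resource is "*"
# because the page says Storage Gateway policies always use the wildcard.
OPERATOR_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["storagegateway:ActivateGateway", "storagegateway:Delete*"],
    "Resource": "*",
    # AWS-wide condition key: the allow applies only after this date.
    "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"}},
}]}
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": "storagegateway:DeleteGateway",
    "Resource": "*",
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _parse(timestamp):
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))

def _applies(stmt, action, now):
    """True if the statement names the action and its date condition holds."""
    patterns = [p.lower() for p in _as_list(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "DateGreaterThan" or list(keys) != ["aws:CurrentTime"]:
            raise ValueError("only DateGreaterThan on aws:CurrentTime is modelled")
        if not now > _parse(keys["aws:CurrentTime"]):
            return False
    return True

def evaluate(policies, action, now):
    """Explicit deny beats allow; no matching allow means implicit deny."""
    when = _parse(now)
    matched = [s["Effect"] for p in policies for s in p["Statement"]
               if _applies(s, action, when)]
    if "Deny" in matched:
        return "explicit deny"
    return "allow" if "Allow" in matched else "implicit deny"
```

Reviewing a policy set this way shows which allows depend on a condition and which actions stay blocked regardless of other attached policies.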
Using Identity-Based Policies (IAM Policies) for Storage Gateway
This topic provides examples of identity-based policies in which an account administrator can attach
permissions policies to IAM identities (that is, users, groups, and roles).
Important
We recommend that you first review the introductory topics that explain the basic concepts
and options available for you to manage access to your Storage Gateway resources. For
more information, see Overview of Managing Access Permissions to Your AWS Storage
Gateway (p. 296).
The sections in this topic cover the following:
Permissions Required to Use the Storage Gateway Console (p. 300)
AWS Managed Policies for Storage Gateway (p. 301)
Customer Managed Policy Examples (p. 301)
The following shows an example of a permissions policy.
{
"Version": "2012-10-17",
API Version 2013-06-30