EasyManua.ls Logo

AWS Storage Gateway - Page 313

AWS Storage Gateway
438 pages
Save Page as PDF
Print Icon
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
AWS Storage Gateway User Guide
Using Tags to Control Access to File Gateway Resources
Controlling Access Based on Tags on a Resource
You can use the tags on a file gateway resource to control what actions a user or role can perform on the
resource. For example, you might want to allow or deny specific API actions on a file gateway resource
based on the key-value pair of the tag on the resource.
The following example allows a user or a role to perform the ListTagsForResource,
ListFileShares and the DescribeNFSFileShares actions on all resources. The policy applies only if
the tag on the resource has its key set to allowListAndDescribe and the value set to yes.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"storagegateway:ListTagsForResource",
"storagegateway:ListFileShares",
"storagegateway:DescribeNFSFileShares"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/allowListAndDescribe": "yes"
}
}
},
{
"Effect": "Allow",
"Action": [
"storagegateway:*"
],
"Resource": "arn:aws:storagegateway:region:account-id:*/*"
}
]
}
Controlling Access Based on Tags in an IAM Request
You can use conditions in an IAM policy to control what an IAM user can do based on tags on a file
gateway resource. For example, you can write a policy that allows or denies an IAM user the ability to
perform specific API operations based on the tag they provided when they were creating the resource.
In the following example, the first statement allows a user to create a gateway only if the key-value pair
of the tag they provided when creating the gateway is Department and Finance. When using the API,
you add this tag to the activation request.
The second statement allows the user to create an Network File System (NFS) or Server Message
Block (SMB) file share on a gateway only if the key-value pair of the tag on the gateway matches
Departmentand Finance. Additionally, the user must add a tag to the file share, and the key-value pair
the tag of must be Department and Finance. You add tags to a file share when creating the file share.
There aren't permissions for the AddTagsToResource or RemoveTagsFromResource operations, so
the user can't perform these operations on the gateway or the file share.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
API Version 2013-06-30
306

Table of Contents