AWS Storage Gateway User Guide
Storage Gateway API Permissions Reference
Limits on Using Windows ACLs
Keep the following limits in mind when using Windows ACLs to control access to SMB file shares:
• Windows ACLs are only supported on file shares that are enabled for Active Directory when you use Windows SMB clients to access the file shares.
• File gateways support a maximum of 10 ACL entries for each file and directory.
• File gateways don't support Audit and Alarm entries, which are system access control list (SACL) entries. File gateways support Allow and Deny entries, which are discretionary access control list (DACL) entries.
• The root ACL settings of SMB file shares are stored only on the gateway (not in Amazon S3), and the settings are persisted across gateway updates and restarts.
Note
If you configure the ACLs on the root instead of the parent folder under the root, the ACL permissions aren't persisted in Amazon S3.
Given these conditions, make sure to do the following:
• If you configure multiple gateways to access the same Amazon S3 bucket, configure the root ACL on each of the gateways to keep the permissions consistent.
• If you delete a file share and recreate it on the same Amazon S3 bucket, make sure that you use the same set of root ACLs.
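As an added example that is not part of the guide, the following Python pre-flight check applies these limits to a set of ACL entries exported from a share before they are applied. The `Ace` record shape, the gateway names and the trustees are constructed for the example and are not gateway API types. It flags files and directories that carry more than 10 entries, flags Audit and Alarm (SACL) entries, and compares the root ACL of several gateways that front the same bucket so that drift is caught before permissions diverge.

```python
from collections import Counter
from dataclasses import dataclass

# Limits stated in the guide for Windows ACLs on SMB file shares.
MAX_ACL_ENTRIES = 10             # per file or directory
DACL_TYPES = {"Allow", "Deny"}   # supported: discretionary access control list entries
SACL_TYPES = {"Audit", "Alarm"}  # unsupported: system access control list entries


@dataclass(frozen=True)
class Ace:
    """One access control entry (constructed shape for this example, not a gateway API type)."""
    path: str      # path inside the share; "/" is the share root
    trustee: str   # security principal, e.g. "CORP\\finance" (constructed name)
    ace_type: str  # "Allow", "Deny", "Audit" or "Alarm"
    rights: str    # e.g. "Modify", "FullControl"


def check_acl_limits(aces):
    """Return problem descriptions for ACL entries the gateway cannot honour."""
    problems = []
    # Count only DACL entries per path; SACL entries are reported separately below.
    per_path = Counter(a.path for a in aces if a.ace_type in DACL_TYPES)
    for path, count in sorted(per_path.items()):
        if count > MAX_ACL_ENTRIES:
            problems.append(f"{path}: {count} ACL entries exceed the limit of {MAX_ACL_ENTRIES}")
    for a in aces:
        if a.ace_type in SACL_TYPES:
            problems.append(f"{a.path}: {a.ace_type} entry for {a.trustee} is a SACL entry and is not supported")
    return problems


def root_acl_drift(gateway_aces, baseline):
    """gateway_aces maps a gateway name to its ACEs.

    Returns the gateways whose root ("/") ACL differs from the baseline gateway's root ACL.
    """
    def root_set(aces):
        return frozenset((a.trustee, a.ace_type, a.rights) for a in aces if a.path == "/")

    expected = root_set(gateway_aces[baseline])
    return sorted(name for name, aces in gateway_aces.items() if root_set(aces) != expected)


# Constructed sample: two gateways in front of the same bucket, one of which has drifted.
ROOT_A = [Ace("/", "CORP\\Domain Admins", "Allow", "FullControl"),
          Ace("/", "CORP\\finance", "Allow", "Modify")]
ROOT_B = ROOT_A + [Ace("/", "CORP\\contractors", "Deny", "Write")]
CROWDED = [Ace("/reports", f"CORP\\team{i}", "Allow", "Read") for i in range(11)]
AUDITED = [Ace("/reports", "Everyone", "Audit", "FullControl")]

GATEWAYS = {"sgw-east": ROOT_A + CROWDED + AUDITED, "sgw-west": ROOT_B}


if __name__ == "__main__":
    for problem in check_acl_limits(GATEWAYS["sgw-east"]):
        print("limit:", problem)
    print("root ACL drift:", root_acl_drift(GATEWAYS, baseline="sgw-east"))
```

Run the check against the ACL export of every gateway that shares a bucket, and treat any name returned by `root_acl_drift` as a gateway whose root ACL must be reapplied before clients reach inconsistent permissions.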
Storage Gateway API Permissions: Actions, Resources, and Conditions Reference
When you set up access control (p. 295) and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each Storage Gateway API operation, the corresponding action for which you can grant permission, and the AWS resource for which you can grant that permission. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.
You can use AWS-wide condition keys in your Storage Gateway policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.
Note
To specify an action, use the storagegateway: prefix followed by the API operation name (for example, storagegateway:ActivateGateway). For each Storage Gateway action, you can specify a wildcard character (*) as the resource.
For a list of Storage Gateway resources with their ARN formats, see AWS Storage Gateway Resources and Operations (p. 296).
The Storage Gateway API and required permissions for actions are as follows.
ActivateGateway
Action(s): storagegateway:ActivateGateway
Resource: *
AddCache
Action(s): storagegateway:AddCache
Resource: arn:aws:storagegateway:region:account-id:gateway/gateway-id
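As an added example that is not part of the guide, the following Python builds an identity-based policy from the two reference rows above and then lints a policy for grants that are broader than the reference requires. The account ID `123456789012` and gateway ID `sgw-12A3456B` are placeholders, and `aws:RequestedRegion` is used as an instance of an AWS-wide condition key; the policy document and the lint rules are constructed for this example, not AWS tooling.

```python
import json

# Rows of the reference as given on this page: API action -> resource form it accepts.
# "*" means the action takes no resource-level scoping; otherwise a gateway ARN is expected.
ACTION_RESOURCES = {
    "storagegateway:ActivateGateway": "*",
    "storagegateway:AddCache": "arn:aws:storagegateway:region:account-id:gateway/gateway-id",
}


def gateway_arn(region, account_id, gateway_id):
    """Fill the gateway ARN form from the reference with concrete values."""
    return f"arn:aws:storagegateway:{region}:{account_id}:gateway/{gateway_id}"


def build_policy(region, account_id, gateway_id):
    """Identity-based policy: activate any gateway, add cache to one gateway, only in one Region."""
    region_only = {"StringEquals": {"aws:RequestedRegion": region}}  # AWS-wide condition key
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ActivateGateway", "Effect": "Allow",
             "Action": "storagegateway:ActivateGateway",
             "Resource": "*",  # the reference lists only "*" for ActivateGateway
             "Condition": region_only},
            {"Sid": "AddCacheToOneGateway", "Effect": "Allow",
             "Action": "storagegateway:AddCache",
             "Resource": gateway_arn(region, account_id, gateway_id),
             "Condition": region_only},
        ],
    }


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad(policy):
    """Return (Sid, reason) pairs for Allow statements that grant more than the reference requires.

    Actions outside the two reference rows on this page are treated as unscoped and not judged.
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((sid, f"wildcard action {action!r} grants every matching API operation"))
            elif not action.startswith("storagegateway:"):
                findings.append((sid, f"{action!r} is not a storagegateway: action"))
            elif ACTION_RESOURCES.get(action, "*") != "*" and "*" in resources:
                findings.append((sid, f"{action} accepts a gateway ARN but Resource is '*'"))
    return findings


if __name__ == "__main__":
    # Constructed values: a Region, a placeholder account ID and a placeholder gateway ID.
    policy = build_policy("us-east-1", "123456789012", "sgw-12A3456B")
    print(json.dumps(policy, indent=2))
    print("findings:", find_overbroad(policy))
```

Extend `ACTION_RESOURCES` with the remaining rows of the reference as you read them, and run `find_overbroad` over policies before attaching them, so that an action the reference scopes to a gateway ARN is never left on `Resource: "*"`.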
API Version 2013-06-30
309