IAM customer managed policies for Amazon DataSync - Amazon DataSync
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

IAM customer managed policies for Amazon DataSync

In addition to Amazon managed policies, you also can create your own identity-based policies for Amazon DataSync API operations and attach them to the Amazon Identity and Access Management (IAM) identities that require those permissions. These are known as customer managed policies, which are standalone policies that you administer in your own Amazon Web Services account.

Important

Before you begin, we recommend that you learn about the basic concepts and options for managing access to your DataSync resources. For more information, see Overview of managing access permissions for DataSync.

Overview of custom policies

The following example is a policy that grants permissions to use certain DataSync operations.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsSpecifiedActionsOnAllTasks",
      "Effect": "Allow",
      "Action": [
        "datasync:DescribeTask",
        "datasync:ListTasks"
      ],
      "Resource": "arn:aws-cn:datasync:us-east-2:111222333444:task/*"
    }
  ]
}

The policy has one statement (note the Action and Resource elements in the statement) that does the following:

  • Grants permissions to perform two DataSync actions (datasync:DescribeTask and datasync:ListTasks) on certain task resources by using an Amazon Resource Name (ARN).

  • Specifies a wildcard character (*) in the task ARN so that the IAM user, group, or role can perform the two actions on all tasks in that account and Region. To limit the actions to a specific task, replace the wildcard character in that statement with the task ID.

Examples of custom policies

The following example user policies grant permissions for various DataSync operations. The policies work if you're using the Amazon SDKs or Amazon Command Line Interface (Amazon CLI). To use these policies in the console, you must also use the managed policy AWSDataSyncFullAccess.

Example 1: Create a trust relationship that allows DataSync to access your Amazon S3 bucket

The following is an example of a trust policy that allows DataSync to assume an IAM role. This role allows DataSync to access an Amazon S3 bucket. To prevent the cross-service confused deputy problem, we recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datasync.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        },
        "StringLike": {
          "aws:SourceArn": "arn:aws-cn:datasync:us-east-2:123456789012:*"
        }
      }
    }
  ]
}
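As an added check (example code written for this page, not part of the DataSync documentation), the following Python snippet inspects a role trust policy for the two conditions recommended above and reports any statement that lets DataSync assume the role without them. The policy documents and the account ID are constructed for the example.

```python
import json

# Constructed trust policy, following the shape of the example above.
TRUST_POLICY_OK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "datasync.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "123456789012"},
      "StringLike": {"aws:SourceArn": "arn:aws-cn:datasync:us-east-2:123456789012:*"}
    }
  }]
}""")

# Same policy with the Condition block omitted (constructed): the role is
# exposed to the confused deputy problem the text describes.
TRUST_POLICY_WEAK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "datasync.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

def _as_list(value):
    """IAM accepts a single string where a list is allowed; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def confused_deputy_findings(policy, expected_account):
    """Return findings for Allow statements that let datasync.amazonaws.com assume
    the role without aws:SourceAccount and aws:SourceArn scoped to expected_account."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "datasync.amazonaws.com" not in services:
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition", {})
        if _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount")) != [expected_account]:
            findings.append(f"Statement {i}: aws:SourceAccount missing or not {expected_account}")
        # Either StringLike or ArnLike is a valid operator for aws:SourceArn.
        arns = _as_list(cond.get("StringLike", {}).get("aws:SourceArn")
                        or cond.get("ArnLike", {}).get("aws:SourceArn"))
        if not arns or any(f":{expected_account}:" not in a for a in arns):
            findings.append(f"Statement {i}: aws:SourceArn missing or not scoped to {expected_account}")
    return findings
```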

Example 2: Allow DataSync to read and write to your Amazon S3 bucket

The following example policy grants DataSync the minimum permissions to read and write data to your S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Resource": "YourS3BucketArn"
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "YourS3BucketArn/*"
    }
  ]
}

Example 3: Allow DataSync to upload logs to CloudWatch log groups

DataSync requires permissions to be able to upload logs to your Amazon CloudWatch log groups. You can use CloudWatch log groups to monitor and debug your tasks.

For an example of an IAM policy that grants such permissions, see Allowing DataSync to upload logs to Amazon CloudWatch log groups.