Using tags to control access to your gateway and resources - Amazon Storage Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon FSx File Gateway is no longer available to new customers. Existing customers of FSx File Gateway can continue to use the service normally. For capabilities similar to FSx File Gateway, visit this blog post.

Using tags to control access to your gateway and resources

To control access to gateway resources and actions, you can use Amazon Identity and Access Management (IAM) policies based on tags. You can provide the control in two ways:

  1. Control access to gateway resources based on the tags on those resources.

  2. Control what tags can be passed in an IAM request condition.

For information about how to use tags to control access, see Controlling Access Using Tags.

Controlling Access Based on Tags on a Resource

To control what actions a user or role can perform on a gateway resource, you can use tags on the gateway resource. For example, you might want to allow or deny specific API operations on a file gateway resource based on the key-value pair of the tag on the resource.

The following example allows a user or a role to perform the ListTagsForResource, ListFileShares, and DescribeNFSFileShares actions on all resources. The policy applies only if the tag on the resource has its key set to allowListAndDescribe and the value set to yes.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "storagegateway:ListTagsForResource", "storagegateway:ListFileShares", "storagegateway:DescribeNFSFileShares" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/allowListAndDescribe": "yes" } } }, { "Effect": "Allow", "Action": [ "storagegateway:*" ], "Resource": "arn:aws:storagegateway:region:account-id:*/*" } ] }

Controlling Access Based on Tags in an IAM Request

To control what an user can do on a gateway resource, you can use conditions in an IAM policy based on tags. For example, you can write a policy that allows or denies an user the ability to perform specific API operations based on the tag they provided when they created the resource.

In the following example, the first statement allows a user to create a gateway only if the key-value pair of the tag they provided when creating the gateway is Department and Finance. When using the API operation, you add this tag to the activation request.

The second statement allows the user to create an Network File System (NFS) or Server Message Block (SMB) file share on a gateway only if the key-value pair of the tag on the gateway matches Departmentand Finance. Additionally, the user must add a tag to the file share, and the key-value pair of the tag must be Department and Finance. You add tags to a file share when creating the file share. There aren't permissions for the AddTagsToResource or RemoveTagsFromResource operations, so the user can't perform these operations on the gateway or the file share.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "storagegateway:ActivateGateway" ], "Resource":"*", "Condition":{ "StringEquals":{ "aws:RequestTag/Department":"Finance" } } }, { "Effect":"Allow", "Action":[ "storagegateway:CreateNFSFileShare", "storagegateway:CreateSMBFileShare" ], "Resource":"*", "Condition":{ "StringEquals":{ "aws:ResourceTag/Department":"Finance", "aws:RequestTag/Department":"Finance" } } } ] }