Amazon managed policies for Amazon FSx - FSx for Lustre
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon FSx

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

AmazonFSxServiceRolePolicy

Allows Amazon FSx to manage Amazon resources on your behalf. See Using service-linked roles for Amazon FSx to learn more.

Amazon managed policy: AmazonFSxDeleteServiceLinkedRoleAccess

You can't attach AmazonFSxDeleteServiceLinkedRoleAccess to your IAM entities. This policy is linked to a service and used only with the service-linked role for that service. You cannot attach, detach, modify, or delete this policy. For more information, see Using service-linked roles for Amazon FSx.

This policy grants administrative permissions that allow Amazon FSx to delete its Service Linked Role for Amazon S3 access, used only by Amazon FSx for Lustre.

Permissions details

This policy includes permissions in iam to allow Amazon FSx to view, delete, and view the deletion status for the FSx Service Linked Role for Amazon S3 access.

To view the permissions for this policy, see AmazonFSxDeleteServiceLinkedRoleAccess in the Amazon Managed Policy Reference Guide.

Amazon managed policy: AmazonFSxFullAccess

You can attach AmazonFSxFullAccess to your IAM entities. Amazon FSx also attaches this policy to a service role that allows Amazon FSx to perform actions on your behalf.

Provides full access to Amazon FSx and access to related Amazon services.

Permissions details

This policy includes the following permissions.

  • fsx – Allows principals full access to perform all Amazon FSx actions, except for BypassSnaplockEnterpriseRetention.

  • ds – Allows principals to view information about the Amazon Directory Service directories.

  • ec2

    • Allows principals to create tags under the specified conditions.

    • To provide enhanced security group validation of all security groups that can be used with a VPC.

  • iam – Allows principles to create an Amazon FSx service linked role on the user's behalf. This is required so that Amazon FSx can manage Amazon resources on the user's behalf.

  • logs – Allows principals to create log groups, log streams, and write events to log streams. This is required so that users can monitor FSx for Windows File Server file system access by sending audit access logs to CloudWatch Logs.

  • firehose – Allows principals to write records to a Amazon Data Firehose. This is required so that users can monitor FSx for Windows File Server file system access by sending audit access logs to Firehose.

To view the permissions for this policy, see AmazonFSxFullAccess in the Amazon Managed Policy Reference Guide.

Amazon managed policy: AmazonFSxConsoleFullAccess

You can attach the AmazonFSxConsoleFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to Amazon FSx and access to related Amazon services via the Amazon Web Services Management Console.

Permissions details

This policy includes the following permissions.

  • fsx – Allows principals to perform all actions in the Amazon FSx management console, except for BypassSnaplockEnterpriseRetention.

  • cloudwatch – Allows principals to view CloudWatch Alarms and metrics in the Amazon FSx management console.

  • ds – Allows principals to list information about an Amazon Directory Service directory.

  • ec2

    • Allows principals to create tags on route tables, list network interfaces, route tables, security groups, subnets and the VPC associated with an Amazon FSx file system.

    • Allows principals to To provide enhanced security group validation of all security groups that can be used with a VPC.

  • kms – Allows principals to list aliases for Amazon Key Management Service keys.

  • s3 – Allows principals to list some or all of the objects in an Amazon S3 bucket (up to 1000).

  • iam – Grants permission to create a service linked role that allows Amazon FSx to perform actions on the user's behalf.

To view the permissions for this policy, see AmazonFSxConsoleFullAccess in the Amazon Managed Policy Reference Guide.

Amazon managed policy: AmazonFSxConsoleReadOnlyAccess

You can attach the AmazonFSxConsoleReadOnlyAccess policy to your IAM identities.

This policy grants read-only permissions to Amazon FSx and related Amazon services so that users can view information about these services in the Amazon Web Services Management Console.

Permissions details

This policy includes the following permissions.

  • fsx – Allows principals to view information about Amazon FSx file systems, including all tags, in the Amazon FSx Management Console.

  • cloudwatch – Allows principals to view CloudWatch Alarms and metrics in the Amazon FSx Management Console.

  • ds – Allows principals to view information about an Amazon Directory Service directory in the Amazon FSx Management Console.

  • ec2

    • Allows principals to view network interfaces, security groups, subnets and the VPC associated with an Amazon FSx file system in the Amazon FSx Management Console.

    • To provide enhanced security group validation of all security groups that can be used with a VPC.

  • kms – Allows principals to view aliases for Amazon Key Management Service keys in the Amazon FSx Management Console.

  • log – Allows principals to describe the Amazon CloudWatch Logs log groups associated with the account making the request. This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system.

  • firehose – Allows principals to describe the Amazon Data Firehose delivery streams associated with the account making the request. This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system.

To view the permissions for this policy, see AmazonFSxConsoleReadOnlyAccess in the Amazon Managed Policy Reference Guide.

Amazon managed policy: AmazonFSxReadOnlyAccess

You can attach the AmazonFSxReadOnlyAccess policy to your IAM identities.

This policy includes the following permissions.

  • fsx – Allows principals to view information about Amazon FSx file systems, including all tags, in the Amazon FSx Management Console.

  • ec2 – To provide enhanced security group validation of all security groups that can be used with a VPC.

To view the permissions for this policy, see AmazonFSxReadOnlyAccess in the Amazon Managed Policy Reference Guide.

Amazon FSx updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon FSx since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon FSx Document history page.

Change Description Date

AmazonFSxServiceRolePolicy – Update to an existing policy

Amazon FSx added new permission, ec2:GetSecurityGroupsForVpc that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.

January 09, 2024

AmazonFSxReadOnlyAccess – Update to an existing policy

Amazon FSx added new permission, ec2:GetSecurityGroupsForVpc that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.

January 09, 2024

AmazonFSxConsoleReadOnlyAccess – Update to an existing policy

Amazon FSx added new permission, ec2:GetSecurityGroupsForVpc that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.

January 09, 2024

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx added new permission, ec2:GetSecurityGroupsForVpc that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.

January 09, 2024

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added new permission, ec2:GetSecurityGroupsForVpc that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.

January 09, 2024

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx added new permission to enable users to perform cross-region and cross-account data replication for FSx for OpenZFS file systems.

December 20, 2023

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added new permission to enable users to perform cross-region and cross-account data replication for FSx for OpenZFS file systems.

December 20, 2023

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx added a new permission to enable users to perform on-demand replication of volumes for FSx for OpenZFS file systems.

November 26, 2023

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added a new permission to enable users to perform on-demand replication of volumes for FSx for OpenZFS file systems.

November 26, 2023

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx added new permissions to enable users to view, enable, and disable shared VPC support for FSx for ONTAP Multi-AZ file systems.

November 14, 2023

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added new permissions to enable users to view, enable, and disable shared VPC support for FSx for ONTAP Multi-AZ file systems.

November 14, 2023

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx added new permissions to allow Amazon FSx to manage network configurations for FSx for OpenZFS Multi-AZ file systems.

August 9, 2023

Amazon managed policy: AmazonFSxServiceRolePolicy – Update to an existing policy

Amazon FSx modified the existing cloudwatch:PutMetricData permission so that Amazon FSx publishes CloudWatch metrics to the Amazon/FSx namespace.

July 24, 2023

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx updated the policy to remove the fsx:* permission and add specific fsx actions.

July 13, 2023

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx updated the policy to remove the fsx:* permission and add specific fsx actions.

July 13, 2023

AmazonFSxConsoleReadOnlyAccess – Update to an existing policy

Amazon FSx added new permissions to enable users to view enhanced performance metrics and recommended actions for FSx for Windows File Server file systems in the Amazon FSx console.

September 21, 2022

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added new permissions to enable users to view enhanced performance metrics and recommended actions for FSx for Windows File Server file systems in the Amazon FSx console.

September 21, 2022

AmazonFSxReadOnlyAccess – Started tracking policy

This policy grants read-only access to all Amazon FSx resources and any tags associated with them.

February 4, 2022

AmazonFSxDeleteServiceLinkedRoleAccess – Started tracking policy

This policy grants administrative permissions that allow Amazon FSx to delete its Service Linked Role for Amazon S3 access.

January 7, 2022

AmazonFSxServiceRolePolicy – Update to an existing policy

Amazon FSx added new permissions to allow Amazon FSx to manage network configurations for Amazon FSx for NetApp ONTAP file systems.

September 2, 2021

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx added new permissions to allow Amazon FSx to create tags on EC2 route tables for scoped down calls.

September 2, 2021

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added new permissions to allow Amazon FSx to create Amazon FSx for NetApp ONTAP Multi-AZ file systems.

September 2, 2021

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added new permissions to allow Amazon FSx to create tags on EC2 route tables for scoped down calls.

September 2, 2021

AmazonFSxServiceRolePolicy – Update to an existing policy

Amazon FSx added new permissions to allow Amazon FSx to describe and write to CloudWatch Logs log streams.

This is required so that users can view file access audit logs for FSx for Windows File Server file systems using CloudWatch Logs.

June 8, 2021

AmazonFSxServiceRolePolicy – Update to an existing policy

Amazon FSx added new permissions to allow Amazon FSx to describe and write to Amazon Data Firehose delivery streams.

This is required so that users can view file access audit logs for an FSx for Windows File Server file system using Amazon Data Firehose.

June 8, 2021

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx added new permissions to allow principals to describe and create CloudWatch Logs log groups, log streams, and write events to log streams.

This is required so that principals can view file access audit logs for FSx for Windows File Server file systems using CloudWatch Logs.

June 8, 2021

AmazonFSxFullAccess – Update to an existing policy

Amazon FSx added new permissions to allow principals to describe and write records to a Amazon Data Firehose.

This is required so that users can view file access audit logs for an FSx for Windows File Server file system using Amazon Data Firehose.

June 8, 2021

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added new permissions to allow principals to describe the Amazon CloudWatch Logs log groups associated with the account making the request.

This is required so that principals can choose an existing CloudWatch Logs log group when configuring file access auditing for an FSx for Windows File Server file system.

June 8, 2021

AmazonFSxConsoleFullAccess – Update to an existing policy

Amazon FSx added new permissions to allow principals to describe the Amazon Data Firehose delivery streams associated with the account making the request.

This is required so that principals can choose an existing Firehose delivery stream when configuring file access auditing for an FSx for Windows File Server file system.

June 8, 2021

AmazonFSxConsoleReadOnlyAccess – Update to an existing policy

Amazon FSx added new permissions to allow principals to describe the Amazon CloudWatch Logs log groups associated with the account making the request.

This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system.

June 8, 2021

AmazonFSxConsoleReadOnlyAccess – Update to an existing policy

Amazon FSx added new permissions to allow principals to describe the Amazon Data Firehose delivery streams associated with the account making the request.

This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system.

June 8, 2021

Amazon FSx started tracking changes

Amazon FSx started tracking changes for its Amazon managed policies.

June 8, 2021