Amazon managed policies for Amazon FSx
An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.
For more information, see Amazon managed policies in the IAM User Guide.
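Because an update to a managed policy takes effect on every principal the policy is attached to, it helps to diff the policy document before and after a change. The following is an added example, not part of the AWS documentation: it compares two policy documents of the kind `aws iam get-policy-version` returns. Both documents are constructed samples that mirror the June 8, 2021 logging additions listed in the update history on this page; they are not the real policy text.

```python
def allowed_actions(policy_doc):
    """Collect the actions granted by Allow statements, lower-cased."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):   # IAM accepts a single bare statement
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions;
            # surface a marker so a reviewer inspects the statement by hand.
            actions.add("<allow-with-notaction>")
            continue
        value = stmt.get("Action", [])
        if isinstance(value, str):
            value = [value]
        actions.update(a.lower() for a in value)   # action names are case-insensitive
    return actions


def diff_policy_versions(old_doc, new_doc):
    """Return the actions a policy update added and removed."""
    old, new = allowed_actions(old_doc), allowed_actions(new_doc)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed sample: an earlier policy version (not the real policy text).
OLD_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["fsx:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ds:DescribeDirectories", "Resource": "*"},
    ],
}

# Constructed sample: the same policy after logging permissions were added.
NEW_DOC = {
    "Version": "2012-10-17",
    "Statement": OLD_DOC["Statement"] + [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
        {"Effect": "Allow", "Action": "firehose:PutRecord", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(diff_policy_versions(OLD_DOC, NEW_DOC))
```

Every action in the `added` list is a permission that each attached user, group, and role gained without any change on your side.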
AmazonFSxServiceRolePolicy
Allows Amazon FSx to manage Amazon resources on your behalf. See Using service-linked roles for Amazon FSx to learn more.
Amazon managed policy: AmazonFSxDeleteServiceLinkedRoleAccess
You can't attach AmazonFSxDeleteServiceLinkedRoleAccess to your IAM entities. This policy is linked to a service and used only with the service-linked role for that service. You cannot attach, detach, modify, or delete this policy. For more information, see Using service-linked roles for Amazon FSx.
This policy grants administrative permissions that allow Amazon FSx to delete its Service Linked Role for Amazon S3 access, used only by Amazon FSx for Lustre.
Permissions details
This policy includes permissions in iam to allow Amazon FSx to view, delete, and view the deletion status for the FSx Service Linked Role for Amazon S3 access.
To view the permissions for this policy, see AmazonFSxDeleteServiceLinkedRoleAccess in the Amazon Managed Policy Reference Guide.
Amazon managed policy: AmazonFSxFullAccess
You can attach AmazonFSxFullAccess to your IAM entities. Amazon FSx also attaches this policy to a service role that allows Amazon FSx to perform actions on your behalf.
Provides full access to Amazon FSx and access to related Amazon services.
Permissions details
This policy includes the following permissions.
- fsx – Allows principals full access to perform all Amazon FSx actions, except for BypassSnaplockEnterpriseRetention.
- ds – Allows principals to view information about the Amazon Directory Service directories.
- ec2
  - Allows principals to create tags under the specified conditions.
  - Allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.
- iam – Allows principals to create an Amazon FSx service linked role on the user's behalf. This is required so that Amazon FSx can manage Amazon resources on the user's behalf.
- logs – Allows principals to create log groups, log streams, and write events to log streams. This is required so that users can monitor FSx for Windows File Server file system access by sending audit access logs to CloudWatch Logs.
- firehose – Allows principals to write records to an Amazon Data Firehose. This is required so that users can monitor FSx for Windows File Server file system access by sending audit access logs to Firehose.
To view the permissions for this policy, see AmazonFSxFullAccess in the Amazon Managed Policy Reference Guide.
Amazon managed policy: AmazonFSxConsoleFullAccess
You can attach the AmazonFSxConsoleFullAccess policy to your IAM identities.
This policy grants administrative permissions that allow full access to Amazon FSx and access to related Amazon services via the Amazon Web Services Management Console.
Permissions details
This policy includes the following permissions.
- fsx – Allows principals to perform all actions in the Amazon FSx management console, except for BypassSnaplockEnterpriseRetention.
- cloudwatch – Allows principals to view CloudWatch Alarms and metrics in the Amazon FSx management console.
- ds – Allows principals to list information about an Amazon Directory Service directory.
- ec2
  - Allows principals to create tags on route tables, list network interfaces, route tables, security groups, subnets and the VPC associated with an Amazon FSx file system.
  - Allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.
- kms – Allows principals to list aliases for Amazon Key Management Service keys.
- s3 – Allows principals to list some or all of the objects in an Amazon S3 bucket (up to 1000).
- iam – Grants permission to create a service linked role that allows Amazon FSx to perform actions on the user's behalf.
To view the permissions for this policy, see AmazonFSxConsoleFullAccess in the Amazon Managed Policy Reference Guide.
Amazon managed policy: AmazonFSxConsoleReadOnlyAccess
You can attach the AmazonFSxConsoleReadOnlyAccess policy to your IAM identities.
This policy grants read-only permissions to Amazon FSx and related Amazon services so that users can view information about these services in the Amazon Web Services Management Console.
Permissions details
This policy includes the following permissions.
- fsx – Allows principals to view information about Amazon FSx file systems, including all tags, in the Amazon FSx Management Console.
- cloudwatch – Allows principals to view CloudWatch Alarms and metrics in the Amazon FSx Management Console.
- ds – Allows principals to view information about an Amazon Directory Service directory in the Amazon FSx Management Console.
- ec2
  - Allows principals to view network interfaces, security groups, subnets and the VPC associated with an Amazon FSx file system in the Amazon FSx Management Console.
  - Allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.
- kms – Allows principals to view aliases for Amazon Key Management Service keys in the Amazon FSx Management Console.
- logs – Allows principals to describe the Amazon CloudWatch Logs log groups associated with the account making the request. This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system.
- firehose – Allows principals to describe the Amazon Data Firehose delivery streams associated with the account making the request. This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system.
To view the permissions for this policy, see AmazonFSxConsoleReadOnlyAccess in the Amazon Managed Policy Reference Guide.
Amazon managed policy: AmazonFSxReadOnlyAccess
You can attach the AmazonFSxReadOnlyAccess policy to your IAM identities.
This policy includes the following permissions.
- fsx – Allows principals to view information about Amazon FSx file systems, including all tags, in the Amazon FSx Management Console.
- ec2 – Allows principals to provide enhanced security group validation of all security groups that can be used with a VPC.
To view the permissions for this policy, see AmazonFSxReadOnlyAccess in the Amazon Managed Policy Reference Guide.
Amazon FSx updates to Amazon managed policies
View details about updates to Amazon managed policies for Amazon FSx since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon FSx Document history page.
Change | Description | Date |
---|---|---|
AmazonFSxServiceRolePolicy – Update to an existing policy | Amazon FSx added new permission, | January 09, 2024 |
AmazonFSxReadOnlyAccess – Update to an existing policy | Amazon FSx added new permission, | January 09, 2024 |
AmazonFSxConsoleReadOnlyAccess – Update to an existing policy | Amazon FSx added new permission, | January 09, 2024 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permission, | January 09, 2024 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permission, | January 09, 2024 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permission to enable users to perform cross-region and cross-account data replication for FSx for OpenZFS file systems. | December 20, 2023 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permission to enable users to perform cross-region and cross-account data replication for FSx for OpenZFS file systems. | December 20, 2023 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added a new permission to enable users to perform on-demand replication of volumes for FSx for OpenZFS file systems. | November 26, 2023 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added a new permission to enable users to perform on-demand replication of volumes for FSx for OpenZFS file systems. | November 26, 2023 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permissions to enable users to view, enable, and disable shared VPC support for FSx for ONTAP Multi-AZ file systems. | November 14, 2023 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permissions to enable users to view, enable, and disable shared VPC support for FSx for ONTAP Multi-AZ file systems. | November 14, 2023 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to manage network configurations for FSx for OpenZFS Multi-AZ file systems. | August 9, 2023 |
Amazon managed policy: AmazonFSxServiceRolePolicy – Update to an existing policy | Amazon FSx modified the existing | July 24, 2023 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx updated the policy to remove the | July 13, 2023 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx updated the policy to remove the | July 13, 2023 |
AmazonFSxConsoleReadOnlyAccess – Update to an existing policy | Amazon FSx added new permissions to enable users to view enhanced performance metrics and recommended actions for FSx for Windows File Server file systems in the Amazon FSx console. | September 21, 2022 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permissions to enable users to view enhanced performance metrics and recommended actions for FSx for Windows File Server file systems in the Amazon FSx console. | September 21, 2022 |
AmazonFSxReadOnlyAccess – Started tracking policy | This policy grants read-only access to all Amazon FSx resources and any tags associated with them. | February 4, 2022 |
AmazonFSxDeleteServiceLinkedRoleAccess – Started tracking policy | This policy grants administrative permissions that allow Amazon FSx to delete its Service Linked Role for Amazon S3 access. | January 7, 2022 |
AmazonFSxServiceRolePolicy – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to manage network configurations for Amazon FSx for NetApp ONTAP file systems. | September 2, 2021 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to create tags on EC2 route tables for scoped down calls. | September 2, 2021 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to create Amazon FSx for NetApp ONTAP Multi-AZ file systems. | September 2, 2021 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to create tags on EC2 route tables for scoped down calls. | September 2, 2021 |
AmazonFSxServiceRolePolicy – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to describe and write to CloudWatch Logs log streams. This is required so that users can view file access audit logs for FSx for Windows File Server file systems using CloudWatch Logs. | June 8, 2021 |
AmazonFSxServiceRolePolicy – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to describe and write to Amazon Data Firehose delivery streams. This is required so that users can view file access audit logs for an FSx for Windows File Server file system using Amazon Data Firehose. | June 8, 2021 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow principals to describe and create CloudWatch Logs log groups, log streams, and write events to log streams. This is required so that principals can view file access audit logs for FSx for Windows File Server file systems using CloudWatch Logs. | June 8, 2021 |
AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow principals to describe and write records to an Amazon Data Firehose. This is required so that users can view file access audit logs for an FSx for Windows File Server file system using Amazon Data Firehose. | June 8, 2021 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow principals to describe the Amazon CloudWatch Logs log groups associated with the account making the request. This is required so that principals can choose an existing CloudWatch Logs log group when configuring file access auditing for an FSx for Windows File Server file system. | June 8, 2021 |
AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow principals to describe the Amazon Data Firehose delivery streams associated with the account making the request. This is required so that principals can choose an existing Firehose delivery stream when configuring file access auditing for an FSx for Windows File Server file system. | June 8, 2021 |
AmazonFSxConsoleReadOnlyAccess – Update to an existing policy | Amazon FSx added new permissions to allow principals to describe the Amazon CloudWatch Logs log groups associated with the account making the request. This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system. | June 8, 2021 |
AmazonFSxConsoleReadOnlyAccess – Update to an existing policy | Amazon FSx added new permissions to allow principals to describe the Amazon Data Firehose delivery streams associated with the account making the request. This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system. | June 8, 2021 |
Amazon FSx started tracking changes | Amazon FSx started tracking changes for its Amazon managed policies. | June 8, 2021 |