
Resource administration access control with IAM for Amazon FSx

Every Amazon resource is owned by an Amazon Web Services account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to Amazon Identity and Access Management (IAM) identities (that is, users, groups, and roles). Some services (such as Amazon Lambda) also support attaching permissions policies to resources.

Note

An account administrator (or administrator user) is a user with administrator privileges. For more information, see IAM Best Practices in the IAM User Guide.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.

Amazon FSx for Windows File Server resources and operations

In Amazon FSx for Windows File Server, the primary resource is a file system. Amazon FSx for Windows File Server also supports the additional subresource type backup. You can create backups only in the context of an existing file system, or by copying an existing backup.

These resources and subresources have unique Amazon Resource Names (ARNs) associated with them as shown in the following table.

Resource type   ARN format
File system     arn:aws:fsx:region:account-id:file-system/filesystem-id
Backup          arn:aws:fsx:region:account-id:backup/backup-id

Amazon FSx provides a set of operations to work with Amazon FSx resources. For a list of available operations, see the Amazon FSx API Reference.
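The two ARN formats above are what an identity-based policy's Resource element has to match when you scope FSx permissions to one file system and its backups. The following is an added example, not code from this documentation or from Amazon; it parses the documented ARN shapes, reads the owning account out of the account-id segment, and builds an illustrative policy scoped to a single file system. The file system and backup IDs, region, account number, and the choice of fsx:CreateBackup and fsx:DeleteBackup as the actions are constructed assumptions; which FSx actions honor resource-level scoping is per-action and should be confirmed in the Amazon FSx API Reference.

```python
import json
import re

# Constructed sample identifiers (placeholders, not real resources).
FILE_SYSTEM_ARN = "arn:aws:fsx:us-east-1:111122223333:file-system/fs-0123456789abcdef0"
BACKUP_ARN = "arn:aws:fsx:us-east-1:111122223333:backup/backup-0123456789abcdef0"

# Matches the two documented formats:
#   arn:aws:fsx:region:account-id:file-system/filesystem-id
#   arn:aws:fsx:region:account-id:backup/backup-id
# The partition alternatives cover the commercial, China, and GovCloud partitions.
FSX_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):fsx:"
    r"(?P<region>[a-z0-9-]+):(?P<account_id>\d{12}):"
    r"(?P<resource_type>file-system|backup)/(?P<resource_id>[a-z0-9-]+)$"
)


def parse_fsx_arn(arn):
    """Split an FSx ARN into its components.

    Raises ValueError for anything that is not an FSx file-system or backup ARN,
    so a malformed Resource entry fails loudly instead of silently matching nothing.
    """
    m = FSX_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an FSx file-system or backup ARN: {arn}")
    return m.groupdict()


def owner_account(arn):
    """The account-id segment identifies the resource owner: the account, not the
    user or role that issued the creation request (see 'Understanding resource ownership')."""
    return parse_fsx_arn(arn)["account_id"]


def arn_matches(pattern, arn):
    """IAM-style wildcard match for a policy Resource entry:
    '*' matches any run of characters, '?' matches exactly one character."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, arn) is not None


def backup_policy_for_file_system(file_system_arn):
    """Build an identity-based policy that allows backup administration for one
    file system and for backups in the same partition, region, and account.

    The action names are illustrative choices for this example; check the FSx
    API Reference for the resource types each action actually accepts.
    """
    fs = parse_fsx_arn(file_system_arn)
    if fs["resource_type"] != "file-system":
        raise ValueError("expected a file-system ARN, got " + fs["resource_type"])
    backup_pattern = f"arn:{fs['partition']}:fsx:{fs['region']}:{fs['account_id']}:backup/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateBackupsOfOneFileSystem",
                "Effect": "Allow",
                "Action": ["fsx:CreateBackup"],
                # Both the source file system and the backup being created are named,
                # so the statement cannot be reused against another file system.
                "Resource": [file_system_arn, backup_pattern],
            },
            {
                "Sid": "DeleteBackupsInThisAccountAndRegion",
                "Effect": "Allow",
                "Action": ["fsx:DeleteBackup"],
                "Resource": backup_pattern,
            },
        ],
    }


def statements_applying_to(policy, arn):
    """Return the Sids of statements whose Resource element matches the given ARN;
    useful when reviewing what a policy would actually reach."""
    hits = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(arn_matches(p, arn) for p in resources):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = backup_policy_for_file_system(FILE_SYSTEM_ARN)
    print(json.dumps(policy, indent=2))
    print("owner:", owner_account(BACKUP_ARN))
    print("applies to backup:", statements_applying_to(policy, BACKUP_ARN))
```

The point of naming both the file system and the backup wildcard in the first statement is that the resulting policy stays tied to one file system even if it is later attached to a broader group or role; the China partition (aws-cn) parses the same way because only the partition segment differs.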

Understanding resource ownership

The Amazon account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the Amazon account of the principal entity (that is, the root account, an IAM user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:

  • If you use the root account credentials of your Amazon account to create a file system, your Amazon account is the owner of the resource (in Amazon FSx, the resource is the file system).

  • If you create an IAM user in your Amazon account and grant permissions to create a file system to that user, the user can create a file system. However, your Amazon account, to which the user belongs, owns the file system resource.

  • If you create an IAM role in your Amazon account with permissions to create a file system, anyone who can assume the role can create a file system. Your Amazon account, to which the role belongs, owns the file system resource.