Using tags to control access to your Amazon FSx resources - Amazon FSx for Windows File Server
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using tags to control access to your Amazon FSx resources

To control access to Amazon FSx resources and actions, you can use Amazon Identity and Access Management (IAM) policies based on tags. You can provide the control in two ways:

  1. Control access to Amazon FSx resources based on the tags on those resources.

  2. Control what tags can be passed in an IAM request condition.

For information about how to use tags to control access to Amazon resources, see Controlling access using tags in the IAM User Guide. For more information about tagging Amazon FSx resources at creation, see Grant permission to tag resources during creation. For more information about using tags, see Tag your Amazon FSx resources.

Controlling access based on tags on a resource

To control what actions a user or role can perform on an Amazon FSx resource, you can use tags on the resource. For example, you might want to allow or deny specific API operations on a file system resource based on the key-value pair of the tag on the resource.

Example policy – Create a file system on when providing a specific tag

This policy allows the user to create a file system only when they tag it with a specific tag key value pair, in this example, key=Department, value=Finance.

{ "Effect": "Allow", "Action": [ "fsx:CreateFileSystem", "fsx:TagResource" ], "Resource": "arn:aws:fsx:region:account-id:file-system/*", "Condition": { "StringEquals": { "aws:RequestTag/Department": "Finance" } } }

Example policy – Create backups only on file systems with a specific tag

This policy allows users to create backups only on file systems that are tagged with the key value pair key=Department, value=Finance, and the backup will be created with the tag Deparment=Finance.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "fsx:CreateBackup" ], "Resource": "arn:aws:fsx:region:account-id:file-system/*", "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Finance" } } }, { "Effect": "Allow", "Action": [ "fsx:TagResource", "fsx:CreateBackup" ], "Resource": "arn:aws:fsx:region:account-id:backup/*", "Condition": { "StringEquals": { "aws:RequestTag/Department": "Finance" } } } ] }

Example policy – Create a file system with a specific tag from backups with a specific tag

This policy allows users to create file systems that are tagged with Department=Finance only from backups that are tagged with Department=Finance.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "fsx:CreateFileSystemFromBackup", "fsx:TagResource" ], "Resource": "arn:aws:fsx:region:account-id:file-system/*", "Condition": { "StringEquals": { "aws:RequestTag/Department": "Finance" } } }, { "Effect": "Allow", "Action": [ "fsx:CreateFileSystemFromBackup" ], "Resource": "arn:aws:fsx:region:account-id:backup/*", "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Finance" } } } ] }

Example policy – Delete file systems with specific tags

This policy allows a user to delete only file systems that are tagged with Department=Finance. If they create a final backup, then it must be tagged with Department=Finance.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "fsx:DeleteFileSystem" ], "Resource": "arn:aws:fsx:region:account-id:file-system/*", "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Finance" } } }, { "Effect": "Allow", "Action": [ "fsx:TagResource" ], "Resource": "arn:aws:fsx:region:account-id:backup/*", "Condition": { "StringEquals": { "aws:RequestTag/Department": "Finance" } } } ] }