How to Set Access Control (IAM) for a Glacier Vault
An AWS account has full permission to perform all actions on the Amazon Glacier vaults that belong to the account. However, AWS Identity and Access Management (IAM) users have no permissions by default. You can control access by setting vault-level access policies using the AWS IAM service.
With AWS IAM you can create a policy for a specific user or group. This guide shows you how to set a vault-level access policy.
Open the AWS Management Console and go to the IAM service.
1. Open an existing Glacier vault or create a new one, and write down the ARN of the vault.
2. Go to the IAM console and create a couple of groups that will have different levels of access to the vault. Do not set any policy or permission for the groups yet.
3. As seen above, there are three separate groups, and none of them has a policy assigned yet. We will create a separate IAM policy for each group.
4. To create a policy, first select a group and then set the policy for the group as explained here. You will need to provide the ARN of the vault.
5. Below, a confirmation that the policy was created for the selected group.
6. Below, a sample policy for upload access.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:glacier:us-west-2: :vaults/Vault_IAM_AccessPolicy"
      ],
      "Action": [
        "glacier:UploadArchive",
        "glacier:InitiateMultipartUpload",
        "glacier:UploadMultipartPart",
        "glacier:UploadPart",
        "glacier:ListParts",
        "glacier:ListMultipartUploads",
        "glacier:CompleteMultipartUpload"
      ]
    }
  ]
}
7. Here, a sample policy for vault full access.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:glacier:us-west-2: :vaults/Vault_IAM_AccessPolicy"
      ],
      "Action": [
        "glacier:*"
      ]
    }
  ]
}
Amazon Glacier supports permissions at the vault level only. In a policy you can grant access to an individual vault, to all vaults in a specific region, or to all vaults whose names match a pattern.
Some examples of ARN:
Resource | ARN to be specified in the IAM policy
Single vault: Vault_IAM_AccessPolicy | arn:aws:glacier:us-west-2:564523135741:vaults/Vault_IAM_AccessPolicy
Vault names starting with 'AWS' | arn:aws:glacier:us-west-2:564523135741:vaults/AWS*
All vaults in the us-west-2 region | arn:aws:glacier:us-west-2:564523135741:vaults/*
To get a full list of actions, refer to the APIs provided by Amazon Glacier.
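The following Python script is an added example, not part of the original guide: it evaluates the upload-only and full-access policies from steps 6 and 7 against the three ARN patterns in the table above, using IAM's matching rules (explicit Deny wins, '*' and '?' wildcards, case-insensitive action names), and lists the wildcard grants worth reviewing before a policy is attached. The account id 123456789012 is a placeholder.

```python
import json
import re

# Constructed sample policies modelled on the ones in this guide; the account id
# 123456789012 is a placeholder (the guide's policies leave it blank).
VAULT = "arn:aws:glacier:us-west-2:123456789012:vaults/Vault_IAM_AccessPolicy"
UPLOAD_POLICY = json.loads("""{"Statement": [{"Effect": "Allow",
  "Resource": ["arn:aws:glacier:us-west-2:123456789012:vaults/Vault_IAM_AccessPolicy"],
  "Action": ["glacier:UploadArchive", "glacier:InitiateMultipartUpload",
             "glacier:UploadMultipartPart", "glacier:ListParts",
             "glacier:ListMultipartUploads", "glacier:CompleteMultipartUpload"]}]}""")
FULL_POLICY = json.loads("""{"Statement": [{"Effect": "Allow",
  "Resource": ["arn:aws:glacier:us-west-2:123456789012:vaults/AWS*"],
  "Action": ["glacier:*"]}]}""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _wild(pattern, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)

def policy_allows(policy, action, resource_arn):
    """Evaluate one request the way IAM does for an identity policy: an explicit
    Deny always wins, otherwise any matching Allow grants, otherwise implicit deny.
    Action names are matched case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_wild(a, True).match(action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wild(r).match(resource_arn) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def broad_grants(policy):
    """List Allow (action, resource) pairs that use a wildcard, i.e. grant every
    Glacier action or cover more than one vault; review these before attaching."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for a in _as_list(stmt.get("Action", [])):
            for r in _as_list(stmt.get("Resource", [])):
                if "*" in a or "*" in r:
                    findings.append((a, r))
    return findings
```

Running `policy_allows(UPLOAD_POLICY, "glacier:DeleteVault", VAULT)` returns False, which is exactly the separation between the upload-only group and the full-access group that the guide sets up.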