Resource-level Permissions in an IAM Policy

Describes various resource-level permissions that can be allowed or denied in an IAM policy.

You can configure the resource-level permissions at the following levels:

  • Fabric level
  • Bucket level
  • Volume level

The following sections describe the permissions available at each of these levels.

Fabric-level Permissions

You can configure the following permissions in an IAM policy for fabrics, external S3 servers, or external NFS servers.

Permission               Description
-----------------------  ---------------------------------------------------------------
ViewClusterConfig        Permission to view cluster configuration.
ManageClusterServices    Permission to manage various fabric-level services.
ManageClusterOperations  Permission to manage cluster operations.
ManageClusterSettings    Permission to manage various cluster settings.
ManageIamRoleOperations  Permission to manage operations related to user-defined roles.
ManageClusterACE         Permission to manage fabric ACE.
ManageStartStopService   Permission to start and stop fabric services.
ManageClusterVolume      Permission to manage volumes on a fabric.

Volume-level Permissions

The following permissions can be granted in an IAM policy for volumes.

Permission          Description
------------------  ---------------------------------------------------------------
ReadVolume          Permission to read a volume.
WriteVolume         Permission to write to a volume.
DeleteVolume        Permission to delete a volume.
MountVolume         Permission to mount a volume.
MirrorVolume        Permission to mirror a volume.
ManageVolumeConfig  Permission to manage volume configuration.
ManageVolumeACE     Permission to manage volume ACE.
VolumeFullControl   Permission to perform all allowable operations on a volume.

Bucket-level Permissions

The following permissions can be granted in an IAM policy for Data Fabric S3 buckets.

Permission                        Description
--------------------------------  --------------------------------------------------------------------------------------
AbortMultiPartUpload              Permission to abort a multi-part upload of an object to an S3 bucket.
DeleteBucket                      Permission to delete an S3 bucket.
ForceDeleteBucket                 Permission to force deletion of an S3 bucket.
DeleteBucketPolicy                Permission to delete an S3 bucket policy.
DeleteObject                      Permission to delete an object from an S3 bucket.
GetBucketLocation                 Permission to get the location or region of an S3 bucket.
GetBucketNotification             Permission to get the notification settings of an S3 bucket.
GetBucketPolicy                   Permission to get the policy of an S3 bucket.
GetObject                         Permission to retrieve an object from an S3 server or bucket.
HeadBucket                        Permission to access an S3 bucket to check its existence and contents.
ListAllMyBuckets                  Permission to retrieve the list of S3 buckets owned by the sender of the request.
ListBucket                        Permission to retrieve a list of S3 buckets.
ListBucketVersions                Permission to retrieve a list of S3 bucket versions.
ListBucketMultiPartUploads        Permission to retrieve the list of multi-part uploads for an S3 bucket.
ListMultiPartUploadParts          Permission to retrieve the list of parts in a multi-part upload to an S3 bucket.
PutBucketLifeCycle                Permission to create a new lifecycle configuration for an S3 bucket or replace an existing one.
GetBucketLifeCycle                Permission to retrieve the lifecycle configuration of an S3 bucket.
PutBucketNotification             Permission to enable notifications for specified events on an S3 bucket.
PutBucketEncryption               Permission to configure encryption and keys on an S3 bucket.
DeleteObjectTagging               Permission to delete the tags of an object.
PutBucketPolicy                   Permission to apply a bucket policy to an S3 bucket.
PutObject                         Permission to add an object to an S3 bucket.
PutObjectRetention                Permission to configure retention settings on an object.
GetObjectRetention                Permission to retrieve the retention configuration of an object.
GetObjectLegalHold                Permission to retrieve the legal hold status of an object.
PutObjectLegalHold                Permission to configure a legal hold on an object.
GetBucketObjectLockConfiguration  Permission to retrieve the object lock configuration of an S3 bucket.
PutBucketObjectLockConfiguration  Permission to configure the object lock settings of an S3 bucket.
GetBucketTagging                  Permission to retrieve the tags associated with an S3 bucket.
PutBucketTagging                  Permission to set tags on an S3 bucket.
GetObjectVersion                  Permission to access a specific version of an object.
GetObjectVersionTagging           Permission to retrieve the tags of an object version.
DeleteObjectVersion               Permission to delete an object version.
DeleteObjectVersionTagging        Permission to delete the tags of an object version.
PutObjectVersionTagging           Permission to set tags on an object version.
GetObjectTagging                  Permission to retrieve the set of tags for an object.
PutObjectTagging                  Permission to set the tags for an object.
GetBucketEncryption               Permission to retrieve the encryption settings of an S3 bucket.
PutBucketVersioning               Permission to set the versioning state of an S3 bucket.
GetBucketVersioning               Permission to retrieve the versioning state of an S3 bucket.
GetReplicationConfiguration       Permission to retrieve the replication configuration.
PutReplicationConfiguration       Permission to set the replication configuration.