
There are similar questions around, but none seem to quite answer my question directly (or I'm too new with AWS to connect the dots myself). Apologies if this was easily searchable. I've been trying for many days now.

I want to create a policy that I can assign to IAM users for my Glacier account that will give any IAM user the right to create a vault and then allow them most rights on the vaults that they've created (basically all but delete).

The use case/scenario is this: I have multiple Synology NASes spread across multiple sites. I presently have them all backing up to the Glacier account, each using its own IAM creds. So far so good. The problem comes when they need to do a restore (or even just a list vaults): they see all vaults in the account. I do not want them to see other NASes' vaults/backups, as it can be confusing and is irrelevant to that site. So far I'm simply doing all Glacier ops myself, but this will not scale for us. (We intend to add about 25 more NASes/sites; presently running about 8-10.)

My assumption is that I should be able to do this somehow with a condition statement and some variant of vaults/${userid} but not quite finding/getting it.

I can't affect anything at vault creation (like adding a tag) because it's the Synology Glacier app creating the vault so no way to mod that.

I've seen some solutions for like EC2 that use post-hoc tagging. I'd prefer not to go that route if I can avoid it as it involves other services we don't use and I know little to nothing about (CloudStream(?), CloudWatch(?) and Lambda I think).

I've also thought of multiple linked accounts, which, if it's the only way, then I will, but with no ability to move vaults to the new account (meaning I'd have to start over for these 8) it's a less attractive option.

Seems like a policy for this should be easy enough. Hoping it is and it's just a few clicks over my current Policy writing skills.

JoelAZ
  • The reason you won't find this is that everything a user does is on behalf of, and with the permission of, the AWS account that owns the user. All of the resources are owned by the account, and who created what isn't something that generally has any meaning to the system, later. Can your platform specify name patterns for the vaults? If so, you *might* be able to grant permissions based on vault name prefix matching. Docs seem unclear. – Michael - sqlbot Feb 09 '18 at 00:40
  • @Michael-sqlbot Thanks Michael. I can't control anything about the platform's naming of the vaults as it's a proprietary app on the Synology NAS's OS. The naming is basically the NAS's name, a string of random numbers and an increment. I have been digging further and I see that what I *thought* was the random string may be the IAM user ID, but until I can verify that, that's speculation. I can't verify that in the web UI and I've never touched the AWS CLI, so I'm trying to get that set up shortly and see if it is the case. It's a shame they ignore the creator. It's not useless, as in this case. – JoelAZ Feb 09 '18 at 03:10
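An added example of the name-prefix approach raised in the comment above; it is not from the original post, from Synology, or from AWS documentation. It is an IAM identity policy that lets a user create vaults and work with them only when the vault name begins with that user's own IAM user name, using the `${aws:username}` policy variable in the Resource ARN (policy variables require `"Version": "2012-10-17"`). The region `us-west-2`, the account ID `123456789012`, the `<username>-` naming convention, and the action list are all assumptions; for the Synology naming described above (NAS name, a number string, an increment) this only works if each IAM user is named after its NAS so the NAS name is the prefix.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountLevelCallsNotScopableToAVault",
      "Effect": "Allow",
      "Action": [
        "glacier:ListVaults",
        "glacier:GetDataRetrievalPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateAndUseOnlyVaultsWithMyNamePrefix",
      "Effect": "Allow",
      "Action": [
        "glacier:CreateVault",
        "glacier:DescribeVault",
        "glacier:GetVaultNotifications",
        "glacier:UploadArchive",
        "glacier:InitiateMultipartUpload",
        "glacier:UploadMultipartPart",
        "glacier:ListMultipartUploads",
        "glacier:ListParts",
        "glacier:CompleteMultipartUpload",
        "glacier:AbortMultipartUpload",
        "glacier:InitiateJob",
        "glacier:DescribeJob",
        "glacier:ListJobs",
        "glacier:GetJobOutput",
        "glacier:DeleteArchive"
      ],
      "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/${aws:username}-*"
    }
  ]
}
```

Two caveats a practitioner would want. First, `glacier:ListVaults` is an account-level call that does not take a vault ARN, so it has to be granted on `*` and every NAS will still see every vault name in the list; what the second statement achieves is that a user cannot describe, upload to, or retrieve from a vault outside its own prefix, and cannot create one with a different prefix. Second, `glacier:DeleteVault` is left out on purpose (the "all but delete" requirement), while `glacier:DeleteArchive` is kept because backup rotation generally needs it; remove it if "delete" is meant to cover archives as well. If the "random string" in the Synology vault names turns out to be the IAM user's unique ID rather than its name, `${aws:userid}` is the corresponding policy variable and the Resource pattern would be rewritten around it instead.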

0 Answers