This page is only for existing customers of the S3 Glacier service using Vaults and the original REST API from 2012.
If you're looking for archival storage solutions we suggest using the S3 Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. To learn more about these storage options, see S3 Glacier storage classes
Vault Access Policies
An Amazon S3 Glacier vault access policy is a resource-based policy that you can use to manage permissions to your vault.
You can create one vault access policy for each vault to manage permissions. You can modify permissions in a vault access policy at any time. S3 Glacier also supports a Vault Lock policy on each vault that, after you lock it, cannot be altered. For more information about working with Vault Lock policies, see Vault Lock Policies.
Examples
Example 1: Grant Cross-Account Permissions for Specific Amazon S3 Glacier Actions
The following example policy grants cross-account permissions to two
AWS accounts for a set of S3 Glacier operations on a vault named
examplevault
.
Note
The account that owns the vault is billed for all costs associated with the vault. All requests, data transfer, and retrieval costs made by allowed external accounts are billed to the account that owns the vault.
{ "Version":"2012-10-17", "Statement":[ { "Sid":"cross-account-upload", "Principal": { "AWS": [ "arn:aws:iam::123456789012:root", "arn:aws:iam::444455556666:root" ] }, "Effect":"Allow", "Action": [ "glacier:UploadArchive", "glacier:InitiateMultipartUpload", "glacier:AbortMultipartUpload", "glacier:CompleteMultipartUpload" ], "Resource": [ "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault" ] } ] }
Example 2: Grant Cross-Account Permissions for MFA Delete Operations
You can use multi-factor authentication (MFA) to protect your S3 Glacier resources. To provide an extra level of security, MFA requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information about configuring MFA access, see Configuring MFA-Protected API Access in the IAM User Guide.
The example policy grants an AWS account with temporary credentials permission
to delete archives from a vault named examplevault, provided the request is
authenticated with an MFA device. The policy uses the
aws:MultiFactorAuthPresent
condition key to specify this additional
requirement. For more information, see Available Keys
for Conditions in the IAM User Guide.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "add-mfa-delete-requirement", "Principal": { "AWS": [ "arn:aws:iam::123456789012:root" ] }, "Effect": "Allow", "Action": [ "glacier:Delete*" ], "Resource": [ "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault" ], "Condition": { "Bool": { "aws:MultiFactorAuthPresent": true } } } ] }