DataSync API permissions: Actions and resources

When creating AWS Identity and Access Management (IAM) policies, this page can help you understand the relationship between AWS DataSync API operations, the corresponding actions that you can grant permissions to perform, and the AWS resources for which you can grant the permissions.

In general, here's how you add DataSync permissions to your policy:

Specify an action in the Action element. The value includes a datasync: prefix and the API operation name. For example, datasync:CreateTask.
Specify an AWS resource related to the action in the Resource element.

You can also use AWS condition keys in your DataSync policies. For a complete list of AWS keys, see Available keys in the IAM User Guide.

For a list of DataSync resources and their Amazon Resource Name (ARN) formats, see DataSync resources and operations.

DataSync API operations and corresponding actions

AddStorageSystem

Action: datasync:AddStorageSystem

Resource: None

Actions:

kms:Decrypt
iam:CreateServiceLinkedRole

Resource: *

Action: secretsmanager:CreateSecret

Resource: arn:aws:secretsmanager:region:account-id:secret:datasync!*

CancelTaskExecution

Action: datasync:CancelTaskExecution

Resource: arn:aws:datasync:region:account-id:task/task-id/execution/exec-id

CreateAgent

Action: datasync:CreateAgent

Resource: None

CreateLocationAzureBlob

Action: dataSync:CreateLocationAzureBlob

Resource: arn:aws:datasync:region:account-id:agent/agent-id

CreateLocationEfs

Action: datasync:CreateLocationEfs

Resource: None

CreateLocationFsxLustre

Action: datasync:CreateLocationFsxLustre

Resource: None

CreateLocationFsxOntap

Action: datasync:CreateLocationFsxOntap

Resource: None

CreateLocationFsxOpenZfs

Action: datasync:CreateLocationFsxOpenZfs

Resource: None

CreateLocationFsxWindows

Action: datasync:CreateLocationFsxWindows

Resource: None

CreateLocationHdfs

Action: dataSync:CreateLocationHdfs

Resource: arn:aws:datasync:region:account-id:agent/agent-id

CreateLocationNfs

Action: datasync:CreateLocationNfs

Resource: arn:aws:datasync:region:account-id:agent/agent-id

CreateLocationObjectStorage

Action: dataSync:CreateLocationObjectStorage

Resource: arn:aws:datasync:region:account-id:agent/agent-id

CreateLocationS3

Action: datasync:CreateLocationS3

Resource: arn:aws:datasync:region:account-id:agent/agent-id (only for Amazon S3 on Outposts)

CreateLocationSmb

Action: datasync:CreateLocationSmb

Resource: arn:aws:datasync:region:account-id:agent/agent-id

CreateTask

Action: datasync:CreateTask

Resources:

arn:aws:datasync:region:account-id:location/source-location-id
arn:aws:datasync:region:account-id:location/destination-location-id

DeleteAgent

Action: datasync:DeleteAgent

Resource: arn:aws:datasync:region:account-id:agent/agent-id

DeleteLocation

Action: datasync:DeleteLocation

Resource: arn:aws:datasync:region:account-id:location/location-id

DeleteTask

Action: datasync:DeleteTask

Resource: arn:aws:datasync:region:account-id:task/task-id

DescribeAgent

Action: datasync:DescribeAgent

Resource: arn:aws:datasync:region:account-id:agent/agent-id

DescribeDiscoveryJob

Action: datasync:DescribeDiscoveryJob

Resource: arn:aws:datasync:region:account-id:system/storage-system-id/job/discovery-job-id

DescribeLocationAzureBlob

Action: datasync:DescribeLocationAzureBlob

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationEfs

Action: datasync:DescribeLocationEfs

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationFsxLustre

Action: datasync:DescribeLocationFsxLustre

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationFsxOntap

Action: datasync:DescribeLocationFsxOntap

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationFsxOpenZfs

Action: datasync:DescribeLocationFsxOpenZfs

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationFsxWindows

Action: datasync:DescribeLocationFsxWindows

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationHdfs

Action: datasync:DescribeLocationHdfs

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationNfs

Action: datasync:DescribeLocationNfs

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationObjectStorage

Action: datasync:DescribeLocationObjectStorage

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationS3

Action: datasync:DescribeLocationS3

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeLocationSmb

Action: datasync:DescribeLocationSmb

Resource: arn:aws:datasync:region:account-id:location/location-id

DescribeStorageSystem

Action: datasync:DescribeStorageSystem

Resource: arn:aws:datasync:region:account-id:system/storage-system-id

Action: secretsmanager:DescribeSecret

Resource: arn:aws:secretsmanager:region:account-id:secret:datasync!*

DescribeStorageSystemResourceMetrics

Action: datasync:DescribeStorageSystemResourceMetrics

Resource: arn:aws:datasync:region:account-id:system/storage-system-id/job/discovery-job-id

DescribeStorageSystemResources

Action: datasync:DescribeStorageSystemResources

Resource: arn:aws:datasync:region:account-id:system/storage-system-id/job/discovery-job-id

DescribeTask

Action: datasync:DescribeTask

Resource: arn:aws:datasync:region:account-id:task/task-id

DescribeTaskExecution

Action: datasync:DescribeTaskExecution

Resource: arn:aws:datasync:region:account-id:task/task-id/execution/exec-id

GenerateRecommendations

Action: datasync:GenerateRecommendations

Resource: arn:aws:datasync:region:account-id:system/storage-system-id/job/discovery-job-id

ListAgents

Action: datasync:ListAgents

Resource: None

ListDiscoveryJobs

Action: datasync:ListDiscoveryJobs

Resource: arn:aws:datasync:region:account-id:system/storage-system-id

ListLocations

Action: datasync:ListLocations

Resource: None

ListTagsForResource

Action: datasync:ListTagsForResource

Resources:

arn:aws:datasync:region:account-id:agent/agent-id
arn:aws:datasync:region:account-id:task/task-id
arn:aws:datasync:region:account-id:location/location-id

ListTaskExecutions

Action: datasync:ListTaskExecutions

Resource: arn:aws:datasync:region:account-id:task/task-id

ListTasks

Action: datasync:ListTasks

Resource: None

RemoveStorageSystem

Action: datasync:RemoveStorageSystem

Resource: arn:aws:datasync:region:account-id:system/storage-system-id

Action: secretsmanager:DeleteSecret

Resource: arn:aws:secretsmanager:region:account-id:secret:datasync!*

StartDiscoveryJob

Action: datasync:StartDiscoveryJob

Resource: arn:aws:datasync:region:account-id:system/storage-system-id

StopDiscoveryJob

Action: datasync:StopDiscoveryJob

Resource: arn:aws:datasync:region:account-id:system/storage-system-id/job/discovery-job-id

StartTaskExecution

Action: datasync:StartTaskExecution

Resource: arn:aws:datasync:region:account-id:task/task-id

TagResource

Action: datasync:TagResource

Resources:

arn:aws:datasync:region:account-id:agent/agent-id
arn:aws:datasync:region:account-id:task/task-id
arn:aws:datasync:region:account-id:location/location-id

UntagResource

Action: datasync:UntagResource

Resources:

arn:aws:datasync:region:account-id:agent/agent-id
arn:aws:datasync:region:account-id:task/task-id
arn:aws:datasync:region:account-id:location/location-id

UpdateAgent

Action: datasync:UpdateAgent

Resource: arn:aws:datasync:region:account-id:agent/agent-id

UpdateDiscoveryJob

Action: datasync:UpdateDiscoveryJob

Resource: arn:aws:datasync:region:account-id:system/storage-system-id/job/discovery-job-id

UpdateLocationAzureBlob

Action: datasync:UpdateLocationAzureBlob

Resources:

arn:aws:datasync:region:account-id:agent/agent-id
arn:aws:datasync:region:account-id:location/location-id

UpdateLocationHdfs

Action: datasync:UpdateLocationHdfs

Resources:

arn:aws:datasync:region:account-id:agent/agent-id
arn:aws:datasync:region:account-id:location/location-id

UpdateLocationNfs

Action: datasync:UpdateLocationNfs

Resource: arn:aws:datasync:region:account-id:location/location-id

UpdateLocationObjectStorage

Action: datasync:UpdateLocationObjectStorage

Resources:

arn:aws:datasync:region:account-id:agent/agent-id
arn:aws:datasync:region:account-id:location/location-id

UpdateLocationSmb

Action: datasync:UpdateLocationSmb

Resources:

arn:aws:datasync:region:account-id:agent/agent-id
arn:aws:datasync:region:account-id:location/location-id

UpdateStorageSystem

Action: datasync:UpdateStorageSystem

Resources:

arn:aws:datasync:region:account-id:agent/agent-id
arn:aws:datasync:region:account-id:system/storage-system-id

UpdateTask

Action: datasync:UpdateTask

Resource: arn:aws:datasync:region:account-id:task/task-id

UpdateTaskExecution

Action: datasync:UpdateTaskExecution

Resource: arn:aws:datasync:region:account-id:task/task-id/execution/exec-id

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Cross-service confused deputy prevention

Compliance validation