Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Deduplication Guide
  3. S3 Interface for MSDP
  4. Identity and Access Management (IAM) for S3 interface for MSDP
  5. IAM policy document syntax
NetBackup™ Deduplication Guide

IAM policy document syntax

A policy document is a JSON format document that contains Version and Statement objects. For example,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Supported Version in policy document:

Only "2012-10-17" is supported.

Supported Action:

Table: Supported Action

Action

Description

Permissive APIs

s3:*

Any S3 and IAM operations. This is an administrator permission.

All S3 and IAM APIs.

Note:

CreateBucket API requires this permission.

The permission s3:BypassGovernanceRetention is only applied to the action s3:*.

s3:Put*

S3 write operations.

UploadPart

CompleteMultipartUpload

CreateMultipartUpload

AbortMultipartUpload

PutObject

DeleteObject

DeleteObjects

PutBucketVersioning

DeleteBucket

CopyObject

PutObjectLockConfiguration

PutObjectRetention

s3:Get*

S3 read operations.

HeadObject

GetObject

GetBucketVersioning

GetBucketLocation

GetBucketEncryption

HeadBucket

CopyObject

GetObjectLockConfiguration

GetObjectRetention

s3:List*

S3 list operations.

ListBuckets

ListObjects

ListObjectsV2

ListObjectVersions

ListMultipartUploads

Supported Effect:

Only "Allow" effect is supported.

Note:

root user has embedded administrator permission, so you cannot attach a policy to root user.

Supported Resource patterns:

Table: Supported Resource patterns

Resource pattern

Description

arn:aws:s3:::*

All S3 resources.

Note:

If this resource pattern is used with action s3:*, it means that the user has all permissions for all S3 resources, which are same as a root user.

The permission s3:BypassGovernanceRetention is only applied to the action s3:*.

arn:aws:s3:::<BUCKET_NAME>/*

All objects within <BUCKET_NAME>. And the bucket itself.

The permission s3:BypassGovernanceRetention is not applied to the current resource.

Feedback

Was this page helpful?
Previous

Data Types

Next

S3 Object Lock In Flex WORM

Feedback

Was this page helpful?