IAM permissions for EBS direct APIs - Amazon Elastic Compute Cloud

IAM permissions for EBS direct APIs

An AWS Identity and Access Management (IAM) user must have the following policies to use the EBS direct APIs. For more information, see Changing Permissions for an IAM User.

For more information about the EBS direct APIs resources, actions, and condition context keys for use in IAM permission policies, see Actions, resources, and condition keys for Amazon Elastic Block Store in the Service Authorization Reference.

Important

Be cautious when assigning the following policies to IAM users. By assigning these policies, you might give access to a user who is denied access to the same resource through the Amazon EC2 APIs, such as the CopySnapshot or CreateVolume actions.

The following policy allows the read EBS direct APIs to be used on all snapshots in a specific AWS Region. In the policy, replace <Region> with the Region of the snapshot.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock" ], "Resource": "arn:aws:ec2:<Region>::snapshot/*" } ] }

The following policy allows the read EBS direct APIs to be used on snapshots with a specific key-value tag. In the policy, replace <Key> with the key value of the tag, and <Value> with the value of the tag.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock" ], "Resource": "arn:aws:ec2:*::snapshot/*", "Condition": { "StringEqualsIgnoreCase": { "aws:ResourceTag/<Key>": "<Value>" } } } ] }

The following policy allows all of the read EBS direct APIs to be used on all snapshots in the account only within a specific time range. This policy authorizes use of the EBS direct APIs based on the aws:CurrentTime global condition key. In the policy, be sure to replace the date and time range shown with the date and time range for your policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock" ], "Resource": "arn:aws:ec2:*::snapshot/*", "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2018-05-29T00:00:00Z" }, "DateLessThan": { "aws:CurrentTime": "2020-05-29T23:59:59Z" } } } ] }

For more information, see Changing Permissions for an IAM User in the IAM User Guide.

The following policy allows the write EBS direct APIs to be used on all snapshots in a specific AWS Region. In the policy, replace <Region> with the Region of the snapshot.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ebs:StartSnapshot", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot" ], "Resource": "arn:aws:ec2:<Region>::snapshot/*" } ] }

The following policy allows the write EBS direct APIs to be used on snapshots with a specific key-value tag. In the policy, replace <Key> with the key value of the tag, and <Value> with the value of the tag.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ebs:StartSnapshot", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot" ], "Resource": "arn:aws:ec2:*::snapshot/*", "Condition": { "StringEqualsIgnoreCase": { "aws:ResourceTag/<Key>": "<Value>" } } } ] }

The following policy allows all of the EBS direct APIs to be used. It also allows the StartSnapshot action only if a parent snapshot ID is specified. Therefore, this policy blocks the ability to start new snapshots without using a parent snapshot.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ebs:*", "Resource": "*", "Condition": { "StringEquals": { "ebs:ParentSnapshot": "arn:aws:ec2:*::snapshot/*" } } } ] }

The following policy allows all of the EBS direct APIs to be used. It also allows only the user tag key to be created for a new snapshot. This policy also ensures that the user has access to create tags. The StartSnapshot action is the only action that can specify tags.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ebs:*", "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": "user" } } }, { "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*" } ] }

The following policy allows all of the write EBS direct APIs to be used on all snapshots in the account only within a specific time range. This policy authorizes use of the EBS direct APIs based on the aws:CurrentTime global condition key. In the policy, be sure to replace the date and time range shown with the date and time range for your policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ebs:StartSnapshot", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot" ], "Resource": "arn:aws:ec2:*::snapshot/*", "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2018-05-29T00:00:00Z" }, "DateLessThan": { "aws:CurrentTime": "2020-05-29T23:59:59Z" } } } ] }

For more information, see Changing Permissions for an IAM User in the IAM User Guide.

The following policy grants permission to decrypt an encrypted snapshot using a specific KMS key. It also grants permission to encrypt new snapshots using the default KMS key for EBS encryption. In the policy, replace <Region> with the Region of the KMS key, <AccountId> with the ID of the AWS account of the KMS key, and <KeyId> with the ID of the KMS key.

Note

By default, all principals in the account have access to the default AWS managed KMS key for Amazon EBS encryption, and they can use it for EBS encryption and decryption operations. If you are using a customer managed key, you must create a new key policy or modify the existing key policy for the customer managed key to grant the principal access to the customer managed key. For more information, see Key policies in AWS KMS in the AWS Key Management Service Developer Guide.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*", "kms:CreateGrant", "ec2:CreateTags", "kms:DescribeKey" ], "Resource": "arn:aws:kms:<Region>:<AccountId>:key/<KeyId>" } ] }

For more information, see Changing Permissions for an IAM User in the IAM User Guide.