Required IAM permissions
By default, users don't have permission to use snapshot archiving. To allow users to use snapshot archiving, you must create IAM policies that grant permission to use specific resources and API actions. For more information, see Creating IAM policies in the IAM User Guide.
To use snapshot archiving, users need the following permissions.
-
ec2:DescribeSnapshotTierStatus -
ec2:ModifySnapshotTier -
ec2:RestoreSnapshotTier
Console users might need additional permissions such as ec2:DescribeSnapshots.
To archive and restore encrypted snapshots, the following additional AWS KMS permissions are required.
-
kms:CreateGrant -
kms:Decrypt -
kms:DescribeKey
The following is an example IAM policy that gives IAM users permission to archive,
restore, and view encrypted and unencrypted snapshots. It includes the ec2:DescribeSnapshots
permission for console users. If some permissions are not needed, you can remove them from
the policy.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeSnapshotTierStatus", "ec2:ModifySnapshotTier", "ec2:RestoreSnapshotTier", "ec2:DescribeSnapshots", "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*" }] }
To provide access, add permissions to your users, groups, or roles:
-
Users and groups in AWS IAM Identity Center (successor to AWS Single Sign-On):
Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.
-
Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
-
IAM users:
-
Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
-
(Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
-
