Permissions for users

A user must have the following permissions to use Amazon Data Lifecycle Manager.

Note

The ec2:DescribeAvailabilityZones, ec2:DescribeRegions, kms:ListAliases, and kms:DescribeKey permissions are required for console users only. If console access is not required, you can remove the permissions.
The ARN format of the AWSDataLifecycleManagerDefaultRole role differs depending on whether it was created using the console or the Amazon CLI. If the role was created using the console, the ARN format is arn:aws:iam::account_id:role/service-role/AWSDataLifecycleManagerDefaultRole. If the role was created using the Amazon CLI, the ARN format is arn:aws:iam::account_id:role/AWSDataLifecycleManagerDefaultRole The following policy assumes the role was created using the Amazon CLI.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dlm:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::accound_id:role/service-role/AWSDataLifecycleManagerDefaultRole",
                "arn:aws:iam::accound_id:role/service-role/AWSDataLifecycleManagerDefaultRoleForAMIManagement"
                ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeRegions",
                "kms:ListAliases",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

For more information, see Changing permissions for a user in the IAM User Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

IAM service roles

Permissions for encryption