Permissions for IAM users - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Permissions for IAM users

An IAM user must have the following permissions to use Amazon Data Lifecycle Manager.

  • The ec2:DescribeAvailabilityZones, ec2:DescribeRegions, kms:ListAliases, and kms:DescribeKey permissions are required for console users only. If console access is not required, you can remove the permissions.

  • The ARN format of the AWSDataLifecycleManagerDefaultRole role differs depending on whether it was created using the console or the Amazon CLI. If the role was created using the console, the ARN format is arn:aws:iam::account_id:role/service-role/AWSDataLifecycleManagerDefaultRole. If the role was created using the Amazon CLI, the ARN format is arn:aws:iam::account_id:role/AWSDataLifecycleManagerDefaultRole The following policy assumes the role was created using the Amazon CLI.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dlm:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::accound_id:role/service-role/AWSDataLifecycleManagerDefaultRole", "arn:aws:iam::accound_id:role/service-role/AWSDataLifecycleManagerDefaultRoleForAMIManagement" ] }, { "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeRegions", "kms:ListAliases", "kms:DescribeKey" ], "Resource": "*" } ] }

For more information, see Changing Permissions for an IAM User in the IAM User Guide.