Control access to Recycle Bin with IAM permissions - Amazon EBS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Control access to Recycle Bin with IAM permissions

By default, users don't have permission to work with Recycle Bin, retention rules, or with resources that are in the Recycle Bin. To allow users to work with these resources, you must create IAM policies that grant permission to use specific resources and API actions. After the policies are created, you must add permissions to your users, groups, or roles.

Permissions for working with Recycle Bin and retention rules

To work with Recycle Bin and retention rules, users need the following permissions.

  • rbin:CreateRule

  • rbin:UpdateRule

  • rbin:GetRule

  • rbin:ListRules

  • rbin:DeleteRule

  • rbin:TagResource

  • rbin:UntagResource

  • rbin:ListTagsForResource

  • rbin:LockRule

  • rbin:UnlockRule

To use the Recycle Bin console, users need the tag:GetResources permission.

The following is an example IAM policy that includes the tag:GetResources permission for console users. If some permissions are not needed, you can remove them from the policy.

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "rbin:CreateRule", "rbin:UpdateRule", "rbin:GetRule", "rbin:ListRules", "rbin:DeleteRule", "rbin:TagResource", "rbin:UntagResource", "rbin:ListTagsForResource", "rbin:LockRule", "rbin:UnlockRule", "tag:GetResources" ], "Resource": "*" }] }

To provide access, add permissions to your users, groups, or roles:

Permissions for working with resources in the Recycle Bin

For more information about the IAM permissions needed to work with resources in the Recycle Bin, see the following:

Condition keys for Recycle Bin

Recycle Bin defines the following condition keys that you can use in the Condition element of an IAM policy to control the conditions under which the policy statement applies. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

rbin:Request/ResourceType condition key

The rbin:Request/ResourceType condition key can be used to filter access on CreateRule and ListRules requests based on the value specified for the ResourceType request parameter.

Example 1 - CreateRule

The following sample IAM policy allows IAM principals to make CreateRule requests only if the value specified for the ResourceType request parameter is EBS_SNAPSHOT or EC2_IMAGE. This allows the principal to create new retention rules for snapshots and AMIs only.

{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" :[ "rbin:CreateRule" ], "Resource" : "*", "Condition" : { "StringEquals" : { "rbin:Request/ResourceType" : ["EBS_SNAPSHOT", "EC2_IMAGE"] } } } ] }
Example 2 - ListRules

The following sample IAM policy allows IAM principals to make ListRules requests only if the value specified for the ResourceType request parameter is EBS_SNAPSHOT. This allows the principal to list retention rules for snapshots only, and it prevents them from listing retention rules for any other resource type.

{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" :[ "rbin:ListRules" ], "Resource" : "*", "Condition" : { "StringEquals" : { "rbin:Request/ResourceType" : "EBS_SNAPSHOT" } } } ] }

rbin:Attribute/ResourceType condition key

The rbin:Attribute/ResourceType condition key can be used to filter access on DeleteRule, GetRule, UpdateRule, LockRule, UnlockRule, TagResource, UntagResource, and ListTagsForResource requests based on the value of the retention rule's ResourceType attribute.

Example 1 - UpdateRule

The following sample IAM policy allows IAM principals to make UpdateRule requests only if the ResourceType attribute of the requested retention rule is EBS_SNAPSHOT or EC2_IMAGE. This allows the principal to update retention rules for snapshots and AMIs only.

{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" :[ "rbin:UpdateRule" ], "Resource" : "*", "Condition" : { "StringEquals" : { "rbin:Attribute/ResourceType" : ["EBS_SNAPSHOT", "EC2_IMAGE"] } } } ] }
Example 2 - DeleteRule

The following sample IAM policy allows IAM principals to make DeleteRule requests only if the ResourceType attribute of the requested retention rule is EBS_SNAPSHOT. This allows the principal to delete retention rules for snapshots only.

{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" :[ "rbin:DeleteRule" ], "Resource" : "*", "Condition" : { "StringEquals" : { "rbin:Attribute/ResourceType" : "EBS_SNAPSHOT" } } } ] }