Control access to Recycle Bin with IAM permissions
By default, users don't have permission to work with Recycle Bin, retention rules, or with resources that are in the Recycle Bin. To allow users to work with these resources, you must create IAM policies that grant permission to use specific resources and API actions. After the policies are created, you must add permissions to your users, groups, or roles.
Topics
Permissions for working with Recycle Bin and retention rules
To work with Recycle Bin and retention rules, users need the following permissions.
-
rbin:CreateRule -
rbin:UpdateRule -
rbin:GetRule -
rbin:ListRules -
rbin:DeleteRule -
rbin:TagResource -
rbin:UntagResource -
rbin:ListTagsForResource -
rbin:LockRule -
rbin:UnlockRule
To use the Recycle Bin console, users need the tag:GetResources
permission.
The following is an example IAM policy that includes the tag:GetResources permission
for console users. If some permissions are not needed, you can remove them from the policy.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "rbin:CreateRule", "rbin:UpdateRule", "rbin:GetRule", "rbin:ListRules", "rbin:DeleteRule", "rbin:TagResource", "rbin:UntagResource", "rbin:ListTagsForResource", "rbin:LockRule", "rbin:UnlockRule", "tag:GetResources" ], "Resource": "*" }] }
To provide access, add permissions to your users, groups, or roles:
-
Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
-
IAM users:
-
Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
-
(Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
-
Permissions for working with resources in the Recycle Bin
For more information about the IAM permissions needed to work with resources in the Recycle Bin, see the following:
Condition keys for Recycle Bin
Recycle Bin defines the following condition keys that you can use in the Condition
element of an IAM policy to control the conditions under which the policy statement applies. For
more information, see
IAM JSON policy elements: Condition in the IAM User Guide.
rbin:Request/ResourceType condition key
The rbin:Request/ResourceType condition key can be used to filter access on
CreateRule and
ListRules requests based on the value specified for the ResourceType
request parameter.
Example 1 - CreateRule
The following sample IAM policy allows IAM principals to make CreateRule
requests only if the value specified for the ResourceType request parameter is
EBS_SNAPSHOT or EC2_IMAGE. This allows the principal to create new
retention rules for snapshots and AMIs only.
{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" :[ "rbin:CreateRule" ], "Resource" : "*", "Condition" : { "StringEquals" : { "rbin:Request/ResourceType" : ["EBS_SNAPSHOT", "EC2_IMAGE"] } } } ] }
Example 2 - ListRules
The following sample IAM policy allows IAM principals to make ListRules
requests only if the value specified for the ResourceType request parameter is
EBS_SNAPSHOT. This allows the principal to list retention rules for snapshots
only, and it prevents them from listing retention rules for any other resource type.
{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" :[ "rbin:ListRules" ], "Resource" : "*", "Condition" : { "StringEquals" : { "rbin:Request/ResourceType" : "EBS_SNAPSHOT" } } } ] }
rbin:Attribute/ResourceType condition key
The rbin:Attribute/ResourceType condition key can be used to filter access
on DeleteRule,
GetRule,
UpdateRule,
LockRule,
UnlockRule,
TagResource,
UntagResource,
and
ListTagsForResource requests based on the value of the retention rule's ResourceType
attribute.
Example 1 - UpdateRule
The following sample IAM policy allows IAM principals to make UpdateRule
requests only if the ResourceType attribute of the requested retention rule is
EBS_SNAPSHOT or EC2_IMAGE. This allows the principal to update
retention rules for snapshots and AMIs only.
{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" :[ "rbin:UpdateRule" ], "Resource" : "*", "Condition" : { "StringEquals" : { "rbin:Attribute/ResourceType" : ["EBS_SNAPSHOT", "EC2_IMAGE"] } } } ] }
Example 2 - DeleteRule
The following sample IAM policy allows IAM principals to make DeleteRule
requests only if the ResourceType attribute of the requested retention
rule is EBS_SNAPSHOT. This allows the principal to delete retention
rules for snapshots only.
{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" :[ "rbin:DeleteRule" ], "Resource" : "*", "Condition" : { "StringEquals" : { "rbin:Attribute/ResourceType" : "EBS_SNAPSHOT" } } } ] }