Required IAM permissions
By default, users don't have permission to work with Recycle Bin, retention rules, or with resources that are in the Recycle Bin. To allow users to work with these resources, you must create IAM policies that grant permission to use specific resources and API actions. Once the policies are created, you must add permissions to your users, groups, or roles.
Topics
Permissions for working with Recycle Bin and retention rules
To work with Recycle Bin and retention rules, users need the following permissions.
-
rbin:CreateRule -
rbin:UpdateRule -
rbin:GetRule -
rbin:ListRules -
rbin:DeleteRule -
rbin:TagResource -
rbin:UntagResource -
rbin:ListTagsForResource -
rbin:LockRule -
rbin:UnlockRule
To use the Recycle Bin console, users need the tag:GetResources
permission.
The following is an example IAM policy that includes the tag:GetResources permission
for console users. If some permissions are not needed, you can remove them from the policy.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "rbin:CreateRule", "rbin:UpdateRule", "rbin:GetRule", "rbin:ListRules", "rbin:DeleteRule", "rbin:TagResource", "rbin:UntagResource", "rbin:ListTagsForResource", "rbin:LockRule", "rbin:UnlockRule", "tag:GetResources" ], "Resource": "*" }] }
To provide access, add permissions to your users, groups, or roles:
-
Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
-
IAM users:
-
Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
-
(Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
-
Permissions for working with resources in the Recycle Bin
For more information about the IAM permissions needed to work with resources in the Recycle Bin, see the following: