Legacy policy (no longer supported)
The legacy policy that grants permission for VSS-enabled snapshots includes the IAM permissions that were recommended prior to the release of the AWSEC2VssSnapshotPolicy managed policy.
If you've configured an instance role with the legacy policy, you can continue using it. However, to ensure that your policy stays current with the latest IAM best practices and that its statements are scoped accordingly, we recommend that you replace the legacy policy with the AWSEC2VssSnapshotPolicy managed policy.
Policy example
The following policy example uses the ec2:DescribeInstanceAttribute action, which is supported in AwsVssComponents package versions 2.2.1 and later. If you have an older version of the AwsVssComponents package installed, replace that action with the ec2:DescribeInstances action.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceAttribute",
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots",
                "ec2:CreateImage",
                "ec2:DescribeImages",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
For more information about IAM managed policies, see Amazon managed policies in the IAM User Guide.
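The following is an added example, not AWS code: it adapts the legacy policy above for AwsVssComponents versions older than 2.2.1 and lists the non-Describe actions that the legacy policy allows on every resource with no condition. The function names are hypothetical, and the installed package version is assumed to be supplied by the caller as a dotted string.

```python
import copy

# Legacy policy from this page, embedded so the example runs offline.
LEGACY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:CreateTags",
         "Resource": ["arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*::image/*"]},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstanceAttribute", "ec2:CreateSnapshot",
                    "ec2:CreateSnapshots", "ec2:CreateImage",
                    "ec2:DescribeImages", "ec2:DescribeSnapshots"],
         "Resource": "*"},
    ],
}
# Per the page, ec2:DescribeInstanceAttribute needs AwsVssComponents 2.2.1 or later.
MIN_ATTRIBUTE_VERSION = (2, 2, 1)
NEWER_ACTION = "ec2:DescribeInstanceAttribute"
OLDER_ACTION = "ec2:DescribeInstances"

def as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def policy_for_version(policy, components_version):
    """Return a copy of the policy suited to the installed AwsVssComponents version."""
    adapted = copy.deepcopy(policy)
    installed = tuple(int(part) for part in components_version.strip().split("."))
    if installed >= MIN_ATTRIBUTE_VERSION:
        return adapted
    for statement in adapted["Statement"]:
        actions = as_list(statement["Action"])
        if NEWER_ACTION in actions:
            statement["Action"] = [OLDER_ACTION if a == NEWER_ACTION else a for a in actions]
    return adapted

def unscoped_write_actions(policy):
    """List non-Describe actions allowed on Resource "*" with no Condition block."""
    found = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or "Condition" in statement:
            continue
        if "*" in as_list(statement["Resource"]):
            found += [a for a in as_list(statement["Action"])
                      if not a.startswith("ec2:Describe")]
    return sorted(found)
```

The actions returned by `unscoped_write_actions(LEGACY_POLICY)` are the statements to review when moving an instance role from the legacy policy to the managed policy.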