Legacy policy (no longer supported) - Amazon Elastic Compute Cloud

Legacy policy (no longer supported)

The legacy policy that grants permission for VSS-enabled snapshots includes the IAM permissions that were recommended prior to the release of the AWSEC2VssSnapshotPolicy managed policy.

If you've configured an instance role with the legacy policy, you can continue using it. However, to ensure that your policy stays current with the latest IAM best practices and that its policy statements are scoped accordingly, we recommend that you replace the legacy policy with the AWSEC2VssSnapshotPolicy managed policy.

Policy example

The following policy example uses the ec2:DescribeInstanceAttribute action, which is supported in AwsVssComponents package versions 2.2.1 and later. If you have an older version of the AwsVssComponents package installed, replace that action with the ec2:DescribeInstances action.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceAttribute",
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots",
                "ec2:CreateImage",
                "ec2:DescribeImages",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
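The following Python sketch is an added example, not part of the original AWS documentation. It reports which statements of the legacy policy allow write actions on every resource without a condition, and applies the package-version substitution described above; the function names and the WRITE_ACTIONS grouping are assumptions made for this example.

```python
import copy
import json
from fnmatch import fnmatchcase

# The legacy policy as shown on this page.
LEGACY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:CreateTags",
   "Resource": ["arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*::image/*"]},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:DescribeInstanceAttribute", "ec2:CreateSnapshot", "ec2:CreateSnapshots",
              "ec2:CreateImage", "ec2:DescribeImages", "ec2:DescribeSnapshots"]}]}
""")
# The write-level actions that policy grants; its remaining actions are read-only.
WRITE_ACTIONS = ("ec2:CreateTags", "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:CreateImage")

def _as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return list(value) if isinstance(value, list) else [value]

def unscoped_write_statements(policy):
    """Return (index, write actions) for each Allow statement that grants a write
    action on Resource "*" with no Condition. NotAction statements are not evaluated."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        hits = [w for w in WRITE_ACTIONS if any(fnmatchcase(w.lower(), p) for p in patterns)]
        if hits:
            findings.append((i, hits))
    return findings

def policy_for_package_version(policy, version):
    """Return the policy to use with the given AwsVssComponents version: releases older
    than 2.2.1 need ec2:DescribeInstances in place of ec2:DescribeInstanceAttribute."""
    if tuple(int(part) for part in version.split(".")) >= (2, 2, 1):
        return policy
    adapted = copy.deepcopy(policy)
    for stmt in _as_list(adapted["Statement"]):
        if "Action" in stmt:
            stmt["Action"] = ["ec2:DescribeInstances" if a == "ec2:DescribeInstanceAttribute"
                              else a for a in _as_list(stmt["Action"])]
    return adapted

if __name__ == "__main__":
    for index, actions in unscoped_write_statements(LEGACY_POLICY):
        print(f"Statement {index}: {', '.join(actions)} allowed on every resource")
    print(json.dumps(policy_for_package_version(LEGACY_POLICY, "2.1.0"), indent=2))
```

Running the same check against an inline policy exported from an instance role shows whether that role still carries the legacy statements.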

For more information about IAM managed policies, see Amazon managed policies in the IAM User Guide.