Required IAM permissions for archiving Amazon EBS snapshots - Amazon EBS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Required IAM permissions for archiving Amazon EBS snapshots

By default, users don't have permission to use snapshot archiving. To allow users to use snapshot archiving, you must create IAM policies that grant permission to use specific resources and API actions. For more information, see Creating IAM policies in the IAM User Guide.

To use snapshot archiving, users need the following permissions.

  • ec2:DescribeSnapshotTierStatus

  • ec2:ModifySnapshotTier

  • ec2:RestoreSnapshotTier

Console users might need additional permissions such as ec2:DescribeSnapshots.

To archive and restore encrypted snapshots, the following additional Amazon KMS permissions are required.

  • kms:CreateGrant

  • kms:Decrypt

  • kms:DescribeKey

The following is an example IAM policy that gives IAM users permission to archive, restore, and view encrypted and unencrypted snapshots. It includes the ec2:DescribeSnapshots permission for console users. If some permissions are not needed, you can remove them from the policy.

Tip

To follow the principle of least privilege, do not allow full access to kms:CreateGrant. Instead, use the kms:GrantIsForAWSResource condition key to allow the user to create grants on the KMS key only when the grant is created on the user's behalf by an Amazon service, as shown in the following example.

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeSnapshotTierStatus", "ec2:ModifySnapshotTier", "ec2:RestoreSnapshotTier", "ec2:DescribeSnapshots", "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } }] }

To provide access, add permissions to your users, groups, or roles: