How do I generate an IAM policy for making snapshots?
As wisely posted at "How can I limit EC2 describe images permissions", resource-level permissions are not implemented at all on ec2:Describe* actions.
In reality you need to limit access based on other things and not the resource ARN.
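A policy that follows this advice, added here as an illustration and not the answerer's own: the Describe* calls get "*" because they ignore resource ARNs, while the mutating actions are scoped to volumes and snapshots in eu-west-1 (the account ID 123456789012 is a placeholder).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeActionsIgnoreResourceArns",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SnapshotVolumesInEuWest1Only",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:eu-west-1:123456789012:volume/*",
        "arn:aws:ec2:eu-west-1::snapshot/*"
      ]
    }
  ]
}
```

Snapshot ARNs carry no account ID, so the snapshot resource deliberately has an empty account field; the region in the ARN is what keeps the grant to eu-west-1.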
Author: juuga
Updated on September 18, 2022

Comments
- juuga over 1 year
I have volumes mounted on EC2 instances of which I would like to make snapshots. I created a new IAM user with the following policy:

    {
      "Statement": [
        {
          "Sid": "...",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateSnapshot",
            "ec2:CreateTags",
            "ec2:DeleteSnapshot",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeSnapshots",
            "ec2:DescribeTags",
            "ec2:DescribeVolumeAttribute",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeVolumes"
          ],
          "Resource": [
            "arn:aws:ec2:eu-west-1:MY_USER_ID"
          ]
        }
      ]
    }

I have added the access key and secret to my ~/.bashrc and sourced it. When I run ec2-describe-snapshots I get this response: Client.UnauthorizedOperation: You are not authorized to perform this operation.
When my "Resource" was just "*" I was able to list all types of Amazon's snapshots. I am looking to create snapshots owned by/visible to just me in the eu-west-1 region.
- juuga almost 10 years
I see! Well, I tried directly just creating a snapshot with the same policy but I still encountered an error. I changed my Resource to "*" again and I was able to create the snapshot. Can I assume that the snapshots will always be created as private to my account?
- zeridon almost 10 years
By default yes. The snapshots are private unless set to public.