How do I generate an IAM policy for making snapshots?

amazon-ec2 amazon-web-services amazon-iam
13,168

As wisely posted at How can I limit EC2 describe images permissions, resource level permissions are not implemented at all on ec2:Describe* actions.

In Reality you need to limit access based on other things and not the resource ARN.

Share:
13,168

Related videos on Youtube

juuga
Author by

juuga

Updated on September 18, 2022

Comments

  • juuga
    juuga over 1 year

    I have volumes mounted on EC2 instances of which I would like to make snapshots.

    I created a new IAM user with the following policy: 

    {
  "Statement": [
    {
      "Sid": "...",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes"
      ],
      "Resource": [
        "arn:aws:ec2:eu-west-1:MY_USER_ID"
      ]
    }
  ]
}

    I have added the access key and secret to my ~/.bashrc and sourced it. When I run ec2-describe-snapshots I get this response: Client.UnauthorizedOperation: You are not authorized to perform this operation.

    When my "Resource" was just "*" I was able to list all types of Amazon's snapshots. I am looking to create snapshots owned by/visible to just me in the eu-west-1 region.

  • juuga
    juuga almost 10 years
    I see! Well I tried directly just creating a snapshot with the same policy but I still encountered an error. I changed my Resource to * again and I was able to create the snapshot. Can I assume that the snapshots will always be created as private to my account?
  • zeridon
    zeridon almost 10 years
    By default yes. The snapshots are private unless set to public

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Cross Account EC2 Role Access to Read S3 Bucket
AWS - Allowing user to start and stop an EC2 instance
Ansible AWS dynamic inventory: `./ec2.py --list` unauthorized
Give EC2 IAM role read access to S3 bucket
Which permissions/policies for IAM role to be used with CloudWatch monitoring script
Use IAM to Allow User to Edit AWS / EC2 Security Groups?
How to assign IAM role to users or groups
Proper access policy for Amazon Elastic Search Cluster
AWS Console Session Timeout
Within IAM, can I restrict a group of users to access/launch/terminate only certain EC2 AMIs or instances?