8

I have volumes mounted on EC2 instances of which I would like to make snapshots.

I created a new IAM user with the following policy:

{
  "Statement": [
    {
      "Sid": "...",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes"
      ],
      "Resource": [
        "arn:aws:ec2:eu-west-1:MY_USER_ID"
      ]
    }
  ]
}

I have added the access key and secret to my ~/.bashrc and sourced it. When I run ec2-describe-snapshots I get this response: Client.UnauthorizedOperation: You are not authorized to perform this operation.

When my "Resource" was just "*" I was able to list all types of Amazon's snapshots. I am looking to create snapshots owned by/visible to just me in the eu-west-1 region.

juuga

1 Answer

7

As wisely posted at How can I limit EC2 describe images permissions, resource-level permissions are not implemented at all on ec2:Describe* actions.

In reality you need to limit access based on other things and not the resource ARN.

zeridon
    I see! Well I tried directly just creating a snapshot with the same policy but I still encountered an error. I changed my `Resource` to `*` again and I was able to create the snapshot. Can I assume that the snapshots will always be created as private to my account? – juuga Jun 10 '14 at 12:42
  • By default yes. The snapshots are private unless set to public – zeridon Jun 10 '14 at 12:57
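An added example, not code from the question or the answer: a small checker that flags the mistake in the question's policy (ec2:Describe* actions listed in a statement whose Resource is anything other than "*", which grants nothing for those actions) and splits such a statement into a Describe statement on "*" plus a separate statement for the mutating actions on the original or a replacement resource list. The policy is constructed to mirror the question; the account ID, the region and the volume/snapshot ARN forms passed to the splitter are assumptions for the demo.

```python
"""Added example: detect and split Describe actions granted on scoped ARNs.

Per the answer above, ec2:Describe* ignores the Resource element, so putting
Describe actions in a statement with a scoped ARN silently grants nothing
for them. Account ID, region and ARN forms below are assumed for the demo.
"""
import copy
import fnmatch
import json

# Constructed policy modelled on the question; the account ID is a placeholder.
ACCOUNT_ID = "123456789012"
REGION = "eu-west-1"
QUESTION_POLICY = {
    "Statement": [
        {
            "Sid": "SnapshotsOneStatement",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:DeleteSnapshot",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
            ],
            "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}"],
        }
    ]
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def is_describe_action(action):
    """True if the action names or wildcard-covers an ec2:Describe* call.

    Two glob checks cover both directions: 'ec2:DescribeVol*' matches the
    describe glob, while 'ec2:*' and '*' are caught because a representative
    Describe call matches them as patterns.
    """
    a = action.lower()
    return (fnmatch.fnmatchcase(a, "ec2:describe*")
            or fnmatch.fnmatchcase("ec2:describesnapshots", a))


def find_describe_on_scoped_resource(policy):
    """Return (sid, action, resources) for every Allow statement that grants
    a Describe action on anything other than Resource "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if is_describe_action(action):
                findings.append((stmt.get("Sid"), action, tuple(resources)))
    return findings


def split_describe_actions(policy, scoped_resources=None):
    """Return a copy of the policy in which each flagged statement is split:
    Describe actions on "*", the remaining actions on the original resources
    (or on scoped_resources, so a malformed ARN can be replaced at the same
    time). Other statement keys such as Condition are carried over."""
    fixed = copy.deepcopy(policy)
    new_statements = []
    for stmt in _as_list(fixed.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        describe = [a for a in actions if is_describe_action(a)]
        other = [a for a in actions if not is_describe_action(a)]
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or not describe or "*" in resources:
            new_statements.append(stmt)
            continue
        base = {k: v for k, v in stmt.items() if k not in ("Sid", "Action", "Resource")}
        sid = stmt.get("Sid", "Stmt")
        new_statements.append({**base, "Sid": f"{sid}Describe",
                               "Action": describe, "Resource": "*"})
        if other:
            new_statements.append({**base, "Sid": f"{sid}Scoped", "Action": other,
                                   "Resource": list(scoped_resources or resources)})
    fixed["Statement"] = new_statements
    return fixed


if __name__ == "__main__":
    for sid, action, res in find_describe_on_scoped_resource(QUESTION_POLICY):
        print(f"{sid}: {action} on {res} has no effect")
    # Assumed ARN forms for the scoped statement: volumes carry the account
    # ID, snapshot ARNs do not. Both are placeholders for this demo.
    scoped = [f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:volume/*",
              f"arn:aws:ec2:{REGION}::snapshot/*"]
    print(json.dumps(split_describe_actions(QUESTION_POLICY, scoped), indent=2))
```

Run the file directly to see the six flagged Describe actions and the two-statement rewrite; the splitter leaves Deny statements and statements already on "*" untouched, and it does not validate the ARNs it is handed, so the replacement resource list is the operator's responsibility.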