This is an archive version of the document. To get the most up-to-date information, see the current version.EC2 Restore IAM Permissions
To perform EC2 restore operations, IAM roles and IAM users specified in the restore settings must be granted the following permissions:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AttachVolume", "ec2:CopySnapshot", "ec2:CreateKeyPair", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeKeyPairs", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:GetEbsDefaultKmsKeyId", "ec2:ImportImage", "ec2:ModifyInstanceAttribute", "ec2:ModifySnapshotAttribute", "ec2:ModifyVolume", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "events:DeleteRule", "events:DescribeRule", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetContextKeysForPrincipalPolicy", "iam:GetInstanceProfile", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:SimulatePrincipalPolicy", "kms:CreateGrant", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListAliases", "kms:ListKeys", "kms:ReEncryptFrom", "kms:ReEncryptTo", "s3:GetBucketLocation", "servicequotas:ListServiceQuotas" ], "Resource": "*", "Effect": "Allow" } ] } |