EC2 Restore IAM Permissions
To perform EC2 restore operations, the IAM roles and IAM users specified in the restore settings must be granted the following permissions. The policy as shown allows every listed action on all resources (`"Resource": "*"`), and the action list includes `iam:PassRole`, `iam:AttachRolePolicy` and `iam:PutRolePolicy`; where your environment permits, narrow the `Resource` element to the roles, KMS keys and instances that the restore actually uses:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:CopySnapshot", "ec2:CreateKeyPair", "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair", "ec2:DeleteNetworkInterface", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeKeyPairs", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:DisassociateAddress", "ec2:GetEbsDefaultKmsKeyId", "ec2:ImportImage", "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySnapshotAttribute", "ec2:ModifyVolume", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "events:DeleteRule", "events:DescribeRule", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetContextKeysForPrincipalPolicy", "iam:GetInstanceProfile", "iam:GetRole", "iam:ListAccountAliases", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:SimulatePrincipalPolicy", "kms:CreateGrant", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListAliases", "kms:ListKeys", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKeyWithoutPlaintext", 
"s3:GetBucketLocation", "servicequotas:ListServiceQuotas" ], "Resource": "*", "Effect": "Allow" } ] } |
To learn how to create IAM roles and assign them the required permissions, see Appendix A, Creating IAM Roles in AWS.
Permissions Required to Deploy Worker Instances in the Production Account
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeAccountAttributes", "ec2:DescribeKeyPairs", "iam:GetRole", "iam:ListInstanceProfilesForRole", "iam:PassRole", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage", "ssm:GetCommandInvocation", "ssm:GetParameter", "ssm:SendCommand" ], "Resource": "*", "Effect": "Allow" } ] } |