AWS IAM 用户权限

要还原到 Amazon EC2，建议 IAM 用户（您打算使用该用户的凭据连接到 AWS）具有管理权限 — 访问所有 AWS 操作和资源的权限。

如果您不想提供 AWS 的完全访问权限，则可以向 IAM 用户授予还原所需的最小权限集。为此，请以 JSON 格式创建以下策略，并将其附加到 IAM 用户：

{

“ Version”：“ 2012-10-17”，

“声明”：[{

“ Action”：[

"ec2:DescribeInstances",

"ec2:RunInstances",

"ec2:TerminateInstances",

"ec2:StartInstances",

"ec2:StopInstances",

"ec2:ModifyInstanceAttribute",

"ec2:DescribeImages",

"ec2:ImportImage",

"ec2:DeregisterImage",

"ec2:DescribeVolumes",

"ec2:CreateVolume",

"ec2:ModifyVolume",

"ec2:ImportVolume",

"ec2:DeleteVolume",

"ec2:AttachVolume",

"ec2:DetachVolume",

"ec2:CreateSnapshot",

"ec2:DescribeSnapshots",

"ec2:DeleteSnapshot",

"ec2:DescribeSubnets",

"ec2:DescribeNetworkInterfaces",

"ec2:DescribeSecurityGroups",

"ec2:DescribeKeyPairs",

"ec2:CreateKeyPair",

"ec2:DeleteKeyPair",

"ec2:DescribeAvailabilityZones",

"ec2:DescribeVpcs",

"ec2:DescribeConversionTasks",

"ec2:DescribeImportImageTasks",

"ec2:DescribeVolumesModifications",

"ec2:CancelImportTask",

"ec2:CancelConversionTask",

"ec2:CreateTags",

"ec2:DescribeAccountAttributes",

"ec2:DescribeDhcpOptions",

"ec2:DescribeVpcAttribute",

“ iam：GetRole”，

“ iam：CreateRole”，

“ iam：PutRolePolicy”，

“ iam：DeleteRolePolicy”，

"s3:CreateBucket",

"s3:ListBucket",

"s3:ListAllMyBuckets",

"s3:DeleteBucket",

"s3:PutObject",

"s3:DeleteObject",

"s3:GetBucketLocation",

"s3:PutLifeCycleConfiguration",

"s3:GetObject",

"s3:RestoreObject",

"s3:AbortMultiPartUpload",

"s3:ListBucketMultiPartUploads",

"s3:ListMultipartUploadParts"

“ Effect”：“ Allow”，

“ Resource”：“*”

}]

}

或者，您可以将创建的策略附加到 IAM 用户所分配到的 IAM 组或角色。

有关如何创建策略并将其附加到 IAM 用户的信息，请参见《AWS IAM 用户指南》中的创建 IAM 策略与添加和删除 IAM 身份权限部分。