AWS IAM User Permissions

To restore to Amazon EC2, it is recommended that the IAM user whose credentials you plan to use to connect to AWS has administrative permissions — access to all AWS actions and resources.

If you do not want to provide full access to AWS, you can grant the IAM user a minimal set of permissions that is sufficient for restore. To do that, create the following policy in JSON format and attach it to the IAM user.


The ec2:CreateRole permission is required if you want to perform restore without helper appliances. This permission is used to create a service role named vmimport, which is required for import to Amazon EC2. If you plan to restore workloads using helper appliances, you can omit the ec2:CreateRole permission. However, restore without helper appliances will then fail.


 "Version": "2012-10-17",

 "Statement": [{

  "Action": [

























































  "Effect": "Allow",

  "Resource": "*"



Alternatively, you can attach the created policy to the IAM group or role to which the IAM user is assigned.

For information on how to create and attach a policy to an IAM user, see the Creating IAM Policies and Adding and Removing IAM Identity Permissions sections in the AWS IAM User Guide.
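A pre-attachment check for the policy choice described above, added here as an example (it is not code from the original page or from the product): it reports whether a policy document amounts to administrative access and whether it grants the CreateRole permission that restore without helper appliances depends on. The function names, the sample policies and their ec2:DescribeInstances/ec2:RunInstances entries are constructed for the demo, and only Action and Effect are evaluated.

```python
import json
from fnmatch import fnmatchcase

CREATE_ROLE = "ec2:CreateRole"  # permission name exactly as written on this page

def _as_list(value):
    """IAM accepts a single string/object wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def _covers(pattern, action):
    """Action patterns are case-insensitive and may contain * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def allowed(policy, action):
    """True if an Allow covers `action` and no Deny does (NotAction, Resource, Condition ignored)."""
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if any(_covers(p, action) for p in _as_list(stmt.get("Action", []))):
            effects.add(stmt.get("Effect"))
    return "Allow" in effects and "Deny" not in effects

def is_administrative(policy):
    """True if a statement allows every action on every resource."""
    return any(
        stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Action", []))
        and "*" in _as_list(stmt.get("Resource", []))
        for stmt in _as_list(policy.get("Statement", []))
    )

def review(policy_json, create_role_action=CREATE_ROLE):
    """Summarise a policy document before it is attached to the IAM user."""
    policy = json.loads(policy_json)
    return {
        "administrative": is_administrative(policy),
        "restore_without_helper_appliances": allowed(policy, create_role_action),
    }

def sample_policy(actions, effect="Allow"):
    """Build a constructed one-statement policy for the demo."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Action": actions, "Effect": effect, "Resource": "*"}]})

# Constructed samples; the Describe/RunInstances names are demo values, not the page's list.
SCOPED = sample_policy(["ec2:DescribeInstances", "ec2:RunInstances"])
WITH_ROLE = sample_policy(["ec2:DescribeInstances", "ec2:createrole"])
ADMIN = sample_policy("*")

if __name__ == "__main__":
    print({n: review(p) for n, p in [("scoped", SCOPED), ("with_role", WITH_ROLE), ("admin", ADMIN)]})
```

A result with "administrative" set to True means the document grants the full access that the minimal policy is meant to avoid; a False "restore_without_helper_appliances" means only restore with helper appliances can be expected to work.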

Page updated 1/25/2024

Page content applies to build