EFS Restore IAM Permissions


    To perform EFS restore operations, IAM roles or IAM users must have specific permissions.

    IAM Role Permissions

    To perform restore operations, IAM roles must meet the following requirements:

    1. The AWS Backup service must have permissions to assume an IAM role.

    To allow the AWS Backup service to assume the role, configure trusted relationships for the role and add the following statement to the role's trust policy. To learn how to configure trusted relationships, see Appendix B. Creating IAM Roles. Note that the statement below, as written, trusts the `backup.amazonaws.com` service principal without restriction; to limit the role to backups originating from your own account (the "confused deputy" protection AWS recommends for service-principal trust policies), add a `Condition` on `aws:SourceAccount` (and/or `aws:SourceArn`) naming your account.

    {

     "Version": "2012-10-17",

     "Statement": [

       {

         "Effect": "Allow",

         "Action": "sts:AssumeRole",

         "Principal": {

           "Service": "backup.amazonaws.com"

         }

       }

     ]

    }

    2. The IAM role must have the following permissions. Note that the policy below grants every listed action on `"Resource": "*"`, including destructive actions (`elasticfilesystem:DeleteFileSystem`, `elasticfilesystem:DeleteMountTarget`, `backup:DeleteBackupVault`, `backup:DeleteRecoveryPoint`) and `iam:PassRole`; where your environment allows, narrow `Resource` to the file systems, vaults and KMS keys involved in restores, and restrict `iam:PassRole` to the specific role ARN that is passed:

    {

       "Version": "2012-10-17",

       "Statement": [

           {

               "Action": [

                   "iam:SimulatePrincipalPolicy",

                   "iam:GetContextKeysForPrincipalPolicy",

                   "iam:GetRole",

                   "iam:ListAccountAliases",

                   "elasticfilesystem:DeleteAccessPoint",

                   "backup:ListTags",

                   "elasticfilesystem:UntagResource",

                   "elasticfilesystem:CreateFileSystem",

                   "ec2:DescribeRegions",

                   "backup:DescribeCopyJob",

                   "kms:GenerateDataKeyWithoutPlaintext",

                   "backup:CopyIntoBackupVault",

                   "ec2:DescribeAvailabilityZones",

                   "elasticfilesystem:DescribeLifecycleConfiguration",

                   "backup:StartRestoreJob",

                   "elasticfilesystem:DescribeFileSystemPolicy",

                   "ec2:DescribeAccountAttributes",

                   "kms:DescribeKey",

                   "elasticfilesystem:PutLifecycleConfiguration",

                   "backup:StartCopyJob",

                   "elasticfilesystem:DescribeFileSystems",

                   "elasticfilesystem:DeleteMountTarget",

                   "kms:CreateGrant",

                   "elasticfilesystem:CreateAccessPoint",

                   "elasticfilesystem:PutFileSystemPolicy",

                   "elasticfilesystem:DescribeMountTargets",

                   "elasticfilesystem:Restore",

                   "backup:DeleteBackupVault",

                   "backup:DescribeRestoreJob",

                   "backup:DeleteRecoveryPoint",

                   "elasticfilesystem:DescribeAccessPoints",

                   "ec2:DescribeSecurityGroups",

                   "backup:CreateBackupVault",

                   "backup-storage:MountCapsule",

                   "elasticfilesystem:TagResource",

                   "backup:DescribeRecoveryPoint",

                   "kms:ListKeys",

                   "elasticfilesystem:CreateMountTarget",

                   "ec2:DescribeVpcs",

                   "kms:ListAliases",

                   "elasticfilesystem:PutBackupPolicy",

                   "ec2:DescribeSubnets",

                   "elasticfilesystem:DeleteFileSystem",

                   "elasticfilesystem:DescribeMountTargetSecurityGroups",

                   "elasticfilesystem:UpdateFileSystem",

                   "iam:PassRole",

                   "backup:CopyFromBackupVault",

                   "backup:TagResource"

               ],

                         "Resource": "*",

                         "Effect": "Allow"

             }

       ]

    }

    IAM User Permissions

    To perform restore operations, an IAM user whose one-time access keys you specify in the restore settings must have the following permissions. Note that this policy includes `iam:CreateRole`, `iam:PutRolePolicy`, `iam:UpdateAssumeRolePolicy` and `iam:PassRole` on `"Resource": "*"`, which together allow creating a role with arbitrary permissions and are therefore effectively account-administrative; treat these access keys as highly privileged, do not reuse them for other purposes, and deactivate or delete them as soon as the restore has completed:

    {

       "Version": "2012-10-17",

       "Statement": [

           {

               "Action": [

                   "iam:UpdateAssumeRolePolicy",

                   "backup:CopyFromBackupVault",

                   "elasticfilesystem:DeleteAccessPoint",

                   "backup:ListTags",

                   "backup:DescribeCopyJob",

                   "iam:CreateRole",

                   "backup:CopyIntoBackupVault",

                   "iam:PutRolePolicy",

                   "iam:ListAttachedRolePolicies",

                   "backup:StartRestoreJob",

                   "ec2:DescribeAccountAttributes",

                   "iam:ListRolePolicies",

                   "elasticfilesystem:PutFileSystemPolicy",

                   "iam:DeleteRole",

                   "backup-storage:MountCapsule",

                   "backup:CreateBackupVault",

                   "elasticfilesystem:CreateMountTarget",

                   "ec2:DescribeSubnets",

                   "elasticfilesystem:DeleteFileSystem",

                   "backup:TagResource",

                   "elasticfilesystem:UntagResource",

                   "elasticfilesystem:CreateFileSystem",

                   "ec2:DescribeRegions",

                   "kms:GenerateDataKeyWithoutPlaintext",

                   "iam:ListInstanceProfilesForRole",

                   "iam:PassRole",

                   "ec2:DescribeAvailabilityZones",

                   "iam:DeleteRolePolicy",

                   "elasticfilesystem:DescribeLifecycleConfiguration",

                   "elasticfilesystem:DescribeFileSystemPolicy",

                   "elasticfilesystem:PutLifecycleConfiguration",

                   "kms:DescribeKey",

                   "backup:StartCopyJob",

                   "elasticfilesystem:DescribeFileSystems",

                   "elasticfilesystem:DeleteMountTarget",

                   "elasticfilesystem:CreateAccessPoint",

                   "kms:CreateGrant",

                   "elasticfilesystem:DescribeMountTargets",

                   "elasticfilesystem:Restore",

                   "backup:DeleteBackupVault",

                   "backup:DescribeRestoreJob",

                   "backup:DeleteRecoveryPoint",

                   "elasticfilesystem:DescribeAccessPoints",

                   "ec2:DescribeSecurityGroups",

                   "elasticfilesystem:TagResource",

                   "backup:DescribeRecoveryPoint",

                   "kms:ListKeys",

                   "ec2:DescribeVpcs",

                   "kms:ListAliases",

                   "elasticfilesystem:PutBackupPolicy",

                   "elasticfilesystem:DescribeMountTargetSecurityGroups",

                   "elasticfilesystem:UpdateFileSystem"

               ],

                         "Resource": "*",

                         "Effect": "Allow"

             }

       ]

    }