EFS Restore IAM Permissions


    To perform EFS restore operations, IAM roles and IAM users must be granted specific permissions.

    IAM Role Permissions

    IAM roles specified in the restore settings must meet the following requirements:

    1. The AWS Backup service must be granted permissions to assume the IAM roles.

    To allow the AWS Backup service to assume an IAM role, configure the role's trust relationships and add the following statement to its trust policy.

    {

     "Version": "2012-10-17",

     "Statement": [

       {

         "Effect": "Allow",

         "Action": "sts:AssumeRole",

         "Principal": {

           "Service": "backup.amazonaws.com"

         }

       }

     ]

    }

    To learn how to configure trusted relationships, see Appendix A. Creating IAM Roles in AWS.

    2. The IAM roles must be granted the following permissions. Note that the policy uses "Resource": "*"; where your environment allows, scope iam:PassRole and the KMS actions to the specific roles and keys used for restore, since these actions are the most sensitive ones in the list.

    {

       "Version": "2012-10-17",

       "Statement": [

           {

               "Action": [

                   "backup:CopyFromBackupVault",

                   "backup:CopyIntoBackupVault",

                   "backup:CreateBackupVault",

                   "backup:DeleteBackupVault",

                   "backup:DeleteRecoveryPoint",

                   "backup:DescribeCopyJob",

                   "backup:DescribeRecoveryPoint",

                   "backup:DescribeRestoreJob",

                   "backup:ListTags",

                   "backup:StartCopyJob",

                   "backup:StartRestoreJob",

                   "backup:TagResource",

                   "backup-storage:MountCapsule",

                   "ec2:DescribeAccountAttributes",

                   "ec2:DescribeAvailabilityZones",

                   "ec2:DescribeRegions",

                   "ec2:DescribeSecurityGroups",

                   "ec2:DescribeSubnets",

                   "ec2:DescribeVpcs",

                   "elasticfilesystem:CreateAccessPoint",

                   "elasticfilesystem:CreateFileSystem",

                   "elasticfilesystem:CreateMountTarget",

                   "elasticfilesystem:DeleteAccessPoint",

                   "elasticfilesystem:DeleteFileSystem",

                   "elasticfilesystem:DeleteMountTarget",

                   "elasticfilesystem:DescribeAccessPoints",

                   "elasticfilesystem:DescribeFileSystemPolicy",

                   "elasticfilesystem:DescribeFileSystems",

                   "elasticfilesystem:DescribeLifecycleConfiguration",

                   "elasticfilesystem:DescribeMountTargets",

                   "elasticfilesystem:DescribeMountTargetSecurityGroups",

                   "elasticfilesystem:PutBackupPolicy",

                   "elasticfilesystem:PutFileSystemPolicy",

                   "elasticfilesystem:PutLifecycleConfiguration",

                   "elasticfilesystem:Restore",

                   "elasticfilesystem:TagResource",

                   "elasticfilesystem:UntagResource",

                   "elasticfilesystem:UpdateFileSystem",

                   "iam:GetContextKeysForPrincipalPolicy",

                   "iam:GetRole",

                   "iam:ListAccountAliases",

                   "iam:PassRole",

                   "iam:SimulatePrincipalPolicy",

                   "kms:CreateGrant",

                   "kms:DescribeKey",

                   "kms:GenerateDataKeyWithoutPlaintext",

                   "kms:ListAliases",

                   "kms:ListKeys"

               ],

                         "Resource": "*",

                         "Effect": "Allow"

             }

       ]

    }

    IAM User Permissions

    IAM users whose one-time access keys are specified in the restore settings must have the following permissions. Because this policy grants iam:CreateRole, iam:PutRolePolicy, iam:UpdateAssumeRolePolicy, iam:DeleteRole and iam:PassRole on "Resource": "*", treat these access keys as highly privileged: restrict them to the restore workflow, scope the Resource element to the restore roles where possible, and revoke the keys once the restore is complete.

    {

       "Version": "2012-10-17",

       "Statement": [

           {

               "Action": [

                   "iam:UpdateAssumeRolePolicy",

                   "backup:CopyFromBackupVault",

                   "elasticfilesystem:DeleteAccessPoint",

                   "backup:ListTags",

                   "backup:DescribeCopyJob",

                   "iam:CreateRole",

                   "backup:CopyIntoBackupVault",

                   "iam:PutRolePolicy",

                   "iam:ListAttachedRolePolicies",

                   "backup:StartRestoreJob",

                   "ec2:DescribeAccountAttributes",

                   "iam:ListRolePolicies",

                   "elasticfilesystem:PutFileSystemPolicy",

                   "iam:DeleteRole",

                   "backup-storage:MountCapsule",

                   "backup:CreateBackupVault",

                   "elasticfilesystem:CreateMountTarget",

                   "ec2:DescribeSubnets",

                   "elasticfilesystem:DeleteFileSystem",

                   "backup:TagResource",

                   "elasticfilesystem:UntagResource",

                   "elasticfilesystem:CreateFileSystem",

                   "ec2:DescribeRegions",

                   "kms:GenerateDataKeyWithoutPlaintext",

                   "iam:ListInstanceProfilesForRole",

                   "iam:PassRole",

                   "ec2:DescribeAvailabilityZones",

                   "iam:DeleteRolePolicy",

                   "elasticfilesystem:DescribeLifecycleConfiguration",

                   "elasticfilesystem:DescribeFileSystemPolicy",

                   "elasticfilesystem:PutLifecycleConfiguration",

                   "kms:DescribeKey",

                   "backup:StartCopyJob",

                   "elasticfilesystem:DescribeFileSystems",

                   "elasticfilesystem:DeleteMountTarget",

                   "elasticfilesystem:CreateAccessPoint",

                   "kms:CreateGrant",

                   "elasticfilesystem:DescribeMountTargets",

                   "elasticfilesystem:Restore",

                   "backup:DeleteBackupVault",

                   "backup:DescribeRestoreJob",

                   "backup:DeleteRecoveryPoint",

                   "elasticfilesystem:DescribeAccessPoints",

                   "ec2:DescribeSecurityGroups",

                   "elasticfilesystem:TagResource",

                   "backup:DescribeRecoveryPoint",

                   "kms:ListKeys",

                   "ec2:DescribeVpcs",

                   "kms:ListAliases",

                   "elasticfilesystem:PutBackupPolicy",

                   "elasticfilesystem:DescribeMountTargetSecurityGroups",

                   "elasticfilesystem:UpdateFileSystem"

               ],

                         "Resource": "*",

                         "Effect": "Allow"

             }

       ]

    }