EFS Restore IAM Permissions

To perform EFS restore operations, the IAM roles and IAM users involved must be granted specific permissions. This section covers the IAM roles that AWS Backup assumes on your behalf.

IAM Role Permissions

IAM roles specified in the restore settings must meet the following requirements:

  1. The AWS Backup service must be granted permissions to assume the IAM roles.

To allow the AWS Backup service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "backup.amazonaws.com"
      }
    }
  ]
}

Note that this statement trusts the AWS Backup service principal as a whole, not a particular account or backup plan. To limit which AWS Backup jobs can assume the role, AWS supports the aws:SourceAccount and aws:SourceArn condition keys in the trust policy; adding them protects against a confused-deputy scenario in which the service is made to assume the role on behalf of another account. To learn how to configure trust relationships, see Before You Begin.

  2. The IAM roles must be granted the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "backup-storage:MountCapsule",
        "backup:CopyFromBackupVault",
        "backup:CopyIntoBackupVault",
        "backup:CreateBackupVault",
        "backup:DeleteBackupVault",
        "backup:DeleteRecoveryPoint",
        "backup:DescribeCopyJob",
        "backup:DescribeRecoveryPoint",
        "backup:DescribeRestoreJob",
        "backup:ListBackupVaults",
        "backup:ListTags",
        "backup:StartCopyJob",
        "backup:StartRestoreJob",
        "backup:TagResource",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "elasticfilesystem:CreateAccessPoint",
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteAccessPoint",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystemPolicy",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeLifecycleConfiguration",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:PutBackupPolicy",
        "elasticfilesystem:PutFileSystemPolicy",
        "elasticfilesystem:PutLifecycleConfiguration",
        "elasticfilesystem:Restore",
        "elasticfilesystem:TagResource",
        "elasticfilesystem:UntagResource",
        "elasticfilesystem:UpdateFileSystem",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:GetRole",
        "iam:ListAccountAliases",
        "iam:PassRole",
        "iam:SimulatePrincipalPolicy",
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ListAliases",
        "kms:ListKeys"
      ],
      "Resource": "*"
    }
  ]
}

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.
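The two requirements above, worked as an added example that is not part of this documentation: a Python script that encodes both policy documents and audits a role definition against them offline, without any AWS API calls. It reports a trust policy that AWS Backup cannot use, required actions that no Allow statement covers (wildcards such as elasticfilesystem:* are honoured), and required actions that an explicit Deny blocks. The 12-digit account ID, the constructed sample role, and the simplification of ignoring Resource and Condition elements are assumptions made for the example.

```python
"""Offline audit of an IAM role intended for EFS restore through AWS Backup.

Added example, not part of the original documentation; it makes no AWS calls.
Assumption/simplification: Resource and Condition elements are ignored, so the
audit is over action names only. The sample role and account ID are made up.
"""
import json
from fnmatch import fnmatchcase

BACKUP_SERVICE = "backup.amazonaws.com"

# The 49 actions from the permissions policy above, grouped by service prefix.
_ACTIONS = {
    "backup-storage": ["MountCapsule"],
    "backup": ["CopyFromBackupVault", "CopyIntoBackupVault", "CreateBackupVault", "DeleteBackupVault",
               "DeleteRecoveryPoint", "DescribeCopyJob", "DescribeRecoveryPoint", "DescribeRestoreJob",
               "ListBackupVaults", "ListTags", "StartCopyJob", "StartRestoreJob", "TagResource"],
    "ec2": ["DescribeAccountAttributes", "DescribeAvailabilityZones", "DescribeRegions",
            "DescribeSecurityGroups", "DescribeSubnets", "DescribeVpcs"],
    "elasticfilesystem": ["CreateAccessPoint", "CreateFileSystem", "CreateMountTarget", "DeleteAccessPoint",
                          "DeleteFileSystem", "DeleteMountTarget", "DescribeAccessPoints",
                          "DescribeFileSystemPolicy", "DescribeFileSystems", "DescribeLifecycleConfiguration",
                          "DescribeMountTargetSecurityGroups", "DescribeMountTargets", "PutBackupPolicy",
                          "PutFileSystemPolicy", "PutLifecycleConfiguration", "Restore", "TagResource",
                          "UntagResource", "UpdateFileSystem"],
    "iam": ["GetContextKeysForPrincipalPolicy", "GetRole", "ListAccountAliases", "PassRole",
            "SimulatePrincipalPolicy"],
    "kms": ["CreateGrant", "DescribeKey", "GenerateDataKeyWithoutPlaintext", "ListAliases", "ListKeys"],
}
REQUIRED_ACTIONS = frozenset(f"{svc}:{a}" for svc, acts in _ACTIONS.items() for a in acts)


def trust_policy(source_account=None):
    """Trust policy from the page. With source_account set, an aws:SourceAccount
    condition restricts assumption to AWS Backup acting for that account
    (confused-deputy guard); the condition key is AWS-documented, the ID is made up."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": BACKUP_SERVICE}}
    if source_account:
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": source_account}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def permissions_policy():
    """Permissions policy from the page, with Resource "*" as documented."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}


def _as_list(value):
    # IAM accepts a scalar or a list for Statement, Action and Principal.Service.
    return [] if value is None else value if isinstance(value, list) else [value]


def _matched(action, patterns):
    """IAM-style action matching: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def backup_can_assume(trust_doc):
    """True if an Allow statement lets backup.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_doc.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and BACKUP_SERVICE in services
                and _matched("sts:AssumeRole", _as_list(stmt.get("Action")))):
            return True
    return False


def audit_permissions(policy_docs):
    """Return (missing, denied): required actions no Allow statement covers, and
    required actions an explicit Deny covers (a Deny always wins in IAM)."""
    allowed, denied = [], []
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            bucket.extend(_as_list(stmt.get("Action")))
    missing = sorted(a for a in REQUIRED_ACTIONS if not _matched(a, allowed))
    blocked = sorted(a for a in REQUIRED_ACTIONS if _matched(a, denied))
    return missing, blocked


def audit_role(role):
    """role = {"AssumeRolePolicyDocument": {...}, "Policies": [policy_doc, ...]}."""
    missing, blocked = audit_permissions(role.get("Policies", []))
    return {"trust_ok": backup_can_assume(role["AssumeRolePolicyDocument"]),
            "missing": missing, "denied": blocked}


# Constructed, deliberately flawed role: wrong service principal, no iam:*
# actions, and an explicit Deny on one required EFS action.
SAMPLE_ROLE = {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]},
    "Policies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["backup:*", "backup-storage:MountCapsule", "elasticfilesystem:*", "ec2:Describe*", "kms:*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "elasticfilesystem:DeleteFileSystem"}]}],
}

if __name__ == "__main__":
    print(json.dumps(trust_policy("123456789012"), indent=2))
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

To audit a real role, pass audit_role the AssumeRolePolicyDocument returned by aws iam get-role together with the PolicyDocument of every inline and attached policy. For the sample role the audit reports the trust policy as unusable, the five iam: actions as missing, and elasticfilesystem:DeleteFileSystem as denied; the Deny finding matters because an explicit Deny in any attached policy overrides the Allow above even though the action appears in it.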