IAM policy that can delete snapshot on AWS

Server Fault Asked by Golyat on December 5, 2021

I want to create an IAM policy that can delete snapshots with the Test stack tag.

I have tried my own version of the policy as such:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:describe*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Stack": "Test"
                }
            },
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

It doesn’t work. I get permission denied when I attempt to delete a snapshot as a user who is a member of a group where this policy applies.
What is wrong?

2 Answers

This works for me (maybe API has been updated):

- Sid: RestrictSnapshotActions
  Effect: Allow
  Action:
    - ec2:DeleteSnapshot
  Resource:
    - arn:aws:ec2:*::snapshot/*
  Condition:
    StringEquals:
      ec2:ResourceTag/Stack: Test

See also: https://aws.amazon.com/blogs/compute/tag-amazon-ebs-snapshots-on-creation-and-implement-stronger-security-policies/

Answered by Robert Cowham on December 5, 2021
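To see how the statement in the answer above gates a request, here is a small policy evaluator added as a worked example. It is not part of the answer and is not AWS tooling; it models only the pieces this question needs: Action and Resource wildcard matching, the StringEquals operator, and the ec2:ResourceTag/<key> condition keys that IAM derives from a resource's tags. The snapshot ARN and tag values are constructed, and the evaluator assumes the action honours resource-level permissions and resource-tag condition keys (the behaviour the answer reports).

```python
import re

# Policy statement from the answer above, rewritten from YAML into the JSON
# form IAM stores (constructed for this example; the Sid and values are the
# answer's own).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictSnapshotActions",
            "Effect": "Allow",
            "Action": ["ec2:DeleteSnapshot"],
            "Resource": ["arn:aws:ec2:*::snapshot/*"],
            "Condition": {"StringEquals": {"ec2:ResourceTag/Stack": "Test"}},
        }
    ],
}


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_sensitive=True):
    """Match IAM's '*' (any run of characters) and '?' (one character)."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _condition_holds(condition, context):
    """Evaluate a Condition block; only StringEquals is modelled here."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)  # a missing key makes the condition fail
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def _statement_matches(stmt, action, resource_arn, context):
    # Action names are case-insensitive in IAM; ARNs are case-sensitive.
    if not any(_glob(p, action, case_sensitive=False)
               for p in _as_list(stmt["Action"])):
        return False
    if not any(_glob(p, resource_arn) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource_arn, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Mirrors IAM's order: an explicit Deny wins, otherwise any matching Allow
    allows, otherwise the request is implicitly denied.
    """
    matching = [s for s in policy["Statement"]
                if _statement_matches(s, action, resource_arn, context)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matching):
        return "Allow"
    return "ImplicitDeny"


def context_from_tags(tags):
    """IAM exposes a resource's tags as ec2:ResourceTag/<key> condition keys."""
    return {f"ec2:ResourceTag/{key}": value for key, value in tags.items()}


if __name__ == "__main__":
    # Constructed snapshot ARN; EBS snapshot ARNs carry no account id, hence '::'.
    snap = "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0"
    for tags in ({"Stack": "Test"}, {"Stack": "Prod"}, {}):
        print(tags, "->", evaluate(POLICY, "ec2:DeleteSnapshot", snap,
                                   context_from_tags(tags)))
```

Running it shows a snapshot tagged Stack=Test is allowed, while one tagged Stack=Prod or carrying no Stack tag at all falls through to an implicit deny. Note what such a simulator cannot tell you: whether a given API action honours resource-level permissions and ec2:ResourceTag at all. For that, check the action in the AWS service authorization reference or the IAM policy simulator rather than reasoning from the policy text alone.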

The DeleteSnapshot API does not support resource level permissions. So we cannot use any conditions except "ec2:Region" and AWS global conditions.

So, you have to remove the condition block to be able to delete the snapshot.

Answered by sudo on December 5, 2021
