This article shows how to create a custom AWS IAM policy to allow snapshots. The first code snippet is what works but, as you can see, it's overly permissive. The second snippet is what "should" work but doesn't. I'd love some feedback on this.
This works but is too broad:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
This doesn’t work but should:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateSnapshot",
        "ec2:CreateImage"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
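When a tightened policy fails where the broad one worked, the first question is which actions the new policy actually matches. The script below is an added example, not part of the original post or an AWS tool: it embeds constructed copies of the two policies above, implements the simplified identity-policy evaluation order (explicit Deny wins, then any matching Allow, otherwise implicit deny) with IAM's `*` and `?` wildcard matching, and lints for statements that grant `service:*` on `*`. It does not model Conditions, NotAction or NotResource, and it does not explain why the second policy fails for the author; it only shows which actions that policy does and does not cover, which is where to start looking.

```python
import json
import re

# Constructed copies of the two policies from the post (example data).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]}
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:CreateSnapshot", "ec2:CreateImage"],
            "Resource": ["*"],
        }
    ],
}


def _as_list(value):
    """IAM accepts Action/Resource as a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive):
    """IAM policy wildcards: '*' matches any run of characters, '?' exactly one.
    Action names are matched case-insensitively; resource ARNs are not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def evaluate(policy, action, resource="*"):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action/resource pair.

    Simplified evaluation of a single identity policy: an explicit Deny in any
    matching statement wins, otherwise any matching Allow wins, otherwise the
    request is implicitly denied. Conditions, NotAction and NotResource are
    not modelled (assumption of this example).
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_wildcard_match(p, action, True)
                         for p in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard_match(p, resource, False)
                           for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def overly_broad_statements(policy):
    """Lint: indices of Allow statements that grant '*' or 'service:*' on resource '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wide_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wide_action and "*" in resources:
            findings.append(i)
    return findings


def compare(policies, actions, resource="*"):
    """Decision per policy name and action, to eyeball what a tighter policy drops."""
    return {name: {a: evaluate(p, a, resource) for a in actions}
            for name, p in policies.items()}


if __name__ == "__main__":
    # Actions worth comparing; ec2:CreateTags and ec2:DeleteSnapshot are real EC2
    # actions chosen here to show what the scoped policy leaves out.
    checks = ["ec2:CreateSnapshot", "ec2:CreateImage", "ec2:DescribeVolumes",
              "ec2:CreateTags", "ec2:DeleteSnapshot"]
    print(json.dumps(compare({"broad": BROAD_POLICY, "scoped": SCOPED_POLICY}, checks),
                     indent=2))
    print("overly broad statements in broad policy:", overly_broad_statements(BROAD_POLICY))
```

Running it shows both policies allowing `ec2:CreateSnapshot` and `ec2:CreateImage`, while only the broad one allows `ec2:CreateTags` or `ec2:DeleteSnapshot`; the lint flags the broad policy's single statement and nothing in the scoped one. For a real answer on a live account, the AWS IAM policy simulator evaluates the same request against every attached policy, condition and resource policy, which this script deliberately does not attempt.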