
IAM permission for EC2 Data Lifecycle Manager is not working


I have created an IAM user in my AWS account. The IAM user requires permission to access Amazon Data Lifecycle Manager. I had given the following permissions to the IAM user:

  • AmazonEC2FullAccess
  • AWSDataLifecycleManagerServiceRole
  • AWSDataLifecycleManagerServiceRoleForAMIManagement

But when I tried to access Amazon Data Lifecycle Manager with this IAM user account, I got the following message on the Lifecycle Manager page:

It is taking a bit longer than usual to fetch your data.

(The page keeps loading for a long period of time.)

This message doesn't appear when I try to access the same page with the same IAM user, but this time with AdministratorAccess. Please click here to see the attached screenshot.

Can somebody please let me know what's going wrong here? I want to grant limited permissions to my IAM user to manage my AWS resources.


Solution

  • The policies that you mentioned do not include permissions to access Data Lifecycle Manager.

    This is another service that is not included in EC2 (which is why AmazonEC2FullAccess does not give you permissions). Additionally, AWSDataLifecycleManagerServiceRole and AWSDataLifecycleManagerServiceRoleForAMIManagement are managed policies that allow AWS Data Lifecycle Manager itself to take actions on AWS resources, so these policies should not be attached to IAM users.

    You need to create a custom IAM policy with the proper permissions. For read-only access you can use this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DataLifecycleManagerRead",
                "Effect": "Allow",
                "Action": [
                    "dlm:Get*",
                    "dlm:List*"
                ],
                "Resource": "*"
            }
        ]
    }


    UPDATE

    To create policies through the web console, some additional permissions are required because the console shows more information to help during the creation process. So in order to have enough permissions to create policies via the console, use this (some of these are referenced in the documentation, but it seems to be incomplete):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dlm:*",
                    "iam:GetRole",
                    "ec2:DescribeTags",
                    "iam:ListRoles",
                    "iam:PassRole",
                    "iam:CreateRole",
                    "iam:AttachRolePolicy"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateSnapshot",
                    "ec2:CreateSnapshots",
                    "ec2:DeleteSnapshot",
                    "ec2:DescribeInstances",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeSnapshots",
                    "ec2:EnableFastSnapshotRestores",
                    "ec2:DescribeFastSnapshotRestores",
                    "ec2:DisableFastSnapshotRestores",
                    "ec2:CopySnapshot",
                    "ec2:ModifySnapshotAttribute",
                    "ec2:DescribeSnapshotAttribute"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateTags"
                ],
                "Resource": "arn:aws:ec2:*::snapshot/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "events:PutRule",
                    "events:DeleteRule",
                    "events:DescribeRule",
                    "events:EnableRule",
                    "events:DisableRule",
                    "events:ListTargetsByRule",
                    "events:PutTargets",
                    "events:RemoveTargets"
                ],
                "Resource": "arn:aws:events:*:*:rule/AwsDataLifecycleRule.managed-cwe.*"
            }
        ]
    }
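The core of the answer is that `ec2:*` never matches a `dlm:` action, while `dlm:Get*` and `dlm:List*` cover only the read calls. The following added example (not code from the question, the answer, or AWS) is a deliberately simplified IAM action matcher that makes this visible: it evaluates identity-based statements with `Resource: "*"` only, applies explicit-deny-wins semantics, and reports which required actions a set of policies fails to grant. The stand-in for AmazonEC2FullAccess and the list of required actions are constructed for the demonstration; the read-only policy is the one from the answer.

```python
import fnmatch

# Constructed stand-in for AmazonEC2FullAccess (only the ec2:* grant, not the real managed policy).
EC2_FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# The read-only DLM policy from the answer above.
DLM_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DataLifecycleManagerRead",
        "Effect": "Allow",
        "Action": ["dlm:Get*", "dlm:List*"],
        "Resource": "*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policies, action):
    """Simplified IAM evaluation: explicit Deny wins, any matching Allow grants,
    otherwise default deny. Only plain Action statements on Resource "*" are modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "NotAction" in stmt or stmt.get("Resource") != "*":
                continue  # outside the simplified model; treated as not applicable
            if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def missing_actions(policies, required):
    """Return the required actions that none of the policies grant."""
    return [a for a in required if not is_allowed(policies, a)]

if __name__ == "__main__":
    # Constructed list of actions a DLM console user would need; dlm:CreateLifecyclePolicy is
    # a write call, so the read-only policy is expected to leave it ungranted.
    needed = ["dlm:GetLifecyclePolicies", "dlm:GetLifecyclePolicy", "dlm:CreateLifecyclePolicy"]
    print("EC2 full access only, missing:", missing_actions([EC2_FULL_ACCESS_LIKE], needed))
    print("with DLM read-only, missing:", missing_actions([EC2_FULL_ACCESS_LIKE, DLM_READ_ONLY], needed))
```

Running it shows every `dlm:` action missing under the EC2-only policy and only the write action missing once the read-only policy is added, which is the behaviour the question's stalled console page reflects.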