The error Client.UnauthorizedOperation typically occurs when your IAM policy doesn't grant sufficient permissions for the requested AWS operation. In this case, while you can list all snapshots with "Resource": "*", the more restrictive policy fails because of incorrect ARN formatting and missing permissions.
Here's a properly configured IAM policy that allows snapshot operations only for your resources in eu-west-1:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:eu-west-1:YOUR_ACCOUNT_ID:volume/*",
        "arn:aws:ec2:eu-west-1:YOUR_ACCOUNT_ID:snapshot/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
Resource ARN Format: The correct format for EC2 resources is arn:aws:ec2:region:account:resource-type/resource-id. Your original policy missed the resource type and ID portions.
Wildcard Usage: While we restrict to your account's resources, we use wildcards for volumes and snapshots to allow operations on any of your resources in the specified region.
1. Replace YOUR_ACCOUNT_ID with your actual AWS account ID
2. Attach this policy to your IAM user or role
3. Configure your AWS CLI credentials properly:
aws configure set aws_access_key_id YOUR_ACCESS_KEY
aws configure set aws_secret_access_key YOUR_SECRET_KEY
aws configure set region eu-west-1
Verify your permissions work correctly with these commands:
# List your snapshots
aws ec2 describe-snapshots --owner-ids self
# Create a test snapshot (replace vol-123456 with your volume ID)
aws ec2 create-snapshot --volume-id vol-123456 --description "Test snapshot"
- Ensure your ARN includes the correct region code (eu-west-1 in your case)
- Don't forget to include both volume and snapshot resource ARNs
- The ec2:DescribeAvailabilityZones permission requires "Resource": "*" as it's a global operation
- Always specify the Version in your IAM policies (2012-10-17 is current)
Many AWS users face security concerns when their snapshot-related IAM policies are too broad. While using "Resource": "*" might work initially, it violates the principle of least privilege. The challenge is creating a policy that allows snapshot operations only on your specific resources in a designated region.
Your existing policy has the right actions but incorrect resource specification. The issue lies in this line:
"Resource": ["arn:aws:ec2:eu-west-1:MY_USER_ID"]
This ARN format doesn't match EC2 resource patterns. For EC2 snapshots and volumes, the ARN should follow this structure:
arn:aws:ec2:region:account-id:volume/volume-id
arn:aws:ec2:region:account-id:snapshot/snapshot-id
Here's the fixed policy that grants snapshot permissions only for your resources:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:eu-west-1:ACCOUNT_ID:volume/*",
        "arn:aws:ec2:eu-west-1:ACCOUNT_ID:snapshot/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
The policy contains two statements:
- Restricts create/delete operations to your specific resources in eu-west-1
- Allows describe actions globally (needed for listing operations)
After applying this policy, try these AWS CLI commands:
# List your volumes
aws ec2 describe-volumes --region eu-west-1
# Create a snapshot
aws ec2 create-snapshot --volume-id vol-1234567890abcdef0 --region eu-west-1
With the proper permissions, you can now automate snapshots. Here's a sample bash script:
#!/bin/bash
# Snapshot every volume visible in eu-west-1 with a dated description.
# Runs under the policy above: Describe* on "*" lists the volumes, and
# CreateSnapshot on the volume/* and snapshot/* ARNs creates the copies.
set -euo pipefail
REGION="eu-west-1"
DATE=$(date +%Y-%m-%d)
VOLUMES=$(aws ec2 describe-volumes --query 'Volumes[*].VolumeId' --output text --region "$REGION")
# $VOLUMES is intentionally unquoted: word-splitting yields one ID per iteration
for VOLUME in $VOLUMES; do
    aws ec2 create-snapshot \
        --volume-id "$VOLUME" \
        --description "Daily backup $DATE" \
        --region "$REGION"
done
For production environments, consider adding these constraints:
- Tag-based restrictions using IAM conditions
- Time-based restrictions for snapshot creation
- Mandatory snapshot encryption
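As an added example (not code from either answer above), the following Python block turns the three production constraints listed here, and the region- and account-scoped policy both answers arrive at, into one policy with IAM conditions, and pairs it with a small local evaluator so you can see which requests it allows before attaching it. The account ID, the Backup=daily tag, the resource IDs and the maintenance-window dates are assumed placeholders. ec2:Encrypted, aws:RequestTag/<key> and aws:CurrentTime are real condition keys, but the evaluator is a deliberately simplified model of IAM's decision logic (explicit Deny wins, then any matching Allow, else implicit deny, with every ARN the call touches checked separately); it is an illustration, not a substitute for aws iam simulate-principal-policy. Note that aws:CurrentTime only supports absolute timestamps, so a recurring daily window has to be enforced by your scheduler, not by IAM.

```python
"""Hardened snapshot policy with IAM conditions plus a simplified local evaluator.

Added example: models IAM's allow/deny logic just far enough to show how the
conditions below behave. Not a replacement for iam:SimulatePrincipalPolicy.
"""
import fnmatch

ACCOUNT = "111122223333"      # assumed placeholder account ID
REGION = "eu-west-1"
VOLUME_ARNS = f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*"
SNAPSHOT_ARNS = f"arn:aws:ec2:{REGION}:{ACCOUNT}:snapshot/*"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Describe* calls do not support resource-level permissions.
        {"Sid": "DescribeAll", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        # Only encrypted volumes in this account and region may be snapshotted.
        {"Sid": "SnapshotEncryptedVolumesOnly", "Effect": "Allow",
         "Action": "ec2:CreateSnapshot", "Resource": VOLUME_ARNS,
         "Condition": {"Bool": {"ec2:Encrypted": "true"}}},
        # The new snapshot must be tagged Backup=daily in the same request.
        {"Sid": "SnapshotMustBeTagged", "Effect": "Allow",
         "Action": ["ec2:CreateSnapshot", "ec2:CreateTags"],
         "Resource": SNAPSHOT_ARNS,
         "Condition": {"StringEquals": {"aws:RequestTag/Backup": "daily"}}},
        # Deletion only inside an absolute maintenance window (assumed dates).
        {"Sid": "DeleteInWindow", "Effect": "Allow",
         "Action": "ec2:DeleteSnapshot", "Resource": SNAPSHOT_ARNS,
         "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2024-06-01T00:00:00Z"},
                       "DateLessThan": {"aws:CurrentTime": "2024-06-02T00:00:00Z"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, ctx):
    """A missing context key never satisfies a positive condition operator."""
    actual = ctx.get(key)
    if actual is None:
        return False
    if operator in ("StringEquals", "Bool"):
        return str(actual).lower() == str(expected).lower()
    if operator == "DateGreaterThan":   # ISO-8601 UTC strings compare lexically
        return actual > expected
    if operator == "DateLessThan":
        return actual < expected
    raise ValueError(f"operator {operator} not modelled here")


def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, expected, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def evaluate(policy, action, resources, ctx=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one API call."""
    ctx = ctx or {}
    for resource in resources:
        decision = "ImplicitDeny"
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
        if decision != "Allow":        # one unauthorised ARN fails the whole call
            return decision
    return "Allow"


# Constructed sample requests; the IDs are placeholders, not real resources.
VOL = f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/vol-0123456789abcdef0"
VOL_OTHER_REGION = f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/vol-0123456789abcdef0"
SNAP = f"arn:aws:ec2:{REGION}:{ACCOUNT}:snapshot/snap-0fedcba9876543210"
GOOD_CTX = {"ec2:Encrypted": "true", "aws:RequestTag/Backup": "daily"}


def demo():
    """CreateSnapshot touches both the volume and the snapshot ARN, so both must pass."""
    return {
        "describe": evaluate(POLICY, "ec2:DescribeSnapshots", ["*"]),
        "encrypted_tagged": evaluate(POLICY, "ec2:CreateSnapshot", [VOL, SNAP], GOOD_CTX),
        "unencrypted": evaluate(POLICY, "ec2:CreateSnapshot", [VOL, SNAP],
                                {**GOOD_CTX, "ec2:Encrypted": "false"}),
        "untagged": evaluate(POLICY, "ec2:CreateSnapshot", [VOL, SNAP], {"ec2:Encrypted": "true"}),
        "wrong_region": evaluate(POLICY, "ec2:CreateSnapshot", [VOL_OTHER_REGION, SNAP], GOOD_CTX),
        "delete_in_window": evaluate(POLICY, "ec2:DeleteSnapshot", [SNAP],
                                     {"aws:CurrentTime": "2024-06-01T12:00:00Z"}),
        "delete_outside_window": evaluate(POLICY, "ec2:DeleteSnapshot", [SNAP],
                                          {"aws:CurrentTime": "2024-06-03T12:00:00Z"}),
    }
```

The per-resource loop in evaluate() is the point of the example: a CreateSnapshot call is authorised against the volume ARN and the snapshot ARN separately, which is why the answers above insist on listing both, and why the encryption condition sits on the volume statement while the tag condition sits on the snapshot statement. To put the policy into AWS, dump POLICY with json.dumps and pass it to aws iam create-policy; the evaluator is only there to reason about it offline.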