ec2:LockSnapshot

Write

ec2:LockSnapshot is a Write access-level action in the ec2 service. Grants permission to lock an Amazon EBS snapshot in either governance or compliance mode to protect it against accidental or malicious deletions

Resource types

ARNs that ec2:LockSnapshot can be scoped to in an IAM policy.

arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}
snapshot

Condition keys

Keys you can use in the Condition block of a policy that grants ec2:LockSnapshot.

ec2:SnapshotTime String

Filters access by the initiation time of a snapshot

aws:RequestTag/${TagKey} String

Filters access by a tag key and value pair that is allowed in the request

aws:ResourceTag/${TagKey} String

Filters access by a tag key and value pair of a resource

aws:TagKeys ArrayOfString

Filters access by a list of tag keys that are allowed in the request

ec2:Add/group String

Filters access by the group being added to a snapshot

ec2:Add/userId String

Filters access by the account id being added to a snapshot

ec2:Attribute String

Filters access by an attribute of a resource

ec2:Attribute/${AttributeName} String

Filters access by an attribute being set on a resource

ec2:AvailabilityZone String

Filters access by the name of an Availability Zone in an AWS Region

ec2:Encrypted Bool

Filters access by whether the EBS volume is encrypted

ec2:ProductCode String

Filters access by the product code that is associated with the AMI

ec2:Region String

Filters access by the name of the AWS Region

ec2:Remove/group String

Filters access by the group being removed from a snapshot

ec2:Remove/userId String

Filters access by the account id being removed from a snapshot

ec2:ResourceTag/${TagKey} String

Filters access by a tag key and value pair of a resource

ec2:SnapshotCoolOffPeriod Numeric

Filters access by the compliance mode cooling-off period

ec2:SnapshotID String

Filters access by the ID of a snapshot

ec2:SnapshotLockDuration Numeric

Filters access by the snapshot lock duration

ec2:SourceAvailabilityZone String

Filters access by the name of the Availability Zone from which the request originated

ec2:IsLaunchTemplateResource Bool

Filters access by whether users are able to override resources that are specified in the launch template

ec2:SourceOutpostArn ARN

Filters access by the ARN of the Outpost from which the request originated

ec2:LaunchTemplate ARN

Filters access by the ARN of a launch template

ec2:Location String

Filters access by the destination for the snapshot copy

ec2:VolumeSize Numeric

Filters access by the size of the volume, in GiB

ec2:OutpostArn ARN

Filters access by the ARN of the Outpost

ec2:Owner String

Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID)

ec2:ParentSnapshot ARN

Filters access by the ARN of the parent snapshot

ec2:ParentVolume ARN

Filters access by the ARN of the parent volume from which the snapshot was created

Example IAM policy

A minimal policy that allows ec2:LockSnapshot. Replace "Resource": "*" with a specific ARN to follow least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEc2LockSnapshot",
      "Effect": "Allow",
      "Action": "ec2:LockSnapshot",
      "Resource": "*"
    }
  ]
}

Related actions in ec2

View all ec2 actions →