Enable EC2 and EBS Restore Capabilities

The ability to restore EC2 and EBS capabilities depends on the existence of the vmimport service role that has the necessary permissions to perform import operations on your behalf. You need to create this role separately, in addition to following the steps outlined in the 'Add an S3 Account Using IAM Role' article.

1. Log in to your Amazon Web Services management console using either root credentials or user credentials with permissions allowing IAM management.
2. Use the search box to locate the IAM > Roles section:

3. Click Create role.

4. On Select Trusted Entity area, keep Trusted entity type as AWS service and set Use case to EC2. Click Next.

5. On the Add permissions step, click Create policy.

6. On Create Policy click JSON tab.

7. Paste the code from the snippet:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

8. Click Next
9. On Tags, add tags, if necessary. Click Next
10. On Review Policy, name the created policy. Click on Create policy at the bottom of the page.

11. Go back to the previous browser tab (i.e. containing the page with the Role creation wizard) and refresh the policy list. Find the freshly created policy, select it, and click Next at the bottom of the page.

13. Name the role as vmimport, and click on Create role at the bottom of the page:

14. On the Roles section of the console, check that the created vmimport role appears.
15. Click on the role to access parameters.

16. On parameters page, switch to the Trust relationships tab and click Edit trust policy button:

17. Replace the existing JSON code with the following snippet:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "vmimport"
        }
      }
    }
  ]
}

18. Click Update policy button at the bottom of the page.