
Required Configurations for Snapshot-Based Restore

To restore instances or devices to a different region within the same account:

- If restoring unencrypted volumes, add the "ec2:DescribeSnapshotAttribute" permission in AWS to the Cloud Backup for IaaS + PaaS backup role "AWSBackupAdminRole".
- If restoring volumes encrypted with KMS, add the following permissions in AWS to the Cloud Backup for IaaS + PaaS backup role "AWSBackupAdminRole":

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshotAttribute",
                "kms:PutKeyPolicy",
                "kms:GetKeyPolicy",
                "kms:DescribeKey",
                "kms:CreateKey",
                "kms:CreateGrant"
            ],
            "Resource": "*"
        }
    ]
}
```

Note that if the KMS key is a multi-region key and does not exist in the destination region, the key will be duplicated to the destination region during the restore job, and the duplicated key will be used to encrypt the new volume. For the restore job to succeed, the "AWSBackupAdminRole" must be added as a key user and have the "kms:ReplicateKey" permission, as shown below:

![Add the "AWSBackupAdminRole" and the "kms:ReplicateKey" permission.](/en/iaas-paas/restore-and-recover-your-data/amazon-ec2/images/image74.png)

To restore instances or devices to different accounts:

- If restoring unencrypted volumes, add the "ec2:DescribeSnapshotAttribute" permission in AWS to the Cloud Backup for IaaS + PaaS backup role "AWSBackupAdminRole" in the source account.
- If restoring volumes encrypted with KMS, add the following permissions in AWS to the Cloud Backup for IaaS + PaaS backup role "AWSBackupAdminRole" in the source account:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshotAttribute",
                "kms:PutKeyPolicy",
                "kms:GetKeyPolicy",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
```

Additionally, add the following permissions to the Cloud Backup for IaaS + PaaS backup role "AWSBackupAdminRole" in the destination account:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:CreateKey",
                "kms:CreateGrant"
            ],
            "Resource": "*"
        }
    ]
}
```

Note that if the KMS key is a customer managed key, for the restore job to succeed, the "AWSBackupAdminRole" must be added as a key user in the source account and have the "kms:ReplicateKey" permission, as shown below:

![Add the "AWSBackupAdminRole" and the "kms:ReplicateKey" permission.](/en/iaas-paas/restore-and-recover-your-data/amazon-ec2/images/image75.png)
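
To confirm before a restore that the role's identity policies cover the actions listed on this page, the following Python example (added here, not part of the product documentation) reports the required actions that no Allow statement grants. The scenario names, function names and sample policy are assumptions made for illustration; the check reads Allow statements only and does not evaluate Deny statements, conditions, resource scoping, or the KMS key policy that carries the key-user and "kms:ReplicateKey" settings.

```python
import json
import re

# Actions each restore scenario needs, copied from the policies on this page.
REQUIRED = {
    "same_account_unencrypted": {"ec2:DescribeSnapshotAttribute"},
    "same_account_kms": {"ec2:DescribeSnapshotAttribute", "kms:PutKeyPolicy",
                         "kms:GetKeyPolicy", "kms:DescribeKey",
                         "kms:CreateKey", "kms:CreateGrant"},
    "cross_account_source_kms": {"ec2:DescribeSnapshotAttribute", "kms:PutKeyPolicy",
                                 "kms:GetKeyPolicy", "kms:DescribeKey"},
    "cross_account_destination_kms": {"kms:CreateKey", "kms:CreateGrant"},
}

# Constructed sample: an identity policy as it might be attached to the role.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:Describe*", "kms:GetKeyPolicy", "kms:DescribeKey"]},
  {"Effect": "Allow", "Resource": "*", "Action": "kms:CreateGrant"},
  {"Effect": "Deny", "Resource": "*", "Action": "kms:CreateKey"}
]}
""")

def _as_list(value):
    """IAM accepts either one string/object or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Compile the Action patterns of Allow statements (IAM wildcards: * and ?)."""
    compiled = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements never count as a grant here
        for action in _as_list(stmt["Action"]):
            rx = re.escape(action).replace(r"\*", ".*").replace(r"\?", ".")
            compiled.append(re.compile(rx, re.IGNORECASE))
    return compiled

def missing_actions(policies, scenario):
    """Return the scenario's required actions that no Allow statement covers."""
    patterns = [p for doc in policies for p in allowed_patterns(doc)]
    return sorted(a for a in REQUIRED[scenario]
                  if not any(p.fullmatch(a) for p in patterns))

if __name__ == "__main__":
    for name in REQUIRED:
        print(name, "missing:", missing_actions([SAMPLE_POLICY], name) or "none")
```

Pass every policy document attached to the role in the relevant account as the `policies` list; an empty result means each listed action is matched by at least one Allow statement.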