
[ACTION REQUIRED] Update to the EBS CSI Driver IAM Policy #2190

Open
ConnorJC3 opened this issue Oct 17, 2024 · 2 comments

Comments

@ConnorJC3
Contributor

ConnorJC3 commented Oct 17, 2024

Summary

In January of 2025, AWS will change the handling of IAM policies authorizing the CreateVolume action. Previously, only the created volume was authorized when using CreateVolume to restore a snapshot. After the change, the snapshot being restored will also be authorized. Because of this change, the policy used for the EBS CSI Driver must grant explicit access to the snapshot being restored.

If no action is taken before the change takes place, the EBS CSI Driver will be unable to restore snapshots when creating a volume.

Determine Impact

All installations of the EBS CSI Driver that restore snapshots are potentially impacted. If you use the EBS CSI Driver to restore snapshots (or may do so in the future), you should continue reading to the remediation steps below.

Affected accounts may have received an automated email from AWS titled "[Action Required] Review Permission Policies in CreateVolume API" to the email address associated with the AWS account.

Remediation: AmazonEBSCSIDriverPolicy Managed Policy

If your EBS CSI Driver installation uses the AmazonEBSCSIDriverPolicy managed policy, no action is required on your part. AWS will update this policy automatically prior to the rollout of the IAM change. A notice will be posted to this issue after the managed policy update is complete and available globally.

Remediation: Custom (Not AWS Managed) Policy

If your EBS CSI Driver installation uses any non-managed policy, an update is likely necessary. Update your policy to contain a statement similar to the example below:

{
    "Effect": "Allow",
    "Action": "ec2:CreateVolume",
    "Resource": "arn:*:ec2:*:*:snapshot/*"
}

This example will grant the EBS CSI Driver access to restore all EBS snapshots in the AWS account (this is the existing behavior on the example policy).

The documented example policy has been updated to reflect these changes. See the latest example policy for a full example.

Support

If you have any questions about this change and how it impacts the EBS CSI Driver, please reach out by responding to this issue or opening a new one.
If you need general support for IAM, EBS, or AWS, please reach out to AWS Support.

@nikki-quant

Hi, thanks for the heads up about this. I'm looking at our existing policy which has the following statement:

{
    "Effect": "Allow",
    "Action": [
        "ec2:CreateVolume"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
        }
    }
},

I'm not sure what the behaviour is here. Would the request:

  • Be allowed, because the API call will add the ebs.csi.aws.com/cluster tag to the newly created volume and RequestTag does not evaluate the existing tags on resources?
  • Be forbidden, because the part of the call specifically retrieving the snapshot is not looking for a snapshot with the ebs.csi.aws.com/cluster tag?

@ConnorJC3
Contributor Author

ConnorJC3 commented Oct 30, 2024

@nikki-quant it would succeed to authorize on the volume (as the volume the driver creates will have that tag), but fail to authorize on the snapshot (because condition keys that are not present evaluate to false, thus the RequestTag condition will evaluate to false).

Today CreateVolume only checks volume authorization, thus the call succeeds. Once AWS changes this to also check snapshot authorization, the CreateVolume call will fail because the snapshot will fail to authorize (unless the policy is updated to add a statement authorizing the snapshot as this issue explains).
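The following is an added example, not code from the aws-ebs-csi-driver project or from anyone in this thread. It models the two situations discussed above: the remediation statement from the issue body (CreateVolume allowed on `arn:*:ec2:*:*:snapshot/*`) and the tag-conditioned policy quoted in the question, evaluated before and after the January 2025 change. It implements only the slice of IAM semantics the thread relies on: Allow statements, wildcard matching of Action and Resource, and StringLike conditions on `aws:RequestTag/<key>`, where a condition key absent from the authorization context evaluates to false. The ARNs, the per-resource contexts (request tags present for the new volume, absent for the snapshot) and the function names are assumptions made for the example.

```python
"""Simplified IAM-style evaluation of ec2:CreateVolume for an EBS CSI Driver policy.

Added example (not project code). Models only: Allow statements, '*'/'?'
wildcards in Action and Resource, and StringLike conditions on
aws:RequestTag/<key>, where a missing condition key evaluates to false.
"""
import copy
import fnmatch
import json

# Constructed policy resembling the one quoted in the thread: CreateVolume is
# allowed on any resource, but only when the request carries the cluster tag.
TAG_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateVolume"],
      "Resource": "*",
      "Condition": {
        "StringLike": {"aws:RequestTag/ebs.csi.aws.com/cluster": "true"}
      }
    }
  ]
}
""")

# The statement the issue asks custom policies to add.
SNAPSHOT_STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:CreateVolume",
    "Resource": "arn:*:ec2:*:*:snapshot/*",
}

# Constructed ARNs: the volume ID is not known before creation, hence volume/*.
VOLUME_ARN = "arn:aws:ec2:us-east-1:123456789012:volume/*"
SNAPSHOT_ARN = "arn:aws:ec2:us-east-1:123456789012:snapshot/snap-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM-style wildcard match: '*' any sequence, '?' one character, case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition, context):
    """Evaluate a Condition block; only StringLike is modelled here."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            if key not in context:
                return False  # absent condition key -> condition is false
            if not any(_matches(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def statement_allows(stmt, action, resource, context):
    if stmt.get("Effect") != "Allow":
        return False
    if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _conditions_hold(stmt.get("Condition", {}), context)


def is_allowed(policy, action, resource, context):
    return any(statement_allows(s, action, resource, context)
               for s in policy["Statement"])


def create_volume_from_snapshot(policy, check_snapshot):
    """True if a CreateVolume call restoring a snapshot is authorized.

    check_snapshot=False models today's behaviour (only the new volume is
    authorized); True models the behaviour after the January 2025 change.
    Request tags belong to the volume being created, so aws:RequestTag keys are
    present in the volume's context and absent from the snapshot's (assumption
    following the explanation in this thread).
    """
    volume_ctx = {"aws:RequestTag/ebs.csi.aws.com/cluster": "true"}
    snapshot_ctx = {}
    if not is_allowed(policy, "ec2:CreateVolume", VOLUME_ARN, volume_ctx):
        return False
    if not check_snapshot:
        return True
    return is_allowed(policy, "ec2:CreateVolume", SNAPSHOT_ARN, snapshot_ctx)


def with_snapshot_statement(policy):
    """Return a copy of the policy with the remediation statement appended."""
    updated = copy.deepcopy(policy)
    updated["Statement"].append(copy.deepcopy(SNAPSHOT_STATEMENT))
    return updated


if __name__ == "__main__":
    fixed = with_snapshot_statement(TAG_ONLY_POLICY)
    print("before change, tag-only policy:", create_volume_from_snapshot(TAG_ONLY_POLICY, False))
    print("after change,  tag-only policy:", create_volume_from_snapshot(TAG_ONLY_POLICY, True))
    print("after change,  with snapshot stmt:", create_volume_from_snapshot(fixed, True))
```

Running the script shows the tag-only policy succeeding under today's volume-only authorization, failing once the snapshot is also authorized (the `Resource: "*"` matches the snapshot ARN, but the StringLike condition fails because no request tag is in the snapshot's context), and succeeding again once the remediation statement is appended. The same `is_allowed` call can be pointed at an exported custom policy document to check whether it already grants `ec2:CreateVolume` on a snapshot ARN without relying on request tags.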

@ConnorJC3 ConnorJC3 reopened this Oct 30, 2024
@AndrewSirenko AndrewSirenko unpinned this issue Nov 19, 2024
@AndrewSirenko AndrewSirenko pinned this issue Nov 19, 2024
moleus added a commit to moleus/terraform-kubernetes-ebs-csi-driver that referenced this issue Nov 26, 2024
lostsnow added a commit to lostsnow/terraform-aws-eks-ebs-csi-driver that referenced this issue Dec 6, 2024
samsimpson1 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 18, 2024
This is required because AWS is going to start checking permissions on snapshots when creating a volume from one

kubernetes-sigs/aws-ebs-csi-driver#2190
Balsir pushed a commit to lablabs/terraform-aws-eks-ebs-csi-driver that referenced this issue Dec 19, 2024