How do I generate an IAM policy for making snapshots?

I have volumes mounted on EC2 instances of which I would like to make snapshots.

I created a new IAM user with the following policy:

{
  "Statement": [
    {
      "Sid": "...",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes"
      ],
      "Resource": [
        "arn:aws:ec2:eu-west-1:MY_USER_ID"
      ]
    }
  ]
}

I have added the access key and secret to my ~/.bashrc and sourced it. When I run ec2-describe-snapshots I get this response: Client.UnauthorizedOperation: You are not authorized to perform this operation.

When my "Resource" was just "*" I was able to list all types of Amazon's snapshots. I am looking to create snapshots owned by/visible to just me in the eu-west-1 region.


Solution 1:

As wisely posted at How can I limit EC2 describe images permissions, resource-level permissions are not implemented at all on ec2:Describe* actions.

In reality you need to limit access based on other things and not the resource ARN.
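For reference, the following is an added example policy (not from the question or the answer above) showing how the two halves of the problem are handled separately: the Describe* actions get "Resource": "*" because they ignore resource ARNs, while the mutating actions are scoped by region in the ARN and by tag conditions. It assumes a placeholder account ID of 111122223333 and a tag key/value pair CreatedBy=backup-user chosen for this example; the resource-level support for CreateSnapshot and DeleteSnapshot used here was added by AWS after this question was asked and is not available in the older API tools the question mentions. Note that EBS snapshot ARNs carry no account ID (arn:aws:ec2:region::snapshot/...), unlike volume ARNs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeActionsDoNotSupportResourceArns",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SnapshotOnlyVolumesInEuWest1",
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "arn:aws:ec2:eu-west-1:111122223333:volume/*"
    },
    {
      "Sid": "NewSnapshotsMustCarryOwnerTag",
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "arn:aws:ec2:eu-west-1::snapshot/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": "backup-user"
        }
      }
    },
    {
      "Sid": "TagSnapshotsOnlyAtCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:eu-west-1::snapshot/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateSnapshot"
        }
      }
    },
    {
      "Sid": "DeleteOnlyOwnSnapshots",
      "Effect": "Allow",
      "Action": "ec2:DeleteSnapshot",
      "Resource": "arn:aws:ec2:eu-west-1::snapshot/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/CreatedBy": "backup-user"
        }
      }
    }
  ]
}
```

The CreateSnapshot permission is split into two statements on purpose: the aws:RequestTag condition is only meaningful for the snapshot resource, and putting it on the volume resource in the same statement would make that evaluation fail. Describe calls will still return every snapshot visible to the account (including public ones), so "visible to just me" has to be enforced by filtering on the CreatedBy tag at query time rather than by the policy; what the policy does guarantee is that this user can only create snapshots of eu-west-1 volumes, must tag them, and can only delete the ones it tagged.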