

# Recover deleted EBS volumes, EBS snapshots, and EBS-backed AMIs with Recycle Bin
<a name="recycle-bin"></a>

Recycle Bin is a data recovery feature that enables you to restore accidentally deleted EBS volumes, EBS snapshots, and EBS-backed AMIs. When using Recycle Bin, if your resources are deleted, they are retained in the Recycle Bin for a time period that you specify before being permanently deleted.

You can restore a resource from the Recycle Bin at any time before its retention period expires. After you restore a resource from the Recycle Bin, the resource is removed from the Recycle Bin and you can use it in the same way that you use any other resource of that type in your account. If the retention period expires and the resource is not restored, the resource is permanently deleted from the Recycle Bin and it is no longer available for recovery.

Using Recycle Bin helps to ensure business continuity by protecting your business-critical data against accidental deletion.

Recycle Bin is assessed as a service capability of Amazon Elastic Block Store (Amazon EBS). Any compliance program (FedRAMP, HIPAA BAA, SOC, etc.) in [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) that lists Amazon EBS also applies to Recycle Bin.

**Topics**
+ [Supported resources](#supported-resources)
+ [How does it work?](recycle-bin-concepts.md)
+ [Considerations](recycle-bin-factors.md)
+ [Quotas](#recycle-bin-quotas)
+ [Related services](#recycle-bin-integrations)
+ [Pricing](#recycle-bin-pricing)
+ [Control access](recycle-bin-perms.md)
+ [Create retention rule](recycle-bin-create-rule.md)
+ [Update retention rule](recycle-bin-update-rule.md)
+ [Lock retention rule](recycle-bin-lock.md)
+ [Unlock retention rule](recycle-bin-unlock.md)
+ [Tag retention rules](recycle-bin-tag-resource.md)
+ [Delete retention rules](recycle-bin-delete-rule.md)
+ [Recover deleted snapshots](recycle-bin-working-with-snaps.md)
+ [Recover deleted volumes](recycle-bin-working-with-volumes.md)
+ [Recover deleted AMIs](recycle-bin-working-with-amis.md)
+ [Monitor using EventBridge](rbin-eventbridge.md)
+ [Monitor using CloudTrail](recycle-bin-ct.md)
+ [Service endpoints](rbin-service-endpoints.md)
+ [Use interface VPC endpoints](rbin-vpcendpoints.md)

## Supported resources
<a name="supported-resources"></a>

Recycle Bin supports the following resource types:
+ Amazon EBS volumes
+ Amazon EBS snapshots
**Important**  
Recycle Bin retention rules also apply to archived snapshots in the archive storage tier. If you delete an archived snapshot that matches a retention rule, that snapshot is retained in the Recycle Bin for the period defined in the retention rule. Archived snapshots are billed at the rate for archived snapshots while they are in the Recycle Bin.
+ Amazon EBS-backed Amazon Machine Images (AMIs)
**Note**  
Retention rules also apply to disabled AMIs.

# How does Recycle Bin work?
<a name="recycle-bin-concepts"></a>

To enable and use Recycle Bin, you must create *retention rules* in the AWS Regions in which you want to protect your resources. Retention rules specify the following:
+ The resource type that you want to protect (volumes, snapshots, or AMIs).
+ The type of retention rule:
  + **Tag-level retention rules** — These retention rules use resource tags to identify the resources to protect. For each retention rule, you specify one or more tag key and value pairs. Resources (of the specified type) that have at least one of these tag key and value pairs are automatically retained in the Recycle Bin upon deletion. Use this type of retention rule to protect specific resources in your account based on their tags.
  + **Region-level retention rules** — These retention rules, by default, apply to all of the resources (of the specified type) in the Region, even if the resources are not tagged. However, you can specify exclusion tags to exclude resources that have specific tags. Use this type of retention rule to protect all resources of a specific type in a Region.
+ The retention period to retain resources after they are deleted. After this period expires, the resources are permanently deleted from the Recycle Bin. The supported retention periods are:
  + EBS volumes: 1 - 7 days
  + EBS snapshots and EBS-backed AMIs: 1 - 365 days

While a resource is in the Recycle Bin, you have the ability to restore it for use at any time. The resource remains in the Recycle Bin until one of the following happens:
+ You manually restore it for use. When you restore a resource from the Recycle Bin, the resource is removed from the Recycle Bin and it immediately becomes available for use. You can use restored resources in the same way as any other resource of that type in your account.
+ The retention period expires. If the retention period expires, and the resource has not been restored from the Recycle Bin, the resource is permanently deleted from the Recycle Bin and it can no longer be viewed or restored.

# Considerations for Recycle Bin
<a name="recycle-bin-factors"></a>

The following considerations apply when working with Recycle Bin and retention rules.

**General considerations**
+ Deleted resources are moved to the Recycle Bin only if they match an existing retention rule. If you delete a resource that does not match a retention rule, or if you do not have any retention rules at that time, that resource is permanently deleted; it is not moved to the Recycle Bin.
+ **Important**  
  Retention rules follow an eventual consistency model for the first retention rule created per resource type, per Region in your account. When you create your first retention rule for a resource type in a Region, that rule might not become active and start retaining resources immediately. However, any subsequent retention rules you create for that same resource type in the same Region will become active and start retaining resources almost immediately.
+ If a resource matches more than one retention rule upon deletion, then the retention rule with the longest retention period takes precedence.
+ You can't manually delete a resource from the Recycle Bin. The resource will be automatically deleted when its retention period expires.
+ While a resource is in the Recycle Bin, you can only view it, restore it, or modify its tags. To use the resource in any other way, you must first restore it.
+ If any AWS service, such as AWS Backup or Amazon Data Lifecycle Manager, deletes a resource that matches a retention rule, that resource is automatically retained by Recycle Bin. If needed, you can prevent these resources from entering into Recycle Bin upon deletion by tagging those resources and then adding those tags as exclusion tags to your retention rules.
+ When a resource is sent to the Recycle Bin, the following system-generated tag is assigned to the resource:
  + Tag key — `aws:recycle-bin:resource-in-bin`
  + Tag value — `true`

  You can't manually edit or delete this tag. When the resource is restored from the Recycle Bin, the tag is automatically removed.
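
The matching and precedence rules above can be checked offline against an inventory before you rely on them. The following Python sketch is an added example, not AWS code: the `RetentionRule` class, rule IDs, and inventory are constructed for illustration, and it models only resource type and tag matching (not the eventual-consistency delay or the volume exceptions listed below).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RetentionRule:
    """Simplified model of one retention rule (field names are illustrative)."""
    rule_id: str                            # constructed identifier
    resource_type: str                      # EBS_VOLUME, EBS_SNAPSHOT or EC2_IMAGE
    retention_days: int
    resource_tags: frozenset = frozenset()  # non-empty means a tag-level rule
    exclude_tags: frozenset = frozenset()   # exclusion tags of a Region-level rule

    def matches(self, resource_type, tags):
        """True if a deleted resource of this type with these tags is retained."""
        if resource_type != self.resource_type:
            return False
        pairs = set(tags.items())
        if self.resource_tags:
            # Tag-level rule: at least one key and value pair must match.
            return bool(pairs & self.resource_tags)
        # Region-level rule: everything of this type unless an exclusion tag matches.
        return not (pairs & self.exclude_tags)


def outcome_on_delete(rules, resource_type, tags):
    """Return (rule_id, retention_days) of the governing rule, or None when
    no rule matches and the resource would be permanently deleted."""
    matching = [r for r in rules if r.matches(resource_type, tags)]
    if not matching:
        return None
    # Among matching rules, the longest retention period takes precedence.
    winner = max(matching, key=lambda r: r.retention_days)
    return winner.rule_id, winner.retention_days


def unprotected(rules, inventory):
    """IDs of inventory items that no rule would send to the Recycle Bin."""
    return [rid for rid, (rtype, tags) in inventory.items()
            if outcome_on_delete(rules, rtype, tags) is None]


# Constructed rule set and inventory (not real resources).
RULES = [
    RetentionRule("rule-region-snap", "EBS_SNAPSHOT", 7,
                  exclude_tags=frozenset({("purpose", "testing")})),
    RetentionRule("rule-prod-snap", "EBS_SNAPSHOT", 30,
                  resource_tags=frozenset({("purpose", "production")})),
    RetentionRule("rule-db-vol", "EBS_VOLUME", 3,
                  resource_tags=frozenset({("tier", "db")})),
]
INVENTORY = {
    "snap-example-a": ("EBS_SNAPSHOT", {"purpose": "production"}),
    "snap-example-b": ("EBS_SNAPSHOT", {"purpose": "testing"}),
    "snap-example-c": ("EBS_SNAPSHOT", {}),
    "vol-example-a": ("EBS_VOLUME", {"tier": "db", "env": "prod"}),
    "vol-example-b": ("EBS_VOLUME", {}),
    "ami-example-a": ("EC2_IMAGE", {"purpose": "production"}),
}

if __name__ == "__main__":
    for rid, (rtype, tags) in INVENTORY.items():
        print(rid, outcome_on_delete(RULES, rtype, tags))
    print("permanently deleted on delete:", unprotected(RULES, INVENTORY))
```

Resources returned by `unprotected` are the ones that a deletion would remove permanently under the modeled rule set.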

**Considerations for volumes**
+ Volumes deleted due to instance termination or root volume replacement are protected by Recycle Bin.
+ Volumes that fail to be created are not protected by Recycle Bin on deletion.
+ Volumes of failed instance launches are not protected by Recycle Bin on deletion.
+ Volumes of managed instances are not protected by Recycle Bin on deletion.
+ Ongoing volume creation or modification will not be paused when the volume enters Recycle Bin. This means that you are still billed accordingly if the volume was created with an Amazon EBS Provisioned Rate for Volume Initialization.
+ Volumes in Recycle Bin count towards your quotas in the same way as regular volumes.
+ Volumes in Recycle Bin are not billed after their Recycle Bin exit time has elapsed. You cannot restore these volumes but you can discover them if they have not yet been deleted.
+ The `deleteVolume` event will be sent only after the volume is deleted from Recycle Bin. This event is not emitted when the volume enters Recycle Bin.

**Considerations for snapshots**
+ **Important**  
  If you have retention rules for AMIs and for their associated snapshots, make the retention period for the snapshots the same or longer than the retention period for the AMIs. This ensures that Recycle Bin does not delete the snapshots associated with an AMI before deleting the AMI itself, as this would make the AMI unrecoverable.
+ If a snapshot is enabled for fast snapshot restore when it is deleted, fast snapshot restore is automatically disabled shortly after the snapshot is sent to the Recycle Bin.
  + If you restore the snapshot before fast snapshot restore is disabled for the snapshot, it remains enabled.
  + If you restore the snapshot after fast snapshot restore has been disabled, it remains disabled. If needed, you must manually re-enable fast snapshot restore.
+ If a snapshot is shared when it is deleted, it is automatically unshared when it is sent to the Recycle Bin. If you restore the snapshot, all of the previous sharing permissions are automatically restored.
+ If a snapshot that was created by another AWS service, such as AWS Backup, is sent to the Recycle Bin and you later restore that snapshot from the Recycle Bin, it is no longer managed by the AWS service that created it. You must manually delete the snapshot if it is no longer needed.

**Considerations for AMIs**
+ Only Amazon EBS-backed AMIs are supported.
+ **Important**  
  If you have retention rules for AMIs and for their associated snapshots, make the retention period for the snapshots the same or longer than the retention period for the AMIs. This ensures that Recycle Bin does not delete the snapshots associated with an AMI before deleting the AMI itself, as this would make the AMI unrecoverable.
+ If an AMI is shared when it is deleted, it is automatically unshared when it is sent to the Recycle Bin. If you restore the AMI, all of the previous sharing permissions are automatically restored.
+ Before you can restore an AMI from the Recycle Bin, you must first restore all of its associated snapshots from the Recycle Bin and ensure that they are in the `available` state.
+ If the snapshots that are associated with the AMI are deleted from the Recycle Bin, the AMI is no longer recoverable. The AMI will be deleted when the retention period expires.
+ If an AMI that was created by another AWS service, such as AWS Backup, is sent to the Recycle Bin and you later restore that AMI from the Recycle Bin, it is no longer managed by the AWS service that created it. You must manually delete the AMI if it is no longer needed.

**Considerations for Amazon Data Lifecycle Manager snapshot policies**
+ If Amazon Data Lifecycle Manager deletes a snapshot that matches a retention rule, that snapshot is automatically retained by Recycle Bin.
+ If Amazon Data Lifecycle Manager deletes a snapshot and sends it to the Recycle Bin when the policy's retention threshold is reached, and you manually restore the snapshot from the Recycle Bin, you must manually delete that snapshot when it is no longer needed. Amazon Data Lifecycle Manager will no longer manage the snapshot.
+ If you manually delete a snapshot that was created by a policy, and that snapshot is in the Recycle Bin when the policy’s retention threshold is reached, Amazon Data Lifecycle Manager will not delete the snapshot. Amazon Data Lifecycle Manager does not manage the snapshots while they are stored in the Recycle Bin.

  If the snapshot is restored from the Recycle Bin before the policy's retention threshold is reached, Amazon Data Lifecycle Manager will delete the snapshot when the policy's retention threshold is reached.

  If the snapshot is restored from the Recycle Bin after the policy's retention threshold is reached, Amazon Data Lifecycle Manager will no longer delete the snapshot. You must manually delete the snapshot when it is no longer needed.

**Considerations for AWS Backup**
+ If AWS Backup deletes a snapshot that matches a retention rule, that snapshot is automatically retained by Recycle Bin.

**Considerations for archived snapshots**
+ Recycle Bin retention rules also apply to archived snapshots in the archive storage tier. If you delete an archived snapshot that matches a retention rule, that snapshot is retained in the Recycle Bin for the period defined in the retention rule.

  Archived snapshots are billed at the rate for archived snapshots while they are in the Recycle Bin.

  If a retention rule deletes an archived snapshot from the Recycle Bin before the minimum archive period of 90 days, you are billed for the remaining days. For more information, see [Archived snapshot pricing and billing](https://docs.aws.amazon.com/ebs/latest/userguide/snapshot-archive.html#snapshot-archive-pricing).

  To use an archived snapshot that is in the Recycle Bin, you must first recover the snapshot from the Recycle Bin and then restore it from the archive tier to the standard tier.

## Quotas
<a name="recycle-bin-quotas"></a>

The following quotas apply to Recycle Bin.


| Quota | Default quota | 
| --- | --- | 
| Retention rules per Region | 250 | 
| Tag key and value pairs per retention rule | 50 | 

## Related services
<a name="recycle-bin-integrations"></a>

Recycle Bin works with the following services:
+ **AWS CloudTrail** — Enables you to record events that occur in Recycle Bin. For more information, see [Monitor Recycle Bin using AWS CloudTrail](recycle-bin-ct.md).

## Pricing
<a name="recycle-bin-pricing"></a>

There are no additional charges for using Recycle Bin and retention rules. For more information, see [Amazon EBS pricing](https://aws.amazon.com/ebs/pricing/).
+ **Amazon EBS volumes** — Volumes in the Recycle Bin are billed at the same rate as regular volumes in your account.
+ **Amazon EBS snapshots** — Snapshots in the Recycle Bin are billed at the same rate as regular snapshots in your account.
+ **EBS-backed AMIs** — AMIs in the Recycle Bin do not incur any additional charges.

**Note**  
Some resources might still appear in the Recycle Bin console or in the AWS CLI and API output for a short period after their retention periods have expired and they have been permanently deleted. You are not billed for these resources. Billing stops as soon as the retention period expires.

You can use the following AWS generated cost allocation tags for cost tracking and allocation purposes when using AWS Billing and Cost Management.
+ Key: `aws:recycle-bin:resource-in-bin`
+ Value: `true`

For more information, see [AWS-generated cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/aws-tags.html) in the *AWS Billing and Cost Management User Guide*.

# Control access to Recycle Bin with IAM
<a name="recycle-bin-perms"></a>

By default, users don't have permission to work with Recycle Bin, retention rules, or with resources that are in the Recycle Bin. To allow users to work with these resources, you must create IAM policies that grant permission to use specific resources and API actions. After the policies are created, you must add permissions to your users, groups, or roles.

**Topics**
+ [Permissions for working with Recycle Bin and retention rules](#rule-perms)
+ [Permissions for working with resources in the Recycle Bin](#resource-perms)
+ [Condition keys for Recycle Bin](#rbin-condition-keys)

## Permissions for working with Recycle Bin and retention rules
<a name="rule-perms"></a>

To work with Recycle Bin and retention rules, users need the following permissions.
+ `rbin:CreateRule`
+ `rbin:UpdateRule`
+ `rbin:GetRule`
+ `rbin:ListRules`
+ `rbin:DeleteRule`
+ `rbin:TagResource`
+ `rbin:UntagResource`
+ `rbin:ListTagsForResource`
+ `rbin:LockRule`
+ `rbin:UnlockRule`

To use the Recycle Bin console, users need the `tag:GetResources` permission.

The following is an example IAM policy that includes the `tag:GetResources` permission for console users. If some permissions are not needed, you can remove them from the policy.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rbin:CreateRule",
                "rbin:UpdateRule",
                "rbin:GetRule",
                "rbin:ListRules",
                "rbin:DeleteRule",
                "rbin:TagResource",
                "rbin:UntagResource",
                "rbin:ListTagsForResource",
                "rbin:LockRule",
                "rbin:UnlockRule",
                "tag:GetResources"
            ],
            "Resource": "*"
        }
    ]
}
```

------

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Permissions for working with resources in the Recycle Bin
<a name="resource-perms"></a>

For more information about the IAM permissions needed to work with resources in the Recycle Bin, see the following:
+ [Permissions for working with volumes in the Recycle Bin](recycle-bin-working-with-volumes.md#volume-perms)
+ [Permissions for working with snapshots in the Recycle Bin](recycle-bin-working-with-snaps.md#snap-perms)
+ [Permissions for working with AMIs in the Recycle Bin](recycle-bin-working-with-amis.md#ami-perms)

## Condition keys for Recycle Bin
<a name="rbin-condition-keys"></a>

Recycle Bin defines the following condition keys that you can use in the `Condition` element of an IAM policy to control the conditions under which the policy statement applies. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.

**Topics**
+ [`rbin:Request/ResourceType` condition key](#resource-type-parameter)
+ [`rbin:Attribute/ResourceType` condition key](#resource-type-attribute)

### `rbin:Request/ResourceType` condition key
<a name="resource-type-parameter"></a>

The `rbin:Request/ResourceType` condition key can be used to filter access on [CreateRule](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_CreateRule.html) and [ListRules](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_ListRules.html) requests based on the value specified for the `ResourceType` request parameter.

**Example 1 - CreateRule**  
The following sample IAM policy allows IAM principals to make **CreateRule** requests only if the value specified for the `ResourceType` request parameter is `EBS_SNAPSHOT` or `EC2_IMAGE`. This allows the principal to create new retention rules for snapshots and AMIs only.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement" : [
        {
            "Effect" : "Allow",
            "Action" :[
                "rbin:CreateRule"
            ],
            "Resource" : "*",
            "Condition" : {
                "StringEquals" : {
                    "rbin:Request/ResourceType" : ["EBS_SNAPSHOT", "EC2_IMAGE"]
                }
            }
        }
    ]
}
```

------

**Example 2 - ListRules**  
The following sample IAM policy allows IAM principals to make **ListRules** requests only if the value specified for the `ResourceType` request parameter is `EBS_SNAPSHOT`. This allows the principal to list retention rules for snapshots only, and it prevents them from listing retention rules for any other resource type.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement" : [
        {
            "Effect" : "Allow",
            "Action" :[
                "rbin:ListRules"
            ],
            "Resource" : "*",
            "Condition" : {
                "StringEquals" : {
                    "rbin:Request/ResourceType" : "EBS_SNAPSHOT"
                }
            }
        }
    ]
}
```

------

### `rbin:Attribute/ResourceType` condition key
<a name="resource-type-attribute"></a>

The `rbin:Attribute/ResourceType` condition key can be used to filter access on [DeleteRule](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_DeleteRule.html), [GetRule](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_GetRule.html), [UpdateRule](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_UpdateRule.html), [LockRule](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_LockRule.html), [UnlockRule](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_UnlockRule.html), [TagResource](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_TagResource.html), [UntagResource](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_UntagResource.html), and [ListTagsForResource](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_ListTagsForResource.html) requests based on the value of the retention rule's `ResourceType` attribute.

**Example 1 - UpdateRule**  
The following sample IAM policy allows IAM principals to make **UpdateRule** requests only if the `ResourceType` attribute of the requested retention rule is `EBS_SNAPSHOT` or `EC2_IMAGE`. This allows the principal to update retention rules for snapshots and AMIs only.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement" : [
        {
            "Effect" : "Allow",
            "Action" :[
                "rbin:UpdateRule"
            ],
            "Resource" : "*",
            "Condition" : {
                "StringEquals" : {
                    "rbin:Attribute/ResourceType" : ["EBS_SNAPSHOT", "EC2_IMAGE"]
                }
            }
        }
    ]
}
```

------

**Example 2 - DeleteRule**  
The following sample IAM policy allows IAM principals to make **DeleteRule** requests only if the `ResourceType` attribute of the requested retention rule is `EBS_SNAPSHOT`. This allows the principal to delete retention rules for snapshots only.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement" : [
        {
            "Effect" : "Allow",
            "Action" :[
                "rbin:DeleteRule"
            ],
            "Resource" : "*",
            "Condition" : {
                "StringEquals" : {
                    "rbin:Attribute/ResourceType" : "EBS_SNAPSHOT"
                }
            }
        }
    ]
}
```

------

# Create a Recycle Bin retention rule
<a name="recycle-bin-create-rule"></a>

When you create a retention rule, you must specify the following required parameters:
+ The resource type to protect (volumes, snapshots, or AMIs).
+ The type of retention rule (tag-level or Region-level). Tag-level rules protect only resources that have specific tags. Region-level rules protect all resources in the Region, but can exclude resources that have specific tags.
+ The retention period to retain resources after they are deleted. After this period expires, the resources are permanently deleted from the Recycle Bin. The supported retention periods are:
  + EBS volumes: 1 - 7 days
  + EBS snapshots and EBS-backed AMIs: 1 - 365 days

You can also optionally specify a rule name and description of up to 255 characters each, and tags to help you identify and organize your rules. We recommend that you do not include personally identifying, confidential, or sensitive information in the name, description, or tags.

You can also optionally lock Region-level retention rules on creation. If you lock a retention rule on creation, you must also specify the unlock delay period, which can be 7 to 30 days. Retention rules remain unlocked by default unless you explicitly lock them.

**Note**  
Retention rules function only in the Regions in which they are created. If you intend to use Recycle Bin in other Regions, you must create additional retention rules in those Regions.

You can create a Recycle Bin retention rule using one of the following methods.

------
#### [ Recycle Bin console ]

**To create a tag-level retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**, and then choose **Create retention rule**.

1. (*Optional*) For **Retention rule name**, enter a descriptive name for the retention rule.

1. (*Optional*) For **Retention rule description**, enter a brief description for the retention rule.

1. For **Resource type**, select the type of resource for the retention rule to protect. The retention rule will retain only resources of this type in the Recycle Bin.

1. For **Select the resources to retain**, choose **Retain resources that have specific tags**.

1. For **Resource tags**, enter the tag key and value pairs to use to identify the resources to retain in the Recycle Bin. Only resources of the specified type that have at least one of the specified tags will be retained by the retention rule.

1. For **Retention period**, enter the number of days to retain deleted resources in the Recycle Bin.

1. Choose **Create retention rule**.

**To create a Region-level retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**, and then choose **Create retention rule**.

1. (*Optional*) For **Retention rule name**, enter a descriptive name for the retention rule.

1. (*Optional*) For **Retention rule description**, enter a brief description for the retention rule.

1. For **Resource type**, select the type of resource for the retention rule to protect. The retention rule will retain only resources of this type in the Recycle Bin.

1. For **Select the resources to retain**, choose **Retain all resources**.

1. (*Optional*) To exclude resources that have specific tags, for **Exclusion tags**, enter up to five tag key and value pairs to use to identify the resources to exclude. Resources that have any of these tags are ignored by the retention rule.

1. For **Retention period**, enter the number of days to retain deleted resources in the Recycle Bin.

1. (*Optional*) To lock the retention rule, for **Rule lock settings**, select **Lock**, and then for **Unlock delay period**, specify the unlock delay period in days. A locked retention rule can't be modified or deleted. To modify or delete the rule, you must first unlock it and then wait for the unlock delay period to expire. For more information, see [Lock a Recycle Bin retention rule to prevent it from being updated or deleted](recycle-bin-lock.md).

   To leave the retention rule unlocked, for **Rule lock settings**, keep **Unlock** selected. An unlocked retention rule can be modified or deleted at any time.
**Note**  
You can't lock Region-level retention rules that have exclusion tags.

1. Choose **Create retention rule**.

------
#### [ AWS CLI ]

**To create a retention rule**  
Use the [create-rule](https://docs.aws.amazon.com/cli/latest/reference/rbin/create-rule.html) AWS CLI command. For `--retention-period`, specify the number of days to retain deleted resources in the Recycle Bin. For `--resource-type`, specify `EBS_VOLUME` for volumes, `EBS_SNAPSHOT` for snapshots, or `EC2_IMAGE` for AMIs. To create a tag-level retention rule, for `--resource-tags`, specify the tags to use to identify the resources that are to be retained. To create a Region-level retention rule, omit `--resource-tags`, and optionally specify `--exclude-resource-tags` to exclude resources that have specific tags. To lock a Region-level retention rule, include `--lock-configuration`, and specify the unlock delay period in days.

```
aws rbin create-rule \
--retention-period RetentionPeriodValue=number_of_days,RetentionPeriodUnit=DAYS \
--resource-type EBS_VOLUME|EBS_SNAPSHOT|EC2_IMAGE \
--description "rule_description" \
--lock-configuration 'UnlockDelay={UnlockDelayUnit=DAYS,UnlockDelayValue=unlock_delay_in_days}' \
--resource-tags ResourceTagKey=tag_key,ResourceTagValue=tag_value \
--exclude-resource-tags ResourceTagKey=tag_key,ResourceTagValue=tag_value
```

**Example 1**  
The following example command creates an unlocked Region-level retention rule that retains all deleted snapshots for a period of `7` days.

```
aws rbin create-rule \
--retention-period RetentionPeriodValue=7,RetentionPeriodUnit=DAYS \
--resource-type EBS_SNAPSHOT \
--description "Match all snapshots"
```

**Example 2**  
The following example command creates a tag-level rule that retains deleted snapshots that are tagged with `purpose=production` for a period of `7` days.

```
aws rbin create-rule \
--retention-period RetentionPeriodValue=7,RetentionPeriodUnit=DAYS \
--resource-type EBS_SNAPSHOT \
--description "Match snapshots with a specific tag" \
--resource-tags ResourceTagKey=purpose,ResourceTagValue=production
```

**Example 3**  
The following example command creates a locked Region-level retention rule that retains all deleted snapshots for a period of `7` days. The retention rule is locked with an unlock delay period of 7 days.

```
aws rbin create-rule \
--retention-period RetentionPeriodValue=7,RetentionPeriodUnit=DAYS \
--resource-type EBS_SNAPSHOT \
--description "Match all snapshots" \
--lock-configuration 'UnlockDelay={UnlockDelayUnit=DAYS,UnlockDelayValue=7}'
```

**Example 4**  
The following example command creates an unlocked Region-level retention rule that retains all deleted snapshots, except snapshots that are tagged with `purpose=testing`, for a period of `7` days.

```
aws rbin create-rule \
--retention-period RetentionPeriodValue=7,RetentionPeriodUnit=DAYS \
--resource-type EBS_SNAPSHOT \
--description "Match only production snapshots" \
--exclude-resource-tags ResourceTagKey=purpose,ResourceTagValue=testing
```

------
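
The limits stated in this section and in the considerations (retention ranges per resource type, the 7 to 30 day unlock delay, no locking of rules that have exclusion tags, snapshot retention at least as long as AMI retention) can be checked before `create-rule` is called. This Python check is an added example, not part of the AWS CLI; the proposed rules are constructed, and keying them after the CLI options shown above is an assumption about how you store them.

```python
# Limits as stated on this page.
RETENTION_DAYS = {"EBS_VOLUME": (1, 7), "EBS_SNAPSHOT": (1, 365), "EC2_IMAGE": (1, 365)}
UNLOCK_DELAY_DAYS = (7, 30)
MAX_TAG_PAIRS = 50      # default quota: tag key and value pairs per retention rule
MAX_DESCRIPTION = 255   # characters


def days_ok(block, value_key, unit_key, lo, hi):
    """True if block holds an integer number of DAYS within [lo, hi]."""
    value = block.get(value_key)
    return block.get(unit_key) == "DAYS" and isinstance(value, int) and lo <= value <= hi


def validate_rule(rule):
    """Return a list of problems for one proposed rule; an empty list means it passes."""
    rtype = rule.get("ResourceType")
    if rtype not in RETENTION_DAYS:
        return [f"unsupported ResourceType {rtype!r}"]
    problems = []
    lo, hi = RETENTION_DAYS[rtype]
    if not days_ok(rule.get("RetentionPeriod", {}),
                   "RetentionPeriodValue", "RetentionPeriodUnit", lo, hi):
        problems.append(f"retention period for {rtype} must be {lo}-{hi} days")
    tags = rule.get("ResourceTags", [])
    excluded = rule.get("ExcludeResourceTags", [])
    if len(tags) > MAX_TAG_PAIRS:
        problems.append(f"more than {MAX_TAG_PAIRS} tag key and value pairs")
    if len(rule.get("Description", "")) > MAX_DESCRIPTION:
        problems.append(f"description longer than {MAX_DESCRIPTION} characters")
    lock = rule.get("LockConfiguration")
    if lock is not None:
        if tags:
            problems.append("only Region-level rules can be locked")
        if excluded:
            problems.append("Region-level rules with exclusion tags can't be locked")
        lo, hi = UNLOCK_DELAY_DAYS
        if not days_ok(lock.get("UnlockDelay", {}),
                       "UnlockDelayValue", "UnlockDelayUnit", lo, hi):
            problems.append(f"unlock delay must be {lo}-{hi} days")
    return problems


def snapshot_rules_shorter_than_ami(rules):
    """Conservative cross-rule check: descriptions of snapshot rules whose
    retention is shorter than the longest AMI rule, which risks an AMI
    outliving its snapshots in the Recycle Bin."""
    def days(rule):
        return rule["RetentionPeriod"]["RetentionPeriodValue"]
    ami_days = [days(r) for r in rules if r["ResourceType"] == "EC2_IMAGE"]
    if not ami_days:
        return []
    longest = max(ami_days)
    return [r.get("Description", "") for r in rules
            if r["ResourceType"] == "EBS_SNAPSHOT" and days(r) < longest]


def period(n):
    return {"RetentionPeriodValue": n, "RetentionPeriodUnit": "DAYS"}


def lock(n):
    return {"UnlockDelay": {"UnlockDelayValue": n, "UnlockDelayUnit": "DAYS"}}


# Constructed proposals (not real rules).
PROPOSED = [
    {"Description": "All snapshots, locked", "ResourceType": "EBS_SNAPSHOT",
     "RetentionPeriod": period(14), "LockConfiguration": lock(7)},
    {"Description": "All AMIs", "ResourceType": "EC2_IMAGE",
     "RetentionPeriod": period(30)},
    {"Description": "Volumes two weeks", "ResourceType": "EBS_VOLUME",
     "RetentionPeriod": period(14)},
    {"Description": "Locked with exclusions", "ResourceType": "EBS_SNAPSHOT",
     "RetentionPeriod": period(7), "LockConfiguration": lock(3),
     "ExcludeResourceTags": [{"ResourceTagKey": "purpose", "ResourceTagValue": "testing"}]},
]

if __name__ == "__main__":
    for rule in PROPOSED:
        print(rule["Description"], "->", validate_rule(rule) or "ok")
    print("snapshot rules shorter than the longest AMI rule:",
          snapshot_rules_shorter_than_ami(PROPOSED))
```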

# Update an existing Recycle Bin retention rule
<a name="recycle-bin-update-rule"></a>

You can update an unlocked retention rule's description, resource tags, and retention period at any time after creation. You can't update a retention rule's resource type or unlock delay period, even if the retention rule is unlocked.

You can't update a locked retention rule in any way. If you need to modify a locked retention rule, you must first unlock it and wait for the unlock delay period to expire.

If you need to modify the unlock delay period for a locked retention rule, you must [unlock the retention rule](recycle-bin-unlock.md), and wait for the current unlock delay period to expire. When the unlock delay period has expired, you must [relock the retention rule](recycle-bin-lock.md) and specify the new unlock delay period.

**Note**  
We recommend that you do not include personally identifying, confidential, or sensitive information in the retention rule description.

After you update a retention rule, the changes only apply to new resources that it retains. The changes do not affect resources that it previously sent to the Recycle Bin. For example, if you update a retention rule's retention period, only snapshots that are deleted after the update are retained for the new retention period. Snapshots that it sent to the Recycle Bin before the update are still retained for the previous (old) retention period.

You can update a retention rule using one of the following methods.

------
#### [ Recycle Bin console ]

**To update a retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**.

1. In the grid, select the retention rule to update, and choose **Actions**, **Edit retention rule**.

1. In the **Rule details** section, update **Retention rule name** and **Retention rule description** as needed.

1. In the **Rule settings** section, update the **Resource type**, **Resource tags to match**, and **Retention period** as needed.

1. In the **Tags** section, add or remove retention rule tags as needed.

1. Choose **Save retention rule**.

------
#### [ AWS CLI ]

**To update a retention rule**  
Use the [update-rule](https://docs.aws.amazon.com/cli/latest/reference/rbin/update-rule.html) AWS CLI command. For `--identifier`, specify the ID of the retention rule to update. For `--resource-type`, specify `EBS_VOLUME` for volumes, `EBS_SNAPSHOT` for snapshots, or `EC2_IMAGE` for AMIs.

```
aws rbin update-rule \
--identifier rule_ID \
--retention-period RetentionPeriodValue=number_of_days,RetentionPeriodUnit=DAYS \
--resource-type EBS_VOLUME|EBS_SNAPSHOT|EC2_IMAGE \
--description "rule_description"
```

**Example**  
The following example command updates retention rule `6lsJ2Fa9nh9` to retain all snapshots for `7` days and updates its description.

```
aws rbin update-rule \
--identifier 6lsJ2Fa9nh9 \
--retention-period RetentionPeriodValue=7,RetentionPeriodUnit=DAYS \
--resource-type EBS_SNAPSHOT \
--description "Retain for three weeks"
```

------

# Lock a Recycle Bin retention rule to prevent it from being updated or deleted
<a name="recycle-bin-lock"></a>

Recycle Bin lets you lock Region-level retention rules at any time.

A locked retention rule can't be modified or deleted, even by users who have the required IAM permissions. Lock your retention rules to help protect them against accidental or malicious modifications and deletions.

When you lock a retention rule, you must specify an unlock delay period. This is the period of time that you must wait after unlocking the retention rule before you can modify or delete it. You cannot modify or delete the retention rule during the unlock delay period. You can modify or delete the retention rule only after the unlock delay period has expired. 

You can't change the unlock delay period after the retention rule has been locked. If your account permissions have been compromised, the unlock delay period gives you additional time to detect and respond to security threats. The length of this period should be longer than the time it takes for you to identify and respond to security breaches. To set the right duration, you can review previous security incidents and the time needed to identify and remediate an account breach.



We recommend that you use Amazon EventBridge rules to notify you of retention rule lock state changes. For more information, see [Monitor Recycle Bin using Amazon EventBridge](rbin-eventbridge.md).

**Considerations**
+ You can't lock tag-level retention rules, or Region-level retention rules that have exclusion tags.
+ You can lock an unlocked retention rule at any time.
+ The unlock delay period must be 7 to 30 days.
+ You can re-lock a retention rule during the unlock delay period. Relocking the retention rule resets the unlock delay period.

You can lock a Region-level retention rule using one of the following methods.

------
#### [ Recycle Bin console ]

**To lock a retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**.

1. In the grid, select the unlocked retention rule to lock, and choose **Actions**, **Edit retention rule lock**.

1. In the Edit retention rule lock screen, choose **Lock**, and then for **Unlock delay period**, specify the unlock delay period in days.

1. Select the **I acknowledge that locking the retention rule will prevent it from being modified or deleted** check box, and then choose **Save**.

------
#### [ AWS CLI ]

**To lock an unlocked retention rule**  
Use the [lock-rule](https://docs.aws.amazon.com/cli/latest/reference/rbin/lock-rule.html) AWS CLI command. For `--identifier`, specify the ID of the retention rule to lock. For `--lock-configuration`, specify the unlock delay period in days.

```
aws rbin lock-rule \
--identifier rule_ID \
--lock-configuration 'UnlockDelay={UnlockDelayUnit=DAYS,UnlockDelayValue=number_of_days}'
```

**Example**  
The following example command locks retention rule `6lsJ2Fa9nh9` and sets the unlock delay period to 15 days.

```
aws rbin lock-rule \
--identifier 6lsJ2Fa9nh9 \
--lock-configuration 'UnlockDelay={UnlockDelayUnit=DAYS,UnlockDelayValue=15}'
```

------

# Unlock a Recycle Bin retention rule to allow it to be updated or deleted
<a name="recycle-bin-unlock"></a>

You can't modify or delete a locked retention rule. If you need to modify a locked retention rule, you must first unlock it. After you have unlocked the retention rule, you must wait for the unlock delay period to expire before you can modify or delete it. You can't modify or delete a retention rule during the unlock delay period.

An unlocked retention rule can be modified and deleted at any time by a user who has the required IAM permissions. Leaving your retention rules unlocked could expose them to accidental or malicious modifications and deletions.

**Considerations**
+ You can re-lock a retention rule during the unlock delay period.
+ You can re-lock a retention rule after the unlock delay period has expired.
+ You can't bypass the unlock delay period.
+ You can't change the unlock delay period after the initial lock.

We recommend that you use Amazon EventBridge rules to notify you of retention rule lock state changes. For more information, see [Monitor Recycle Bin using Amazon EventBridge](rbin-eventbridge.md).

You can unlock a locked Region-level retention rule using one of the following methods.

------
#### [ Recycle Bin console ]

**To unlock a retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**.

1. In the grid, select the locked retention rule to unlock, and choose **Actions**, **Edit retention rule lock**.

1. On the Edit retention rule lock screen, choose **Unlock**, and then choose **Save**.

------
#### [ AWS CLI ]

**To unlock a locked retention rule**  
Use the [unlock-rule](https://docs.aws.amazon.com/cli/latest/reference/rbin/unlock-rule.html) AWS CLI command. For `--identifier`, specify the ID of the retention rule to unlock.

```
aws rbin unlock-rule \
--identifier rule_ID
```

**Example**  
The following example command unlocks retention rule `6lsJ2Fa9nh9`.

```
aws rbin unlock-rule \
--identifier 6lsJ2Fa9nh9
```

------
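The lock and unlock considerations above can be checked across an account's rules with a short audit. The following is an added example, not part of the AWS documentation: it runs offline over constructed data shaped like `aws rbin get-rule` responses, and the `response_days` threshold (how long your team needs to detect and respond to an account compromise) is an assumption you set yourself.

```python
import json
from datetime import datetime, timezone

# Constructed sample data, shaped like `aws rbin get-rule` responses.
SAMPLE_RULES = json.loads("""
[
  {"Identifier": "exampleRuleA", "ResourceType": "EBS_SNAPSHOT",
   "LockState": "locked",
   "LockConfiguration": {"UnlockDelay": {"UnlockDelayValue": 7, "UnlockDelayUnit": "DAYS"}}},
  {"Identifier": "exampleRuleB", "ResourceType": "EBS_VOLUME",
   "LockState": "pending_unlock", "LockEndTime": "2024-05-20T09:00:00+00:00",
   "LockConfiguration": {"UnlockDelay": {"UnlockDelayValue": 15, "UnlockDelayUnit": "DAYS"}}},
  {"Identifier": "exampleRuleC", "ResourceType": "EC2_IMAGE",
   "LockState": "unlocked"},
  {"Identifier": "exampleRuleD", "ResourceType": "EBS_SNAPSHOT",
   "ExcludeResourceTags": [{"ResourceTagKey": "purpose", "ResourceTagValue": "testing"}]}
]
""")
# Constructed "current time" so the example is reproducible.
SAMPLE_NOW = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 timestamp; accept the 'Z' suffix some outputs use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_rule(rule, response_days, now):
    """Return a list of (code, detail) findings for one retention rule."""
    # Tag-level rules and Region-level rules with exclusion tags can't be locked.
    if rule.get("ResourceTags") or rule.get("ExcludeResourceTags"):
        return [("NOT_LOCKABLE",
                 "tag-level rule or exclusion tags; locking is not available")]

    findings = []
    state = rule.get("LockState") or "unlocked"
    if state == "unlocked":
        findings.append(("UNLOCKED",
                         "can be modified or deleted by anyone with the IAM permissions"))
    elif state == "pending_unlock":
        # The rule stays protected until LockEndTime; re-locking resets the delay.
        left = parse_ts(rule["LockEndTime"]) - now
        findings.append(("PENDING_UNLOCK",
                         f"modifiable in {left.days} days; re-lock if the unlock was not authorized"))

    if state in ("locked", "pending_unlock"):
        delay = rule["LockConfiguration"]["UnlockDelay"]["UnlockDelayValue"]
        if delay < response_days:
            # The delay can't be changed in place: unlock, wait, then relock.
            findings.append(("DELAY_SHORTER_THAN_RESPONSE",
                             f"unlock delay of {delay} days is below the {response_days}-day response time"))
    return findings


def audit_rules(rules, response_days, now):
    """Map each rule ID to the list of finding codes raised for it."""
    return {
        rule["Identifier"]: [code for code, _ in audit_rule(rule, response_days, now)]
        for rule in rules
    }


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for code, detail in audit_rule(rule, response_days=14, now=SAMPLE_NOW):
            print(f'{rule["Identifier"]:<14} {rule["ResourceType"]:<13} {code}: {detail}')
```

A locked rule whose unlock delay meets the threshold produces no findings.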

# Tag a Recycle Bin retention rule
<a name="recycle-bin-tag-resource"></a>

You can assign custom tags to your retention rules to categorize them in different ways, for example, by purpose, owner, or environment. This helps you to efficiently find a specific retention rule based on the custom tags that you assigned.

You can assign a tag to a retention rule using one of the following methods.

------
#### [ Recycle Bin console ]

**To tag a retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**.

1. Select the retention rule to tag, choose the **Tags** tab, and then choose **Manage tags**.

1. Choose **Add tag**. For **Key**, enter the tag key. For **Value**, enter the tag value.

1. Choose **Save**.

------
#### [ AWS CLI ]

**To tag a retention rule**  
Use the [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/rbin/tag-resource.html) AWS CLI command. For `--resource-arn`, specify the Amazon Resource Name (ARN) of the retention rule to tag, and for `--tags`, specify the tag key and value pair.

```
aws rbin tag-resource \
--resource-arn retention_rule_arn \
--tags key=tag_key,value=tag_value
```

**Example**  
The following example command tags retention rule `arn:aws:rbin:us-east-1:123456789012:rule/nOoSBBtItF3` with tag `purpose=production`.

```
aws rbin tag-resource \
--resource-arn arn:aws:rbin:us-east-1:123456789012:rule/nOoSBBtItF3 \
--tags key=purpose,value=production
```

------

## View retention rule tags
<a name="recycle-bin-view-resource-tag"></a>

You can view the tags assigned to a retention rule using one of the following methods.

------
#### [ Recycle Bin console ]

**To view tags for a retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**.

1. Select the retention rule for which to view the tags, and choose the **Tags** tab.

------
#### [ AWS CLI ]

**To view the tags assigned to a retention rule**  
Use the [list-tags-for-resource](https://docs.aws.amazon.com/cli/latest/reference/rbin/list-tags-for-resource.html) AWS CLI command. For `--resource-arn`, specify the ARN of the retention rule.

```
aws rbin list-tags-for-resource \
--resource-arn retention_rule_arn
```

**Example**  
The following example command lists the tags for retention rule `arn:aws:rbin:us-east-1:123456789012:rule/nOoSBBtItF3`.

```
aws rbin list-tags-for-resource \
--resource-arn arn:aws:rbin:us-east-1:123456789012:rule/nOoSBBtItF3
```

------

## Remove tags from retention rules
<a name="recycle-bin-untag-resource"></a>

You can remove tags from a retention rule using one of the following methods.

------
#### [ Recycle Bin console ]

**To remove a tag from a retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**.

1. Select the retention rule from which to remove the tag, choose the **Tags** tab, and then choose **Manage tags**.

1. Choose **Remove** next to the tag to remove.

1. Choose **Save**.

------
#### [ AWS CLI ]

**To remove a tag from a retention rule**  
Use the [untag-resource](https://docs.aws.amazon.com/cli/latest/reference/rbin/untag-resource.html) AWS CLI command. For `--resource-arn`, specify the ARN of the retention rule. For `--tag-keys`, specify the tag keys of the tags to remove.

```
aws rbin untag-resource \
--resource-arn retention_rule_arn \
--tag-keys tag_key
```

**Example**  
The following example command removes tags that have a tag key of `purpose` from retention rule `arn:aws:rbin:us-east-1:123456789012:rule/nOoSBBtItF3`.

```
aws rbin untag-resource \
--resource-arn arn:aws:rbin:us-east-1:123456789012:rule/nOoSBBtItF3 \
--tag-keys purpose
```

------

# Delete a Recycle Bin retention rule to stop it from retaining resources
<a name="recycle-bin-delete-rule"></a>

You can delete a retention rule at any time. When you delete a retention rule, it no longer retains new resources in the Recycle Bin after they have been deleted. Resources that were sent to the Recycle Bin before the retention rule was deleted continue to be retained in the Recycle Bin according to the retention period defined in the retention rule. When the period expires, the resource is permanently deleted from the Recycle Bin.

You can delete a retention rule using one of the following methods.

------
#### [ Recycle Bin console ]

**To delete a retention rule**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Retention rules**.

1. In the grid, select the retention rule to delete, and choose **Actions**, **Delete retention rule**.

1. When prompted, enter the confirmation message and choose **Delete retention rule**.

------
#### [ AWS CLI ]

**To delete a retention rule**  
Use the [delete-rule](https://docs.aws.amazon.com/cli/latest/reference/rbin/delete-rule.html) AWS CLI command. For `--identifier`, specify the ID of the retention rule to delete.

```
aws rbin delete-rule --identifier rule_ID
```

**Example**  
The following example command deletes retention rule `6lsJ2Fa9nh9`.

```
aws rbin delete-rule --identifier 6lsJ2Fa9nh9
```

------

# Recover deleted snapshots from the Recycle Bin
<a name="recycle-bin-working-with-snaps"></a>

This topic explains how to recover Amazon EBS snapshots from the Recycle Bin.

**Topics**
+ [Permissions for working with snapshots in the Recycle Bin](#snap-perms)
+ [View snapshots in the Recycle Bin](#recycle-bin-view-snaps)
+ [Restore snapshots from the Recycle Bin](#recycle-bin-restore-snaps)

## Permissions for working with snapshots in the Recycle Bin
<a name="snap-perms"></a>

By default, users don't have permission to work with snapshots that are in the Recycle Bin. To allow users to work with these resources, you must create IAM policies that grant permission to use specific resources and API actions. After the policies are created, you must add permissions to your users, groups, or roles.

To view and recover snapshots that are in the Recycle Bin, users must have the following permissions:
+ `ec2:ListSnapshotsInRecycleBin`
+ `ec2:RestoreSnapshotFromRecycleBin`

To manage tags for snapshots in the Recycle Bin, users need the following additional permissions.
+ `ec2:CreateTags`
+ `ec2:DeleteTags`

To use the Recycle Bin console, users need the `ec2:DescribeTags` permission.

The following is an example IAM policy. It includes the `ec2:DescribeTags` permission for console users, and it includes the `ec2:CreateTags` and `ec2:DeleteTags` permissions for managing tags. If the permissions are not needed, you can remove them from the policy.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

For more information about the permissions needed to use Recycle Bin, see [Permissions for working with Recycle Bin and retention rules](recycle-bin-perms.md#rule-perms).

## View snapshots in the Recycle Bin
<a name="recycle-bin-view-snaps"></a>

While a snapshot is in the Recycle Bin, you can view limited information about it, including:
+ The ID of the snapshot.
+ The snapshot description.
+ The ID of the volume from which the snapshot was created.
+ The date and time when the snapshot was deleted and entered the Recycle Bin.
+ The date and time when the retention period expires. The snapshot will be permanently deleted from the Recycle Bin at this time.

You can view the snapshots in the Recycle Bin using one of the following methods.

------
#### [ Recycle Bin console ]

**To view snapshots in the Recycle Bin using the console**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Recycle Bin**.

1. The grid lists all of the snapshots that are currently in the Recycle Bin. To view the details for a specific snapshot, select it in the grid and choose **Actions**, **View details**.

------
#### [ AWS CLI ]

**To view snapshots in the Recycle Bin using the AWS CLI**  
Use the [list-snapshots-in-recycle-bin](https://docs.aws.amazon.com/cli/latest/reference/ec2/list-snapshots-in-recycle-bin.html) AWS CLI command. Include the `--snapshot-id` option to view a specific snapshot. Or omit the `--snapshot-id` option to view all snapshots in the Recycle Bin.

```
aws ec2 list-snapshots-in-recycle-bin --snapshot-id snapshot_id
```

For example, the following command provides information about snapshot `snap-01234567890abcdef` in the Recycle Bin.

```
aws ec2 list-snapshots-in-recycle-bin --snapshot-id snap-01234567890abcdef
```

Example output:

```
{
    "SnapshotRecycleBinInfo": [
        {
            "Description": "Monthly data backup snapshot",
            "RecycleBinEnterTime": "2021-12-01T13:00:00.000Z",
            "RecycleBinExitTime": "2021-12-15T13:00:00.000Z",
            "VolumeId": "vol-abcdef09876543210",
            "SnapshotId": "snap-01234567890abcdef"
        }
    ]
}
```

------

## Restore snapshots from the Recycle Bin
<a name="recycle-bin-restore-snaps"></a>

You can't use a snapshot in any way while it is in the Recycle Bin. To use the snapshot, you must first restore it. When you restore a snapshot from the Recycle Bin, the snapshot is immediately available for use, and it is removed from the Recycle Bin. You can use a restored snapshot in the same way that you use any other snapshot in your account.

You can restore a snapshot from the Recycle Bin using one of the following methods.

------
#### [ Recycle Bin console ]

**To restore a snapshot from the Recycle Bin using the console**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Recycle Bin**.

1. The grid lists all of the snapshots that are currently in the Recycle Bin. Select the snapshot to restore and choose **Recover**.

1. When prompted, choose **Recover**.

------
#### [ AWS CLI ]

**To restore a deleted snapshot from the Recycle Bin using the AWS CLI**  
Use the [restore-snapshot-from-recycle-bin](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-snapshot-from-recycle-bin.html) AWS CLI command. For `--snapshot-id`, specify the ID of the snapshot to restore.

```
aws ec2 restore-snapshot-from-recycle-bin --snapshot-id snapshot_id
```

For example, the following command restores snapshot `snap-01234567890abcdef` from the Recycle Bin.

```
aws ec2 restore-snapshot-from-recycle-bin --snapshot-id snap-01234567890abcdef
```

Example output:

```
{
    "SnapshotId": "snap-01234567890abcdef",
    "Description": "Monthly data backup snapshot",
    "Encrypted": false,
    "OwnerId": "111122223333",
    "Progress": "100%",
    "StartTime": "2021-12-01T13:00:00.000000+00:00",
    "State": "recovering",
    "VolumeId": "vol-ffffffff",
    "VolumeSize": 30
}
```

------

# Recover deleted volumes from the Recycle Bin
<a name="recycle-bin-working-with-volumes"></a>

This topic explains how to recover Amazon EBS volumes from the Recycle Bin.

**Topics**
+ [Permissions for working with volumes in the Recycle Bin](#volume-perms)
+ [View volumes in the Recycle Bin](#recycle-bin-view-volumes)
+ [Restore volumes from the Recycle Bin](#recycle-bin-restore-volumes)

## Permissions for working with volumes in the Recycle Bin
<a name="volume-perms"></a>

By default, users don't have permission to work with volumes that are in the Recycle Bin. To allow users to work with these resources, you must create IAM policies that grant permission to use specific resources and API actions. After the policies are created, you must add permissions to your users, groups, or roles.

To view and recover volumes that are in the Recycle Bin, users must have the following permissions:
+ `ec2:ListVolumesInRecycleBin`
+ `ec2:RestoreVolumeFromRecycleBin`

To manage tags for volumes in the Recycle Bin, users need the following additional permissions.
+ `ec2:CreateTags`
+ `ec2:DeleteTags`

To use the Recycle Bin console, users need the `ec2:DescribeTags` permission.

The following is an example IAM policy. It includes the `ec2:DescribeTags` permission for console users, and it includes the `ec2:CreateTags` and `ec2:DeleteTags` permissions for managing tags. If the permissions are not needed, you can remove them from the policy.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRecycleBinVolumeOperations",
      "Effect": "Allow",
      "Action": [
        "ec2:ListVolumesInRecycleBin",
        "ec2:RestoreVolumeFromRecycleBin"
      ],
      "Resource": "arn:aws:ec2:*:123456789012:volume/*"
    },
    {
      "Sid": "AllowVolumeTagOperations",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeTags"
      ],
      "Resource": "arn:aws:ec2:*:123456789012:volume/*"
    }
  ]
}
```

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

For more information about the permissions needed to use Recycle Bin, see [Permissions for working with Recycle Bin and retention rules](recycle-bin-perms.md#rule-perms).

## View volumes in the Recycle Bin
<a name="recycle-bin-view-volumes"></a>

While a volume is in the Recycle Bin, you can view limited information about it, including:
+ The ID of the volume.
+ The size of the volume.
+ The volume type.
+ The date and time when the volume was deleted and entered the Recycle Bin.
+ The date and time when the retention period expires. The volume will be permanently deleted from the Recycle Bin at this time.

You can view the volumes in the Recycle Bin using one of the following methods.

------
#### [ Recycle Bin console ]

**To view volumes in the Recycle Bin using the console**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Recycle Bin**.

1. The grid lists all of the volumes that are currently in the Recycle Bin. To view the details for a specific volume, select it in the grid and choose **Actions**, **View details**.

------
#### [ AWS CLI ]

**To view volumes in the Recycle Bin using the AWS CLI**  
Use the [list-volumes-in-recycle-bin](https://docs.aws.amazon.com/cli/latest/reference/ec2/list-volumes-in-recycle-bin.html) AWS CLI command. Include the `--volume-id` option to view a specific volume. Or omit the `--volume-id` option to view all volumes in the Recycle Bin.

```
aws ec2 list-volumes-in-recycle-bin --volume-id volume_id
```

For example, the following command provides information about volume `vol-01234567890abcdef` in the Recycle Bin.

```
aws ec2 list-volumes-in-recycle-bin --volume-id vol-01234567890abcdef
```

Example output:

```
{
    "VolumeRecycleBinInfo": [
        {
            "VolumeId": "vol-01234567890abcdef",
            "RecycleBinEnterTime": "2021-12-01T13:00:00.000Z",
            "RecycleBinExitTime": "2021-12-08T13:00:00.000Z"
        }
    ]
}
```

------

## Restore volumes from the Recycle Bin
<a name="recycle-bin-restore-volumes"></a>

You can't use a volume in any way while it is in the Recycle Bin. To use the volume, you must first restore it. When you restore a volume from the Recycle Bin, the volume is immediately available for use, and it is removed from the Recycle Bin. You can use a restored volume in the same way that you use any other volume in your account.

You can restore a volume from the Recycle Bin using one of the following methods.

------
#### [ Recycle Bin console ]

**To restore a volume from the Recycle Bin using the console**

1. Open the Recycle Bin console at [https://console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/)

1. In the navigation pane, choose **Recycle Bin**.

1. The grid lists all of the volumes that are currently in the Recycle Bin. Select the volume to restore and choose **Recover**.

1. When prompted, choose **Recover**.

------
#### [ AWS CLI ]

**To restore a deleted volume from the Recycle Bin using the AWS CLI**  
Use the [restore-volume-from-recycle-bin](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-volume-from-recycle-bin.html) AWS CLI command. For `--volume-id`, specify the ID of the volume to restore.

```
aws ec2 restore-volume-from-recycle-bin --volume-id volume_id
```

For example, the following command restores volume `vol-01234567890abcdef` from the Recycle Bin.

```
aws ec2 restore-volume-from-recycle-bin --volume-id vol-01234567890abcdef
```

Example output:

```
{
    "VolumeId": "vol-01234567890abcdef",
    "State": "available",
    "Size": 100,
    "VolumeType": "gp3",
    "AvailabilityZone": "us-east-1a",
    "CreateTime": "2021-12-01T13:00:00.000000+00:00",
    "Encrypted": false
}
```

------

# Recover deleted AMIs from the Recycle Bin
<a name="recycle-bin-working-with-amis"></a>

This topic explains how to recover Amazon EBS-backed AMIs from the Recycle Bin.

**Topics**
+ [Permissions for working with AMIs in the Recycle Bin](#ami-perms)
+ [View AMIs in the Recycle Bin](#recycle-bin-view-ami)
+ [Restore AMIs from the Recycle Bin](#recycle-bin-restore-ami)

## Permissions for working with AMIs in the Recycle Bin
<a name="ami-perms"></a>

By default, users don't have permission to work with AMIs that are in the Recycle Bin. To allow users to work with these resources, you must create IAM policies that grant permission to use specific resources and API actions. After the policies are created, you must add permissions to your users, groups, or roles.

To view and recover AMIs that are in the Recycle Bin, users must have the following permissions:
+ `ec2:ListImagesInRecycleBin`
+ `ec2:RestoreImageFromRecycleBin`

To manage tags for AMIs in the Recycle Bin, users need the following additional permissions.
+ `ec2:CreateTags`
+ `ec2:DeleteTags`

To use the Recycle Bin console, users need the `ec2:DescribeTags` permission.

The following is an example IAM policy. It includes the `ec2:DescribeTags` permission for console users, and it includes the `ec2:CreateTags` and `ec2:DeleteTags` permissions for managing tags. If the permissions are not needed, you can remove them from the policy.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

For more information about the permissions needed to use Recycle Bin, see [Permissions for working with Recycle Bin and retention rules](recycle-bin-perms.md#rule-perms).

## View AMIs in the Recycle Bin
<a name="recycle-bin-view-ami"></a>

While an AMI is in the Recycle Bin, you can view limited information about it, including:
+ The name, description, and unique ID of the AMI.
+ The date and time when the AMI was deleted and entered the Recycle Bin.
+ The date and time when the retention period expires. The AMI will be permanently deleted at this time.

You can view the AMIs in the Recycle Bin using one of the following methods.

------
#### [ Recycle Bin console ]

**To view deleted AMIs in the Recycle Bin using the console**

1. Open the Recycle Bin console at [console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/).

1. In the navigation pane, choose **Recycle Bin**.

1. The grid lists all of the resources that are currently in the Recycle Bin. To view the details for a specific AMI, select it in the grid, and choose **Actions**, **View details**.

------
#### [ AWS CLI ]

**To view deleted AMIs in the Recycle Bin using the AWS CLI**  
Use the [list-images-in-recycle-bin](https://docs.aws.amazon.com/cli/latest/reference/ec2/list-images-in-recycle-bin.html) AWS CLI command. To view specific AMIs, include the `--image-id` option and specify the IDs of the AMIs to view. You can specify up to 20 IDs in a single request.

To view all of the AMIs in the Recycle Bin, omit the `--image-id` option. If you do not specify a value for `--max-items`, the command returns 1,000 items per page, by default. For more information, see [Pagination](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html#api-pagination) in the *Amazon EC2 API Reference*.

```
aws ec2 list-images-in-recycle-bin --image-id ami_id
```

For example, the following command provides information about AMI `ami-01234567890abcdef` in the Recycle Bin.

```
aws ec2 list-images-in-recycle-bin --image-id ami-01234567890abcdef
```

Example output:

```
{
    "Images": [
        {
            "ImageId": "ami-0f740206c743d75df",
            "Name": "My AL2 AMI",
            "Description": "My Amazon Linux 2 AMI",
            "RecycleBinEnterTime": "2021-11-26T21:04:50+00:00",
            "RecycleBinExitTime": "2022-03-06T21:04:50+00:00"
        }
    ]
}
```

**Important**  
If you receive the following error, you might need to update your AWS CLI version. For more information, see [Command not found errors](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-install-not-found).

```
aws.exe: error: argument operation: Invalid choice, valid choices are: ...
```

------

## Restore AMIs from the Recycle Bin
<a name="recycle-bin-restore-ami"></a>

You can't use an AMI in any way while it is in the Recycle Bin. To use the AMI, you must first restore it. When you restore an AMI from the Recycle Bin, the AMI is immediately available for use, and it is removed from the Recycle Bin. You can use a restored AMI in the same way that you use any other AMI in your account.

You can restore an AMI from the Recycle Bin using one of the following methods.

------
#### [ Recycle Bin console ]

**To restore an AMI from the Recycle Bin using the console**

1. Open the Recycle Bin console at [console.aws.amazon.com/rbin/home/](https://console.aws.amazon.com/rbin/home/).

1. In the navigation pane, choose **Recycle Bin**.

1. The grid lists all of the resources that are currently in the Recycle Bin. Select the AMI to restore, and choose **Recover**.

1. When prompted, choose **Recover**.

------
#### [ AWS CLI ]

**To restore a deleted AMI from the Recycle Bin using the AWS CLI**  
Use the [restore-image-from-recycle-bin](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-image-from-recycle-bin.html) AWS CLI command. For `--image-id`, specify the ID of the AMI to restore.

```
aws ec2 restore-image-from-recycle-bin --image-id ami_id
```

For example, the following command restores AMI `ami-01234567890abcdef` from the Recycle Bin.

```
aws ec2 restore-image-from-recycle-bin --image-id ami-01234567890abcdef
```

The command returns no output on success.

**Important**  
If you receive the following error, you might need to update your AWS CLI version. For more information, see [Command not found errors](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-install-not-found).

```
aws.exe: error: argument operation: Invalid choice, valid choices are: ...
```

------

# Monitor Recycle Bin using Amazon EventBridge
<a name="rbin-eventbridge"></a>

Recycle Bin sends events to Amazon EventBridge for actions performed on retention rules. With EventBridge, you can establish rules that initiate programmatic actions in response to these events. For example, you can create an EventBridge rule that sends a notification to your email when a retention rule is unlocked and it enters its unlock delay period. For more information, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html).

Events in EventBridge are represented as JSON objects. The fields that are unique to the event are contained in the `detail` section of the JSON object. The `event` field contains the event name. The `result` field contains the completed status of the action that initiated the event. For more information, see [Amazon EventBridge event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html) in the *Amazon EventBridge User Guide*.

For more information about Amazon EventBridge, see [What Is Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) in the *Amazon EventBridge User Guide*.

**Topics**
+ [RuleLocked](#RuleLocked)
+ [RuleChangeAttempted](#RuleChangeAttempted)
+ [RuleUnlockScheduled](#RuleUnlockScheduled)
+ [RuleUnlockingNotice](#RuleUnlockingNotice)
+ [RuleUnlocked](#RuleUnlocked)

## RuleLocked
<a name="RuleLocked"></a>

The following is an example of an event that Recycle Bin generates when a retention rule is successfully locked. This event can be generated by **CreateRule** and **LockRule** requests. The API that generated the event is noted in the `api-name` field.

```
{
    "version": "0",
    "id": "exampleb-b491-4cf7-a9f1-bf370example",
    "detail-type": "Recycle Bin Rule Locked",
    "source": "aws.rbin",
    "account": "123456789012",
    "time": "2022-08-10T16:37:50Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:rbin:us-west-2:123456789012:rule/a12345abcde"
    ],
    "detail": {
        "detail-version": " 1.0.0",
        "rule-id": "a12345abcde",
        "rule-description": "locked account level rule",
        "unlock-delay-period": "30 days",
        "api-name": "CreateRule"
    }
}
```

## RuleChangeAttempted
<a name="RuleChangeAttempted"></a>

The following is an example of an event that Recycle Bin generates for unsuccessful attempts to modify or delete a locked rule. This event can be generated by **DeleteRule** and **UpdateRule** requests. The API that generated the event is noted in the `api-name` field.

```
{
    "version": "0",
    "id": "exampleb-b491-4cf7-a9f1-bf370example",
    "detail-type": "Recycle Bin Rule Change Attempted",
    "source": "aws.rbin",
    "account": "123456789012",
    "time": "2022-08-10T16:37:50Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:rbin:us-west-2:123456789012:rule/a12345abcde"
    ],
    "detail": {
        "detail-version": " 1.0.0",
        "rule-id": "a12345abcde",
        "rule-description": "locked account level rule",
        "unlock-delay-period": "30 days",
        "api-name": "DeleteRule"
    }
}
```

## RuleUnlockScheduled
<a name="RuleUnlockScheduled"></a>

The following is an example of an event that Recycle Bin generates when a retention rule is unlocked and it starts its unlock delay period.

```
{
    "version": "0",
    "id": "exampleb-b491-4cf7-a9f1-bf370example",
    "detail-type": "Recycle Bin Rule Unlock Scheduled",
    "source": "aws.rbin",
    "account": "123456789012",
    "time": "2022-08-10T16:37:50Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:rbin:us-west-2:123456789012:rule/a12345abcde"
    ],
    "detail": {
        "detail-version": " 1.0.0",
        "rule-id": "a12345abcde",
        "rule-description": "locked account level rule",
        "unlock-delay-period": "30 days",
        "scheduled-unlock-time": "2022-09-10T16:37:50Z"
    }
}
```

## RuleUnlockingNotice
<a name="RuleUnlockingNotice"></a>

The following is an example of an event that Recycle Bin generates daily while a retention rule is in its unlock delay period, until the day before the unlock delay period expires.

```
{
    "version": "0",
    "id": "exampleb-b491-4cf7-a9f1-bf370example",
    "detail-type": "Recycle Bin Rule Unlocking Notice",
    "source": "aws.rbin",
    "account": "123456789012",
    "time": "2022-08-10T16:37:50Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:rbin:us-west-2:123456789012:rule/a12345abcde"
    ],
    "detail": {
        "detail-version": " 1.0.0",
        "rule-id": "a12345abcde",
        "rule-description": "locked account level rule",
        "unlock-delay-period": "30 days",
        "scheduled-unlock-time": "2022-09-10T16:37:50Z"
    }
}
```

## RuleUnlocked
<a name="RuleUnlocked"></a>

The following is an example of an event that Recycle Bin generates when the unlock delay period for a retention rule expires and the retention rule can be modified or deleted.

```
{
    "version": "0",
    "id": "exampleb-b491-4cf7-a9f1-bf370example",
    "detail-type": "Recycle Bin Rule Unlocked",
    "source": "aws.rbin",
    "account": "123456789012",
    "time": "2022-08-10T16:37:50Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:rbin:us-west-2:123456789012:rule/a12345abcde"
    ],
    "detail": {
        "detail-version": " 1.0.0",
        "rule-id": "a12345abcde",
        "rule-description": "locked account level rule",
        "unlock-delay-period": "30 days",
        "scheduled-unlock-time": "2022-09-10T16:37:50Z"
    }
}
```
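
The five event types above can be selected with one event pattern and triaged by `detail-type`. The following is an added example, not AWS code: the pattern and field names come from the sample events on this page, while the severity labels, function names and sample events are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Event pattern (the JSON attached to an EventBridge rule) that selects every
# retention-rule lock event documented on this page.
EVENT_PATTERN = {
    "source": ["aws.rbin"],
    "detail-type": [
        "Recycle Bin Rule Locked",
        "Recycle Bin Rule Change Attempted",
        "Recycle Bin Rule Unlock Scheduled",
        "Recycle Bin Rule Unlocking Notice",
        "Recycle Bin Rule Unlocked",
    ],
}

# Assumed severity per detail-type; tune to your own alerting policy.
SEVERITY = {
    "Recycle Bin Rule Locked": "info",
    "Recycle Bin Rule Change Attempted": "high",
    "Recycle Bin Rule Unlock Scheduled": "high",
    "Recycle Bin Rule Unlocking Notice": "medium",
    "Recycle Bin Rule Unlocked": "critical",
}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Exact-match subset of EventBridge pattern syntax: each key must be
    present and its value must be one of the listed strings."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(event):
    """Return a finding for a Recycle Bin lock event, or None for any other event."""
    if not matches_pattern(event):
        return None
    detail = event.get("detail") or {}
    finding = {
        "severity": SEVERITY[event["detail-type"]],
        "detail_type": event["detail-type"],
        "rule_id": detail.get("rule-id"),
        "rule_arns": list(event.get("resources", [])),
        "api_name": detail.get("api-name"),  # set on Locked / Change Attempted
        "days_until_unlock": None,
    }
    unlock_at = detail.get("scheduled-unlock-time")
    still_pending = event["detail-type"] != "Recycle Bin Rule Unlocked"
    if unlock_at and event.get("time") and still_pending:
        remaining = parse_utc(unlock_at) - parse_utc(event["time"])
        finding["days_until_unlock"] = max(remaining.days, 0)
    return finding


def sample_event(detail_type, time, **extra):
    """Constructed event shaped like the samples on this page."""
    detail = {"rule-id": "a12345abcde", "unlock-delay-period": "30 days"}
    detail.update({key.replace("_", "-"): value for key, value in extra.items()})
    return {
        "version": "0",
        "detail-type": detail_type,
        "source": "aws.rbin",
        "account": "123456789012",
        "time": time,
        "region": "us-west-2",
        "resources": ["arn:aws:rbin:us-west-2:123456789012:rule/a12345abcde"],
        "detail": detail,
    }


UNLOCK_AT = "2022-09-10T16:37:50Z"
SAMPLE_EVENTS = [  # constructed for this example
    sample_event("Recycle Bin Rule Locked", "2022-08-01T09:00:00Z", api_name="LockRule"),
    sample_event("Recycle Bin Rule Change Attempted", "2022-08-05T11:20:00Z", api_name="DeleteRule"),
    sample_event("Recycle Bin Rule Unlock Scheduled", "2022-08-10T16:37:50Z", scheduled_unlock_time=UNLOCK_AT),
    sample_event("Recycle Bin Rule Unlocking Notice", "2022-09-08T16:37:50Z", scheduled_unlock_time=UNLOCK_AT),
    sample_event("Recycle Bin Rule Unlocked", UNLOCK_AT, scheduled_unlock_time=UNLOCK_AT),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "time": "2022-08-10T16:40:00Z", "detail": {}},
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(json.dumps(triage(sample)))
```

The `days_until_unlock` value is the window in which a rule that was unlocked by mistake, or without authorization, can still be re-locked before it becomes modifiable.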

# Monitor Recycle Bin using AWS CloudTrail
<a name="recycle-bin-ct"></a>

The Recycle Bin service is integrated with AWS CloudTrail. CloudTrail is a service that provides a record of actions taken by a user, role, or an AWS service. CloudTrail captures all API calls performed in Recycle Bin as events. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon Simple Storage Service (Amazon S3) bucket. If you don't configure a trail, you can still view the most recent management events in the CloudTrail console in **Event history**. You can use the information collected by CloudTrail to determine the request that was made to Recycle Bin, the IP address from which the request was made, who made the request, when it was made, and additional details.

For more information about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

## Recycle Bin information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When supported event activity occurs in Recycle Bin, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).

For an ongoing record of events in your AWS account, including events for Recycle Bin, create a trail. A *trail* enables CloudTrail to deliver log files to an S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) in the *AWS CloudTrail User Guide*.

### Supported API actions
<a name="supported-actions"></a>

For Recycle Bin, you can use CloudTrail to log the following API actions as *management events.*
+ CreateRule
+ UpdateRule
+ GetRule
+ ListRules
+ DeleteRule
+ TagResource
+ UntagResource
+ ListTagsForResource
+ LockRule
+ UnlockRule

For more information about logging management events, see [Logging management events for trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) in the *CloudTrail User Guide*.

### Identity information
<a name="identity-information"></a>

Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root user or user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## Understand Recycle Bin log file entries
<a name="understanding-rbin-entries"></a>

A trail is a configuration that enables delivery of events as log files to an S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

The following are example CloudTrail log entries.

------
#### [ CreateRule ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "mfaAuthenticated": "false",
	    "creationDate": "2021-08-02T21:43:38Z"
	  }
	}
	},
	"eventTime": "2021-08-02T21:45:22Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "CreateRule",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9",
	"requestParameters": {
	"retentionPeriod": {
	  "retentionPeriodValue": 7,
	  "retentionPeriodUnit": "DAYS"
	},
	"description": "Match all snapshots",
	"resourceType": "EBS_SNAPSHOT"
	},
	"responseElements": {
	"identifier": "jkrnexample"
	},
	"requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample",
	"eventID": "714fafex-2eam-42pl-913e-926d4example",
	"readOnly": false,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"eventCategory": "Management",
	"recipientAccountId": "123456789012",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ GetRule ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "mfaAuthenticated": "false",
	    "creationDate": "2021-08-02T21:43:38Z"
	  }
	}
	},
	"eventTime": "2021-08-02T21:45:33Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "GetRule",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9",
	"requestParameters": {
	"identifier": "jkrnexample"
	},
	"responseElements": null,
	"requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample",
	"eventID": "714fafex-2eam-42pl-913e-926d4example",
	"readOnly": true,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"eventCategory": "Management",
	"recipientAccountId": "123456789012",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ ListRules ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "mfaAuthenticated": "false",
	    "creationDate": "2021-08-02T21:43:38Z"
	  }
	}
	},
	"eventTime": "2021-08-02T21:44:37Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "ListRules",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9",
	"requestParameters": {
	"resourceTags": [
	  {
	    "resourceTagKey": "test",
	    "resourceTagValue": "test"
	  }
	]
	},
	"responseElements": null,
	"requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample",
	"eventID": "714fafex-2eam-42pl-913e-926d4example",
	"readOnly": true,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"eventCategory": "Management",
	"recipientAccountId": "123456789012",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ UpdateRule ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "mfaAuthenticated": "false",
	    "creationDate": "2021-08-02T21:43:38Z"
	  }
	}
	},
	"eventTime": "2021-08-02T21:46:03Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "UpdateRule",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9",
	"requestParameters": {
	"identifier": "jkrnexample",
	"retentionPeriod": {
	  "retentionPeriodValue": 365,
	  "retentionPeriodUnit": "DAYS"
	},
	"description": "Match all snapshots",
	"resourceType": "EBS_SNAPSHOT"
	},
	"responseElements": null,
	"requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample",
	"eventID": "714fafex-2eam-42pl-913e-926d4example",
	"readOnly": false,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"eventCategory": "Management",
	"recipientAccountId": "123456789012",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ DeleteRule ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "mfaAuthenticated": "false",
	    "creationDate": "2021-08-02T21:43:38Z"
	  }
	}
	},
	"eventTime": "2021-08-02T21:46:25Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "DeleteRule",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "aws-cli/1.20.9 Python/3.6.14 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 botocore/1.21.9",
	"requestParameters": {
	"identifier": "jkrnexample"
	},
	"responseElements": null,
	"requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample",
	"eventID": "714fafex-2eam-42pl-913e-926d4example",
	"readOnly": false,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"eventCategory": "Management",
	"recipientAccountId": "123456789012",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ TagResource ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "mfaAuthenticated": "false",
	    "creationDate": "2021-10-22T21:38:34Z"
	  }
	}
	},
	"eventTime": "2021-10-22T21:43:15Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "TagResource",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "aws-cli/1.20.26 Python/3.6.14 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 botocore/1.21.26",
	"requestParameters": {
	"resourceArn": "arn:aws:rbin:us-west-2:123456789012:rule/ABCDEF01234",
	"tags": [
	  {
	    "key": "purpose",
	    "value": "production"
	  }
	]
	},
	"responseElements": null,
	"requestID": "examplee-7962-49ec-8633-795efexample",
	"eventID": "example4-6826-4c0a-bdec-0bab1example",
	"readOnly": false,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"eventCategory": "Management",
	"recipientAccountId": "123456789012",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ UntagResource ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "mfaAuthenticated": "false",
	    "creationDate": "2021-10-22T21:38:34Z"
	  }
	}
	},
	"eventTime": "2021-10-22T21:44:16Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "UntagResource",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "aws-cli/1.20.26 Python/3.6.14 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 botocore/1.21.26",
	"requestParameters": {
	"resourceArn": "arn:aws:rbin:us-west-2:123456789012:rule/ABCDEF01234",
	"tagKeys": [
	  "purpose"
	]
	},
	"responseElements": null,
	"requestID": "example7-6c1e-4f09-9e46-bb957example",
	"eventID": "example6-75ff-4c94-a1cd-4d5f5example",
	"readOnly": false,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"eventCategory": "Management",
	"recipientAccountId": "123456789012",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ ListTagsForResource ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "mfaAuthenticated": "false",
	    "creationDate": "2021-10-22T21:38:34Z"
	  }
	}
	},
	"eventTime": "2021-10-22T21:42:31Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "ListTagsForResource",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "aws-cli/1.20.26 Python/3.6.14 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 botocore/1.21.26",
	"requestParameters": {
	"resourceArn": "arn:aws:rbin:us-west-2:123456789012:rule/ABCDEF01234"
	},
	"responseElements": null,
	"requestID": "example8-10c7-43d4-b147-3d9d9example",
	"eventID": "example2-24fc-4da7-a479-c9748example",
	"readOnly": true,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"eventCategory": "Management",
	"recipientAccountId": "123456789012",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ LockRule ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "creationDate": "2022-10-25T00:45:11Z",
	    "mfaAuthenticated": "false"
	  }
	}
	},
	"eventTime": "2022-10-25T00:45:19Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "LockRule",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "python-requests/2.25.1",
	"requestParameters": {
	"identifier": "jkrnexample",
	"lockConfiguration": {
	  "unlockDelay": {
	    "unlockDelayValue": 7,
	    "unlockDelayUnit": "DAYS"
	  }
	}
	},
	"responseElements": {
	"identifier": "jkrnexample",
	"description": "",
	"resourceType": "EBS_SNAPSHOT",
	"retentionPeriod": {
	  "retentionPeriodValue": 7,
	  "retentionPeriodUnit": "DAYS"
	},
	"resourceTags": [],
	"status": "available",
	"lockConfiguration": {
	  "unlockDelay": {
	    "unlockDelayValue": 7,
	    "unlockDelayUnit": "DAYS"
	  }
	},
	"lockState": "locked"
	},
	"requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample",
	"eventID": "714fafex-2eam-42pl-913e-926d4example",
	"readOnly": false,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"recipientAccountId": "123456789012",
	"eventCategory": "Management",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
#### [ UnlockRule ]

```
{
	"eventVersion": "1.08",
	"userIdentity": {
	"type": "AssumedRole",
	"principalId": "123456789012",
	"arn": "arn:aws:iam::123456789012:root",
	"accountId": "123456789012",
	"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
	"sessionContext": {
	  "sessionIssuer": {
	    "type": "Role",
	    "principalId": "123456789012",
	    "arn": "arn:aws:iam::123456789012:role/Admin",
	    "accountId": "123456789012",
	    "userName": "Admin"
	  },
	  "webIdFederationData": {},
	  "attributes": {
	    "creationDate": "2022-10-25T00:45:11Z",
	    "mfaAuthenticated": "false"
	  }
	}
	},
	"eventTime": "2022-10-25T00:46:17Z",
	"eventSource": "rbin.amazonaws.com",
	"eventName": "UnlockRule",
	"awsRegion": "us-west-2",
	"sourceIPAddress": "123.123.123.123",
	"userAgent": "python-requests/2.25.1",
	"requestParameters": {
	"identifier": "jkrnexample"
	},
	"responseElements": {
	"identifier": "jkrnexample",
	"description": "",
	"resourceType": "EC2_IMAGE",
	"retentionPeriod": {
	  "retentionPeriodValue": 7,
	  "retentionPeriodUnit": "DAYS"
	},
	"resourceTags": [],
	"status": "available",
	"lockConfiguration": {
	  "unlockDelay": {
	    "unlockDelayValue": 7,
	    "unlockDelayUnit": "DAYS"
	  }
	},
	"lockState": "pending_unlock",
	"lockEndTime": "Nov 1, 2022, 12:46:17 AM"
	},
	"requestID": "ex0577a5-amc4-pl4f-ef51-50fdexample",
	"eventID": "714fafex-2eam-42pl-913e-926d4example",
	"readOnly": false,
	"eventType": "AwsApiCall",
	"managementEvent": true,
	"recipientAccountId": "123456789012",
	"eventCategory": "Management",
	"tlsDetails": {
	"tlsVersion": "TLSv1.2",
	"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
	"clientProvidedHostHeader": "rbin.us-west-2.amazonaws.com"
	}
	}
```

------
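
The log entries above carry enough detail to detect calls that remove or weaken a retention rule. The following is an added example, not AWS code: it reads only fields shown in the entries above plus CloudTrail's `errorCode` field, and the function names, finding layout, sample records and the `ExampleError` value are assumptions made for illustration.

```python
import json

RBIN_SOURCE = "rbin.amazonaws.com"
TRACKED = ("CreateRule", "UpdateRule", "LockRule")  # calls that carry a retentionPeriod


def retention_days(params):
    """Retention period in days from requestParameters or responseElements."""
    period = (params or {}).get("retentionPeriod") or {}
    if period.get("retentionPeriodUnit") == "DAYS":
        return period.get("retentionPeriodValue")
    return None


def detect(records):
    """Flag Recycle Bin calls that delete, unlock or shorten a retention rule."""
    findings, known = [], {}  # known: rule identifier -> last retention in days
    rbin = [r for r in records if r.get("eventSource") == RBIN_SOURCE]
    # Log files are not in call order, so sort before the stateful comparison.
    # eventTime is ISO-8601 UTC, which sorts chronologically as a string.
    for rec in sorted(rbin, key=lambda r: r.get("eventTime", "")):
        name = rec.get("eventName")
        req = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}
        rule = req.get("identifier") or resp.get("identifier")
        failed = "errorCode" in rec  # CloudTrail adds errorCode to failed calls
        reason = None
        if name == "DeleteRule":
            reason = "rule deletion"
        elif name == "UnlockRule":
            reason = "unlock request, lock ends %s" % resp.get("lockEndTime", "unknown")
        elif name == "UpdateRule":
            new, old = retention_days(req), known.get(rule)
            if new is not None and old is not None and new < old:
                reason = "retention shortened from %d to %d days" % (old, new)
        if not failed and name in TRACKED:
            days = retention_days(req)
            if days is None:
                days = retention_days(resp)
            if days is not None:
                known[rule] = days
        if reason:
            identity = rec.get("userIdentity") or {}
            session = identity.get("sessionContext") or {}
            issuer = session.get("sessionIssuer") or {}
            attrs = session.get("attributes") or {}
            findings.append({
                "time": rec.get("eventTime"),
                "event": name,
                "rule": rule,
                "reason": reason,
                "outcome": "rejected" if failed else "succeeded",
                "actor": issuer.get("arn") or identity.get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
                "mfa": attrs.get("mfaAuthenticated") == "true",
            })
    return findings


def sample_record(name, time, req=None, resp=None, mfa="false", **extra):
    """Constructed record holding only the fields detect() reads."""
    rec = {
        "eventTime": time, "eventSource": RBIN_SOURCE, "eventName": name,
        "sourceIPAddress": "123.123.123.123",
        "userIdentity": {"type": "AssumedRole", "sessionContext": {
            "sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/Admin"},
            "attributes": {"mfaAuthenticated": mfa}}},
        "requestParameters": req, "responseElements": resp,
    }
    rec.update(extra)
    return rec


def period(days, **other):
    body = {"retentionPeriod": {"retentionPeriodValue": days, "retentionPeriodUnit": "DAYS"}}
    body.update(other)
    return body


# Constructed sample, deliberately out of chronological order.
SAMPLE_RECORDS = [
    sample_record("DeleteRule", "2021-08-02T21:46:25Z", {"identifier": "jkrnexample"}),
    sample_record("UpdateRule", "2021-08-02T21:46:10Z", period(7, identifier="jkrnexample")),
    sample_record("GetRule", "2021-08-02T21:45:33Z", {"identifier": "jkrnexample"}),
    sample_record("UpdateRule", "2021-08-02T21:46:03Z", period(365, identifier="jkrnexample"), mfa="true"),
    sample_record("CreateRule", "2021-08-02T21:45:22Z", period(7), {"identifier": "jkrnexample"}),
    sample_record("UnlockRule", "2022-10-25T00:46:17Z", {"identifier": "lockedexample"},
                  {"identifier": "lockedexample", "lockState": "pending_unlock",
                   "lockEndTime": "Nov 1, 2022, 12:46:17 AM"}),
    sample_record("DeleteRule", "2022-10-25T00:47:00Z", {"identifier": "lockedexample"},
                  errorCode="ExampleError"),  # placeholder error code
    {"eventTime": "2021-08-02T21:45:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The retention comparison only works for rules whose earlier `CreateRule`, `UpdateRule` or `LockRule` record is in the same input, so feed it the full trail history rather than a single log file.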

# Service endpoints for Recycle Bin
<a name="rbin-service-endpoints"></a>

An *endpoint* is a URL that serves as an entry point for an AWS web service. Recycle Bin supports the following endpoint types:
+ IPv4 endpoints
+ Dual-stack endpoints that support both IPv4 and IPv6
+ FIPS endpoints

When you make a request, you can specify the endpoint and Region to use. If you do not specify an endpoint, the IPv4 endpoint is used by default. To use a different endpoint type, you must specify it in your request. For examples of how to do this, see [Specifying endpoints](#rbin-endpoint-examples).

For a list of Recycle Bin endpoints, see [Recycle Bin endpoints](https://docs.aws.amazon.com/general/latest/gr/rbin.html#rbin_region) in the *Amazon Web Services General Reference*.

**Topics**
+ [IPv4 endpoints](#ipv4)
+ [Dual-stack (IPv4 and IPv6) endpoints](#rbin-ipv6)
+ [FIPS endpoints](#rbin-fips)
+ [Specifying endpoints](#rbin-endpoint-examples)

## IPv4 endpoints
<a name="ipv4"></a>

IPv4 endpoints support IPv4 traffic only. IPv4 endpoints are available for all Regions.

You must specify the Region as part of the endpoint name. The endpoint names use the following naming convention:
+ rbin.*region*.amazonaws.com

For example, the IPv4 endpoint for the US East (N. Virginia) Region is `rbin.us-east-1.amazonaws.com`.

## Dual-stack (IPv4 and IPv6) endpoints
<a name="rbin-ipv6"></a>

Dual-stack endpoints support both IPv4 and IPv6 traffic. Dual-stack endpoints are available for all Regions.

To use IPv6, you must use a dual-stack endpoint. When you make a request to a dual-stack endpoint, the endpoint URL resolves to an IPv6 or an IPv4 address, depending on the protocol used by your network and client.

You must specify the Region as part of the endpoint name. Dual-stack endpoint names use the following naming convention:
+ `rbin.region.api.aws`

For example, the dual-stack endpoint for the US East (N. Virginia) Region is `rbin.us-east-1.api.aws`.

## FIPS endpoints
<a name="rbin-fips"></a>

Recycle Bin provides FIPS-validated IPv4 and dual-stack (IPv4 and IPv6) endpoints for the following Regions:
+ `us-east-1` — US East (N. Virginia)
+ `us-east-2` — US East (Ohio)
+ `us-west-1` — US West (N. California)
+ `us-west-2` — US West (Oregon)
+ `ca-central-1` — Canada (Central)
+ `ca-west-1` — Canada West (Calgary)
+ `us-gov-east-1` — AWS GovCloud (US-East)
+ `us-gov-west-1` — AWS GovCloud (US-West)

**FIPS IPv4 endpoints** use the following naming convention: `rbin-fips.region.amazonaws.com`. For example, the FIPS IPv4 endpoint for the US East (N. Virginia) Region is `rbin-fips.us-east-1.amazonaws.com`.

**FIPS dual-stack endpoints** use the following naming convention: `rbin-fips.region.api.aws`. For example, the FIPS dual-stack endpoint for the US East (N. Virginia) Region is `rbin-fips.us-east-1.api.aws`.

## Specifying endpoints
<a name="rbin-endpoint-examples"></a>

The following examples show how to specify an endpoint for the `us-east-2` Region using the AWS CLI.
+ **Dual-stack**

  ```
  aws rbin get-rule \
  --identifier rule_id \
  --endpoint-url https://rbin.us-east-2.api.aws
  ```
+ **IPv4**

  ```
  aws rbin get-rule \
  --identifier rule_id \
  --endpoint-url https://rbin.us-east-2.amazonaws.com
  ```
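
The naming conventions above can be checked in code before a value is passed to `--endpoint-url`, for example in a configuration audit that requires FIPS endpoints. The following is an added example, not AWS code: the function names are assumptions, and it accepts only the conventions and FIPS Regions stated on this page, so endpoints that follow any other naming are rejected.

```python
import re
from urllib.parse import urlsplit

# Regions for which this page lists FIPS endpoints.
FIPS_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
    "ca-central-1", "ca-west-1", "us-gov-east-1", "us-gov-west-1",
}

REGION = r"[a-z]{2}(?:-[a-z]+)+-\d+"
HOST_RE = re.compile(
    r"rbin(?P<fips>-fips)?\.(?P<region>" + REGION + r")\.(?P<suffix>amazonaws\.com|api\.aws)"
)


def classify_endpoint(url):
    """Parse a Recycle Bin endpoint URL into region, stack and FIPS flag.

    Raises ValueError when the URL does not follow the page's conventions.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("endpoint must use https: %r" % url)
    # hostname ignores any userinfo and port, so "rbin...@other.example" is
    # judged on the host the request would really go to.
    host = parts.hostname or ""
    match = HOST_RE.fullmatch(host)
    if not match:
        raise ValueError("not a Recycle Bin endpoint name: %r" % host)
    region, fips = match["region"], bool(match["fips"])
    if fips and region not in FIPS_REGIONS:
        raise ValueError("no FIPS endpoint listed for Region %s" % region)
    stack = "dual-stack" if match["suffix"] == "api.aws" else "ipv4"
    return {"region": region, "stack": stack, "fips": fips}


def build_endpoint(region, dual_stack=False, fips=False):
    """Build the endpoint URL for a Region from the naming conventions."""
    if not re.fullmatch(REGION, region):
        raise ValueError("unexpected Region name: %r" % region)
    if fips and region not in FIPS_REGIONS:
        raise ValueError("no FIPS endpoint listed for Region %s" % region)
    service = "rbin-fips" if fips else "rbin"
    suffix = "api.aws" if dual_stack else "amazonaws.com"
    return "https://%s.%s.%s" % (service, region, suffix)


def is_valid_endpoint(url, require_fips=False):
    """True if the URL is a well-formed Recycle Bin endpoint (and FIPS if required)."""
    try:
        info = classify_endpoint(url)
    except ValueError:
        return False
    return info["fips"] or not require_fips


if __name__ == "__main__":
    for candidate in (
        "https://rbin.us-east-2.api.aws",
        "https://rbin-fips.us-east-1.amazonaws.com",
        "https://rbin-fips.eu-west-1.amazonaws.com",      # Region not in the FIPS list
        "https://rbin.us-east-1.amazonaws.com.example.net",  # wrong suffix
    ):
        print(candidate, is_valid_endpoint(candidate))
```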

# Create a private connection between a VPC and Recycle Bin
<a name="rbin-vpcendpoints"></a>

You can establish a private connection between your VPC and Recycle Bin by creating an interface VPC endpoint, powered by [AWS PrivateLink](https://aws.amazon.com/privatelink/). You can access Recycle Bin as if it were in your VPC, without using an internet gateway, NAT device, VPN connection, or Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Recycle Bin.

We create an endpoint network interface in each subnet that you enable for the interface endpoint.

For more information, see [Access AWS services through AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) in the *AWS PrivateLink Guide*.

## Create an interface VPC endpoint for Recycle Bin
<a name="rbin-vpcendpoint-create"></a>

You can create a VPC endpoint for Recycle Bin using either the Amazon VPC console or the AWS CLI. For more information, see [Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *AWS PrivateLink Guide*.

Create a VPC endpoint for Recycle Bin using the following service name: `com.amazonaws.region.rbin`

If you enable private DNS for the endpoint, you can make API requests to Recycle Bin using its default DNS name for the Region, for example, `rbin.us-east-1.amazonaws.com`.

## Create a VPC endpoint policy for Recycle Bin
<a name="rbin-vpcendpoint-policy"></a>

By default, full access to Recycle Bin is allowed through the endpoint. You can control access to the interface endpoint using VPC endpoint policies. You can attach an endpoint policy to your VPC endpoint that controls access to Recycle Bin. The policy specifies the following information:
+ The **principal** that can perform actions.
+ The **actions** that can be performed.
+ The **resources** on which actions can be performed.

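For more information, see [Controlling access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *Amazon VPC User Guide*.

The following example endpoint policy allows all Recycle Bin actions through the endpoint, except `rbin:DeleteRule`, which it denies when the `rbin:Attribute/ResourceType` condition key equals `EBS_SNAPSHOT`.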

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rbin:*",
            "Resource": "*",
            "Principal": "*"
        },
        {
            "Effect": "Deny",
            "Action": "rbin:DeleteRule",
            "Resource": "*",
            "Principal": "*",
            "Condition": {
                "StringEquals": {
                    "rbin:Attribute/ResourceType": "EBS_SNAPSHOT"
                }
            }
        }
    ]
}
```