IAM Roles and Permissions
Druva CloudRanger requires an AWS Identity and Access Management (IAM) role to access and manage your AWS workloads. To configure your Druva CloudRanger account, you grant CloudRanger cross-account (third-party) access to your AWS account through that role.
To create the IAM role, Druva CloudRanger provides an AWS CloudFormation template that you deploy as a stack in your own AWS account. The stack creates the following IAM resources, which give Druva CloudRanger its access to the account:
- IAM Role
- IAM Instance Profile
- IAM Policy
The Amazon Resource Name (ARN) of the generated IAM role is then linked back to CloudRanger, which assumes the role to run backup and restore jobs on your AWS workloads.
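Before linking the role ARN back to CloudRanger, check who the deployed role's trust policy actually lets assume it. The script below is an added example, not part of the CloudRanger template or Druva's documentation. It expects exactly two kinds of principal: the vendor's AWS account (CloudRanger assumes the role cross-account) and the EC2 service principal, which the instance profile the stack creates needs in order to be usable by instances. It flags wildcard or unparseable principals, any other account, unexpected service principals, and cross-account trust that carries no sts:ExternalId condition, the control AWS recommends for third-party roles against the confused-deputy problem. The vendor account ID, the ExternalId value and both sample trust policies are constructed placeholders; substitute the values CloudRanger gives you.

```python
"""Audit the trust policy of the IAM role a third-party backup service assumes."""
import json
import re
import sys

# Assumed placeholder: the AWS account from which CloudRanger assumes the role.
# Replace it with the account ID the vendor supplies alongside its template.
VENDOR_ACCOUNT = "111122223333"

# The stack also creates an instance profile, so EC2 must be able to assume the
# role on behalf of instances; any other service principal is unexpected here.
ALLOWED_SERVICES = {"ec2.amazonaws.com"}

# Principal ARNs in the commercial partition: account root, a role, or a user.
_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/.+|user/.+)$")
_ACCOUNT_RE = re.compile(r"^\d{12}$")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_external_id(stmt):
    """True when the statement carries a non-empty sts:ExternalId StringEquals
    condition. Condition keys are case-insensitive, so compare lowercased."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() != "stringequals":
            continue
        for key, value in keys.items():
            if key.lower() == "sts:externalid" and value:
                return True
    return False


def audit_trust_policy(policy, vendor_account=VENDOR_ACCOUNT):
    """Return a list of findings; an empty list means only the expected vendor
    account (with an ExternalId) and the EC2 service can assume the role."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive.
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: principal {principal!r} lets any AWS identity assume the role")
            continue
        for service in _as_list(principal.get("Service")):
            if service not in ALLOWED_SERVICES:
                findings.append(f"statement {idx}: unexpected service principal {service}")
        aws_principals = _as_list(principal.get("AWS"))
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: wildcard AWS principal lets any account assume the role")
                continue
            match = _ARN_RE.match(p)
            account = match.group(1) if match else (p if _ACCOUNT_RE.match(p) else None)
            if account is None:
                findings.append(f"statement {idx}: unrecognised principal {p!r}")
            elif account != vendor_account:
                findings.append(f"statement {idx}: principal account {account} is not the vendor account {vendor_account}")
        # Cross-account trust without an ExternalId is the confused-deputy setup
        # AWS warns about for roles assumed by third parties.
        if aws_principals and not _has_external_id(stmt):
            findings.append(f"statement {idx}: cross-account trust has no sts:ExternalId condition")
    return findings


# Constructed sample trust policies; neither is the one the CloudRanger stack creates.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-external-id"}}},
    ],
}
BAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"}, "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    # Pass a file containing the live trust policy, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = BAD_TRUST
    for finding in audit_trust_policy(doc) or ["no findings"]:
        print(finding)
```

To audit the deployed role, export its trust policy with `aws iam get-role --role-name <RoleName> --query Role.AssumeRolePolicyDocument > trust.json` and run the script on `trust.json`.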
Roles and Permissions
The following tables list the permissions granted to the CloudRanger IAM role, grouped by category:

Resource-specific permissions

| Category | Permissions | Description |
| --- | --- | --- |
| EC2 Backup permissions | ec2:CopyImage, ec2:CopySnapshot, ec2:RunCommand, ec2:ModifySnapshotAttribute, ec2:ModifyImageAttribute, ec2:TerminateInstances, ec2:CreateImage, ec2:DeregisterImage, ec2:CreateSnapshot, ec2:DeleteSnapshot, ec2:DescribeInstances | Permissions required to back up EC2 instances. |
| EC2 Restore permissions | ec2:CreateVolume, ec2:RegisterImage, ec2:AttachVolume, ec2:DescribeAvailabilityZones, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:DescribeVpcAttribute, ec2:DescribeVpcEndpoints, ec2:DescribeSecurityGroups | Permissions required to restore EC2 instances. |
| EC2 Core permissions | ec2:DescribeRegions, ec2:DescribeSnapshots, ec2:DescribeTags, ec2:DescribeVolumes, ec2:DescribeImages, ec2:CreateTags, ec2:DeleteTags | Permissions required to manage core EC2 components and the resource on/off schedules. |
| RDS Backup permissions | rds:CreateDBSnapshot, rds:DeleteDBSnapshot, rds:CreateDBClusterSnapshot, rds:DeleteDBClusterSnapshot, rds:AddTagsToResource, rds:DescribeDBSnapshots, rds:DescribeDBClusterSnapshots, rds:DescribeDBInstances, rds:RemoveTagsFromResource, rds:ListTagsForResource, rds:ModifyDBSnapshotAttribute, rds:ModifyDBClusterSnapshotAttribute, rds:CopyDBSnapshot, rds:CopyDBClusterSnapshot | Permissions required to back up RDS databases. |
| RDS Restore permissions | rds:DescribeDBClusterParameterGroups, rds:CreateDBParameterGroup, rds:CreateDBClusterParameterGroup, rds:DeleteDBParameterGroup, rds:DeleteDBClusterParameterGroup, rds:CopyDBParameterGroup, rds:DeleteOptionGroup, rds:DescribeDBSecurityGroups, rds:AuthorizeDBSecurityGroupIngress, rds:RevokeDBSecurityGroupIngress, rds:CreateDBSecurityGroup, rds:DeleteDBSecurityGroup, rds:DescribeOptionGroupOptions, rds:CopyOptionGroup, rds:CreateOptionGroup, rds:RestoreDBInstanceFromDBSnapshot, rds:RestoreDBClusterFromSnapshot, rds:CreateDBInstance, rds:DescribeOptionGroups, rds:DescribeDBParameterGroups, rds:DescribeDBSubnetGroups, rds:RestoreDBClusterFromDBSnapshot | Permissions required to restore RDS databases. |
| RDS Core permissions | rds:DescribeDBSnapshots, rds:DescribeDBClusterSnapshots, rds:DescribeDBInstances, rds:RemoveTagsFromResource, rds:ListTagsForResource | Permissions required to manage core RDS components. |
| Redshift Backup permissions | redshift:AuthorizeSnapshotAccess, redshift:CopyClusterSnapshot, redshift:CreateClusterSnapshot, redshift:DeleteClusterSnapshot, redshift:DeleteTags, redshift:DescribeClusters, redshift:DescribeClusterSnapshots, redshift:DescribeSnapshotCopyGrants, redshift:DescribeTags | Permissions required to back up Redshift resources. |
| Redshift Restore permissions | redshift:RevokeSnapshotAccess | Permissions required to restore Redshift resources. |
| DynamoDB Backup permissions | dynamodb:CreateBackup, dynamodb:BatchGetItem, dynamodb:Describe*, dynamodb:List*, dynamodb:GetItem, dynamodb:Query, dynamodb:Scan, dynamodb:UntagResource, dynamodb:DeleteBackup | Permissions required to back up DynamoDB tables. |
| DynamoDB Restore permissions | dynamodb:CreateTable, dynamodb:BatchWriteItem, dynamodb:PutItem, dynamodb:DeleteItem, dynamodb:RestoreTableFromBackup, dynamodb:RestoreTableToPointInTime, dynamodb:CreateTableReplica, dynamodb:UpdateItem, dynamodb:UpdateTable, dynamodb:TagResource, dynamodb:Scan, dynamodb:Query, dynamodb:GetItem | Permissions required to restore DynamoDB tables. |
| Resource Scheduling permissions | ec2:RebootInstances, ec2:RunInstances, ec2:StartInstances, ec2:StopInstances, rds:StopDBInstance, rds:StartDBInstance | Permissions required for the resource on/off schedules. |
| CloudFormation stack-level permissions | cloudformation:CreateStack, cloudformation:DescribeStacks, cloudformation:DescribeStackEvents, cloudformation:ListStackResources, cloudformation:DescribeStackResource, cloudformation:DescribeStackResources, cloudformation:DeleteStack | Permissions required to configure and manage the AWS CloudFormation stack. |
| S3 Archive permissions | s3:GetObject, s3:GetBucketLocation, s3:ListBucket, s3:GetObjectAcl, s3:GetObjectVersion, s3:GetObjectVersionAcl, s3:GetObjectTagging, s3:GetBucketObjectLockConfiguration, s3:GetBucketPublicAccessBlock, s3:ListAllMyBuckets, s3:ListBucketVersions, s3:ListBucketByTags, s3:CreateBucket, s3:PutBucketAcl, s3:PutEncryptionConfiguration, s3:PutBucketPublicAccessBlock, s3:PutObject, s3:PutObjectAcl, s3:DeleteObject, s3:DeleteObjectVersion, s3:PutObjectTagging, s3:PutBucketObjectLockConfiguration, s3:PutBucketVersioning, s3:HeadBucket, s3:HeadObject | Permissions required to perform backup operations on S3 Archive (moving EC2 backups to S3). |

Automated Disaster Recovery permissions

| Category | Permissions | Description |
| --- | --- | --- |
| VPC Cloning permissions | ec2:ModifyVpcAttribute, ec2:ModifySubnetAttribute, ec2:ModifyNetworkInterfaceAttribute, ec2:CreateNetworkInterfacePermission, ec2:DescribeAddresses, ec2:DescribeDhcpOptions, ec2:DescribeInternetGateways, ec2:DescribeEgressOnlyInternetGateways, ec2:DescribeNatGateways, ec2:CreateVpc, ec2:CreateNetworkAcl, ec2:CreateNetworkAclEntry, ec2:CreateRouteTable, ec2:CreateRoute, ec2:DescribeNetworkAcls, ec2:AllocateAddress, ec2:AssociateAddress, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:DescribeRouteTables, rds:CreateSubnetGroup, ec2:AssociateRouteTable, ec2:CreateInternetGateway, ec2:AttachInternetGateway, ec2:CreateNatGateway, rds:CreateDBSubnetGroup, ec2:CreateSecurityGroup, ec2:CreateEgressOnlyInternetGateway, ec2:CreateDhcpOptions, ec2:AssociateDhcpOptions | Permissions required for VPC Cloning as part of the ADR workflow. |
| VPC Cloning permissions (mapping) | ec2:DescribeAddresses, ec2:DescribeDhcpOptions, ec2:DescribeInternetGateways, ec2:DescribeKeyPairs, ec2:DescribeNetworkAcls | Permissions required to map the core VPC Cloning components within ADR. |
| VPC Cloning permissions (teardown) | ec2:DeleteVolume, ec2:DeleteNetworkInterfacePermission, ec2:DeleteVpc, ec2:CreateSubnet, ec2:DeleteSubnet, ec2:DeleteRoute, ec2:DeleteNetworkAcl, ec2:DeleteNetworkAclEntry, ec2:ReplaceNetworkAclAssociation, ec2:ReplaceNetworkAclEntry, ec2:RevokeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress, ec2:ReleaseAddress, ec2:DisassociateAddress, ec2:DeleteRouteTable, ec2:DisassociateRouteTable, ec2:DetachInternetGateway, ec2:DeleteInternetGateway, ec2:DeleteNatGateway, ec2:DeleteEgressOnlyInternetGateway, ec2:DeleteDhcpOptions, ec2:DeleteSecurityGroup, cloudformation:DeleteStack, rds:DeleteDBSubnetGroup, rds:DeleteDBInstance, rds:DeleteDBCluster | Permissions required for VPC Cloning teardown. |

Policy-level permissions

| Category | Permissions | Description |
| --- | --- | --- |
| KMS Encryption Keys | kms:Decrypt, kms:ListKeyPolicies, kms:GenerateRandom, kms:ListRetirableGrants, kms:GetKeyPolicy, kms:GenerateDataKeyWithoutPlaintext, kms:ListResourceTags, kms:ReEncryptFrom, kms:ListGrants, kms:ListKeys, kms:Encrypt, kms:ListAliases, kms:GenerateDataKey, kms:CreateAlias, kms:ReEncryptTo, kms:DescribeKey, kms:DeleteAlias, kms:CreateGrant, kms:RevokeGrant | Permissions required for cross-region and cross-account copy of encrypted backups. |
| VSS-consistent snapshot permissions | iam:ListInstanceProfiles, iam:AddRoleToInstanceProfile, iam:RemoveRoleFromInstanceProfile, iam:ListInstanceProfilesForRole, iam:GetInstanceProfile, iam:GetRole, iam:ListAccountAliases, iam:ListAttachedRolePolicies, iam:ListPolicies, iam:AttachRolePolicy, ec2:DescribeIamInstanceProfileAssociations, ec2:AssociateIamInstanceProfile, ec2:DisassociateIamInstanceProfile, ssm:DescribeInstanceInformation, ssm:SendCommand, ssm:GetCommandInvocation | Permissions required to enable VSS-consistent snapshots. |
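Once the stack is deployed, the policy it actually attached to the role can be compared against the tables above. The script below is an added example and not CloudRanger's tooling. It reads an IAM policy document, lowercases action names (IAM matches actions case-insensitively), ignores Deny statements, and reports four things: granted actions that no documented entry covers (documented wildcards such as dynamodb:Describe* are honoured as patterns), granted wildcards the tables do not list verbatim (for example ec2:*), statements that use NotAction, and documented actions that can confer or exercise other identities' privileges (iam:AttachRolePolicy, iam:AddRoleToInstanceProfile, ec2:AssociateIamInstanceProfile, ssm:SendCommand, kms:CreateGrant) when they are granted on Resource "*" rather than on specific roles, instances or keys. DOCUMENTED is a constructed subset of the tables, the SENSITIVE set is this example's own choice, and SAMPLE_POLICY is constructed for the demo.

```python
"""Compare the actions a deployed IAM policy grants with a documented action list."""
import fnmatch
import json
import sys

# Actions transcribed from the tables above. Constructed subset for the demo;
# paste the full tables in when auditing a real deployment.
DOCUMENTED = {
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:CopySnapshot", "ec2:DescribeInstances",
    "ec2:CreateImage", "ec2:DeregisterImage", "ec2:DescribeSnapshots", "ec2:CreateTags",
    "rds:CreateDBSnapshot", "rds:DeleteDBSnapshot", "rds:DescribeDBInstances",
    "dynamodb:Describe*", "dynamodb:List*", "dynamodb:CreateBackup",
    "kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant",
    "iam:AttachRolePolicy", "iam:AddRoleToInstanceProfile",
    "ec2:AssociateIamInstanceProfile", "ssm:SendCommand", "ssm:GetCommandInvocation",
}

# Documented actions that change what other identities may do or run code on
# instances. This selection is the example's own; it is not from the page.
# Lowercased because IAM compares action names case-insensitively.
SENSITIVE = {
    "iam:attachrolepolicy", "iam:addroletoinstanceprofile",
    "ec2:associateiaminstanceprofile", "ssm:sendcommand", "kms:creategrant",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def granted_actions(policy):
    """Map each action the policy allows (lowercased) to the set of Resource values
    it is allowed on. Deny statements grant nothing and are skipped. Statements
    using NotAction are returned separately: they allow everything except the
    listed actions, which a least-privilege policy should never do."""
    grants, not_action = {}, []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            not_action.append(idx)
            continue
        resources = set(_as_list(stmt.get("Resource")))
        for action in _as_list(stmt.get("Action")):
            grants.setdefault(action.lower(), set()).update(resources)
    return grants, not_action


def audit_permissions(policy, documented=DOCUMENTED):
    """Return what the policy grants beyond, or more broadly than, the documented list."""
    patterns = {d.lower() for d in documented}
    grants, not_action = granted_actions(policy)
    report = {"undocumented": [], "wildcards": [], "unscoped_sensitive": [],
              "not_action_statements": not_action}
    for action, resources in grants.items():
        if "*" in action:
            # A granted wildcard is acceptable only if the tables list that exact pattern.
            if action not in patterns:
                report["wildcards"].append(action)
        elif not any(fnmatch.fnmatchcase(action, pat) for pat in patterns):
            report["undocumented"].append(action)
        if (action in SENSITIVE or action == "*") and "*" in resources:
            report["unscoped_sensitive"].append(action)
    for key in ("undocumented", "wildcards", "unscoped_sensitive"):
        report[key].sort()
    return report


# Constructed sample policy; not the one the CloudRanger stack creates.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeInstances",
                    "dynamodb:DescribeTable", "dynamodb:ListBackups", "dynamodb:Describe*"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["ec2:*", "iam:CreateUser"]},
        {"Effect": "Allow", "Resource": "*", "Action": "iam:AttachRolePolicy"},
        {"Effect": "Allow", "Action": "kms:CreateGrant",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/placeholder-key-id"},
        {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteBucket"},
    ],
}

if __name__ == "__main__":
    # Pass a file containing the live policy document, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_POLICY
    print(json.dumps(audit_permissions(doc), indent=2))
```

For a policy attached inline to the role, export it with `aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName> --query PolicyDocument`; for the managed policy the stack creates, use `aws iam get-policy-version --policy-arn <PolicyArn> --version-id <VersionId> --query PolicyVersion.Document`. On the sample the report lists iam:createuser as undocumented, ec2:* as an unlisted wildcard and iam:attachrolepolicy as a sensitive action granted on every resource, while the kms:CreateGrant scoped to one key passes.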