Druva Documentation

IAM Roles and Permissions

Provides information about the IAM roles and permissions required by CloudRanger

Druva CloudRanger requires an Identity and Access Management (IAM) role to access and manage your AWS workloads. To configure your Druva CloudRanger account, you will need to grant CloudRanger third-party access to your AWS account.

To create the IAM role, Druva CloudRanger provides a CloudFormation template that provisions a CloudFormation stack within your AWS environment. The stack creates the following IAM resources, which grant Druva CloudRanger access to your AWS account:

  • IAM Role
  • IAM Instance Profile
  • IAM Policy

The generated Amazon Resource Name (ARN) of the IAM role is then linked back to CloudRanger so that it can run backup and restore jobs on your AWS workloads.

Roles and Permissions

The following lists provide detailed information about the permissions granted. They are grouped by category; each group names the permission set, lists the IAM actions it contains, and then describes what those actions are used for.

Resource-specific permissions

EC2 Backup permissions

ec2:CopyImage
ec2:CopySnapshot
ec2:RunCommand
ec2:ModifySnapshotAttribute
ec2:ModifyImageAttribute
ec2:TerminateInstances
ec2:CreateImage
ec2:DeregisterImage
ec2:CreateSnapshot
ec2:DeleteSnapshot
ec2:DescribeInstances

Permissions required to back up EC2 instances.

EC2 Restore permissions

ec2:CreateVolume
ec2:RegisterImage
ec2:AttachVolume
ec2:DescribeAvailabilityZones
ec2:DescribeSubnets
ec2:DescribeVpcs
ec2:DescribeVpcAttribute
ec2:DescribeVpcEndpoints
ec2:DescribeSecurityGroups

Permissions required to restore EC2 instances.

EC2 Core permissions
ec2:DescribeRegions
ec2:DescribeSnapshots
ec2:DescribeTags
ec2:DescribeVolumes
ec2:DescribeImages
ec2:CreateTags
ec2:DeleteTags

Permissions required to manage core EC2 components as well as the resource on/off schedules.

RDS Backup permissions
rds:CreateDBSnapshot
rds:DeleteDBSnapshot
rds:CreateDBClusterSnapshot
rds:DeleteDBClusterSnapshot
rds:AddTagsToResource
rds:DescribeDBSnapshots
rds:DescribeDBClusterSnapshots
rds:DescribeDBInstances
rds:RemoveTagsFromResource
rds:ListTagsForResource
rds:ModifyDBSnapshotAttribute
rds:ModifyDBClusterSnapshotAttribute
rds:CopyDBSnapshot
rds:CopyDBClusterSnapshot

Permissions required to back up RDS databases.

RDS Restore permissions

rds:DescribeDBClusterParameterGroups
rds:CreateDBParameterGroup
rds:CreateDBClusterParameterGroup
rds:DeleteDBParameterGroup
rds:DeleteDBClusterParameterGroup
rds:CopyDBParameterGroup
rds:DeleteOptionGroup
rds:DescribeDBSecurityGroups
rds:AuthorizeDBSecurityGroupIngress
rds:RevokeDBSecurityGroupIngress
rds:CreateDBSecurityGroup
rds:DeleteDBSecurityGroup
rds:DescribeOptionGroupOptions
rds:CopyOptionGroup
rds:CreateOptionGroup
rds:RestoreDBInstanceFromDBSnapshot
rds:RestoreDBClusterFromSnapshot
rds:CreateDBInstance
rds:DescribeOptionGroups
rds:DescribeDBParameterGroups
rds:DescribeDBSubnetGroups
rds:RestoreDBClusterFromDBSnapshot

Permissions required to restore RDS databases.

RDS Core permissions
rds:DescribeDBSnapshots
rds:DescribeDBClusterSnapshots
rds:DescribeDBInstances
rds:RemoveTagsFromResource
rds:ListTagsForResource

Permissions required to manage core RDS components.

Redshift Backup permissions

redshift:authorizeSnapshotAccess
redshift:copyClusterSnapshot
redshift:createClusterSnapshot
redshift:deleteClusterSnapshot
redshift:deleteTags
redshift:describeClusters
redshift:describeClusterSnapshots
redshift:describeSnapshotCopyGrants
redshift:describeTags

Permissions required to back up Redshift resources.

Redshift Restore permissions

redshift:revokeSnapshotAccess

Permissions required to restore Redshift resources.

DynamoDB Backup permissions

dynamodb:CreateBackup
dynamodb:BatchGetItem
dynamodb:Describe*
dynamodb:List*
dynamodb:GetItem
dynamodb:Query
dynamodb:Scan
dynamodb:UntagResource
dynamodb:DeleteBackup

Permissions required to back up DynamoDB tables.

DynamoDB Restore permissions

dynamodb:CreateTable
dynamodb:BatchWriteItem
dynamodb:PutItem
dynamodb:DeleteItem
dynamodb:RestoreTableFromBackup
dynamodb:RestoreTableToPointInTime
dynamodb:CreateTableReplica
dynamodb:UpdateItem
dynamodb:UpdateTable
dynamodb:TagResource
dynamodb:Scan
dynamodb:Query
dynamodb:GetItem

Permissions required to restore DynamoDB tables.

Resource Scheduling permissions

ec2:RebootInstances
ec2:RunInstances
ec2:StartInstances
ec2:StopInstances
rds:StopDBInstance
rds:StartDBInstance

Permissions required as part of the resource on/off schedules.

CloudFormation stack-level permissions

cloudformation:CreateStack
cloudformation:DescribeStacks
cloudformation:DescribeStackEvents
cloudformation:ListStackResources
cloudformation:DescribeStackResource
cloudformation:DescribeStackResources
cloudformation:DeleteStack

Permissions required to configure and manage the AWS CloudFormation stack.

S3 Archive permissions

s3:GetObject
s3:GetObjectAcl
s3:GetObjectVersion
s3:GetObjectVersionAcl
s3:GetObjectTagging
s3:GetBucketObjectLockConfiguration
s3:GetBucketPublicAccessBlock
s3:GetBucketLocation
s3:ListBucket
s3:ListAllMyBuckets
s3:ListBucketVersions
s3:ListBucketByTags

Permissions required to perform backup operations on S3 Archive (to move EC2 backups to S3).

Note: These are read-only permissions with no associated conditions.


s3:CreateBucket
s3:PutBucketAcl
s3:PutEncryptionConfiguration
s3:PutBucketPublicAccessBlock
s3:PutObject
s3:PutObjectAcl
s3:DeleteObject
s3:DeleteObjectVersion
s3:PutObjectTagging
s3:PutBucketObjectLockConfiguration
s3:PutBucketVersioning
s3:HeadBucket
s3:HeadObject

Permissions required to perform backup operations on S3 Archive (to move EC2 backups to S3).

Note: The write permissions are granted with an Allow effect whose associated conditions restrict them to CloudRanger-provisioned buckets.

Automated Disaster Recovery permissions

VPC Cloning permissions

ec2:ModifyVpcAttribute
ec2:ModifySubnetAttribute
ec2:ModifyNetworkInterfaceAttribute
ec2:CreateNetworkInterfacePermission
ec2:DescribeAddresses
ec2:DescribeDhcpOptions
ec2:DescribeInternetGateways
ec2:DescribeEgressOnlyInternetGateways
ec2:DescribeNatGateways
ec2:CreateVpc
ec2:CreateNetworkAcl
ec2:CreateNetworkAclEntry
ec2:CreateRouteTable
ec2:CreateRoute
ec2:DescribeNetworkAcls
ec2:AllocateAddress
ec2:AssociateAddress
ec2:AuthorizeSecurityGroupIngress
ec2:AuthorizeSecurityGroupEgress
ec2:DescribeRouteTables
rds:createSubnetGroup
ec2:AssociateRouteTable
ec2:CreateInternetGateway
ec2:AttachInternetGateway
ec2:CreateNatGateway
rds:CreateDBSubnetGroup
ec2:CreateSecurityGroup
ec2:CreateEgressOnlyInternetGateway
ec2:CreateDhcpOptions
ec2:AssociateDhcpOptions

Permissions required for VPC Cloning as part of the ADR workflow.


ec2:DescribeAddresses
ec2:DescribeDhcpOptions
ec2:DescribeInternetGateways
ec2:DescribeKeyPairs
ec2:DescribeNetworkAcls

Permissions required as part of mapping the core VPC Cloning components within ADR.


ec2:DeleteVolume
ec2:DeleteNetworkInterfacePermission
ec2:DeleteVpc
ec2:CreateSubnet
ec2:DeleteSubnet
ec2:DeleteRoute
ec2:DeleteNetworkAcl
ec2:DeleteNetworkAclEntry
ec2:ReplaceNetworkAclAssociation
ec2:ReplaceNetworkAclEntry
ec2:RevokeSecurityGroupEgress
ec2:RevokeSecurityGroupIngress
ec2:ReleaseAddress
ec2:DisassociateAddress
ec2:DeleteRouteTable
ec2:DisassociateRouteTable
ec2:DetachInternetGateway
ec2:DeleteInternetGateway
ec2:DeleteNatGateway
ec2:DeleteEgressOnlyInternetGateway
ec2:DeleteDhcpOptions
ec2:DeleteSecurityGroup
cloudformation:DeleteStack
rds:DeleteDBSubnetGroup
rds:DeleteDBInstance
rds:DeleteDBCluster

Permissions required as part of VPC Cloning teardown.

Policy-level permissions

KMS Encryption Keys

kms:Decrypt
kms:ListKeyPolicies
kms:GenerateRandom
kms:ListRetirableGrants
kms:GetKeyPolicy
kms:GenerateDataKeyWithoutPlaintext
kms:ListResourceTags
kms:ReEncryptFrom
kms:ListGrants
kms:ListKeys
kms:Encrypt
kms:ListAliases
kms:GenerateDataKey
kms:CreateAlias
kms:ReEncryptTo
kms:DescribeKey
kms:DeleteAlias
kms:CreateGrant
kms:RevokeGrant

Permissions required for cross-region and cross-account copies of encrypted backups.

Policy-level permissions

iam:ListInstanceProfiles
iam:AddRoleToInstanceProfile
iam:RemoveRoleFromInstanceProfile
iam:ListInstanceProfilesForRole
iam:GetInstanceProfile
iam:GetRole
iam:ListAccountAliases
iam:ListAttachedRolePolicies
iam:ListPolicies
iam:AttachRolePolicy
ec2:DescribeIamInstanceProfileAssociations
ec2:AssociateIamInstanceProfile
ec2:DisassociateIamInstanceProfile
ssm:DescribeInstanceInformation
ssm:SendCommand
ssm:GetCommandInvocation

Permissions to enable VSS-consistent snapshots.
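A check worth running once the stack is deployed, added here as an example and not Druva's code or template: compare the policy document attached to the provisioned role (retrieved, for instance, with `aws iam get-policy-version`) against the documented action list above, flag any action that is not on it, and confirm that no S3 write action is allowed on every resource without a condition, as the S3 Archive note above requires. The documented set is a subset of this page's list, and the bucket name and sample policy are constructed.

```python
import json

# Documented CloudRanger actions taken from this page (a subset; extend it with
# the remaining groups when auditing a real deployment).
DOCUMENTED_ACTIONS = {
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeInstances",
    "ec2:CreateImage", "ec2:DeregisterImage", "rds:CreateDBSnapshot",
    "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject",
    "kms:Decrypt", "kms:GenerateDataKey",
}

# Constructed sample policy (not Druva's template). The third statement adds one
# action that is not on the documented list and grants an S3 write action on
# Resource "*" without a Condition, i.e. not limited to provisioned buckets.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot",
                    "ec2:DescribeInstances", "kms:Decrypt"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-cloudranger-archive/*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:DeleteObject", "ec2:ModifyInstanceAttribute"]},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, documented=DOCUMENTED_ACTIONS):
    """Report Allow actions outside the documented set, and S3 write actions
    whose statement has Resource "*" and no Condition. Action names compare
    case-insensitively, as IAM evaluates them."""
    documented = {a.lower() for a in documented}
    undocumented, unscoped = set(), set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        wide_open = "*" in resources and "Condition" not in stmt
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in documented:
                undocumented.add(action)
            if wide_open and action.lower().startswith(("s3:put", "s3:delete")):
                unscoped.add(action)
    return {"undocumented": sorted(undocumented),
            "unscoped_s3_writes": sorted(unscoped)}
```

Wildcard actions such as `dynamodb:Describe*` are matched literally, so a policy pattern is accepted only if the same pattern appears in the documented set; anything else is reported for manual review.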
