
DruvaIAMPolicy

This article provides a sample DruvaIAMPolicy.JSON policy for AWS Public Cloud (the `aws` partition) and AWS GovCloud (the `aws-us-gov` partition). The DruvaIAMPolicy policy defines the AWS permissions that you can assign to a user, group, or role. It is a sample, not a least-privilege baseline: several statements use a wildcard Resource (for example, `sts:AssumeRole` on `*`, `iam:PassRole` on every role in every account, `s3:Get*`/`s3:List*` on every bucket, and the EC2 statement, including `RunInstances`, `TerminateInstances`, `DeleteSnapshot`, and `DeleteVolume`, on `*`). Before attaching it, review these grants, narrow the `iam:PassRole` and `sts:AssumeRole` resources to the specific roles your Druva deployment uses where possible, and prefer attaching the policy to a dedicated IAM role rather than to a human user. Some actions are also listed redundantly (for example, `s3:Getobject`, `s3:GetobjectAcl`, and `s3:GetBucketPolicy` are already covered by `s3:Get*`, and `ec2:CreateTags` appears twice in the EC2 statement); the duplicates are harmless but can be removed.

DruvaIAMPolicy.JSON policy for AWS Public Cloud (ARNs use the `aws` partition)

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:DecodeAuthorizationMessage"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:Get*",
"s3:Getobject",
"s3:GetobjectAcl",
"s3:List*",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutBucketPolicy",
"s3:GetBucketPolicy",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::phoenix*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/*"
},
{
"Effect": "Allow",
"Action": "iam:ListInstanceProfiles",
"Resource": "arn:aws:iam::*:instance-profile/*"
},
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:ChangeMessageVisibility",
"sqs:SendMessageBatch",
"sqs:UntagQueue",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"sqs:TagQueue",
"sqs:RemovePermission",
"sqs:ListDeadLetterSourceQueues",
"sqs:AddPermission",
"sqs:DeleteMessageBatch",
"sqs:PurgeQueue",
"sqs:DeleteQueue",
"sqs:CreateQueue",
"sqs:ChangeMessageVisibilityBatch",
"sqs:SetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:*:*:phoenix*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeConversionTasks",
"ec2:DescribeExportTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:DescribeTags",
"ec2:ImportInstance",
"ec2:ImportVolume",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ImportImage",
"ec2:ImportSnapshot",
"ec2:DescribeImportImageTasks",
"ec2:DescribeImportSnapshotTasks",
"ec2:CancelImportTask",
"ec2:DescribeVpcs",
"ec2:RunInstances",
"ec2:DescribeSubnets",
"ec2:DescribeInternetGateways",
"ec2:DescribeCustomerGateways",
"ec2:DescribeVpnGateways",
"ec2:DescribeVpnConnections",
"ec2:DescribeRouteTables",
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeNetworkAcls",
"ec2:DescribeDhcpOptions",
"ec2:CreateTags",
"ec2:CopySnapshot",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:ModifyVolume",
"ec2:CreateSnapshot",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeSnapshots",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeVolumesModifications",
"ec2:AssociateAddress"
],
"Resource": "*"
}
]
}

DruvaIAMPolicy.JSON policy for AWS GovCloud (ARNs use the `aws-us-gov` partition)

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:DecodeAuthorizationMessage"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:ListInstanceProfiles",
"Resource": "arn:aws-us-gov:iam::*:instance-profile/*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:Get*",
"s3:Getobject",
"s3:GetobjectAcl",
"s3:List*",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutBucketPolicy",
"s3:GetBucketPolicy",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws-us-gov:s3:::phoenix*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws-us-gov:s3:::*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws-us-gov:iam::*:role/*"
},
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:ChangeMessageVisibility",
"sqs:SendMessageBatch",
"sqs:UntagQueue",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"sqs:TagQueue",
"sqs:RemovePermission",
"sqs:ListDeadLetterSourceQueues",
"sqs:AddPermission",
"sqs:DeleteMessageBatch",
"sqs:PurgeQueue",
"sqs:DeleteQueue",
"sqs:CreateQueue",
"sqs:ChangeMessageVisibilityBatch",
"sqs:SetQueueAttributes"
],
"Resource": [
"arn:aws-us-gov:sqs:*:*:phoenix*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeConversionTasks",
"ec2:DescribeExportTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:DescribeTags",
"ec2:ImportInstance",
"ec2:ImportVolume",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ImportImage",
"ec2:ImportSnapshot",
"ec2:DescribeImportImageTasks",
"ec2:DescribeImportSnapshotTasks",
"ec2:CancelImportTask",
"ec2:DescribeVpcs",
"ec2:RunInstances",
"ec2:DescribeSubnets",
"ec2:DescribeInternetGateways",
"ec2:DescribeCustomerGateways",
"ec2:DescribeVpnGateways",
"ec2:DescribeVpnConnections",
"ec2:DescribeRouteTables",
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeNetworkAcls",
"ec2:DescribeDhcpOptions",
"ec2:CreateTags",
"ec2:CopySnapshot",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:ModifyVolume",
"ec2:CreateSnapshot",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumesModifications",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:ModifyInstanceAttribute",
"ec2:AssociateAddress"
],
"Resource": "*"
}
]
}