


DruvaIAMPolicy

Overview

If you deployed the Druva AWS proxy via the CloudFormation stack in AWS before November 23, 2020, the deployment created an IAM role called DruvaIAMRole that gave Enterprise Workloads access to the AWS resources needed to perform Disaster Recovery as a Service (DRaaS) tasks. The DruvaIAMPolicy is an inline policy that defines the permissions associated with the DruvaIAMRole.

Starting November 23, 2020, we introduced the DruvaIAMRolePL role together with support for AWS PrivateLink with DRaaS. DruvaIAMRolePL supersedes the DruvaIAMRole. Both the DruvaIAMRole and the DruvaIAMRolePL are associated with the DruvaIAMPolicy. The DruvaIAMPolicy for the DruvaIAMRolePL has a few more permissions required for DR failovers and AWS PrivateLink.
We recommend updating the DruvaIAMPolicy associated with DruvaIAMRole or DruvaIAMRolePL with the contents of one of the following JSON policies, depending on whether the deployment is in the Public Cloud or the Druva GovCloud.

Access and edit the DruvaIAMPolicy

  1. Log in to your AWS Management Console.
  2. In the search bar at the top, search for the IAM service.
  3. On the Identity and Access Management (IAM) page, in the left navigation pane, click Roles under Access Management.
  4. In the list of roles, search for the DruvaIAMRolePL role or the DruvaIAMRole (AWS Service: EC2). Click the role from the search results.

    Search for IAMRolePL.png
  5. Under the Permissions tab, expand the DruvaIAMPolicy and click Edit policy.
  6. Replace the contents of the existing policy with the following JSON policy for the Cloud or Druva GovCloud (depending upon where the Druva AWS proxy is deployed) and save the role.

    Edit Policy.png

DruvaIAMPolicy.JSON policy for Public Cloud

(Last updated May 02, 2022)

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ebs:ListChangedBlocks",
"ebs:PutSnapshotBlock",
"ebs:GetSnapshotBlock",
"ebs:ListSnapshotBlocks",
"ebs:StartSnapshot"
],
"Condition": {
"StringLike": {
"aws:RequestTag/Name": [
"druva*",
"Druva*",
"phoenix*",
"Phoenix*"
]
}
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:Get*",
"s3:Getobject",
"s3:GetobjectAcl",
"s3:List*",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutBucketPolicy",
"s3:GetBucketPolicy",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::phoenix*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/*"
},
{
"Effect": "Allow",
"Action": "iam:ListInstanceProfiles",
"Resource": "arn:aws:iam::*:instance-profile/*"
},
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:UntagQueue",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"sqs:TagQueue",
"sqs:RemovePermission",
"sqs:ListDeadLetterSourceQueues",
"sqs:AddPermission",
"sqs:PurgeQueue",
"sqs:DeleteQueue",
"sqs:CreateQueue",
"sqs:ChangeMessageVisibility",
"sqs:SetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:*:*:phoenix*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeConversionTasks",
"ec2:DescribeExportTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:DescribeTags",
"ec2:ImportInstance",
"ec2:ImportVolume",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ImportImage",
"ec2:ImportSnapshot",
"ec2:DescribeImportImageTasks",
"ec2:DescribeImportSnapshotTasks",
"ec2:CancelImportTask",
"ec2:DescribeVpcs",
"ec2:RunInstances",
"ec2:DescribeSubnets",
"ec2:DescribeInternetGateways",
"ec2:DescribeCustomerGateways",
"ec2:DescribeVpnGateways",
"ec2:DescribeVpnConnections",
"ec2:DescribeRouteTables",
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeNetworkAcls",
"ec2:DescribeDhcpOptions",
"ec2:CreateTags",
"ec2:CopySnapshot",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:ModifyVolume",
"ec2:CreateSnapshot",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeSnapshots",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeVolumesModifications",
"ec2:AssociateAddress",
"ec2:GetConsoleScreenshot",
"ec2:GetConsoleOutput",
"ec2:DescribeRegions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeNatGateways",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:MonitorInstances",
"ebs:CompleteSnapshot",
"kms:ListAliases"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ChangeResourceRecordSets",
"route53:ListHostedZonesByName",
"route53:ListHostedZonesByVPC",
"route53:ListResourceRecordSets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:TagResource",
"lambda:InvokeFunctionUrl",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:InvokeAsync",
"lambda:GetFunctionConfiguration",
"lambda:DeleteFunction",
"lambda:UntagResource"
],
"Resource": [
"arn:aws:lambda:*:*:function:*Druva*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:UntagLogGroup",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:TagLogGroup",
"logs:GetLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricStream",
"cloudwatch:TagResource",
"cloudwatch:PutMetricData",
"cloudwatch:UntagResource",
"cloudwatch:StopMetricStreams",
"cloudwatch:GetMetricData",
"cloudwatch:ListMetricStreams",
"cloudwatch:DeleteMetricStream",
"cloudwatch:GetMetricStream",
"cloudwatch:ListMetrics",
"cloudwatch:StartMetricStreams"
],
"Resource": "*"
}
]}

DruvaIAMPolicy.JSON policy for Gov Cloud

(Last updated May 02, 2022) 

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ebs:ListChangedBlocks",
"ebs:PutSnapshotBlock",
"ebs:GetSnapshotBlock",
"ebs:ListSnapshotBlocks",
"ebs:StartSnapshot"
],
"Condition": {
"StringLike": {
"aws:RequestTag/Name": [
"druva*",
"Druva*",
"phoenix*",
"Phoenix*"
]
}
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:ListInstanceProfiles",
"Resource": "arn:aws-us-gov:iam::*:instance-profile/*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:Get*",
"s3:Getobject",
"s3:GetobjectAcl",
"s3:List*",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutBucketPolicy",
"s3:GetBucketPolicy",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws-us-gov:s3:::phoenix*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws-us-gov:iam::*:role/*"
},
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:UntagQueue",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"sqs:TagQueue",
"sqs:RemovePermission",
"sqs:ListDeadLetterSourceQueues",
"sqs:AddPermission",
"sqs:PurgeQueue",
"sqs:DeleteQueue",
"sqs:CreateQueue",
"sqs:ChangeMessageVisibility",
"sqs:SetQueueAttributes"
],
"Resource": [
"arn:aws-us-gov:sqs:*:*:phoenix*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeConversionTasks",
"ec2:DescribeExportTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:DescribeTags",
"ec2:ImportInstance",
"ec2:ImportVolume",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ImportImage",
"ec2:ImportSnapshot",
"ec2:DescribeImportImageTasks",
"ec2:DescribeImportSnapshotTasks",
"ec2:CancelImportTask",
"ec2:DescribeVpcs",
"ec2:RunInstances",
"ec2:DescribeSubnets",
"ec2:DescribeInternetGateways",
"ec2:DescribeCustomerGateways",
"ec2:DescribeVpnGateways",
"ec2:DescribeVpnConnections",
"ec2:DescribeRouteTables",
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeNetworkAcls",
"ec2:DescribeDhcpOptions",
"ec2:CreateTags",
"ec2:CopySnapshot",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:ModifyVolume",
"ec2:CreateSnapshot",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumesModifications",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:ModifyInstanceAttribute",
"ec2:AssociateAddress",
"ec2:GetConsoleScreenshot",
"ec2:GetConsoleOutput",
"ec2:DescribeRegions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeNatGateways",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:MonitorInstances",
"ebs:CompleteSnapshot",
"kms:ListAliases"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ChangeResourceRecordSets",
"route53:ListHostedZonesByName",
"route53:ListHostedZonesByVPC",
"route53:ListResourceRecordSets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:TagResource",
"lambda:InvokeFunctionUrl",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:InvokeAsync",
"lambda:GetFunctionConfiguration",
"lambda:DeleteFunction",
"lambda:UntagResource"
],
"Resource": [
"arn:aws-us-gov:lambda:*:*:function:*Druva*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:UntagLogGroup",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:TagLogGroup",
"logs:GetLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricStream",
"cloudwatch:TagResource",
"cloudwatch:PutMetricData",
"cloudwatch:UntagResource",
"cloudwatch:StopMetricStreams",
"cloudwatch:GetMetricData",
"cloudwatch:ListMetricStreams",
"cloudwatch:DeleteMetricStream",
"cloudwatch:GetMetricStream",
"cloudwatch:ListMetrics",
"cloudwatch:StartMetricStreams"
],
"Resource": "*"
}
]}