
DruvaIAMPolicy

This article provides a sample DruvaIAMPolicy.JSON policy for Public Cloud and Gov Cloud. The DruvaIAMPolicy policy defines the AWS permissions that you can assign to a user, group, or role. Note that the sample's `iam:PassRole` statement applies to every role in the account (`role/*`) and its EC2 statement applies to all resources (`"Resource": "*"`), so review whether these scopes fit your environment before attaching the policy.

DruvaIAMPolicy.JSON policy for Public Cloud

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:Get*",
                "s3:Getobject",
                "s3:GetobjectAcl",
                "s3:List*",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutBucketPolicy",
                "s3:GetBucketPolicy",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::phoenix*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Effect": "Allow"
        },
        {
            "Action": "iam:ListInstanceProfiles",
            "Resource": "arn:aws:iam::*:instance-profile/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ChangeMessageVisibility",
                "sqs:SendMessageBatch",
                "sqs:UntagQueue",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "sqs:TagQueue",
                "sqs:RemovePermission",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:AddPermission",
                "sqs:DeleteMessageBatch",
                "sqs:PurgeQueue",
                "sqs:DeleteQueue",
                "sqs:CreateQueue",
                "sqs:ChangeMessageVisibilityBatch",
                "sqs:SetQueueAttributes"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:phoenix*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:CancelConversionTask",
                "ec2:CancelExportTask",
                "ec2:CreateImage",
                "ec2:CreateInstanceExportTask",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeExportTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DeregisterImage",
                "ec2:DeleteSnapshot",
                "ec2:DescribeTags",
                "ec2:ImportInstance",
                "ec2:ImportVolume",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:ImportImage",
                "ec2:ImportSnapshot",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeImportSnapshotTasks",
                "ec2:CancelImportTask",
                "ec2:DescribeVpcs",
                "ec2:RunInstances",
                "ec2:DescribeSubnets",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeRouteTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeDhcpOptions",
                "ec2:CreateTags",
                "ec2:CopySnapshot",
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:ModifyVolume",
                "ec2:CreateSnapshot",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeSnapshots",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeVolumesModifications",
                "ec2:AssociateAddress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

DruvaIAMPolicy.JSON policy for Gov Cloud

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "iam:ListInstanceProfiles",
            "Resource": "arn:aws-us-gov:iam::*:instance-profile/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:Get*",
                "s3:Getobject",
                "s3:GetobjectAcl",
                "s3:List*",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutBucketPolicy",
                "s3:GetBucketPolicy",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws-us-gov:s3:::phoenix*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws-us-gov:iam::*:role/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ChangeMessageVisibility",
                "sqs:SendMessageBatch",
                "sqs:UntagQueue",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "sqs:TagQueue",
                "sqs:RemovePermission",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:AddPermission",
                "sqs:DeleteMessageBatch",
                "sqs:PurgeQueue",
                "sqs:DeleteQueue",
                "sqs:CreateQueue",
                "sqs:ChangeMessageVisibilityBatch",
                "sqs:SetQueueAttributes"
            ],
            "Resource": [
                "arn:aws-us-gov:sqs:*:*:phoenix*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:CancelConversionTask",
                "ec2:CancelExportTask",
                "ec2:CreateImage",
                "ec2:CreateInstanceExportTask",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeExportTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DeregisterImage",
                "ec2:DeleteSnapshot",
                "ec2:DescribeTags",
                "ec2:ImportInstance",
                "ec2:ImportVolume",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:ImportImage",
                "ec2:ImportSnapshot",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeImportSnapshotTasks",
                "ec2:CancelImportTask",
                "ec2:DescribeVpcs",
                "ec2:RunInstances",
                "ec2:DescribeSubnets",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeRouteTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeDhcpOptions",
                "ec2:CreateTags",
                "ec2:CopySnapshot",
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:ModifyVolume",
                "ec2:CreateSnapshot",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumeStatus",
                "ec2:ModifyInstanceAttribute",
                "ec2:AssociateAddress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}