Skip to main content
Druva Documentation

Create IAM policy and role for the Phoenix AWS Proxy

Phoenix Editions: File:/cross.pngBusiness         File:/tick.png Enterprise     File:/tick.pngElite
(Purchase Separately)

This section provides the steps to create IAM Policy and IAM Role on the AWS console. The IAM Policy defines the trusted permission attributes to import virtual machine images from the Phoenix Cloud to your AWS account, as DR copies. The IAM Policy and IAM Role allows you to define permissions and role for the Phoenix AWS Proxy to access AWS capabilities. 

Step 1: Create IAM Policy to access AWS resources

You must create an IAM Policy to access AWS resources. Before you create an IAM Policy, ensure that you have downloaded the policy file and saved the file on the machine. For more information, see Download policy.


  1. Log in to the AWS account. 
  2. Under the Security, Identity & Compliance section, click IAM.
  3. On the left pane of the Welcome to Identity and Access Management page, click Policies.
  4. On the top-left corner of the page, click Create Policy.
  5. On the Create Policy page, select the JSON tab. 
  6. In the JSON tab, copy-paste the policy_dr_proxy.json policy. For more information, see Download policy.
  7. After you copy-paste the JSON policy, click Review policy
  8. In the Review policy section, add the following details:
    • Policy Name: A unique IAM Policy name.
    • Description: A description of the added policy.
    • Summary: Review the permissions that your policy grants. 
  9. Click Create Policy.

Step 2: Create IAM Role for Phoenix AWS Proxy

The IAM Role ensures that the Phoenix AWS Proxy has sufficient privileges to import data from the Phoenix Cloud to the customer's AWS account and create a DR copy. It also provides read and write permissions to the Phoenix AWS Proxy for the EC2 service to create and store DR copies in the account. The Phoenix AWS Proxy can use the DR copies to start EC2 instance using the DR copies in the AWS account.

Note: Role with the required policy must be attached to the Phoenix AWS Proxy.

Before you create an IAM Role, ensure that you have created the IAM Policy. For more information, see Create IAM Policy.


  1. On the AWS console, under the Security, Identity & Compliance section, click IAM.
  2. On the left pane of the Welcome to Identity and Access Management page, click Roles.
  3. On the Roles page, click Create role.
  4. In the Select type of trusted entity section of the Create role wizard, select AWS service > EC2, and then click Next: Permissions.
  5. In the Attach permissions policies section, select the Phoenix AWS Proxy policy that you created in Step 1, and click Next: Tags.

    You can optionally add IAM tags to your role. IAM tags are the key-value pairs that you can use to organize, monitor, or control the access to the role. For example, you can specify the name of the role.
  6. In the Add tags (optional) section, specify the key and its value.
  7. Click Next:Review.
  8. In the Review section, enter a unique name for the disaster recovery role in the Role name box, verify the role information, and click Create role

Phoenix lists the role created on the Configure Instance Details page.

  • Was this article helpful?