
IAM Roles and Permissions for AWS S3


AWS Workloads (CloudRanger) requires an Identity and Access Management (IAM) role to access and manage your AWS workloads. To configure your AWS Workloads account, you must grant AWS Workloads third-party access to your AWS account.

To create the IAM role, the AWS Workloads Management Console provides a CloudFormation template that provisions a CloudFormation stack in your AWS environment. The stack creates the following IAM resources, which give AWS Workloads access to your AWS account:

  • IAM Role

  • IAM Instance Profile

  • IAM Policy

The generated Amazon Resource Name (ARN) of the IAM role is then linked back to AWS Workloads so that it can run backup and restore jobs on your AWS workloads.

Roles and Permissions

The following table describes the permissions granted to the role (shown here as a single category with its permission names and description):

Category: S3 bucket permissions

Permission names:

  • s3:ListBucket

  • s3:GetObject

  • s3:GetObjectVersion

  • s3:GetBucketVersioning

  • s3:GetBucketLocation

  • s3:ListObjects

  • s3:ListObjectsV2

  • s3:GetObjectTagging

  • s3:GetObjectAttributes

  • s3:PutObject

  • s3:PutObjectTagging

  • s3:PutObjectVersionTagging

  • s3:CreateBucket

  • s3:DeleteObject

  • s3:DeleteObjectVersion

  • s3:PutBucketVersioning

  • s3:PutBucketEncryption

  • s3:GetBucketEncryption

  • s3:ListAllMyBuckets

  • s3:GetBucketAcl

  • s3:GetBucketLifecycleConfiguration

  • s3:GetBucketReplication

  • s3:GetBucketTagging

  • s3:GetBucketLogging

  • s3:GetObjectLockConfiguration

  • s3:GetMetricStatistics

  • s3:GetBucketOwnershipControls

  • s3:GetObjectAcl

  • sts:GetCallerIdentity

  • kms:ListKeys

  • kms:DescribeKey

  • kms:ListAliases

  • kms:GenerateDataKey

  • kms:Decrypt

  • kms:Encrypt

  • kms:ReEncrypt

  • kms:CreateGrant

  • kms:RevokeGrant

  • s3:PutObjectAcl

  • cloudwatch:GetMetricStatistics

  • cloudwatch:ListMetrics

  • cloudwatch:GetMetricData

Permission description: Permissions required to discover, back up, and restore AWS S3 buckets.

You must update your CloudFormation stack. For more information, see Update Existing AWS Access Roles for AWS Workloads.

Refer to the sample below, which shows the IAM role resource as it appears in the CloudFormation template:

"CloudRangerS3AirGapRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": {
      "Fn::Join": [
        "",
        [
          "cloudranger-s3-airgap-backup-",
          {
            "Fn::GetAtt": [
              "CloudRangerInitializeSNSProvisioner",
              "CRAccountId"
            ]
          }
        ]
      ]
    },
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": [
            "sts:AssumeRole"
          ],
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::221354433967:role/CloudRanger2-dev-us-east-1-lambdaRole"
          },
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "cloudranger_SvCNzUMy"
            }
          }
        }
      ]
    },
    "Path": "/",
    "Policies": [
      {
        "PolicyName": "s3statements",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:ListObjects",
                "s3:ListObjectsV2",
                "s3:GetObjectTagging",
                "s3:GetObjectAttributes",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging",
                "s3:CreateBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutBucketVersioning",
                "s3:PutBucketEncryption",
                "s3:GetBucketEncryption",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "s3:GetBucketLifecycleConfiguration",
                "s3:GetBucketReplication",
                "s3:GetBucketTagging",
                "s3:GetBucketLogging",
                "s3:GetObjectLockConfiguration",
                "s3:GetMetricStatistics",
                "s3:GetBucketOwnershipControls",
                "s3:GetObjectAcl",
                "sts:GetCallerIdentity",
                "kms:ListKeys",
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:GenerateDataKey",
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ReEncrypt",
                "kms:CreateGrant",
                "kms:RevokeGrant",
                "s3:PutObjectAcl",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ]
        }
      }
    ]
  }
}
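The trust policy in the sample above relies on the sts:ExternalId condition so that the vendor's role can only assume this role on your behalf and not on behalf of another tenant, and the inline policy should grant exactly the actions listed in the permissions table. The following Python script is an added example, not part of this article or of the CloudRanger product: it checks both points against an embedded copy of the role's Properties block, so it runs offline. The vendor account id, role name and ExternalId are placeholders; the documented action list is copied from the table above; the embedded action list mirrors the template sample (cloudwatch:GetMetricData absent, s3:PutObjectAcl repeated) so the drift check has something to report; and without_external_id is a helper written here to show what a weakened trust policy looks like to the checker.

```python
"""Offline checks for a third-party access role (added example, not vendor code)."""
import copy
import json
from collections import Counter

# Permission names exactly as listed in the documentation table.
DOCUMENTED_ACTIONS = set("""
s3:ListBucket s3:GetObject s3:GetObjectVersion s3:GetBucketVersioning
s3:GetBucketLocation s3:ListObjects s3:ListObjectsV2 s3:GetObjectTagging
s3:GetObjectAttributes s3:PutObject s3:PutObjectTagging s3:PutObjectVersionTagging
s3:CreateBucket s3:DeleteObject s3:DeleteObjectVersion s3:PutBucketVersioning
s3:PutBucketEncryption s3:GetBucketEncryption s3:ListAllMyBuckets s3:GetBucketAcl
s3:GetBucketLifecycleConfiguration s3:GetBucketReplication s3:GetBucketTagging
s3:GetBucketLogging s3:GetObjectLockConfiguration s3:GetMetricStatistics
s3:GetBucketOwnershipControls s3:GetObjectAcl sts:GetCallerIdentity
kms:ListKeys kms:DescribeKey kms:ListAliases kms:GenerateDataKey kms:Decrypt
kms:Encrypt kms:ReEncrypt kms:CreateGrant kms:RevokeGrant s3:PutObjectAcl
cloudwatch:GetMetricStatistics cloudwatch:ListMetrics cloudwatch:GetMetricData
""".split())

# Constructed stand-in for the role's "Properties" block; account id, role name
# and ExternalId are placeholders. The action list mirrors the template sample:
# cloudwatch:GetMetricData is absent and s3:PutObjectAcl is repeated.
EXPECTED_PRINCIPAL = "arn:aws:iam::<VENDOR_ACCOUNT_ID>:role/<VENDOR_LAMBDA_ROLE>"
ROLE_PROPERTIES = {
    "AssumeRolePolicyDocument": {
        "Statement": [{
            "Action": ["sts:AssumeRole"],
            "Effect": "Allow",
            "Principal": {"AWS": EXPECTED_PRINCIPAL},
            "Condition": {"StringEquals": {"sts:ExternalId": "<EXTERNAL_ID>"}},
        }]
    },
    "Policies": [{
        "PolicyName": "s3statements",
        "PolicyDocument": {
            "Statement": [{
                "Action": sorted(DOCUMENTED_ACTIONS - {"cloudwatch:GetMetricData"})
                + ["s3:PutObjectAcl"],
                "Effect": "Allow",
                "Resource": "*",
            }]
        },
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(props, expected_principal):
    """Problems with the trust policy; an empty list means it looks right."""
    findings = []
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not principals or any(p != expected_principal for p in principals):
            findings.append(f"unexpected principal(s): {principals}")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if not conditions.get("sts:ExternalId"):
            findings.append("sts:AssumeRole allowed without an sts:ExternalId condition")
    return findings


def action_drift(props, documented):
    """Compare every Allow action in the inline policies with the documented set."""
    granted = []
    for policy in props["Policies"]:
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") == "Allow":
                granted.extend(_as_list(stmt["Action"]))
    counts = Counter(granted)
    return {
        "missing_from_template": sorted(documented - set(counts)),
        "not_documented": sorted(set(counts) - documented),
        "duplicated": sorted(a for a, n in counts.items() if n > 1),
        "wildcard_actions": sorted(a for a in counts if "*" in a),
    }


def wildcard_resource_policies(props):
    """Names of inline policies with a statement scoped to Resource '*'."""
    return [p["PolicyName"] for p in props["Policies"]
            if any("*" in _as_list(s.get("Resource", []))
                   for s in p["PolicyDocument"]["Statement"])]


def without_external_id(props):
    """Copy of the properties with the ExternalId condition removed (demo only)."""
    weak = copy.deepcopy(props)
    for stmt in weak["AssumeRolePolicyDocument"]["Statement"]:
        stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    report = {
        "trust": trust_policy_findings(ROLE_PROPERTIES, EXPECTED_PRINCIPAL),
        "trust_without_external_id": trust_policy_findings(
            without_external_id(ROLE_PROPERTIES), EXPECTED_PRINCIPAL),
        "actions": action_drift(ROLE_PROPERTIES, DOCUMENTED_ACTIONS),
        "resource_star": wildcard_resource_policies(ROLE_PROPERTIES),
    }
    print(json.dumps(report, indent=2))
```

Run it after pasting the Properties block of your own deployed stack in place of ROLE_PROPERTIES (for example from `aws cloudformation get-template`) and the principal ARN and ExternalId you were given in place of the placeholders. A non-empty trust finding or an unexpected entry in not_documented is worth raising with the vendor before updating the stack; the Resource "*" report is informational, since the role is documented to need account-wide bucket discovery.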