IAM Roles and Permissions
Updated over 8 months ago

Druva CloudRanger requires an AWS Identity and Access Management (IAM) role to access and manage your AWS workloads. To configure your Druva CloudRanger account, you need to grant CloudRanger third-party (cross-account) access to your AWS account.

To create the IAM role, Druva CloudRanger provides a CloudFormation template that provisions a CloudFormation stack in your AWS environment. The stack generates the following IAM resources, which CloudRanger uses to access your AWS account:

  • IAM Role

  • IAM Instance Profile

  • IAM Policy

The generated Amazon Resource Name (ARN) of the IAM role is then linked back to CloudRanger so that it can run backup and restore jobs on your AWS workloads.
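As an added illustration (not CloudRanger's template or code), the following Python models the three resources the stack creates and runs the checks a reviewer would apply to the role's trust policy before deploying the stack: the trusted principal must be one specific account rather than a wildcard, and the statement should require an sts:ExternalId so that only the intended third party can assume the role. The account ID, ExternalId, role name and the sample actions in the managed policy are placeholders, not CloudRanger's values.

```python
"""Model of a cross-account backup role as a CloudFormation stack would create it,
plus reviewer checks on the trust policy. Added example with placeholder values."""
import json

# Placeholder values: substitute the ones from your own CloudRanger setup.
PARTNER_ACCOUNT_ID = "111111111111"   # the third party's AWS account (placeholder)
EXTERNAL_ID = "example-external-id"   # unique per customer (placeholder)
ROLE_NAME = "CloudRangerBackupRole"   # hypothetical role name


def trust_policy(partner_account, external_id):
    """Trust policy allowing only the partner account to assume the role, and
    only when it presents the agreed ExternalId (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % partner_account},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def stack_resources(partner_account, external_id, role_name):
    """The three IAM resources the page says the stack generates: role,
    instance profile and policy. The policy actions here are a placeholder."""
    return {
        "BackupRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": role_name,
                "AssumeRolePolicyDocument": trust_policy(partner_account, external_id),
            },
        },
        "BackupInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {"Roles": [{"Ref": "BackupRole"}]},
        },
        "BackupPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "Roles": [{"Ref": "BackupRole"}],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": ["ec2:DescribeInstances", "ec2:CreateSnapshot"],
                        "Resource": "*",
                    }],
                },
            },
        },
    }


def role_arn(account_id, role_name):
    """ARN of the created role; this is the value handed back to CloudRanger."""
    return "arn:aws:iam::%s:role/%s" % (account_id, role_name)


def trust_policy_findings(policy):
    """Reviewer findings for a role trust policy; an empty list means it passes."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        aws_list = aws if isinstance(aws, list) else [aws]
        if principal == "*" or "*" in aws_list:
            findings.append("trust policy allows any principal to assume the role")
        condition = stmt.get("Condition", {})
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition: confused-deputy risk")
    return findings


if __name__ == "__main__":
    resources = stack_resources(PARTNER_ACCOUNT_ID, EXTERNAL_ID, ROLE_NAME)
    print(json.dumps({"Resources": resources}, indent=2))
    print("findings:", trust_policy_findings(
        resources["BackupRole"]["Properties"]["AssumeRolePolicyDocument"]))
    print("link this ARN back to CloudRanger:", role_arn("123456789012", ROLE_NAME))
```

Run the module to print the template body and the findings; the generated trust policy passes both checks, while a policy with a "*" principal or without the ExternalId condition is reported.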

Roles and Permissions

The following table provides detailed information about the permissions allowed for various roles:

Each entry below lists the permission category, the permission names, and what the permissions are used for.

Category: Resource-specific permissions

  EC2 Backup permissions
    Permissions: ec2:CopyImage, ec2:CopySnapshot, ec2:RunCommand, ec2:ModifySnapshotAttribute, ec2:ModifyImageAttribute, ec2:TerminateInstances, ec2:CreateImage, ec2:DeregisterImage, ec2:CreateSnapshot, ec2:DeleteSnapshot, ec2:DescribeInstances
    Description: Permissions required to back up EC2 instances.

  EC2 Restore permissions
    Permissions: ec2:CreateVolume, ec2:RegisterImage, ec2:AttachVolume, ec2:DescribeAvailabilityZones, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:DescribeVpcAttribute, ec2:DescribeVpcEndpoints, ec2:DescribeSecurityGroups
    Description: Permissions required to restore EC2 instances.

  EC2 Core permissions
    Permissions: ec2:DescribeRegions, ec2:DescribeSnapshots, ec2:DescribeTags, ec2:DescribeVolumes, ec2:DescribeImages, ec2:CreateTags, ec2:DeleteTags
    Description: Permissions required to manage core EC2 components as well as the resource on/off schedules.

  RDS Backup permissions
    Permissions: rds:CreateDBSnapshot, rds:DeleteDBSnapshot, rds:CreateDBClusterSnapshot, rds:DeleteDBClusterSnapshot, rds:AddTagsToResource, rds:DescribeDBSnapshots, rds:DescribeDBClusterSnapshots, rds:DescribeDBInstances, rds:RemoveTagsFromResource, rds:ListTagsForResource, rds:ModifyDBSnapshotAttribute, rds:ModifyDBClusterSnapshotAttribute, rds:CopyDBSnapshot, rds:CopyDBClusterSnapshot
    Description: Permissions required to back up RDS databases.

  RDS Restore permissions
    Permissions: rds:DescribeDBClusterParameterGroups, rds:CreateDBParameterGroup, rds:CreateDBClusterParameterGroup, rds:DeleteDBParameterGroup, rds:DeleteDBClusterParameterGroup, rds:CopyDBParameterGroup, rds:DeleteOptionGroup, rds:DescribeDBSecurityGroups, rds:AuthorizeDBSecurityGroupIngress, rds:RevokeDBSecurityGroupIngress, rds:CreateDBSecurityGroup, rds:DeleteDBSecurityGroup, rds:DescribeOptionGroupOptions, rds:CopyOptionGroup, rds:CreateOptionGroup, rds:RestoreDBInstanceFromDBSnapshot, rds:RestoreDBClusterFromSnapshot, rds:CreateDBInstance, rds:DescribeOptionGroups, rds:DescribeDBParameterGroups, rds:DescribeDBSubnetGroups
    Description: Permissions required to restore RDS databases.

  RDS Core permissions
    Permissions: rds:DescribeDBSnapshots, rds:DescribeDBClusterSnapshots, rds:DescribeDBInstances, rds:RemoveTagsFromResource, rds:ListTagsForResource
    Description: Permissions required to manage core RDS components.

  Redshift Backup permissions
    Permissions: redshift:authorizeSnapshotAccess, redshift:copyClusterSnapshot, redshift:createClusterSnapshot, redshift:deleteClusterSnapshot, redshift:deleteTags, redshift:describeClusters, redshift:describeClusterSnapshots, redshift:describeSnapshotCopyGrants, redshift:describeTags
    Description: Permissions required to back up Redshift resources.

  Redshift Restore permissions
    Permissions: redshift:revokeSnapshotAccess
    Description: Permissions required to restore Redshift resources.

  DynamoDB Backup permissions
    Permissions: dynamodb:CreateBackup, dynamodb:BatchGetItem, dynamodb:Describe*, dynamodb:List*, dynamodb:GetItem, dynamodb:Query, dynamodb:Scan, dynamodb:UntagResource, dynamodb:DeleteBackup
    Description: Permissions required to back up DynamoDB tables.

  DynamoDB Restore permissions
    Permissions: dynamodb:CreateTable, dynamodb:BatchWriteItem, dynamodb:PutItem, dynamodb:DeleteItem, dynamodb:RestoreTableFromBackup, dynamodb:RestoreTableToPointInTime, dynamodb:CreateTableReplica, dynamodb:UpdateItem, dynamodb:UpdateTable, dynamodb:TagResource, dynamodb:Scan, dynamodb:Query, dynamodb:GetItem
    Description: Permissions required to restore DynamoDB tables.

  Resource Scheduling permissions
    Permissions: ec2:RebootInstances, ec2:RunInstances, ec2:StartInstances, ec2:StopInstances, rds:StopDBInstance, rds:StartDBInstance
    Description: Permissions required as part of the resource on/off schedules.

  CloudFormation stack-level permissions
    Permissions: cloudformation:CreateStack, cloudformation:DescribeStacks, cloudformation:DescribeStackEvents, cloudformation:ListStackResources, cloudformation:DescribeStackResource, cloudformation:DescribeStackResources, cloudformation:DeleteStack
    Description: Permissions required to configure and manage the AWS CloudFormation stack.

  S3 Archive permissions (read)
    Permissions: s3:GetObject, s3:GetObjectAcl, s3:GetObjectVersion, s3:GetObjectVersionAcl, s3:GetObjectTagging, s3:GetBucketObjectLockConfiguration, s3:GetBucketPublicAccessBlock, s3:GetBucketLocation, s3:ListBucket, s3:ListAllMyBuckets, s3:ListBucketVersions, s3:ListBucketByTags
    Description: Permissions required to perform backup operations on S3 Archive (to move EC2 backups to S3).
    Note: These are read-only permissions with no associated conditions.

  S3 Archive permissions (write)
    Permissions: s3:CreateBucket, s3:PutBucketAcl, s3:PutEncryptionConfiguration, s3:PutBucketPublicAccessBlock, s3:PutObject, s3:PutObjectAcl, s3:DeleteObject, s3:DeleteObjectVersion, s3:PutObjectTagging, s3:PutBucketObjectLockConfiguration, s3:PutBucketVersioning, s3:HeadBucket, s3:HeadObject
    Description: Permissions required to perform backup operations on S3 Archive (to move EC2 backups to S3).
    Note: The 'write' permissions have their associated conditions set to 'Allow' and are restricted to CloudRanger-provisioned buckets.

Category: Automated Disaster Recovery (ADR) permissions

  VPC Cloning permissions
    Permissions: ec2:ModifyVpcAttribute, ec2:ModifySubnetAttribute, ec2:ModifyNetworkInterfaceAttribute, ec2:CreateNetworkInterfacePermission, ec2:describeAddresses, ec2:describeDhcpOptions, ec2:DescribeInternetGateways, ec2:DescribeEgressOnlyInternetGateways, ec2:DescribeNatGateways, ec2:CreateVPC, ec2:CreateNetworkAcl, ec2:CreateNetworkAclEntry, ec2:CreateRouteTable, ec2:CreateRoute, ec2:DescribeNetworkAcls, ec2:AllocateAddress, ec2:AssociateAddress, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:DescribeRouteTables, rds:createSubnetGroup, ec2:AssociateRouteTable, ec2:CreateInternetGateway, ec2:AttachInternetGateway, ec2:createNatGateway, rds:CreateDBSubnetGroup, ec2:CreateSecurityGroup, ec2:CreateEgressOnlyInternetGateway, ec2:CreateDHCPOptions, ec2:AssociateDHCPOptions
    Description: Permissions required for VPC Cloning as part of the ADR workflow.

  VPC Cloning mapping permissions
    Permissions: ec2:describeAddresses, ec2:describeDhcpOptions, ec2:DescribeInternetGateways, ec2:DescribeKeyPairs, ec2:DescribeNetworkAcls
    Description: Permissions required as part of mapping the core VPC Cloning components within ADR.

  VPC Cloning teardown permissions
    Permissions: ec2:DeleteVolume, ec2:DeleteNetworkInterfacePermission, ec2:DeleteVPC, ec2:createSubnet, ec2:deleteSubnet, ec2:deleteRoute, ec2:DeleteNetworkAcl, ec2:DeleteNetworkAclEntry, ec2:ReplaceNetworkAclAssociation, ec2:ReplaceNetworkAclEntry, ec2:RevokeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress, ec2:ReleaseAddress, ec2:DisassociateAddress, ec2:deleteRouteTable, ec2:DisassociateRouteTable, ec2:DetachInternetGateway, ec2:deleteInternetGateway, ec2:deleteNatGateway, ec2:deleteEgressOnlyInternetGateway, ec2:deleteDHCPOptions, ec2:DeleteSecurityGroup, cloudformation:DeleteStack, rds:DeleteDBSubnetGroup, rds:DeleteDBInstance, rds:DeleteDBCluster
    Description: Permissions required as part of VPC Cloning teardown.

Category: Policy-level permissions

  KMS Encryption Keys
    Permissions: kms:Decrypt, kms:ListKeyPolicies, kms:GenerateRandom, kms:ListRetirableGrants, kms:GetKeyPolicy, kms:GenerateDataKeyWithoutPlaintext, kms:ListResourceTags, kms:ReEncryptFrom, kms:ListGrants, kms:ListKeys, kms:Encrypt, kms:ListAliases, kms:GenerateDataKey, kms:CreateAlias, kms:ReEncryptTo, kms:DescribeKey, kms:DeleteAlias, kms:CreateGrant, kms:RevokeGrant
    Description: Permissions required as part of cross-region and cross-account copy of encrypted backups.

  IAM instance profile and SSM permissions
    Permissions: iam:ListInstanceProfiles, iam:AddRoleToInstanceProfile, iam:RemoveRoleFromInstanceProfile, iam:ListInstanceProfilesForRole, iam:GetInstanceProfile, iam:GetRole, iam:ListAccountAliases, iam:ListAttachedRolePolicies, iam:ListPolicies, iam:AttachRolePolicy, ec2:DescribeIamInstanceProfileAssociations, ec2:AssociateIamInstanceProfile, ec2:DisassociateIamInstanceProfile, ssm:DescribeInstanceInformation, ssm:SendCommand, ssm:GetCommandInvocation
    Description: Permissions required to enable VSS-consistent snapshots.
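The following Python, added here as an example and not CloudRanger's own code, audits a policy document attached to the role against the permission table above. It reports any allowed action the table does not list (drift or over-provisioning) and flags S3 write actions granted on Resource "*" with no condition, which contradicts the note that write permissions are restricted to CloudRanger-provisioned buckets. The DOCUMENTED dictionary is a subset of the table; the sample policy, bucket ARN and account ID are constructed for the example, and the s3:ResourceAccount condition is one way of scoping writes, not necessarily the condition CloudRanger's template uses.

```python
"""Audit an IAM policy document against the documented permission table.
Added example; DOCUMENTED is a subset of the table and SAMPLE_POLICY is constructed."""
import fnmatch

# Subset of the documented permission groups, copied from the table above.
DOCUMENTED = {
    "EC2 Backup": {"ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeInstances",
                   "ec2:CreateImage", "ec2:DeregisterImage", "ec2:CopySnapshot"},
    "DynamoDB Backup": {"dynamodb:CreateBackup", "dynamodb:Describe*", "dynamodb:List*"},
    "S3 Archive read": {"s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"},
    "S3 Archive write": {"s3:CreateBucket", "s3:PutObject", "s3:DeleteObject",
                         "s3:PutBucketVersioning", "s3:PutBucketObjectLockConfiguration"},
}
# Any S3 action with one of these prefixes is treated as a write.
S3_WRITE_PREFIXES = ("s3:put", "s3:delete", "s3:create")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _documented(action):
    """Case-insensitive match against the table, honouring '*' patterns
    such as dynamodb:Describe* (IAM action names are case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for group in DOCUMENTED.values() for pattern in group)


def undocumented_actions(policy):
    """Actions the policy allows that the documentation does not list."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not _documented(action):
                found.add(action)
    return sorted(found)


def unscoped_s3_writes(policy):
    """S3 write actions in statements that are neither resource-scoped nor
    conditioned. The table's note says writes are restricted to
    CloudRanger-provisioned buckets, so such a statement is drift."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        scoped = "*" not in resources or bool(stmt.get("Condition"))
        if scoped:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower().startswith(S3_WRITE_PREFIXES):
                findings.append(action)
    return findings


# Constructed sample: one compliant read statement on "*", one write statement
# scoped to a placeholder bucket in the customer's own account, and one drifted
# statement that grants an undocumented action and an unscoped S3 write.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances",
                    "dynamodb:DescribeTable"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::cloudranger-archive-example/*"],  # placeholder bucket
         "Condition": {"StringEquals": {"s3:ResourceAccount": "123456789012"}}},  # placeholder
        {"Effect": "Allow",
         "Action": ["s3:PutBucketVersioning", "ec2:ModifyInstanceAttribute"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("undocumented actions:", undocumented_actions(SAMPLE_POLICY))
    print("unscoped S3 writes:", unscoped_s3_writes(SAMPLE_POLICY))
```

To audit a deployed role, replace SAMPLE_POLICY with the policy document fetched from IAM (for example via the AWS CLI's get-policy-version output) and extend DOCUMENTED with the remaining rows of the table.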
