AWS Minimal Permission Policy
Cloud Snapshot Manager requires the following AWS permissions to protect your AWS resources. To understand why Cloud Snapshot Manager needs these specific permissions, see AWS minimum permission requirements in Cloud Snapshot Manager Online Help.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1466719308000",
"Effect": "Allow",
"Action": [
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateIamInstanceProfile",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:CreateImage",
"ec2:CreateNetworkInterface",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeregisterImage",
"ec2:DescribeAddresses",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DescribeKeyPairs",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInternetGateways",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:ModifyInstanceAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:RegisterImage",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1466720176000",
"Effect": "Allow",
"Action": [
"rds:AddRoleToDBCluster",
"rds:CopyDBClusterSnapshot",
"rds:CopyDBSnapshot",
"rds:CreateDBClusterSnapshot",
"rds:CreateDBSnapshot",
"rds:CreateDBInstance",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeDBSnapshots",
"rds:DeleteDBSnapshot",
"rds:DeleteDBClusterSnapshot",
"rds:DeleteDBCluster",
"rds:DeleteDBInstance",
"rds:ListTagsForResource",
"rds:ModifyDBInstance",
"rds:ModifyDBCluster",
"rds:RestoreDBClusterFromSnapshot",
"rds:RestoreDBInstanceFromDBSnapshot"
],
"Resource": [
"*"
]
},
{
"Sid": "IAMPermissions",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1466719308001",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ListAliases",
"kms:ListKeys",
"kms:ListGrants",
"kms:ReEncrypt*",
"kms:RevokeGrant"
],
"Resource": [
"*"
]
},
{
"Sid": "CSMCostExplorerPermissions",
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetDimensionValues"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1466720176001",
"Effect": "Allow",
"Action": [
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetCommandInvocation"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1466720176002",
"Effect": "Allow",
"Action": "ssm:SendCommand",
"Resource": [
"arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot",
"arn:aws:ssm:*:*:document/CSM-*",
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Sid": "RedshiftPermissions",
"Effect": "Allow",
"Action": [
"redshift:CreateClusterSnapshot",
"redshift:CreateTags",
"redshift:DescribeClusters",
"redshift:DescribeClusterSnapshots",
"redshift:DeleteClusterSnapshot",
"redshift:RestoreFromClusterSnapshot"
],
"Resource": [
"*"
]
},
{
"Sid": "DynamodbPermissions",
"Effect": "Allow",
"Action": [
"dynamodb:BatchWriteItem",
"dynamodb:CreateBackup",
"dynamodb:DescribeBackup",
"dynamodb:DescribeTable",
"dynamodb:DeleteBackup",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:ListBackups",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:RestoreTableFromBackup",
"dynamodb:Scan",
"dynamodb:TagResource",
"dynamodb:UpdateItem"
],
"Resource": [
"*"
]
},
{
"Sid": "EBSPermissions",
"Effect": "Allow",
"Action": [
"ebs:CompleteSnapshot",
"ebs:GetSnapshotBlock",
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks",
"ebs:PutSnapshotBlock",
"ebs:StartSnapshot"
],
"Resource": [
"*"
]
},
{
"Sid": "CloudFormationPermissions",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents"
],
"Resource": [
"*"
]
},
{
"Sid": "ECSPermissions",
"Effect": "Allow",
"Action": [
"ecs:CreateCluster",
"ecs:CreateService",
"ecs:DeleteCluster",
"ecs:DeleteService",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:DeregisterTaskDefinition",
"ecs:DeregisterTaskDefinition",
"ecs:RegisterTaskDefinition"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "ecs.amazonaws.com"
}
}
},
{
"Sid": "SQSPermissions",
"Effect": "Allow",
"Action": [
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": [
"*"
]
}
]
}