AWS Minimal Permission Policy
Cloud Snapshot Manager requires the following AWS permissions to protect your AWS resources. To understand why Cloud Snapshot Manager needs these specific permissions, see AWS minimum permission requirements in Cloud Snapshot Manager Online Help.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1466719308000",
"Effect": "Allow",
"Action": [
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateIamInstanceProfile",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:CreateImage",
"ec2:CreateNetworkInterface",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeregisterImage",
"ec2:DescribeAddresses",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:ModifyInstanceAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:RegisterImage",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:DescribeVpcs",
"ec2:DescribeKeyPairs",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInternetGateways",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1466720176000",
"Effect": "Allow",
"Action": [
"rds:CopyDBClusterSnapshot",
"rds:CopyDBSnapshot",
"rds:CreateDBClusterSnapshot",
"rds:CreateDBSnapshot",
"rds:CreateDBInstance",
"rds:AddRoleToDBCluster",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeDBSnapshots",
"rds:ListTagsForResource",
"rds:ModifyDBInstance",
"rds:ModifyDBCluster",
"rds:RestoreDBClusterFromSnapshot",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:DeleteDBSnapshot",
"rds:DeleteDBClusterSnapshot",
"rds:DeleteDBCluster",
"rds:DeleteDBInstance"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1466719308001",
"Effect": "Allow",
"Action": [
"kms:ListAliases",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:ListKeys",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": [
"*"
]
},
{
"Sid": "CSMCostExplorerPermissions",
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetDimensionValues"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1466720176001",
"Effect": "Allow",
"Action": [
"ssm:DescribeInstanceInformation",
"ssm:GetCommandInvocation",
"ssm:DescribeDocument"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1466720176002",
"Effect": "Allow",
"Action": "ssm:SendCommand",
"Resource": [
"arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot",
"arn:aws:ssm:*:*:document/CSM-*",
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Sid": "redshiftpermissions",
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters",
"redshift:DescribeClusterSnapshots",
"redshift:DeleteClusterSnapshot",
"redshift:CreateClusterSnapshot",
"redshift:CreateTags",
"redshift:RestoreFromClusterSnapshot"
],
"Resource": [
"*"
]
},
{
"Sid": "dynamodbPerms",
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:CreateBackup",
"dynamodb:DeleteBackup",
"dynamodb:DescribeBackup",
"dynamodb:ListBackups",
"dynamodb:ListTables",
"dynamodb:RestoreTableFromBackup",
"dynamodb:ListTagsOfResource",
"dynamodb:TagResource",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:PutItem",
"dynamodb:GetItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
"*"
]
}
]
}