AWS Minimal Permission Policy

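Cloud Snapshot Manager requires the following AWS permissions to protect your AWS resources. To understand why Cloud Snapshot Manager needs each of these permissions, see "AWS minimum permission requirements" in the Cloud Snapshot Manager Online Help. Every statement in the policy below except the `ssm:SendCommand` one is granted on `"Resource": ["*"]`, including `iam:PassRole`, the KMS encrypt/decrypt/grant actions and the DynamoDB item-level read and write actions. Before attaching the policy, check whether your deployment allows those statements to be narrowed to specific resource ARNs or restricted with conditions (for example, an `iam:PassedToService` condition on `iam:PassRole`).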

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1466719308000", "Effect": "Allow", "Action": [ "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AssociateIamInstanceProfile", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateImage", "ec2:CreateNetworkInterface", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeAddresses", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DetachVolume", "ec2:DisassociateAddress", "ec2:ModifyInstanceAttribute", "ec2:ModifySnapshotAttribute", "ec2:RegisterImage", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeVpcs", "ec2:DescribeKeyPairs", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeAccountAttributes", "ec2:DescribeInternetGateways", "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": [ "*" ] }, { "Sid": "Stmt1466720176000", "Effect": "Allow", "Action": [ "rds:CopyDBClusterSnapshot", "rds:CopyDBSnapshot", "rds:CreateDBClusterSnapshot", "rds:CreateDBSnapshot", "rds:CreateDBInstance", "rds:AddRoleToDBCluster", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeDBSnapshots", "rds:ListTagsForResource", "rds:ModifyDBInstance", "rds:ModifyDBCluster", "rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBInstanceFromDBSnapshot", "rds:DeleteDBSnapshot", "rds:DeleteDBClusterSnapshot", "rds:DeleteDBCluster", "rds:DeleteDBInstance" ], "Resource": [ "*" ] }, { "Effect": 
"Allow", "Action": [ "iam:PassRole" ], "Resource": [ "*" ] }, { "Sid": "Stmt1466719308001", "Effect": "Allow", "Action": [ "kms:ListAliases", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:ListKeys", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": [ "*" ] }, { "Sid": "CSMCostExplorerPermissions", "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", "ce:GetDimensionValues" ], "Resource": [ "*" ] }, { "Sid": "Stmt1466720176001", "Effect": "Allow", "Action": [ "ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation", "ssm:DescribeDocument" ], "Resource": [ "*" ] }, { "Sid": "Stmt1466720176002", "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": [ "arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot", "arn:aws:ssm:*:*:document/CSM-*", "arn:aws:ec2:*:*:instance/*" ] }, { "Sid": "redshiftpermissions", "Effect": "Allow", "Action": [ "redshift:DescribeClusters", "redshift:DescribeClusterSnapshots", "redshift:DeleteClusterSnapshot", "redshift:CreateClusterSnapshot", "redshift:CreateTags", "redshift:RestoreFromClusterSnapshot" ], "Resource": [ "*" ] }, { "Sid": "dynamodbPerms", "Effect": "Allow", "Action": [ "dynamodb:DescribeTable", "dynamodb:CreateBackup", "dynamodb:DeleteBackup", "dynamodb:DescribeBackup", "dynamodb:ListBackups", "dynamodb:ListTables", "dynamodb:RestoreTableFromBackup", "dynamodb:ListTagsOfResource", "dynamodb:TagResource", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "*" ] } ] }