AWS Minimal Permission Policy

Cloud Snapshot Manager requires the following AWS permissions to protect your AWS resources. For an explanation of why each of these permissions is needed, see AWS minimum permission requirements in the Cloud Snapshot Manager Online Help. Note that every statement in the policy below except the ssm:SendCommand and iam:CreateServiceLinkedRole statements is granted on "Resource": ["*"], including the IAM statement (iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy, iam:PassRole); before attaching the policy, review whether those resources can be scoped to the roles and resources Cloud Snapshot Manager actually manages in your account.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1466719308000", "Effect": "Allow", "Action": [ "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AssociateIamInstanceProfile", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateImage", "ec2:CreateNetworkInterface", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeAddresses", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeKeyPairs", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeAccountAttributes", "ec2:DescribeInternetGateways", "ec2:DetachVolume", "ec2:DisassociateAddress", "ec2:ModifyInstanceAttribute", "ec2:ModifySnapshotAttribute", "ec2:RegisterImage", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": [ "*" ] }, { "Sid": "Stmt1466720176000", "Effect": "Allow", "Action": [ "rds:AddRoleToDBCluster", "rds:CopyDBClusterSnapshot", "rds:CopyDBSnapshot", "rds:CreateDBClusterSnapshot", "rds:CreateDBSnapshot", "rds:CreateDBInstance", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeDBSnapshots", "rds:DeleteDBSnapshot", "rds:DeleteDBClusterSnapshot", "rds:DeleteDBCluster", "rds:DeleteDBInstance", "rds:ListTagsForResource", "rds:ModifyDBInstance", "rds:ModifyDBCluster", "rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBInstanceFromDBSnapshot" ], "Resource": [ "*" ] }, { "Sid": 
"IAMPermissions", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetRole", "iam:PassRole", "iam:PutRolePolicy" ], "Resource": [ "*" ] }, { "Sid": "Stmt1466719308001", "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey*", "kms:ListAliases", "kms:ListKeys", "kms:ListGrants", "kms:ReEncrypt*", "kms:RevokeGrant" ], "Resource": [ "*" ] }, { "Sid": "CSMCostExplorerPermissions", "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", "ce:GetDimensionValues" ], "Resource": [ "*" ] }, { "Sid": "Stmt1466720176001", "Effect": "Allow", "Action": [ "ssm:DescribeDocument", "ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation" ], "Resource": [ "*" ] }, { "Sid": "Stmt1466720176002", "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": [ "arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot", "arn:aws:ssm:*:*:document/CSM-*", "arn:aws:ec2:*:*:instance/*" ] }, { "Sid": "RedshiftPermissions", "Effect": "Allow", "Action": [ "redshift:CreateClusterSnapshot", "redshift:CreateTags", "redshift:DescribeClusters", "redshift:DescribeClusterSnapshots", "redshift:DeleteClusterSnapshot", "redshift:RestoreFromClusterSnapshot" ], "Resource": [ "*" ] }, { "Sid": "DynamodbPermissions", "Effect": "Allow", "Action": [ "dynamodb:BatchWriteItem", "dynamodb:CreateBackup", "dynamodb:DescribeBackup", "dynamodb:DescribeTable", "dynamodb:DeleteBackup", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:ListBackups", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:RestoreTableFromBackup", "dynamodb:Scan", "dynamodb:TagResource", "dynamodb:UpdateItem" ], "Resource": [ "*" ] }, { "Sid": "EBSPermissions", "Effect": "Allow", "Action": [ "ebs:CompleteSnapshot", "ebs:GetSnapshotBlock", "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks", "ebs:PutSnapshotBlock", "ebs:StartSnapshot" ], 
"Resource": [ "*" ] }, { "Sid": "CloudFormationPermissions", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents" ], "Resource": [ "*" ] }, { "Sid": "ECSPermissions", "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:CreateService", "ecs:DeleteCluster", "ecs:DeleteService", "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:DeregisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RegisterTaskDefinition" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS*", "Condition": { "StringLike": { "iam:AWSServiceName": "ecs.amazonaws.com" } } }, { "Sid": "SQSPermissions", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:ReceiveMessage", "sqs:SendMessage" ], "Resource": [ "*" ] } ] }