AWS Permissions for cross-account copying of snapshots

To support copy and restore snapshot operations to and from a DR account, Cloud Snapshot Manager requires specific IAM permissions.

To use the feature, you need the following:

  • Permissions to set up a DR account.
  • (Optional) Permissions to allow CSM to expire snapshots in the DR account.
  • (Optional) Permissions to run the Lambda script successfully if you are using the script to expire snapshots.
  • Permissions for the source account so that snapshots can be shared with and copied to the DR account.
  • Permissions for the account to which snapshots are restored in case of a restore operation.

To understand why Cloud Snapshot Manager needs these specific permissions, see AWS minimum permission requirements in the Cloud Snapshot Manager Online Help.

The following permissions are required to set up a DR account:

{
  "Sid": "Stmt1466719308000",
  "Effect": "Allow",
  "Action": [
    "ec2:CopySnapshot",
    "ec2:CreateTags",
    "ec2:DescribeSnapshots",
    "ec2:ModifySnapshotAttribute"
  ],
  "Resource": [ "*" ]
}

{
  "Sid": "Stmt1466719308001",
  "Effect": "Allow",
  "Action": [
    "kms:ListAliases",
    "kms:ListKeys",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": [ "*" ]
}

{
  "Sid": "CSMCostExplorerPermissions",
  "Effect": "Allow",
  "Action": [
    "ce:GetCostAndUsage"
  ],
  "Resource": [ "*" ]
}

The following permissions are required if you want to allow CSM to expire snapshots in the DR account:

{
  "Sid": "Stmt1466719308000",
  "Effect": "Allow",
  "Action": [
    "ec2:DeleteSnapshot",
    "ec2:DeleteTags"
  ],
  "Resource": [ "*" ]
}

The following permissions are required to run the Lambda script:

{
  "Sid": "Stmt1466719308000",
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeSnapshots",
    "ec2:DeleteSnapshot",
    "ec2:DescribeRegions",
    "logs:CreateLogStream",
    "logs:CreateLogGroup",
    "logs:PutLogEvents"
  ],
  "Resource": [ "*" ]
}

The following permission is required for the source account so that snapshots can be shared with and copied to the DR account:

{
  "Sid": "Stmt1466719308000",
  "Effect": "Allow",
  "Action": [
    "ec2:ModifySnapshotAttribute"
  ],
  "Resource": [ "*" ]
}

The following permissions are required for the account to which snapshots are restored:

{
  "Sid": "Stmt1466719308000",
  "Effect": "Allow",
  "Action": [
    "ec2:AssociateAddress",
    "ec2:AssociateIamInstanceProfile",
    "ec2:AttachNetworkInterface",
    "ec2:AttachVolume",
    "ec2:CreateNetworkInterface",
    "ec2:CreateTags",
    "ec2:CreateVolume",
    "ec2:DeleteVolume",
    "ec2:DescribeAddresses",
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSnapshots",
    "ec2:DescribeSubnets",
    "ec2:DescribeVolumes",
    "ec2:DetachVolume",
    "ec2:ModifyInstanceAttribute",
    "ec2:ModifySnapshotAttribute",
    "ec2:RunInstances",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:DescribeVpcs",
    "ec2:DescribeKeyPairs",
    "ec2:DescribeIamInstanceProfileAssociations"
  ],
  "Resource": [ "*" ]
}

{
  "Effect": "Allow",
  "Action": [
    "iam:PassRole"
  ],
  "Resource": [ "*" ]
}

{
  "Sid": "Stmt1466719308001",
  "Effect": "Allow",
  "Action": [
    "kms:ListAliases",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:ListKeys",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": [ "*" ]
}
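The statements above are bare policy fragments; before attaching them you usually want to confirm that the role a given account actually has covers every action CSM needs for that account's part of the copy or restore flow. The following Python script is an added example, not code from the Cloud Snapshot Manager documentation or product, and it does not call AWS. It takes the DR account setup statements from this page, wraps them in a complete policy document, and evaluates a candidate policy (constructed here for illustration) against the required actions using IAM's action-matching rules: case-insensitive comparison, "*" and "?" wildcards, and an explicit Deny overriding any Allow. Only the Action and Effect elements are evaluated; Resource, Condition and NotAction are ignored, which is adequate for this page's statements because they all use Resource "*". The expansion of "kms:ReEncrypt*" and "kms:GenerateDataKey*" into concrete KMS actions is an assumption made for the check and is not on the page.

```python
"""Action-level check of an IAM policy against the permissions CSM needs.

Added example (not part of the CSM documentation, no AWS calls). The
statements below are copied from the page; the candidate policy and the
wildcard expansion table are constructed for this check.
"""
import json
import re

# DR account setup statements as listed on the page.
DR_SETUP_STATEMENTS = [
    {"Sid": "Stmt1466719308000", "Effect": "Allow",
     "Action": ["ec2:CopySnapshot", "ec2:CreateTags",
                "ec2:DescribeSnapshots", "ec2:ModifySnapshotAttribute"],
     "Resource": ["*"]},
    {"Sid": "Stmt1466719308001", "Effect": "Allow",
     "Action": ["kms:ListAliases", "kms:ListKeys", "kms:Encrypt",
                "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants",
                "kms:RevokeGrant"],
     "Resource": ["*"]},
    {"Sid": "CSMCostExplorerPermissions", "Effect": "Allow",
     "Action": ["ce:GetCostAndUsage"], "Resource": ["*"]},
]

# Assumed expansion of the page's wildcard actions into concrete KMS
# actions, so that each required action can be tested individually.
WILDCARD_EXPANSION = {
    "kms:ReEncrypt*": ["kms:ReEncryptFrom", "kms:ReEncryptTo"],
    "kms:GenerateDataKey*": ["kms:GenerateDataKey",
                             "kms:GenerateDataKeyWithoutPlaintext",
                             "kms:GenerateDataKeyPair",
                             "kms:GenerateDataKeyPairWithoutPlaintext"],
}

# Constructed candidate policy standing in for what an administrator
# attached to the DR account role: broad wildcards, one explicit Deny,
# and two required actions missing.
CANDIDATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:CopySnapshot",
                    "ec2:CreateTags", "kms:*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:RevokeGrant", "Resource": "*"},
    ],
}


def build_policy(statements):
    """Wrap bare statement objects in a complete IAM policy document."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Statement.
    return value if isinstance(value, list) else [value]


def _action_regex(pattern):
    # IAM action matching: '*' matches any run of characters, '?' exactly
    # one, and the comparison is case-insensitive.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def is_allowed(policy, action):
    """Explicit Deny wins, then any matching Allow, else implicit deny.

    Resource, Condition and NotAction are deliberately not evaluated.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if not any(_action_regex(p).match(action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def required_actions(statements):
    """Flatten the page's statements into concrete required actions."""
    out = []
    for stmt in statements:
        for action in _as_list(stmt["Action"]):
            out.extend(WILDCARD_EXPANSION.get(action, [action]))
    return out


def missing_actions(policy, required):
    """Required actions the policy does not effectively allow, sorted."""
    return sorted(a for a in required if not is_allowed(policy, a))


if __name__ == "__main__":
    print(json.dumps(build_policy(DR_SETUP_STATEMENTS), indent=2))
    gaps = missing_actions(CANDIDATE_POLICY,
                           required_actions(DR_SETUP_STATEMENTS))
    print("Missing for DR account setup:", gaps)
```

Run it as-is to see the page's three statements printed as one complete policy document, followed by the actions the constructed candidate policy fails to grant. To check a real role, replace CANDIDATE_POLICY with the policy document returned by IAM for that role and swap in the statement list for the account you are checking (source, DR, Lambda or restore). Because the check stops at the action level, a policy that passes here can still fail at runtime on a Resource or Condition mismatch, so treat a clean result as necessary rather than sufficient.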