AWS IAM role for recovering servers to the AWS cloud

When recovering servers to Amazon EC2 in the AWS account where your backups are stored, you must configure the AWS CLI with an IAM user's access key and secret access key. If you back up servers to your own AWS account, the IAM user must be in the AWS account where your backups are stored. If you back up servers to OpenText Hosted Cloud storage, the IAM user must be in the AWS account where you want to recover servers.

The IAM user must have permissions for the following AWS services, each of which appears in the sample policy below: Amazon EC2, AWS Certificate Manager (ACM), AWS CloudFormation, AWS Identity and Access Management (IAM), and Amazon S3.

The following sample policy shows the permissions required to recover servers to Amazon EC2. Note that it grants every listed action on all resources (`"Resource": ["*"]`), including IAM actions such as `iam:PassRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, and `iam:UpdateAssumeRolePolicy`, which together allow the user to create and attach arbitrary permissions; treat it as a starting point and narrow the `Resource` element (and add conditions) to the extent your recovery workflow allows. The action list also repeats a few entries (`ec2:AuthorizeSecurityGroupIngress`, `ec2:RevokeSecurityGroupIngress`, `ec2:AssociateClientVpnTargetNetwork`); the duplicates are harmless but can be removed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:CreateTags",
                "ec2:AllocateAddress",
                "ec2:ReleaseAddress",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DescribeVolumes",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateVpc",
                "ec2:DeleteVpc",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeVpcBlockPublicAccessOptions",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:AttachInternetGateway",
                "ec2:DetachInternetGateway",
                "ec2:CreateInternetGateway",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeInternetGateways",
                "ec2:CreateSubnet",
                "ec2:DeleteSubnet",
                "ec2:ModifySubnetAttribute",
                "ec2:DescribeSubnets",
                "ec2:CreateRouteTable",
                "ec2:DeleteRouteTable",
                "ec2:CreateRoute",
                "ec2:DeleteRoute",
                "ec2:AssociateRouteTable",
                "ec2:DisassociateRouteTable",
                "ec2:DescribeRouteTables",
                "ec2:CreateDhcpOptions",
                "ec2:DeleteDhcpOptions",
                "ec2:AssociateDhcpOptions",
                "ec2:DescribeDhcpOptions",
                "ec2:CreateNatGateway",
                "ec2:DeleteNatGateway",
                "ec2:DescribeNatGateways",
                "ec2:CreateClientVpnEndpoint",
                "ec2:DeleteClientVpnEndpoint",
                "ec2:AssociateClientVpnTargetNetwork",
                "ec2:DisassociateClientVpnTargetNetwork",
                "ec2:AuthorizeClientVpnIngress",
                "ec2:RevokeClientVpnIngress",
                "ec2:ExportClientVpnClientConfiguration",
                "ec2:DescribeClientVpnEndpoints",
                "ec2:DescribeClientVpnAuthorizationRules",
                "ec2:DescribeClientVpnTargetNetworks",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeRegions",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAddresses",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeInstanceConnectEndpoints",
                "ec2:DescribeEgressOnlyInternetGateways",
                "ec2:AssociateClientVpnTargetNetwork",
                "ec2:RunInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "acm:ImportCertificate",
                "acm:ListCertificates",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ListStackResources",
                "cloudformation:CreateUploadBucket",
                "cloudformation:CreateChangeSet",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PassRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListRoles",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:CreateServiceLinkedRole",
                "s3:PutObject"
            ],
            "Resource": ["*"]
        }
    ]
}