AWS IAM role for recovering servers to the AWS cloud
When recovering servers to Amazon EC2 in the AWS account where your backups are stored, you must configure the AWS CLI with an IAM user's access key and secret access key. The IAM user must have permissions for the following AWS services:
- EC2. The user must be able to:
  - Run and manage instances, and create and manage volumes.
  - Create and manage security groups, virtual private clouds (VPCs), subnets, route tables, DHCP options, NAT gateways, and VPNs.
  - Describe other resources, including regions, availability zones, IP addresses, account attributes, and network information.
- Certificate Manager. The user must be able to import and list certificates.
- CloudFormation. The user must be able to create and manage stacks and stack resources.
- Identity and Access Management (IAM). The user must be able to create and manage roles, policies, and instance profiles.
- S3. The user must be able to add objects to S3 buckets.
The following sample policy grants the permissions needed for recovering servers to Amazon EC2. Note that the sample uses `"Resource": ["*"]`, so every listed action (including the IAM role and policy management actions) applies to all resources in the account; restrict the resources to match your own environment before using it.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:CreateTags",
"ec2:AllocateAddress",
"ec2:ReleaseAddress",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DescribeVolumes",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateVpc",
"ec2:DeleteVpc",
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:ModifyVpcAttribute",
"ec2:DescribeVpcBlockPublicAccessOptions",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcPeeringConnections",
"ec2:AttachInternetGateway",
"ec2:DetachInternetGateway",
"ec2:CreateInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DescribeInternetGateways",
"ec2:CreateSubnet",
"ec2:DeleteSubnet",
"ec2:ModifySubnetAttribute",
"ec2:DescribeSubnets",
"ec2:CreateRouteTable",
"ec2:DeleteRouteTable",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:AssociateRouteTable",
"ec2:DisassociateRouteTable",
"ec2:DescribeRouteTables",
"ec2:CreateDhcpOptions",
"ec2:DeleteDhcpOptions",
"ec2:AssociateDhcpOptions",
"ec2:DescribeDhcpOptions",
"ec2:CreateNatGateway",
"ec2:DeleteNatGateway",
"ec2:DescribeNatGateways",
"ec2:CreateClientVpnEndpoint",
"ec2:DeleteClientVpnEndpoint",
"ec2:AssociateClientVpnTargetNetwork",
"ec2:DisassociateClientVpnTargetNetwork",
"ec2:AuthorizeClientVpnIngress",
"ec2:RevokeClientVpnIngress",
"ec2:ExportClientVpnClientConfiguration",
"ec2:DescribeClientVpnEndpoints",
"ec2:DescribeClientVpnAuthorizationRules",
"ec2:DescribeClientVpnTargetNetworks",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:DescribeCustomerGateways",
"ec2:DescribeRegions",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeAddresses",
"ec2:DescribeAccountAttributes",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstanceConnectEndpoints",
"ec2:DescribeEgressOnlyInternetGateways",
"ec2:AssociateClientVpnTargetNetwork",
"ec2:RunInstances",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"acm:ImportCertificate",
"acm:ListCertificates",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:UpdateStack",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ListStackResources",
"cloudformation:CreateUploadBucket",
"cloudformation:CreateChangeSet",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PassRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListRoles",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:CreateServiceLinkedRole",
"s3:PutObject"
],
"Resource": ["*"]
}
]
}