Permissions for creating the IAM role using a CloudFormation template
To create the IAM role that allows Server Backup agents to access your S3 buckets, we recommend downloading a CloudFormation template from the Management Console and using the template to create a stack in the AWS CloudFormation console. To do this, you must have AWS permissions to create and update stacks, work with S3 buckets, and manage IAM roles.
The following sample shows possible permissions for setting up Server Backup storage using a downloaded CloudFormation template. To determine the permissions you require, consult with an AWS power user in your organization or see documentation from Amazon Web Services.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateUploadBucket",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackResources",
        "cloudformation:ListStacks",
        "cloudformation:UpdateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:GetTemplateSummary",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ExecuteChangeSet",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutBucketVersioning",
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutBucketPolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicyVersion",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": ["*"]
    }
  ]
}
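
The sample above allows every listed action on Resource "*", including IAM actions that change what a role can do. The following Python check is an added example, not part of the original documentation: it lists which of those actions a policy allows without resource scoping, so they can be narrowed to the role the template creates. The SENSITIVE set, both sample policies, and the role ARN are assumptions constructed for illustration.

```python
import fnmatch

# IAM actions from the page's sample that change what a role may do or who may
# use it. Treating exactly this set as sensitive is this example's assumption.
SENSITIVE = {
    "iam:AttachRolePolicy", "iam:CreatePolicyVersion", "iam:PassRole",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
}

def as_list(value):
    """IAM policy JSON accepts a bare string or dict where a list is expected."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def unscoped_sensitive_actions(policy):
    """Return the sensitive actions an Allow statement grants on Resource "*".

    NotAction and NotResource statements are not evaluated here.
    """
    hits = set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource")):
            continue
        for pattern in as_list(stmt.get("Action")):
            # IAM action names are case-insensitive and may use * and ? wildcards.
            hits.update(a for a in SENSITIVE
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(hits)

# Constructed subset of the sample policy on this page.
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudformation:CreateStack", "s3:CreateBucket",
               "iam:CreateRole", "iam:PassRole", "iam:PutRolePolicy"],
    "Resource": ["*"]}]}

# Constructed variant: IAM actions limited to one role. The account ID and role
# name are placeholders, not values from the product's template.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:CreateStack", "s3:CreateBucket"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:PassRole", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::111122223333:role/EXAMPLE-ROLE-NAME"}]}

if __name__ == "__main__":
    print("sample:", unscoped_sensitive_actions(SAMPLE))
    print("scoped:", unscoped_sensitive_actions(SCOPED))
```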