AWS managed policy: AWSElasticDisasterRecoveryServiceRolePolicy
This policy allows AWS Elastic Disaster Recovery to manage AWS resources on your behalf.
This policy is attached to the AWSServiceRoleForElasticDisasterRecovery role.
Permissions details
This policy includes permissions to do the following:
ec2 – Retrieve and modify resources needed to support failover and failback of source servers and source networks.
cloudwtach – Retrieve disk usage to allow cost optimization
-
iam – Acquire the permissions required for recovery
-
kms – Allow using encrypted volumes
-
drs – Retrieve tags and set tags for DRS resources, create DRS resources on failover
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DRSServiceRolePolicy1", "Effect": "Allow", "Action": [ "drs:ListTagsForResource" ], "Resource": "*" }, { "Sid": "DRSServiceRolePolicy2", "Effect": "Allow", "Action": [ "drs:TagResource" ], "Resource": "arn:aws:drs:*:*:recovery-instance/*" }, { "Sid": "DRSServiceRolePolicy3", "Effect": "Allow", "Action": [ "drs:CreateRecoveryInstanceForDrs", "drs:TagResource" ], "Resource": "arn:aws:drs:*:*:source-server/*" }, { "Sid": "DRSServiceRolePolicy4", "Effect": "Allow", "Action": "iam:GetInstanceProfile", "Resource": "*" }, { "Sid": "DRSServiceRolePolicy5", "Effect": "Allow", "Action": "kms:ListRetirableGrants", "Resource": "*" }, { "Sid": "DRSServiceRolePolicy6", "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVolumeAttribute", "ec2:GetEbsDefaultKmsKeyId", "ec2:GetEbsEncryptionByDefault", "ec2:DescribeVpcAttribute", "ec2:DescribeInternetGateways", "ec2:DescribeVpcs", "ec2:DescribeNetworkAcls", "ec2:DescribeRouteTables", "ec2:DescribeDhcpOptions", "ec2:DescribeManagedPrefixLists", "ec2:GetManagedPrefixListEntries", "ec2:GetManagedPrefixListAssociations" ], "Resource": "*" }, { "Sid": "DRSServiceRolePolicy7", "Effect": "Allow", "Action": [ "ec2:RegisterImage" ], "Resource": "*" }, { "Sid": "DRSServiceRolePolicy8", "Effect": "Allow", "Action": [ "ec2:DeregisterImage" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy9", "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy10", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DeleteLaunchTemplateVersions" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy11", "Effect": "Allow", "Action": [ "ec2:DeleteVolume", "ec2:ModifyVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy12", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy13", "Effect": "Allow", "Action": [ "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy14", "Effect": "Allow", "Action": [ "ec2:CreateVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy15", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy16", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "arn:aws:ec2:*:*:vpc/*" }, { "Sid": "DRSServiceRolePolicy17", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplate" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy18", "Effect": "Allow", "Action": [ "ec2:CreateSnapshot" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy19", "Effect": "Allow", "Action": [ "ec2:CreateSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy20", "Effect": "Allow", "Action": [ "ec2:DetachVolume", "ec2:AttachVolume" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy21", "Effect": "Allow", "Action": [ "ec2:AttachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy22", "Effect": "Allow", "Action": [ "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*" }, { "Sid": "DRSServiceRolePolicy23", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy24", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:image/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:launch-template/*" ] }, { "Sid": "DRSServiceRolePolicy25", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryReplicationServerRole", "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryConversionServerRole", "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceRole" ], "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } }, { "Sid": "DRSServiceRolePolicy26", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:launch-template/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*:*:instance/*" ], "Condition": { "StringEquals": { "ec2:CreateAction": [ "CreateLaunchTemplate", "CreateSecurityGroup", "CreateVolume", "CreateSnapshot", "RunInstances" ] } } }, { "Sid": "DRSServiceRolePolicy27", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:image/*" ], "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "DRSServiceRolePolicy28", "Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*" } ] }