AWS managed policies for AWS Elastic Disaster Recovery - AWS Elastic Disaster Recovery

AWS managed policies for AWS Elastic Disaster Recovery

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide. AWS Elastic Disaster Recovery read-only permissions are included in the general IAM ReadOnlyAccess policy.

Elastic Disaster Recovery updates for AWS managed policies

View details about updates to AWS managed policies for AWS Elastic Disaster Recovery since March 1, 2021.

AWS Elastic Disaster Recovery policy updates
Change Description Date

Created new revisions of the AWSElasticDisasterRecoveryConsoleFullAccess_v2 and AWSElasticDisasterRecoveryLaunchActionsPolicy managed policies to support additional parameter types in SSM Parameter Store for post-launch actions.

May 19, 2024

AWSElasticDisasterRecoveryServiceRolePolicy – Updated policy

Created revision of the AWSElasticDisasterRecoveryServiceRolePolicy policy, to support replicating marketplace licenses to launched instances.

January 28, 2024

AWSElasticDisasterRecoveryCrossAccountReplicationPolicy – Updated policy

Created revision of the AWSElasticDisasterRecoveryCrossAccountReplicationPolicy policy, to support replicating marketplace licenses to launched instances.

January 28, 2024

Created new revisions of managed policies to support managed prefix lists for DRS network replication and recovery.

January 3rd, 2024

Created new revisions of managed policies to support DRS in GovCloud, and added Sid to statements in managed policies.

November 27, 2023

AWSElasticDisasterRecoveryCrossAccountReplicationPolicy – Updated policy

Created revision of AWSElasticDisasterRecoveryCrossAccountReplicationPolicy to support DRS in GovCloud.

November 27, 2023

AWSElasticDisasterRecoveryReadOnlyAccess – Updated policy

AWS Elastic Disaster Recovery updated the policy with additional read-only permissions for post-launch actions.

November 27, 2023

AWSElasticDisasterRecoveryConsoleFullAccess_v2 – New policy

AWS Elastic Disaster Recovery added a new policy. This policy provides access to use the DRS console. Attach this policy to your IAM roles or users.

November 27, 2023

AWSElasticDisasterRecoveryConsoleFullAccess – Updated policy

AWS Elastic Disaster Recovery updated the policy to allow launching into an existing instance.

October 15, 2023

AWSElasticDisasterRecoveryLaunchActionsPolicy – Updated policy

AWS Elastic Disaster Recovery updated the policy to allow launching into an existing instance tagged with a specific AWS-only key-value pair.

October 15, 2023

AWSElasticDisasterRecoveryEc2InstancePolicy – Updated policy

AWS Elastic Disaster Recovery updated the policy to allow sending installation result metrics to AWS Elastic Disaster Recovery.

October 10, 2023

AWSElasticDisasterRecoveryAgentInstallationPolicy – Updated policy

AWS Elastic Disaster Recovery updated the policy to allow sending installation result metrics to AWS Elastic Disaster Recovery.

October 10, 2023

AWSElasticDisasterRecoveryLaunchActionsPolicy – New policy

AWS Elastic Disaster Recovery added a new policy. This policy provides access to use post-launch actions. Attach this policy to your IAM roles or users.

September 13, 2023

AWSElasticDisasterRecoveryReadOnlyAccess – Updated policy

AWS Elastic Disaster Recovery updated the policy with new read-only APIs for post-launch actions.

September 13, 2023

AWSElasticDisasterRecoveryAgentInstallationPolicy – Updated policy

AWS Elastic Disaster Recovery updated the policy to allow network replication and recovery.

June 13, 2023

AWSElasticDisasterRecoveryEc2InstancePolicy – Updated policy

This policy was updated to allow network replication and recovery.

June 13, 2023

AWSElasticDisasterRecoveryConsoleFullAccess – Updated policy

This policy was updated to support network replication and recovery.

June 13, 2023

AWSElasticDisasterRecoveryNetworkReplicationPolicy – New policy

This policy is used by AWS Elastic Disaster Recovery (DRS) to support network replication.

June 13, 2023

AWSElasticDisasterRecoveryServiceRolePolicy – Updated policy

This policy was updated to support network replication and recovery.

June 13, 2023

AWSElasticDisasterRecoveryCrossAccountReplicationPolicy – New policy

This policy is used by AWS Elastic Disaster Recovery (DRS) to support replication and failback.

May 14, 2023

AWSElasticDisasterRecoveryRecoveryInstancePolicy – Updated policy

This policy was updated to support failback by the agent after reverse replication.

May 14, 2023

AWSElasticDisasterRecoveryEc2InstancePolicy – Updated policy

This policy was updated to support replication by the agent.

May 14, 2023

AWSElasticDisasterRecoveryFullAccess – Updated policy

This policy was updated to support default EC2 launch templates and bulk editing of source server EC2 launch templates.

April 19, 2023

AWSElasticDisasterRecoveryCrossAccountReplicationPolicy – New policy

This policy is used by AWS Elastic Disaster Recovery (DRS) to support cross-account replication and cross-account failback.

May 7, 2023

AWSElasticDisasterRecoveryRecoveryInstancePolicy – Updated policy

This policy was updated to support cross-account failback by the agent after reverse replication.

May 7, 2023

AWSElasticDisasterRecoveryEc2InstancePolicy – Updated policy

This policy was updated to support cross-account replication by the agent.

May 7, 2023

AWSElasticDisasterRecoveryConsoleFullAccess – Updated policy

This policy was updated to support default EC2 launch templates and bulk editing of source server EC2 launch templates.

April 16, 2023

AWSElasticDisasterRecoveryAgentPolicy – Updated policy

This policy was updated to support the kernel upgrade feature.

April 1, 2023

AWSElasticDisasterRecoveryStagingAccountPolicy_v2 – New policy

This policy was updated to support the kernel upgrade feature.

December 11, 2022

AWSElasticDisasterRecoveryAgentInstallationPolicy – Updated policy

AWS Elastic Disaster Recovery updated the policy to properly support agent installation on Recovery Instances. This policy allows installing the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to recover external servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent.

November 14, 2022

AWSElasticDisasterRecoveryRecoveryInstancePolicy – Updated policy

AWS Elastic Disaster Recovery updated this policy to include permissions which allow DRS Recovery Instances that originated from EC2 instances to replicate back to their origin locations in a failback scenario. As an additional security mechanism, Elastic Disaster Recovery will block requests that are not targeted at the source server the EC2 instance is associated with.

October 24, 2022

AWSElasticDisasterRecoveryAgentInstallationPolicy – Updated policy

AWS Elastic Disaster Recovery updated the policy to include resource tagging. This policy allows installing the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to recover external servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent.

June 28, 2022

AWSElasticDisasterRecoveryFailbackInstallationPolicy – Updated policy

AWS Elastic Disaster Recovery updated this policy to include a new permission (drs:UpdateAgentReplicationInfoForDrs). This permission is needed to complete the failback process in some cases.

June 22, 2022

AWSElasticDisasterRecoveryServiceRolePolicy – Updated policy

AWS Elastic Disaster Recovery updated the policy to allow DRS to call cloudwatch:GetMetricData and also ec2:ModifyVolume on EBS volumes of the replication server in order to support the automatic volume type selection feature.

June 21st, 2022

AWSElasticDisasterRecoveryReplicationServerPolicy – Updated policy

AWS Elastic Disaster Recovery updated the policy to allow replication servers to call drs:NotifyVolumeEventForDrs and drs:SendVolumeStatsForDrs.

June 21st, 2022

AWSElasticDisasterRecoveryConsoleFullAccess – Updated policy

AWS Elastic Disaster Recovery updated the policy to allow listing IAM roles.

May 26th, 2022

AWSElasticDisasterRecoveryReadOnlyAccess – Updated policy

AWS Elastic Disaster Recovery updated the policy with new read-only APIs of DRS and also added a permission that allows listing IAM roles.

May 26th, 2022

AWSElasticDisasterRecoveryEc2InstancePolicy – Updated policy

AWS Elastic Disaster Recovery added a new policy. This policy allows installing and using the AWS Replication Agent, which is used by AWS Elastic Disaster Recovery (DRS) to recover source servers that run on EC2 (cross-region or cross-AZ). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances.

April 6, 2022

AWSElasticDisasterRecoveryReadOnlyAccess – Updated policy

AWS Elastic Disaster Recovery updated this policy.

April 3, 2022

AWSElasticDisasterRecoveryStagingAccountPolicy – New policy

AWS Elastic Disaster Recovery added a new policy. This policy allows read-only access to AWS Elastic Disaster Recovery (DRS) resources such as source servers and jobs. It also allows creating a converted snapshot and sharing that EBS snapshot with a specified account.

February 24, 2022

AWSElasticDisasterRecoveryAgentPolicy – New policy

AWS Elastic Disaster Recovery added a new policy. This policy allows using the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery to recover source servers to AWS. We do not recommend that you attach this policy to your users or roles.

November 17, 2021

AWSElasticDisasterRecoveryConversionServerPolicy – New policy

AWS Elastic Disaster Recovery added a new policy. This policy is attached to the AWS Elastic Disaster Recovery Conversion server’s instance role.

This policy allows Elastic Disaster Recovery (DRS) Conversion Servers, which are EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service. An IAM role with this policy is attached (as an EC2 Instance Profile) by DRS to the DRS Conversion Servers, which are automatically launched and terminated by DRS, when needed. We do not recommend that you attach this policy to your users or roles. AWS DRS conversion servers are used by AWS Elastic Disaster Recovery when users choose to recover source servers using the Elastic Disaster Recovery console, CLI, or API.

November 17, 2021

AWSElasticDisasterRecoveryFailbackPolicy – New policy

AWS Elastic Disaster Recovery added a new policy. This policy allows using the AWS Elastic Disaster Recovery Failback Client, which is used to failback Recovery Instances back to your original source infrastructure. We do not recommend that you attach this policy to your users or roles.

November 17, 2021

AWSElasticDisasterRecoveryFailbackInstallationPolicy – New policy

AWS Elastic Disaster Recovery added a new policy. You can attach the AWSElasticDisasterRecoveryFailbackInstallationPolicy policy to your IAM identities. This policy allows installing the AWS Elastic Disaster Recovery Failback Client, which is used to failback recovery instances back to your original source infrastructure. Attach this policy to your users or roles whose credentials you provide when running the AWS Elastic Disaster Recovery Failback Client.

November 17, 2021

AWSElasticDisasterRecoveryConsoleFullAccess – New policy

AWS Elastic Disaster Recovery added a new policy. This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and Amazon EC2 information. Attach this policy to your users or roles.

November 17, 2021

AWSElasticDisasterRecoveryReplicationServerPolicy – New policy

AWS Elastic Disaster Recovery added a new policy. This policy is attached to the Elastic Disaster Recovery Replication server’s instance role.

This policy allows the Elastic Disaster Recovery (DRS) Replication Servers, which are EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service, and to create EBS snapshots in your AWS account. An IAM role with this policy is attached (as an EC2 Instance Profile) by Elastic Disaster Recovery to the DRS Replication Servers which are automatically launched and terminated by DRS, as needed. DRS Replication Servers are used to facilitate data replication from your external servers to AWS, as part of the recovery process managed by DRS. We do not recommend that you attach this policy to your users or roles.

November 17, 2021

AWSElasticDisasterRecoveryRecoveryInstancePolicy – New policy

AWS Elastic Disaster Recovery added a new policy. This policy is attached to the instance role of Elastic Disaster Recovery's Recovery Instance.

This policy allows the Elastic Disaster Recovery (DRS) Recovery Instances, which are EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service and to fail back to their original source infrastructure. An IAM role with this policy is attached (as an EC2 Instance Profile) by Elastic Disaster Recovery to the DRS recovery instances. We do not recommend that you attach this policy to your users or roles.

November 17, 2021

AWSElasticDisasterRecoveryServiceRolePolicy – New policy

AWS Elastic Disaster Recovery added a new policy. This policy allows Elastic Disaster Recovery to manage AWS resources on your behalf.

November 17, 2021

AWS Elastic Disaster Recovery started tracking changes

AWS Elastic Disaster Recovery started tracking changes for AWS managed policies.

November 17, 2021
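
Several entries above state "We do not recommend that you attach this policy to your users or roles." The following added example (not part of the AWS documentation) audits for such attachments over data shaped like the output of `aws iam get-account-authorization-details`. The sample data, the principal names, and the rule that a role trusted only by AWS service principals is service-managed are assumptions made for illustration.

```python
# Added example: flag attachments of DRS managed policies that the table above
# marks as not recommended for users or roles. Sample input is constructed.
PREFIX = "AWSElasticDisasterRecovery"
# Policies whose descriptions above carry the "do not recommend" sentence.
DISCOURAGED = {PREFIX + s for s in (
    "AgentPolicy", "ConversionServerPolicy", "FailbackPolicy",
    "ReplicationServerPolicy", "RecoveryInstancePolicy")}

def service_only_trust(role):
    """Assumption: a role trusted only by AWS service principals is service-run."""
    stmts = role.get("AssumeRolePolicyDocument", {}).get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may appear as an object
        stmts = [stmts]
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    return bool(allows) and all(
        isinstance(s.get("Principal"), dict) and set(s["Principal"]) == {"Service"}
        for s in allows)

def find_discouraged_attachments(details):
    """Return sorted (kind, name, policy) tuples that warrant review."""
    findings = []
    sources = (("user", "UserDetailList", "UserName"),
               ("group", "GroupDetailList", "GroupName"),
               ("role", "RoleDetailList", "RoleName"))
    for kind, list_key, name_key in sources:
        for entity in details.get(list_key, []):
            if kind == "role" and service_only_trust(entity):
                continue  # e.g. an instance role that DRS attaches itself
            for pol in entity.get("AttachedManagedPolicies", []):
                if pol["PolicyName"] in DISCOURAGED:
                    findings.append((kind, entity[name_key], pol["PolicyName"]))
    return sorted(findings)

def _att(*suffixes):  # helper for the constructed sample only
    return [{"PolicyName": PREFIX + s} for s in suffixes]

def _trust(principal):  # helper for the constructed sample only
    return {"Statement": [{"Effect": "Allow", "Principal": principal,
                           "Action": "sts:AssumeRole"}]}

# Constructed sample; names and the account ID are placeholders.
SAMPLE = {
    "UserDetailList": [{"UserName": "alice", "AttachedManagedPolicies":
                        _att("ConsoleFullAccess_v2", "AgentPolicy")}],
    "GroupDetailList": [{"GroupName": "dr-admins", "AttachedManagedPolicies":
                         _att("FailbackPolicy")}],
    "RoleDetailList": [
        {"RoleName": "drs-replication-server", "AttachedManagedPolicies":
         _att("ReplicationServerPolicy"),
         "AssumeRolePolicyDocument": _trust({"Service": "ec2.amazonaws.com"})},
        {"RoleName": "ops-breakglass", "AttachedManagedPolicies":
         _att("RecoveryInstancePolicy"), "AssumeRolePolicyDocument":
         _trust({"AWS": "arn:aws:iam::111122223333:root"})}]}
```

Calling `find_discouraged_attachments(SAMPLE)` reports the user, the group, and the account-trusted role, and skips the EC2-trusted instance role.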