AWS managed policy: AWSElasticDisasterRecoveryConsoleFullAccess

This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and EC2 information. It also includes EC2 actions that allow to launch, delete, or modify replication servers and recovery instances. These EC2 actions are limited only to resources which the service creates with a specific AWS-only tag. policy to your users or roles.

AWSElasticDisasterRecoveryConsoleFullAccess includes access to your AWS managed keys. However, it does not include access to your customer managed keys, so if you use CMK you will need to add a policy statement to allow the usage of your KMS keys.

Permissions details

This policy includes the following permissions.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ConsoleFullAccess1",
			"Effect": "Allow",
			"Action": [
				"drs:*"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess2",
			"Effect": "Allow",
			"Action": [
				"kms:ListAliases",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess3",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeImages",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeInstanceTypeOfferings",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeVolumes",
				"ec2:GetEbsEncryptionByDefault",
				"ec2:GetEbsDefaultKmsKeyId",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeCapacityReservations",
				"ec2:DescribeHosts"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess4",
			"Effect": "Allow",
			"Action": "license-manager:ListLicenseConfigurations",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess5",
			"Effect": "Allow",
			"Action": "resource-groups:ListGroups",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess6",
			"Effect": "Allow",
			"Action": "elasticloadbalancing:DescribeLoadBalancers",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess7",
			"Effect": "Allow",
			"Action": [
				"iam:ListInstanceProfiles",
				"iam:ListRoles"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess8",
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": [
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryConversionServerRole",
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceRole"
			],
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": "ec2.amazonaws.com"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess9",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess10",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplateVersion",
				"ec2:ModifyLaunchTemplate",
				"ec2:DeleteLaunchTemplateVersions",
				"ec2:CreateTags",
				"ec2:DeleteTags"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess11",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplate"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess12",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess13",
			"Effect": "Allow",
			"Action": [
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:TerminateInstances",
				"ec2:ModifyInstanceAttribute",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess14",
			"Effect": "Allow",
			"Action": [
				"ec2:RevokeSecurityGroupEgress",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:AuthorizeSecurityGroupEgress"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess15",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess16",
			"Effect": "Allow",
			"Action": "ec2:CreateSecurityGroup",
			"Resource": "arn:aws:ec2:*:*:vpc/*"
		},
		{
			"Sid": "ConsoleFullAccess17",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSecurityGroup"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess18",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess19",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess20",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess21",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume",
				"ec2:StartInstances",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"StringEquals": {
					"ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess22",
			"Effect": "Allow",
			"Action": [
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess23",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess24",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess25",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:subnet/*",
				"arn:aws:ec2:*:*:image/*",
				"arn:aws:ec2:*:*:network-interface/*",
				"arn:aws:ec2:*:*:launch-template/*"
			],
			"Condition": {
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess26",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:snapshot/*",
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateSecurityGroup",
						"CreateVolume",
						"CreateSnapshot",
						"RunInstances"
					]
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess27",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateLaunchTemplate"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess28",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DescribeStacks",
				"cloudformation:ListStacks"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess29",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketLocation",
				"s3:ListAllMyBuckets"
			],
			"Resource": "*"
		}
	]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWSElasticDisasterRecoveryFailbackInstallationPolicy

AWSElasticDisasterRecoveryReadOnlyAccess