Initializing AWS Elastic Disaster Recovery Additional policies Manually initializing DRS Programmatically initializing DRS

Elastic Disaster Recovery initialization and permissions

In order to use AWS Elastic Disaster Recovery, the service must first be initialized for any AWS Region in which you plan to use Elastic Disaster Recovery.

Initializing AWS Elastic Disaster Recovery

AWS Elastic Disaster Recovery must be initialized upon first use from within the AWS Elastic Disaster Recovery Console. The initialization process occurs automatically once a user accesses the AWS Elastic Disaster Recovery Console. The user is directed to create the default replication settings, and upon saving the template, the service is initialized by creating the IAM roles which are required for the service to work. Learn more about creating the default replication settings as part of the quick start guide.

Important

AWS Elastic Disaster Recovery is not compatible with CloudEndure Disaster Recovery.

AWS Elastic Disaster Recovery can only be initialized by the Admin user of your AWS Account. During initialization, the following IAM roles will be created:

AWSServiceRoleForElasticDisasterRecovery
AWSElasticDisasterRecoveryReplicationServerRole
AWSElasticDisasterRecoveryConversionServerRole
AWSElasticDisasterRecoveryRecoveryInstanceRole
AWSElasticDisasterRecoveryAgentRole
AWSElasticDisasterRecoveryFailbackRole
AWSElasticDisasterRecoveryRecoveryInstanceWithLaunchActionsRole

Additional policies

You can create roles with granular permission for AWS Elastic Disaster Recovery. The service comes with the following predefined managed IAM policies:

AWSElasticDisasterRecoveryConsoleFullAccess
AWSElasticDisasterRecoveryReadOnlyAccess
AWSElasticDisasterRecoveryAgentPolicy
AWSElasticDisasterRecoveryAgentInstallationPolicy
AWSElasticDisasterRecoveryFailbackPolicy
AWSElasticDisasterRecoveryFailbackInstallationPolicy
AWSElasticDisasterRecoveryInstancePolicy
AWSElasticDisasterRecoveryServiceRolePolicy
AWSElasticDisasterRecoveryLaunchActionsPolicy

Learn more about AWS Elastic Disaster Recovery roles and managed policies.

Manually initializing DRS

You can manually initialize AWS Elastic Disaster Recovery through the API. This can help you automate service initialization through script when initializing multiple accounts.

Note

You will need to create the replication settings template after initializing the service.

To initialize AWS Elastic Disaster Recovery manually, create the following IAM roles through the IAM CreateRoleAPI. Learn more about creating IAM roles in the AWS IAM documentation.

Creation of each role must include the following parameters:

Role name	Path	Trusted Entity
AWSElasticDisasterRecoveryAgentRole	/service-role/	drs.amazonaws.com
AWSElasticDisasterRecoveryFailbackRole	/service-role/	drs.amazonaws.com
AWSElasticDisasterRecoveryConversionServerRole	/service-role/	ec2.amazonaws.com
AWSElasticDisasterRecoveryRecoveryInstanceRole	/service-role/	ec2.amazonaws.com
AWSElasticDisasterRecoveryReplicationServerRole	/service-role/	ec2.amazonaws.com
AWSElasticDisasterRecoveryRecoveryInstanceWithLaunchActionsRole	/service-role/	ec2.amazonaws.com

Example using the AWS CLI: aws iam create-role --path "/service-role/" --role-name AWSElasticDisasterRecoveryReplicationServerRole --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal": {"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'

After the roles have been created, attach the following AWS managed policies to the roles through the IAM AttachRolePolicy API. Learn more about adding and removing IAM identity permissions in the AWS IAM documentation.

Attach Managed Policy AWSElasticDisasterRecoveryAgentPolicy to Role AWSElasticDisasterRecoveryAgentRole
Attach Managed Policy AWSElasticDisasterRecoveryFailbackPolicy to Role AWSElasticDisasterRecoveryFailbackRole
Attach Managed Policy AWSElasticDisasterRecoveryConversionServerPolicy to Role AWSElasticDisasterRecoveryConversionServerRole
Attach Managed Policy AWSElasticDisasterRecoveryRecoveryInstancePolicy to Role AWSElasticDisasterRecoveryRecoveryInstanceRole
Attach Managed Policy AWSElasticDisasterRecoveryReplicationServerPolicy to Role AWSElasticDisasterRecoveryReplicationServerRole
Attach Managed Policy AWSElasticDisasterRecoveryRecoveryInstancePolicy and AmazonSSMManagedInstanceCore to Role AWSElasticDisasterRecoveryRecoveryInstanceWithLaunchActionsRole

Note

Roles must also have a trust policy defined. The trust policy needs to define source identity and source account for security reasons, and allow the service to call SetSourceIdentity and AssumeRole. See the following policy examples.

Example 1: creating a role for the AWSElasticDisasterRecoveryAgentRole with trusted entity relationships via the CreateRole API:

Role: AWSElasticDisasterRecoveryAgentRole


$ aws iam create-role --path "/service-role/" --role-name
				AWSElasticDisasterRecoveryAgentRole --assume-role-policy-document file://agent-source-drs-trust-policy.json

agent-source-drs-trust-policy.json



{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "drs.amazonaws.com"
			},
			"Action": [
				"sts:AssumeRole",
				"sts:SetSourceIdentity"
			],
			"Condition": {
				"StringLike": {
					"sts:SourceIdentity": "s-*",
					"aws:SourceAccount": "1234567891011"
				}
			}
		}
	]
}

Example 2: creating a role for the AWSElasticDisasterRecoveryFailbackRole with trusted entity relationships via the CreateRole API:

Role: AWSElasticDisasterRecoveryFailbackRole


$ aws iam create-role --path "/service-role/" --role-name
				AWSElasticDisasterRecoveryFailbackRole --assume-role-policy-document file://failback-source-drs-trust-policy.json

failback-source-drs-trust-policy.json



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "drs.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetSourceIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "aws:SourceAccount": "1234567891011",
                    "sts:SourceIdentity": "i-*"
                }
            }
        }
    ]
}

Example 3: creating roles for the AWSElasticDisasterRecoveryConversionServerRole, AWSElasticDisasterRecoveryRecoveryInstanceRole, and AWSElasticDisasterRecoveryReplicationServerRole with trusted entity relationships via the CreateRole API:

Role: AWSElasticDisasterRecoveryConversionServerRole


$ aws iam create-role --path "/service-role/" --role-name
				AWSElasticDisasterRecoveryConversionServerRole --assume-role-policy-document file://source-drs-trust-policy.json

Role: AWSElasticDisasterRecoveryRecoveryInstanceRole


$ aws iam create-role --path "/service-role/" --role-name
				AWSElasticDisasterRecoveryRecoveryInstanceRole --assume-role-policy-document file://source-drs-trust-policy.json

Role: AWSElasticDisasterRecoveryReplicationServerRole


$ aws iam create-role --path "/service-role/" --role-name
				AWSElasticDisasterRecoveryReplicationServerRole --assume-role-policy-document file://source-drs-trust-policy.json

source-drs-trust-policy.json



{
    "Version":  "2012-10-17",
     "Statement": [
        {
             "Effect":  "Allow",
             "Principal": {
                 "Service":  "ec2.amazonaws.com"
            },
             "Action":  "sts:AssumeRole"
        }
    ]
}

Once the policies are attached to the roles, run the aws drs initialize-service command. This will automatically create the service-linked role (AWSServiceRoleForElasticDisasterRecovery), create instance profiles, add roles to instance profiles, and will finish service initialization.

Learn more about AWS Elastic Disaster Recovery roles and managed policies.

Programmatically initializing DRS

To programmatically initialize the service, create an IAM role with the following IAM policy:



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:ArnEquals": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryAgentPolicy",
                        "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryFailbackPolicy",
                        "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryConversionServerPolicy",
                        "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryRecoveryInstancePolicy",
                        "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryReplicationServerPolicy"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com",
                        "drs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "drs:InitializeService",
                "drs:ListTagsForResource",
                "drs:GetReplicationConfiguration",
                "drs:CreateLaunchConfigurationTemplate",
                "drs:GetLaunchConfiguration",
                "drs:CreateReplicationConfigurationTemplate",
                "drs:*ReplicationConfigurationTemplate*",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:GetRole",
                "iam:DeleteRole",
                "iam:DeleteServiceLinkedRole",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "sts:DecodeAuthorizationMessage",
                "ec2:DescribeSecurityGroups",
                "ec2:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/drs.amazonaws.com/AWSServiceRoleForElasticDisasterRecovery"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:GetInstanceProfile",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/*",
                "arn:aws:iam::*:role/*"
            ]
        }
    ]
}

Learn more about AWS Elastic Disaster Recovery roles and managed policies.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Getting started

Accessing the console