AWS managed policy: AWSElasticDisasterRecoveryEc2InstancePolicy
This policy allows installing and using the AWS Replication Agent, which is used by AWS Elastic Disaster Recovery (AWS DRS) to recover source servers that run on EC2 (cross-Region, cross-AZ or cross-Account). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances.
Permissions details
This policy includes the following permissions.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DRSEc2InstancePolicy1", "Effect": "Allow", "Action": [ "drs:GetAgentInstallationAssetsForDrs", "drs:SendClientLogsForDrs", "drs:SendClientMetricsForDrs", "drs:CreateSourceServerForDrs", "drs:CreateSourceNetwork" ], "Resource": "*" }, { "Sid": "DRSEc2InstancePolicy2", "Effect": "Allow", "Action": [ "drs:TagResource" ], "Resource": "arn:aws:drs:*:*:source-server/*", "Condition": { "StringEquals": { "drs:CreateAction": "CreateSourceServerForDrs" } } }, { "Sid": "DRSEc2InstancePolicy3", "Effect": "Allow", "Action": [ "drs:TagResource" ], "Resource": "arn:aws:drs:*:*:source-network/*", "Condition": { "StringEquals": { "drs:CreateAction": "CreateSourceNetwork" } } }, { "Sid": "DRSEc2InstancePolicy4", "Effect": "Allow", "Action": [ "drs:SendAgentMetricsForDrs", "drs:SendAgentLogsForDrs", "drs:UpdateAgentSourcePropertiesForDrs", "drs:UpdateAgentReplicationInfoForDrs", "drs:UpdateAgentConversionInfoForDrs", "drs:GetAgentCommandForDrs", "drs:GetAgentConfirmedResumeInfoForDrs", "drs:GetAgentRuntimeConfigurationForDrs", "drs:UpdateAgentBacklogForDrs", "drs:GetAgentReplicationInfoForDrs" ], "Resource": "arn:aws:drs:*:*:source-server/*" }, { "Sid": "DRSEc2InstancePolicy5", "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:TagSession" ], "Resource": [ "arn:aws:iam::*:role/service-role/DRSCrossAccountAgentAuthorizedRole_*" ], "Condition": { "StringLike": { "aws:RequestTag/SourceInstanceARN": "${ec2:SourceInstanceARN}" }, "ForAnyValue:StringEquals": { "sts:TransitiveTagKeys": "SourceInstanceARN" } } } ] }