
Elastio IAM Policies


Creating policies and attaching them to IAM identities (users, groups of users, or roles) grants or restricts access to AWS resources. A policy is a set of permissions granted to an identity or a resource; each permission states whether a request is allowed or denied. Permissions can apply to all resources of a certain kind, or more narrowly to those with a certain suffix or tag. All policies are stored in your AWS account and are written in the JSON-based access policy language.

Elastio creates six policies in your AWS account when the Elastio account-level stack is deployed:

  • ElastioAgentlessBackupAndRestore
  • ElastioBackupAdmin
  • ElastioFullAdmin
  • ElastioJobsAdmin
  • ElastioLocalBackup
  • ElastioMountAndRestore

All of the above listed policies are example policies and are subject to change over time. The updated list of the policies can be found in your AWS account.

Elastio IAM Policies can be used to grant permission to roles and users within your AWS account. The name of the policy describes what exact operations it allows you to perform. Additional information on each of the policies is below.

ElastioAgentlessBackupAndRestore

ElastioAgentlessBackupAndRestore policy allows running background jobs, such as EC2 instance and EBS volume backups and restores, as well as Integrity Scan. Background jobs are agentless operations: Elastio launches an EC2 instance to run them on, rather than running them on the machine where the operation was initiated.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/elastio:resource": "*"
                }
            },
            "Action": "ssm:GetParameter",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-read",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-ingest",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-lifecycle",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-bg-jobs-service",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-write",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-read",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-jobs-status-service"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeHosts",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

ElastioBackupAdmin

ElastioBackupAdmin policy combines ElastioCreateBackups, ElastioRestoreBackups and the ability to run background jobs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/elastio:resource": "*"
                }
            },
            "Action": "ssm:GetParameter",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-read",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-ingest",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-update",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-soft-delete",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-lifecycle",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-jobs-status-service",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-read",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-write",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-bg-jobs-service",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-jobs-status-service-force-abort"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeHosts",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

ElastioFullAdmin (Applies to Elastio tagged resources only)

ElastioFullAdmin policy is similar to the AWS built-in AdministratorAccess policy. It grants all necessary permissions to perform all possible operations on Elastio resources, while still limiting permissions only to Elastio resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/elastio:resource": "*"
                }
            },
            "Action": "ssm:GetParameter",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:*:%aws_account_id%:function:elastio-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "sqs:GetQueueUrl",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "ssm:DescribeParameters",
                "autoscaling:CreateAutoscalingGroup",
                "batch:Describe*",
                "autoscaling:Describe*",
                "batch:Create*",
                "ecs:Create*",
                "ecs:Describe*",
                "ecs:RegisterTaskDefinition",
                "ecs:DeregisterTaskDefinition",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:Create*",
                "ec2:Describe*",
                "ec2:RunInstances",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DeleteScalingPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "kms:ListAliases",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:CreateAlias",
                "kms:DeleteAlias"
            ],
            "Resource": [
                "arn:aws:kms:*:%aws_account_id%:alias/elastio-*",
                "arn:aws:kms:*:%aws_account_id%:key/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/elastio:resource": "*"
                }
            },
            "Action": [
                "kms:CreateKey",
                "kms:CreateGrant",
                "kms:PutKeyPolicy",
                "kms:ListResourceTags",
                "kms:TagResource",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ScheduleKeyDeletion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/elastio:resource": "*"
                }
            },
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "autoscaling:*",
            "Resource": "arn:aws:autoscaling:*:%aws_account_id%:autoScalingGroup:*:autoScalingGroupName/elastio-*",
            "Effect": "Allow"
        },
        {
            "Action": "batch:*",
            "Resource": [
                "arn:aws:batch:*:%aws_account_id%:compute-environment/elastio-*",
                "arn:aws:batch:*:%aws_account_id%:job-queue/elastio-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "ssm:GetParameter",
            "Resource": [
                "arn:aws:ssm:*:%aws_account_id%:parameter/elastio/*",
                "arn:aws:ssm:*::parameter/aws/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "ecs:*",
            "Resource": [
                "arn:aws:ecs:*:%aws_account_id%:capacity-provider/elastio-*",
                "arn:aws:ecs:*:%aws_account_id%:service/elastio-*",
                "arn:aws:ecs:*:%aws_account_id%:cluster/elastio-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "ssm:*",
            "Resource": "arn:aws:ssm:*:%aws_account_id%:parameter/elastio/*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::elastio-*",
            "Effect": "Allow"
        },
        {
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:*:%aws_account_id%:table/elastio-*",
            "Effect": "Allow"
        },
        {
            "Action": "cloudformation:*",
            "Resource": "arn:aws:cloudformation:*:%aws_account_id%:stack/elastio-*",
            "Effect": "Allow"
        },
        {
            "Action": "iam:*",
            "Resource": "arn:aws:iam::*:role/elastio-*",
            "Effect": "Allow"
        },
        {
            "Action": "events:*",
            "Resource": "arn:aws:events:*:%aws_account_id%:rule/elastio-*",
            "Effect": "Allow"
        }
    ]
}

ElastioJobsAdmin

ElastioJobsAdmin policy allows you to run any background job within Elastio, such as backups and restores, Integrity Scan (iscan), retention jobs, and so on. Additionally, this policy allows you to force-abort background jobs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/elastio:resource": "*"
                }
            },
            "Action": "ssm:GetParameter",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-read",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-ingest",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-lifecycle",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-bg-jobs-service",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-write",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-read",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-jobs-status-service",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-jobs-status-service-force-abort"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeHosts",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

ElastioLocalBackup

ElastioLocalBackup policy allows you to run local (i.e., operating on data local to the system where the command runs) stream, file, and block backups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/elastio:resource": "*"
                }
            },
            "Action": "ssm:GetParameter",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-read",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-ingest",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-lifecycle",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-jobs-status-service",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-write"
            ],
            "Effect": "Allow"
        }
    ]
}

ElastioMountAndRestore

ElastioMountAndRestore policy allows you to mount all recovery points available for mount, including agentless (EC2 and EBS) backups. With this policy granted, you can also restore local backups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/elastio:resource": "*"
                }
            },
            "Action": "ssm:GetParameter",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-catalog-service-read",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-lifecycle",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-jobs-status-service",
                "arn:aws:lambda:*:%aws_account_id%:function:elastio-provisioner-service-read"
            ],
            "Effect": "Allow"
        }
    ]
}
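When reviewing any of the six policies before attaching them, the question a security engineer asks of each statement is whether it is scoped to Elastio resources (by an elastio-* ARN pattern or by the elastio:resource tag condition) or applies to every resource in the account. The following added example, not Elastio's tooling, applies that check to the ElastioAgentlessBackupAndRestore policy copied from above; review() works unchanged on the other five. The "read-only" heuristic (Describe*/Get*/List* action names) and the finding labels are this example's own.

```python
"""Review an Elastio-style policy for statements not scoped to Elastio resources.

Added example, not Elastio's tooling. A statement counts as scoped when every
Resource is an ARN naming an elastio-* resource or when an aws:ResourceTag
condition limits it to tagged resources; everything else is reported.
"""

# Copied from the ElastioAgentlessBackupAndRestore policy on this page
# (%aws_account_id% is the page's placeholder for the account ID).
AGENTLESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Condition": {"StringLike": {"aws:ResourceTag/elastio:resource": "*"}},
         "Action": "ssm:GetParameter", "Resource": "*", "Effect": "Allow"},
        {"Action": "lambda:InvokeFunction",
         "Resource": ["arn:aws:lambda:*:%aws_account_id%:function:" + fn for fn in [
             "elastio-catalog-service-read", "elastio-catalog-service-ingest",
             "elastio-provisioner-service-lifecycle", "elastio-bg-jobs-service",
             "elastio-provisioner-service-write", "elastio-provisioner-service-read",
             "elastio-jobs-status-service"]],
         "Effect": "Allow"},
        {"Action": ["ec2:DescribeHosts", "ec2:DescribeInstances", "ec2:DescribeVolumes",
                    "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"],
         "Resource": "*", "Effect": "Allow"},
    ],
}


def _as_list(value):
    """Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Heuristic (this example's own): read-only API names start with Describe, Get or List."""
    name = action.split(":", 1)[-1]
    return name.startswith(("Describe", "Get", "List"))


def _tag_scoped(stmt):
    """True if any condition key restricts the statement via aws:ResourceTag/."""
    return any(key.startswith("aws:ResourceTag/")
               for clauses in stmt.get("Condition", {}).values()
               for key in clauses)


def _names_elastio_resource(arn):
    """The ARN resource part (after the fifth colon) must mention 'elastio'."""
    parts = arn.split(":", 5)
    return len(parts) == 6 and "elastio" in parts[5]


def review(policy):
    """Return (statement_index, finding, severity) tuples for Allow statements.

    unscoped-resource:       Resource "*" with no ResourceTag condition
                             (severity info if every action is read-only, else warn)
    service-wildcard-action: service:* or * action on an unscoped statement
    non-elastio-resource:    an ARN whose resource part does not name elastio-*
    """
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and not _tag_scoped(stmt):
            severity = "info" if all(is_read_only(a) for a in actions) else "warn"
            findings.append((i, "unscoped-resource", severity))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append((i, "service-wildcard-action", "warn"))
        for arn in resources:
            if arn != "*" and not _names_elastio_resource(arn):
                findings.append((i, "non-elastio-resource", "warn"))
    return findings


if __name__ == "__main__":
    for index, finding, severity in review(AGENTLESS_POLICY):
        print(f"[{severity}] statement {index}: {finding}")
```

For the agentless policy the only finding is the ec2:Describe* statement, reported at info level: it is unscoped because most EC2 Describe calls do not support resource-level permissions, and it is read-only. Run against ElastioFullAdmin, the same function additionally reports the kms:ListAliases statement, the arn:aws:kms:*:%aws_account_id%:key/* alias target and the arn:aws:ssm:*::parameter/aws/* public-parameter ARN, which are the statements worth a second look before that policy is attached to a human identity.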

IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the AgentlessBackupAndRestore action, then a user with that policy can perform EBS volume and EC2 instance backup and restore operations as background jobs.

IAM roles or users can be granted access to the AWS console. If console access is allowed, the IAM user can sign in to the console with a user name and password. Programmatic access is granted to a user who works from a terminal with the AWS CLI installed and configured. Either or both can be allowed for a given role or user within an AWS account or organization.

Note: Any of the policies Elastio creates can be used when creating AWS roles and users to grant different permissions within an AWS account. Note also that before removing Elastio from the respective AWS account, the policies must be detached from all users and roles before you attempt to remove the CloudFormation (CFN) stack that Elastio created. Otherwise, CFN removal will fail.
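The detach-before-delete step above is easy to miss when a policy has been attached to entities by several teams, so here is an added example (not Elastio's tooling) that enumerates every user, group and role a managed policy is attached to and detaches it from each. It assumes boto3 with credentials allowed to call iam:ListEntitiesForPolicy and iam:DetachUserPolicy, iam:DetachGroupPolicy and iam:DetachRolePolicy, and a policy ARN supplied by the caller; the policy ARN in the usage line is a placeholder. plan_detachments() is kept pure so it can be checked offline against the response shape of list_entities_for_policy, using the constructed pages below.

```python
"""Detach a managed policy from every IAM entity before deleting the stack.

Added example, not Elastio's tooling. Assumes boto3 credentials that allow
iam:ListEntitiesForPolicy and iam:Detach{User,Group,Role}Policy.
"""
import sys

# Response key -> (name field in each entry, IAM client method that detaches it).
ENTITY_KEYS = {
    "PolicyUsers": ("UserName", "detach_user_policy"),
    "PolicyGroups": ("GroupName", "detach_group_policy"),
    "PolicyRoles": ("RoleName", "detach_role_policy"),
}

# Constructed sample: two pages shaped like the list_entities_for_policy paginator output.
SAMPLE_PAGES = [
    {"PolicyUsers": [{"UserName": "backup-operator", "UserId": "AIDAEXAMPLE1"}],
     "PolicyGroups": [],
     "PolicyRoles": [{"RoleName": "elastio-ci-role", "RoleId": "AROAEXAMPLE1"}],
     "IsTruncated": True, "Marker": "page2"},
    {"PolicyUsers": [],
     "PolicyGroups": [{"GroupName": "ops", "GroupId": "AGPAEXAMPLE1"}],
     "PolicyRoles": [],
     "IsTruncated": False},
]


def plan_detachments(pages):
    """Flatten paginated list_entities_for_policy output into
    (client_method, name_kwarg, entity_name) tuples, one per attachment."""
    plan = []
    for page in pages:
        for key, (name_field, method) in ENTITY_KEYS.items():
            for entity in page.get(key, []):
                plan.append((method, name_field, entity[name_field]))
    return plan


def detach_everywhere(iam, policy_arn, dry_run=True):
    """List all attachments of policy_arn and detach each unless dry_run.
    Returns the plan so the caller can log or review it."""
    pages = iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=policy_arn)
    plan = plan_detachments(pages)
    for method, name_field, name in plan:
        if dry_run:
            print(f"would call {method}({name_field}={name!r}, PolicyArn={policy_arn!r})")
        else:
            getattr(iam, method)(PolicyArn=policy_arn, **{name_field: name})
    return plan


if __name__ == "__main__":
    # Usage: python detach_policy.py <policy-arn> [--apply]
    # e.g. arn:aws:iam::<ACCOUNT_ID>:policy/ElastioFullAdmin  (placeholder ARN)
    import boto3  # imported here so the pure functions above stay importable offline

    policy_arn = sys.argv[1]
    apply = "--apply" in sys.argv[2:]
    plan = detach_everywhere(boto3.client("iam"), policy_arn, dry_run=not apply)
    print(f"{len(plan)} attachment(s) {'detached' if apply else 'found (dry run)'}")
```

Run it once without --apply against each of the six policy ARNs, review the printed plan, then rerun with --apply; when every plan is empty, the CloudFormation stack deletion will no longer fail on the AWS::IAM::ManagedPolicy resources.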