Permissions
The deployment of Elastio is performed in two steps: deploying the Elastio CloudFormation stack and deploying the Cloud Connector. Before starting the deployment, make sure that all the required permissions are enabled in your AWS account and that the VPC configuration is set up.
Permissions to deploy the Elastio CloudFormation stack
To deploy the Elastio CloudFormation stack, certain permissions are required to create the resources the Elastio service needs. These permissions are used only for the deployment of the service, not to operate it.
To deploy, a user with the following policy attached is needed:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:TagResource",
        "cloudformation:UntagResource",
        "cloudformation:CancelUpdateStack",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudformation:UpdateStack",
        "cloudformation:GetStackPolicy",
        "cloudformation:SetStackPolicy",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:RollbackStack",
        "cloudformation:UpdateTerminationProtection",
        "cloudformation:DescribeStackDriftDetectionStatus",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:DescribeStackResources",
        "cloudformation:DetectStackDrift",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:ListStackResources",
        "cloudformation:GetTemplate",
        "cloudformation:GetTemplateSummary",
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeChangeSetHooks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:CreateStackSet",
        "cloudformation:DeleteStackSet",
        "cloudformation:DescribeStackSet",
        "cloudformation:DetectStackSetDrift",
        "cloudformation:ListStackSets",
        "cloudformation:UpdateStackSet",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:ListStackSetOperationResults",
        "cloudformation:ListStackSetOperations",
        "cloudformation:StopStackSetOperation",
        "cloudformation:ActivateOrganizationsAccess",
        "cloudformation:DeactivateOrganizationsAccess",
        "cloudformation:DescribeOrganizationsAccess",
        "cloudformation:CreateStackInstances",
        "cloudformation:DeleteStackInstances",
        "cloudformation:DescribeStackInstance",
        "cloudformation:ListStackInstanceResourceDrifts",
        "cloudformation:ListStackInstances",
        "cloudformation:UpdateStackInstances",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "dynamodb:ListTagsOfResource",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:DescribeTable",
        "dynamodb:UpdateTable",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:UpdateTimeToLive",
        "dynamodb:DescribeContributorInsights",
        "dynamodb:GetResourcePolicy",
        "iam:ListInstanceProfileTags",
        "iam:ListPolicyTags",
        "iam:ListRoleTags",
        "iam:TagInstanceProfile",
        "iam:TagPolicy",
        "iam:TagRole",
        "iam:UntagInstanceProfile",
        "iam:UntagPolicy",
        "iam:UntagRole",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:SetDefaultPolicyVersion",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:PassRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription",
        "iam:AttachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy",
        "lambda:ListTags",
        "lambda:TagResource",
        "lambda:UntagResource",
        "lambda:AddPermission",
        "lambda:GetPolicy",
        "lambda:RemovePermission",
        "lambda:ListVersionsByFunction",
        "lambda:PublishVersion",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:InvokeAsync",
        "lambda:InvokeFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:DeleteFunctionEventInvokeConfig",
        "lambda:GetFunctionEventInvokeConfig",
        "lambda:ListFunctionEventInvokeConfigs",
        "lambda:PutFunctionEventInvokeConfig",
        "lambda:UpdateFunctionEventInvokeConfig",
        "lambda:DeleteFunctionConcurrency",
        "lambda:GetFunctionConcurrency",
        "lambda:PutFunctionConcurrency",
        "lambda:CreateEventSourceMapping",
        "lambda:DeleteEventSourceMapping",
        "lambda:GetEventSourceMapping",
        "lambda:ListEventSourceMappings",
        "lambda:UpdateEventSourceMapping",
        "lambda:CreateAlias",
        "lambda:DeleteAlias",
        "lambda:GetAlias",
        "lambda:ListAliases",
        "lambda:UpdateAlias",
        "logs:ListTagsForResource",
        "logs:ListTagsLogGroup",
        "logs:TagLogGroup",
        "logs:TagResource",
        "logs:UntagLogGroup",
        "logs:UntagResource",
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:DeleteLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:DeleteResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:PutResourcePolicy",
        "logs:DeleteRetentionPolicy",
        "logs:PutRetentionPolicy",
        "s3:GetBucketTagging",
        "s3:PutBucketTagging",
        "s3:ListTagsForResource",
        "s3:TagResource",
        "s3:UntagResource",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:PutEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
If the current user lacks any of the permissions listed above, the Elastio CloudFormation deployment might fail, so we recommend extending the user's permissions or creating a dedicated AWS IAM user to deploy the CFN. The flow of adding a new user and enabling the required permissions is described here.
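Rather than discovering a missing action halfway through a failed stack creation, the deploying principal can be checked up front with the IAM policy simulator. The following is an added example, not Elastio's own tooling: it extracts every action the deployment policy above grants, asks IAM's SimulatePrincipalPolicy whether the principal holds each of them, and reports the ones that are not allowed. The embedded policy excerpt is constructed for brevity; paste the full policy document from this page in its place for a real run.

```python
import json
from typing import Dict, Iterable, List

# Constructed excerpt of the deployment policy shown on this page; replace it with
# the full document before running the check for real.
DEPLOY_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["cloudformation:CreateStack", "iam:PassRole",
                            "lambda:CreateFunction", "s3:CreateBucket"],
                 "Resource": "*"}]
}"""


def required_actions(policy_json: str) -> List[str]:
    """Collect every action an Allow statement grants, in document order, without duplicates."""
    seen: Dict[str, None] = {}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            seen.setdefault(action, None)
    return list(seen)


def missing_actions(required: Iterable[str], evaluation_results: Iterable[dict]) -> List[str]:
    """Return the required actions the simulator did not report as 'allowed'.
    evaluation_results has the shape of SimulatePrincipalPolicy's EvaluationResults
    (EvalDecision is 'allowed', 'explicitDeny' or 'implicitDeny'); an action with no
    result at all is treated as missing."""
    decisions = {r["EvalActionName"]: r["EvalDecision"] for r in evaluation_results}
    return [a for a in required if decisions.get(a) != "allowed"]


def check_principal(principal_arn: str, policy_json: str = DEPLOY_POLICY_JSON,
                    batch: int = 50) -> List[str]:
    """Ask IAM whether principal_arn (user or role ARN) may perform every deployment action.
    Needs boto3 and credentials holding iam:SimulatePrincipalPolicy; not exercised offline."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    iam = boto3.client("iam")
    required = required_actions(policy_json)
    results: List[dict] = []
    for i in range(0, len(required), batch):
        kwargs = {"PolicySourceArn": principal_arn, "ActionNames": required[i:i + batch]}
        while True:  # follow the Marker until the simulator has returned every result
            page = iam.simulate_principal_policy(**kwargs)
            results.extend(page["EvaluationResults"])
            if not page.get("IsTruncated"):
                break
            kwargs["Marker"] = page["Marker"]
    return missing_actions(required, results)
```

An empty list from `check_principal` means the principal can perform every action in the policy; anything else is the set to add before starting the deployment.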
Permissions to operate Elastio
During the deployment of the Elastio CloudFormation stack, specific permissions are required to create the resources the service needs; once the deployment is complete, Elastio operates on the principle of least privilege, meaning only the minimum permissions necessary for its operation are required. All the permissions used to operate Elastio are described here.
F.A.Q.
- Why do I need to deploy this CloudFormation template?
- Why do I need to grant CAPABILITY_NAMED_IAM when deploying Elastio's CloudFormation template?
- What kind of access to my AWS account does Elastio require?
- How can I audit Elastio’s activity in my account?
- What are the specific Elastio IAM Policies that we use?
- What are the Elastio resources created by the Elastio CFN?