
Permissions


The deployment of Elastio is performed in two steps: deploying the Elastio CloudFormation stack and deploying the Cloud Connector. Before you start, make sure that the required permissions are enabled in your AWS account and that the VPC configuration is in place.

Permissions to deploy the Elastio CloudFormation stack

To deploy the Elastio CloudFormation stack, the deploying principal needs permissions to create the resources that make up the Elastio service. These permissions are needed only for deployment (and for later stack updates or deletion); they are not used to operate the service, so they should not remain attached to anything that runs day to day.

The deploying principal (an IAM user or, preferably, an IAM role assumed with temporary credentials) needs the following policy attached. Note that the policy is scoped to `"Resource": "*"` and includes actions such as `iam:CreateRole`, `iam:PassRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:CreatePolicyVersion`, `iam:SetDefaultPolicyVersion`, `iam:UpdateAssumeRolePolicy`, `lambda:CreateFunction` and `lambda:InvokeFunction`; taken together these allow the holder to create and invoke code under arbitrary roles, so treat this principal as highly privileged and protect it accordingly (MFA, no long-lived access keys, CloudTrail monitoring). If your organization requires it, the `Resource` element can be narrowed to the stack, role, policy and function names Elastio actually creates, but the deployment then fails if a required resource is excluded.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:TagResource",
                "cloudformation:UntagResource",

                "cloudformation:CancelUpdateStack",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",

                "cloudformation:GetStackPolicy",
                "cloudformation:SetStackPolicy",

                "cloudformation:ContinueUpdateRollback",
                "cloudformation:RollbackStack",
                "cloudformation:UpdateTerminationProtection",

                "cloudformation:DescribeStackDriftDetectionStatus",

                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResourceDrifts",
                "cloudformation:DescribeStackResources",
                "cloudformation:DetectStackDrift",
                "cloudformation:DetectStackResourceDrift",
                "cloudformation:ListStackResources",

                "cloudformation:GetTemplate",
                "cloudformation:GetTemplateSummary",

                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeChangeSetHooks",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:ListChangeSets",

                "cloudformation:CreateStackSet",
                "cloudformation:DeleteStackSet",
                "cloudformation:DescribeStackSet",
                "cloudformation:DetectStackSetDrift",
                "cloudformation:ListStackSets",
                "cloudformation:UpdateStackSet",

                "cloudformation:DescribeStackSetOperation",
                "cloudformation:ListStackSetOperationResults",
                "cloudformation:ListStackSetOperations",
                "cloudformation:StopStackSetOperation",

                "cloudformation:ActivateOrganizationsAccess",
                "cloudformation:DeactivateOrganizationsAccess",
                "cloudformation:DescribeOrganizationsAccess",

                "cloudformation:CreateStackInstances",
                "cloudformation:DeleteStackInstances",
                "cloudformation:DescribeStackInstance",
                "cloudformation:ListStackInstanceResourceDrifts",
                "cloudformation:ListStackInstances",
                "cloudformation:UpdateStackInstances",

                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "dynamodb:ListTagsOfResource",

                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",

                "dynamodb:DescribeTimeToLive",
                "dynamodb:UpdateTimeToLive",

                "dynamodb:DescribeContributorInsights",
                "dynamodb:GetResourcePolicy",

                "iam:ListInstanceProfileTags",
                "iam:ListPolicyTags",
                "iam:ListRoleTags",
                "iam:TagInstanceProfile",
                "iam:TagPolicy",
                "iam:TagRole",
                "iam:UntagInstanceProfile",
                "iam:UntagPolicy",
                "iam:UntagRole",

                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:ListInstanceProfilesForRole",

                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",

                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:GetPolicy",

                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:SetDefaultPolicyVersion",

                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:PassRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription",

                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",

                "lambda:ListTags",
                "lambda:TagResource",
                "lambda:UntagResource",

                "lambda:AddPermission",
                "lambda:GetPolicy",
                "lambda:RemovePermission",

                "lambda:ListVersionsByFunction",
                "lambda:PublishVersion",

                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",

                "lambda:GetFunctionConfiguration",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",

                "lambda:DeleteFunctionEventInvokeConfig",
                "lambda:GetFunctionEventInvokeConfig",
                "lambda:ListFunctionEventInvokeConfigs",
                "lambda:PutFunctionEventInvokeConfig",
                "lambda:UpdateFunctionEventInvokeConfig",

                "lambda:DeleteFunctionConcurrency",
                "lambda:GetFunctionConcurrency",
                "lambda:PutFunctionConcurrency",

                "lambda:CreateEventSourceMapping",
                "lambda:DeleteEventSourceMapping",
                "lambda:GetEventSourceMapping",
                "lambda:ListEventSourceMappings",
                "lambda:UpdateEventSourceMapping",

                "lambda:CreateAlias",
                "lambda:DeleteAlias",
                "lambda:GetAlias",
                "lambda:ListAliases",
                "lambda:UpdateAlias",

                "logs:ListTagsForResource",
                "logs:ListTagsLogGroup",
                "logs:TagLogGroup",
                "logs:TagResource",
                "logs:UntagLogGroup",
                "logs:UntagResource",

                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",

                "logs:CreateLogStream",
                "logs:DeleteLogStream",
                "logs:DescribeLogStreams",

                "logs:PutLogEvents",

                "logs:DeleteResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:PutResourcePolicy",

                "logs:DeleteRetentionPolicy",
                "logs:PutRetentionPolicy",

                "s3:GetBucketTagging",
                "s3:PutBucketTagging",

                "s3:ListTagsForResource",
                "s3:TagResource",
                "s3:UntagResource",

                "s3:CreateBucket",
                "s3:DeleteBucket",

                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy",
                "s3:DeleteBucketPolicy",
                "s3:GetBucketPolicyStatus",

                "s3:GetBucketPublicAccessBlock",
                "s3:PutBucketPublicAccessBlock",

                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning",

                "s3:GetEncryptionConfiguration",
                "s3:PutEncryptionConfiguration",

                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": "*"
        }
    ]
}

If the deploying principal lacks any of the permissions above, the Elastio CloudFormation deployment may fail part-way (typically with a rollback), so either extend the principal's permissions or create a dedicated AWS IAM user or role for deploying the CFN stack. Because this policy is deployment-only, detach it (or stop using the dedicated principal) once the stack has been created; re-attach it only when you need to update or delete the stack. The flow of adding a new user and enabling the required permissions is described here.

Permissions to operate Elastio

During deployment of the Elastio CloudFormation stack, the permissions above are required to create the service's resources. Once deployment is complete, Elastio runs under the roles created by the stack, which follow the principle of least privilege: they are granted only the permissions needed for operation, not the deployment permissions listed on this page. All the permissions used to operate Elastio are described here.

F.A.Q.