NetBackup™ Snapshot Manager Install and Upgrade Guide

AWS permissions required by NetBackup Snapshot Manager

The following IAM role policy definition (in JSON format) gives NetBackup Snapshot Manager the permissions it needs to configure the AWS plug-in, discover assets, manage snapshots, and so on.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2AutoScaling",
            "Effect": "Allow",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:AttachInstances",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:TerminateInstanceInAutoScalingGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "KMS",
            "Effect": "Allow",
            "Action": [
                "kms:ListKeys",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncryptTo",
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:ReEncryptFrom",
                "kms:CreateGrant"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "RDSBackup",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBClusterSnapshots",
                "rds:DeleteDBSnapshot",
                "rds:CreateDBSnapshot",
                "rds:CreateDBClusterSnapshot",
                "rds:ModifyDBSnapshotAttribute",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeDBInstances",
                "rds:CopyDBSnapshot",
                "rds:CopyDBClusterSnapshot",
                "rds:DescribeDBSnapshotAttributes",
                "rds:DeleteDBClusterSnapshot",
                "rds:ListTagsForResource",
                "rds:AddTagsToResource"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "RDSRecovery",
            "Effect": "Allow",
            "Action": [
                "rds:ModifyDBInstance",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:RestoreDBInstanceFromDBSnapshot",
                "rds:ModifyDBCluster",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:CreateDBInstance",
                "rds:RestoreDBClusterToPointInTime",
                "rds:CreateDBSecurityGroup",
                "rds:CreateDBCluster",
                "rds:RestoreDBInstanceToPointInTime",
                "rds:DescribeDBClusterParameterGroups"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "EC2Backup",
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity",
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:ModifySnapshotAttribute",
                "ec2:CreateImage",
                "ec2:CopyImage",
                "ec2:CopySnapshot",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:RegisterImage",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DeregisterImage",
                "ec2:DeleteSnapshot",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeRegions",
                "ec2:ModifyImageAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:ResetSnapshotAttribute",
                "ec2:DescribeHosts",
                "ec2:DescribeImages",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "EC2Recovery",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:AttachNetworkInterface",
                "ec2:DetachVolume",
                "ec2:AttachVolume",
                "ec2:DeleteTags",
                "ec2:CreateTags",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:AssociateIamInstanceProfile",
                "ec2:AssociateAddress",
                "ec2:DescribeKeyPairs",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:GetEbsEncryptionByDefault"
            ],
            "Resource": [
                "*"
            ]
        },
        {   
            "Sid": "EBS",
            "Effect": "Allow",
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock",
                "ebs:CompleteSnapshot",
                "ebs:PutSnapshotBlock",
                "ebs:ListChangedBlocks",
                "ebs:StartSnapshot"
            ],
            "Resource": [
                "*"
            ]
        },
        {   
            "Sid": "EKS",
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:DescribeUpdate",
                "eks:UpdateNodegroupConfig",
                "eks:ListClusters",
                "eks:DescribeCluster"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "IAM",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

If a NetBackup Snapshot Manager extension is installed on a managed Kubernetes cluster in AWS, enable the following AWS managed policies for the user account or role before configuring the plug-in:

AmazonEKSClusterPolicy
AmazonEKSWorkerNodePolicy
AmazonEC2ContainerRegistryReadOnly
AmazonEKS_CNI_Policy
AmazonEKSServicePolicy

Additional IAM permissions required for marketplace deployment

{
    "Sid": "AWSMarketplacePermissions",
    "Effect": "Allow",
    "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:AttachInstances",
        "sns:Publish",
        "sns:GetTopicAttributes",
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:RestoreSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:DeleteSecret",
        "secretsmanager:UpdateSecret"
    ],
    "Resource": [
        "*"
    ]
}

Additional IAM permissions required by PaaS workloads

{
    "Sid": "DynamoDB",
    "Effect": "Allow",
    "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:CreateTable",
        "dynamodb:BatchWriteItem",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:ExportTableToPointInTime",
        "dynamodb:DescribeExport",
        "dynamodb:DeleteTable",
        "dynamodb:UpdateTable",
        "dynamodb:UpdateContinuousBackups"
    ],
    "Resource": [
        "*"
    ]
},
{
    "Sid": "S3Permissions",
    "Effect": "Allow",
    "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject"
    ],
    "Resource": [
        "*"
    ]
}
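Every statement on this page allows its actions on `"Resource": ["*"]`, and the optional marketplace and PaaS fragments are meant to be added to the main document's `Statement` array. The Python script below is an added example, not part of the NetBackup documentation or of any Veritas/Cohesity tooling: it merges statement fragments into a policy document, rejects duplicate Sids (IAM requires them to be unique within one document), confirms the text parses (a missing comma between two actions is the usual copy-and-paste failure), and lists the destructive actions (verbs starting with Delete, Terminate or Deregister) that the wildcard resource would permit, so a reviewer can decide which statements to scope to tagged resources or specific ARNs before attaching the policy. The embedded policy is a constructed, abridged subset of the page's statements (Sids kept, action lists shortened); the verb list and the function names are the example's own choices, not NetBackup requirements.

```python
"""Review an IAM policy of the shape shown on this page before attaching it.
Added example, not NetBackup code; policy text below is a constructed, abridged subset."""
import json
from collections import Counter

# Constructed, abridged version of the main policy document (Sids from the page).
MAIN_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EC2AutoScaling", "Effect": "Allow",
     "Action": ["autoscaling:UpdateAutoScalingGroup", "autoscaling:AttachInstances"],
     "Resource": ["*"]},
    {"Sid": "EC2Backup", "Effect": "Allow",
     "Action": ["ec2:CreateSnapshot", "ec2:DescribeSnapshots",
                "ec2:DeleteSnapshot", "ec2:DeregisterImage"],
     "Resource": ["*"]},
    {"Sid": "EC2Recovery", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateVolume"],
     "Resource": ["*"]},
    {"Sid": "IAM", "Effect": "Allow",
     "Action": ["iam:ListAccountAliases", "iam:SimulatePrincipalPolicy"],
     "Resource": ["*"]}
  ]
}
"""

# Constructed, abridged optional fragments (marketplace and PaaS), as bare statements.
EXTRA_STATEMENTS_JSON = """
[
  {"Sid": "AWSMarketplacePermissions", "Effect": "Allow",
   "Action": ["autoscaling:UpdateAutoScalingGroup", "autoscaling:AttachInstances",
              "secretsmanager:GetSecretValue", "secretsmanager:DeleteSecret"],
   "Resource": ["*"]},
  {"Sid": "S3Permissions", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:DeleteObject"],
   "Resource": ["*"]}
]
"""

# Verb prefixes that destroy data; "Allow" on "*" for these deserves a second look.
DESTRUCTIVE_VERBS = ("Delete", "Terminate", "Deregister")


def as_list(value):
    """IAM accepts a bare string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def validate_policy_text(text):
    """Return None if text is a well-formed policy document, else an error message."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return f"invalid JSON: {exc.msg} at line {exc.lineno}"
    for key in ("Version", "Statement"):
        if key not in doc:
            return f"missing top-level key: {key}"
    return None


def merge_statements(base_policy, extra_statements):
    """Append optional statement fragments; raise ValueError on a duplicate Sid."""
    merged = json.loads(json.dumps(base_policy))  # deep copy, leave the input alone
    merged.setdefault("Version", "2012-10-17")
    seen = {s.get("Sid") for s in merged["Statement"] if s.get("Sid")}
    for stmt in extra_statements:
        sid = stmt.get("Sid")
        if sid in seen:
            raise ValueError(f"duplicate Sid: {sid}")
        if sid:
            seen.add(sid)
        merged["Statement"].append(stmt)
    return merged


def destructive_on_wildcard(policy):
    """Return (Sid, action) pairs for destructive verbs allowed on Resource "*"."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[1] if ":" in action else action
            if verb.startswith(DESTRUCTIVE_VERBS):
                hits.append((stmt.get("Sid"), action))
    return hits


def actions_by_service(policy):
    """Count distinct allowed actions per service prefix (e.g. "ec2")."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(as_list(stmt.get("Action", [])))
    return Counter(a.split(":", 1)[0] for a in actions)


def duplicate_actions(policy):
    """Actions granted by more than one statement (legal in IAM, but worth tidying)."""
    counts = Counter()
    for stmt in policy["Statement"]:
        counts.update(set(as_list(stmt.get("Action", []))))
    return sorted(a for a, n in counts.items() if n > 1)


def lint_policy(policy_json, extra_json):
    """Parse, merge and review; returns a dict a reviewer can read or assert on."""
    policy = merge_statements(json.loads(policy_json), json.loads(extra_json))
    return {
        "destructive": destructive_on_wildcard(policy),
        "per_service": dict(actions_by_service(policy)),
        "duplicates": duplicate_actions(policy),
    }


if __name__ == "__main__":
    report = lint_policy(MAIN_POLICY_JSON, EXTRA_STATEMENTS_JSON)
    for sid, action in report["destructive"]:
        print(f"review: statement {sid} allows {action} on every resource")
    print("distinct actions per service:", report["per_service"])
    print("actions granted twice:", report["duplicates"])
```

Run against the full policy from this page, the `duplicates` list will show the two autoscaling actions that appear in both `EC2AutoScaling` and `AWSMarketplacePermissions`, and the `destructive` list is the set of actions to consider constraining, for example with a `Condition` on resource tags, if the account's change-control process requires it.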
