AWS permissions required by NetBackup Snapshot Manager
The following is a IAM role definition (in JSON format) that gives NetBackup Snapshot Manager the ability to configure AWS plugin and discover assets, manage the snapshots etc.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2AutoScaling",
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:AttachInstances",
"autoscaling:DescribeScalingActivities",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Resource": [
"*"
]
},
{
"Sid": "KMS",
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:ListAliases",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ReEncryptFrom",
"kms:CreateGrant"
],
"Resource": [
"*"
]
},
{
"Sid": "RDSBackup",
"Effect": "Allow",
"Action": [
"rds:DescribeDBSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBClusterSnapshots",
"rds:DeleteDBSnapshot",
"rds:CreateDBSnapshot",
"rds:CreateDBClusterSnapshot",
"rds:ModifyDBSnapshotAttribute",
"rds:DescribeDBSubnetGroups",
"rds:DescribeDBInstances",
"rds:CopyDBSnapshot",
"rds:CopyDBClusterSnapshot",
"rds:DescribeDBSnapshotAttributes",
"rds:DeleteDBClusterSnapshot",
"rds:ListTagsForResource",
"rds:AddTagsToResource"
],
"Resource": [
"*"
]
},
{
"Sid": "RDSRecovery",
"Effect": "Allow",
"Action": [
"rds:ModifyDBInstance",
"rds:ModifyDBClusterSnapshotAttribute",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:ModifyDBCluster",
"rds:RestoreDBClusterFromSnapshot",
"rds:CreateDBInstance",
"rds:RestoreDBClusterToPointInTime",
"rds:CreateDBSecurityGroup",
"rds:CreateDBCluster",
"rds:RestoreDBInstanceToPointInTime",
"rds:DescribeDBClusterParameterGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "EC2Backup",
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:ModifySnapshotAttribute",
"ec2:CreateImage",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:RegisterImage",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeRegions",
"ec2:ModifyImageAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:ResetSnapshotAttribute",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups" ,
"ec2:DescribeNetworkInterfaces"
],
"Resource": [
"*"
]
},
{
"Sid": "EC2Recovery",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:AttachNetworkInterface",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DeleteTags",
"ec2:CreateTags",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:AssociateIamInstanceProfile",
"ec2:AssociateAddress",
"ec2:DescribeKeyPairs",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeInstanceTypeOfferings",
"ec2:GetEbsEncryptionByDefault"
],
"Resource": [
"*"
]
},
{
"Sid": "EBS",
"Effect": "Allow",
"Action": [
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ebs:CompleteSnapshot",
"ebs:PutSnapshotBlock",
"ebs:ListChangedBlocks"
"ebs:StartSnapshot"
],
"Resource": [
"*"
]
},
{
"Sid": "EKS",
"Effect": "Allow",
"Action": [
"eks:DescribeNodegroup",
"eks:DescribeUpdate",
"eks:UpdateNodegroupConfig",
"eks:ListClusters"
"eks:DescribeCluster"
],
"Resource": [
"*"
]
},
{
"Sid": "IAM",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"iam:SimulatePrincipalPolicy"
],
"Resource": [
"*"
]
}
]
}If a NetBackup Snapshot Manager extension is installed on a managed Kubernetes cluster in AWS, then enable the following polices for a user account or a role before configuring the plugin:
AmazonEKSClusterPolicy AmazonEKSWorkerNodePolicy AmazonEC2ContainerRegistryReadOnly AmazonEKS_CNI_Policy AmazonEKSServicePolicy
Additional IAM permissions required for marketplace deployment
{
"Sid": "AWSMarketplacePermissions",
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:AttachInstances",
"sns:Publish",
"sns:GetTopicAttributes",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:RestoreSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:DeleteSecret",
"secretsmanager:UpdateSecret"
],
"Resource": [
"*"
]
}Additional IAM permissions required by PaaS workloads
{
"Sid": "DynamoDB",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:CreateTable",
"dynamodb:BatchWriteItem",
"dynamodb:DescribeContinuousBackups",
"dynamodb:ExportTableToPointInTime",
"dynamodb:DescribeExport",
"dynamodb:DeleteTable",
"dynamodb:UpdateTable",
"dynamodb:UpdateContinuousBackups"
],
"Resource": [
"*"
]
},
{
"Sid": "S3Permissions",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": [
"*"
]
}