NetBackup™ Marketplace Deployment on AWS

IAM role required for Snapshot Manager instance

Table: IAM roles for Snapshot Manager instance

SID: EC2AutoScaling
Effect: Allow
Action:
  • autoscaling:UpdateAutoScalingGroup
  • autoscaling:AttachInstances
Resource: *

SID: KMS
Effect: Allow
Action:
  • kms:ListKeys
  • kms:Encrypt
  • kms:Decrypt
  • kms:ReEncryptTo
  • kms:DescribeKey
  • kms:ListAliases
  • kms:GenerateDataKey
  • kms:GenerateDataKeyWithoutPlaintext
  • kms:ReEncryptFrom
  • kms:CreateGrant
Resource: *

SID: RDSBackup
Effect: Allow
Action:
  • rds:DescribeDBSnapshots
  • rds:DescribeDBClusters
  • rds:DescribeDBClusterSnapshots
  • rds:DeleteDBSnapshot
  • rds:CreateDBSnapshot
  • rds:CreateDBClusterSnapshot
  • rds:ModifyDBSnapshotAttribute
  • rds:DescribeDBSubnetGroups
  • rds:DescribeDBInstances
  • rds:CopyDBSnapshot
  • rds:CopyDBClusterSnapshot
  • rds:DescribeDBSnapshotAttributes
  • rds:DeleteDBClusterSnapshot
  • rds:ListTagsForResource
  • rds:AddTagsToResource
  • rds:DescribeDBClusterParameterGroups
Resource: *

SID: RDSRecovery
Effect: Allow
Action:
  • rds:ModifyDBInstance
  • rds:ModifyDBClusterSnapshotAttribute
  • rds:RestoreDBInstanceFromDBSnapshot
  • rds:ModifyDBCluster
  • rds:RestoreDBClusterFromSnapshot
  • rds:CreateDBInstance
  • rds:RestoreDBClusterToPointInTime
  • rds:CreateDBSecurityGroup
  • rds:CreateDBCluster
  • rds:RestoreDBInstanceToPointInTime
Resource: *

SID: EC2Backup
Effect: Allow
Action:
  • sts:GetCallerIdentity
  • ec2:CreateSnapshot
  • ec2:DescribeInstances
  • ec2:DescribeInstanceStatus
  • ec2:ModifySnapshotAttribute
  • ec2:CreateImage
  • ec2:CopyImage
  • ec2:CopySnapshot
  • ec2:DescribeSnapshots
  • ec2:DescribeVolumeStatus
  • ec2:DescribeVolumes
  • ec2:RegisterImage
  • ec2:DescribeVolumeAttribute
  • ec2:DescribeSubnets
  • ec2:DescribeVpcs
  • ec2:DeregisterImage
  • ec2:DeleteSnapshot
  • ec2:DescribeInstanceAttribute
  • ec2:DescribeRegions
  • ec2:ModifyImageAttribute
  • ec2:DescribeAvailabilityZones
  • ec2:ResetSnapshotAttribute
  • ec2:DescribeHosts
  • ec2:DescribeImages
  • ec2:AssociateAddress
  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeSecurityGroups
  • ec2:AuthorizeSecurityGroupEgress
  • ec2:AuthorizeSecurityGroupIngress
  • ec2:CreateSnapshots
  • ec2:GetEbsEncryptionByDefault
  • ec2:DescribeKeyPairs
  • ec2:ModifyInstanceMetadataOptions
  • secretsmanager:GetResourcePolicy
  • secretsmanager:GetSecretValue
  • secretsmanager:DescribeSecret
  • secretsmanager:RestoreSecret
  • secretsmanager:PutSecretValue
  • secretsmanager:DeleteSecret
  • secretsmanager:UpdateSecret
Resource: *

SID: SSM
Effect: Allow
Action:
  • ssm:CreateDocument
  • ssm:DescribeDocument
  • ssm:DescribeInstanceInformation
  • ssm:GetCommandInvocation
  • ssm:SendCommand
  • ssm:UpdateDocumentDefaultVersion
  • ssm:UpdateDocument
Resource:

SID: EC2Recovery
Effect: Allow
Action:
  • ec2:RunInstances
  • ec2:AttachNetworkInterface
  • ec2:DetachVolume
  • ec2:AttachVolume
  • ec2:DeleteTags
  • ec2:CreateTags
  • ec2:StartInstances
  • ec2:StopInstances
  • ec2:TerminateInstances
  • ec2:CreateVolume
  • ec2:DeleteVolume
  • ec2:DescribeIamInstanceProfileAssociations
  • ec2:AssociateIamInstanceProfile
  • ec2:DescribeInstanceTypeOfferings
Resource: *

SID: SNS
Effect: Allow
Action:
  • sns:Publish
  • sns:GetTopicAttributes
Resource: *

SID: IAM
Effect: Allow
Action:
  • iam:SimulatePrincipalPolicy
  • iam:ListAccountAliases
Resource: *

SID: EBS
Effect: Allow
Action:
  • ebs:ListSnapshotBlocks
  • ebs:StartSnapshot
  • ebs:CompleteSnapshot
  • ebs:PutSnapshotBlock
  • ebs:ListChangedBlocks
  • ebs:GetSnapshotBlock
Resource: *

SID: Route53
Effect: Allow
Action:
  • route53:CreateHostedZone
  • route53:ListHostedZones
  • route53:GetHostedZone
  • route53:ListResourceRecordSets
  • route53:ChangeResourceRecordSets
  • route53:ListHostedZonesByName
Resource: *
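
A policy typed out by hand from a table like this one is easy to get subtly wrong, so the following added example (not Cohesity or NetBackup code) lints a policy document before it is attached to the Snapshot Manager role. It checks Effect values, action syntax, service prefixes against those the table uses, duplicate actions, missing Resource elements, and write-capable actions granted on Resource `*`. The function names, the read-only naming heuristic and the sample policy are assumptions constructed for illustration.

```python
import re

# Service prefixes used by the table on this page.
TABLE_SERVICES = set("autoscaling kms rds sts ec2 secretsmanager ssm sns iam ebs route53".split())
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*]+)$")
READ_ONLY = ("Describe", "List", "Get")  # naming heuristic, an assumption of this example

# Constructed sample with deliberate defects; not a vendor-supplied policy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RDSRecovery", "Effect": "Allow", "Resource": "*",
     "Action": ["rds:ModifyDBInstance'", "ds:CreateDBCluster", "rds:CreateDBInstance"]},
    {"Sid": "SSM", "Effect": "Allows",
     "Action": ["ssm:DescribeDocument", "ssm:SendCommand", "ssm:SendCommand"]},
]}


def as_list(value):  # IAM accepts a single string or a list for Action/Resource
    return [] if value is None else [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return sorted (sid, problem, detail) findings for every statement."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append((sid, "bad-effect", str(stmt.get("Effect"))))
        resources = as_list(stmt.get("Resource"))
        if not resources:
            findings.append((sid, "missing-resource", ""))
        seen, writes = set(), []
        for action in as_list(stmt.get("Action")):
            match = ACTION_RE.match(action)
            if action in seen:
                findings.append((sid, "duplicate-action", action))
            elif not match:
                findings.append((sid, "malformed-action", action))
            elif match.group(1) not in TABLE_SERVICES:
                findings.append((sid, "unexpected-service", action))
            elif not match.group(2).startswith(READ_ONLY):
                writes.append(action)
            seen.add(action)
        if writes and "*" in resources:
            findings.append((sid, "write-on-wildcard", ",".join(sorted(writes))))
    return sorted(findings)


if __name__ == "__main__":
    print(*lint_policy(SAMPLE_POLICY), sep="\n")
```

The `write-on-wildcard` finding is a review prompt rather than an error: it lists the actions in a statement that could be scoped to specific ARNs or constrained with conditions where the deployment allows it.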
