IAM role required for Snapshot Manager instance — NetBackup 11.0 | Cohesity Documentation

Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist

IAM role required for Snapshot Manager instance — NetBackup 11.0 | Cohesity Documentation

IAM role required for Snapshot Manager instance

Table: IAM roles for Snapshot Manager instance

SID	Effect	Action	Resource
EC2AutoScaling	Allow	autoscaling:UpdateAutoScalingGroup autoscaling:AttachInstances	*
KMS	Allow	kms:ListKeys kms:Encrypt kms:Decrypt kms:ReEncryptTo kms:DescribeKey kms:ListAliases kms:GenerateDataKey kms:GenerateDataKeyWithoutPlaintext kms:ReEncryptFrom kms:CreateGrant	*
RDSBackup	Allow	rds:DescribeDBSnapshots rds:DescribeDBClusters rds:DescribeDBClusterSnapshots rds:DeleteDBSnapshot rds:CreateDBSnapshot rds:CreateDBClusterSnapshot rds:ModifyDBSnapshotAttribute rds:DescribeDBSubnetGroups rds:DescribeDBInstances rds:CopyDBSnapshot rds:CopyDBClusterSnapshot rds:DescribeDBSnapshotAttributes rds:DeleteDBClusterSnapshot rds:ListTagsForResource rds:AddTagsToResource rds:DescribeDBClusterParameterGroups	*
RDSRecovery	Allow	rds:ModifyDBInstance' rds:ModifyDBClusterSnapshotAttribute' rds:RestoreDBInstanceFromDBSnapshot' rds:ModifyDBCluster rds:RestoreDBClusterFromSnapshot rds:CreateDBInstance rds:RestoreDBClusterToPointInTime' rds:CreateDBSecurityGroup ds:CreateDBCluster rds:RestoreDBInstanceToPointInTime	*
EC2Backup	Allow	sts:GetCallerIdentity ec2:CreateSnapshot ec2:DescribeInstances' ec2:DescribeInstanceStatus ec2:ModifySnapshotAttribute ec2:CreateImage ec2:CopyImage ec2:CopySnapshot' ec2:DescribeSnapshots ec2:DescribeVolumeStatus ec2:DescribeVolumes ec2:RegisterImage ec2:DescribeVolumeAttribute ec2:DescribeSubnets ec2:DescribeVpcs ec2:DeregisterImage ec2:DeleteSnapshot ec2:DescribeInstanceAttribute ec2:DescribeRegions ec2:ModifyImageAttribute ec2:DescribeAvailabilityZones ec2:ResetSnapshotAttribute ec2:DescribeHosts ec2:DescribeImages ec2:AssociateAddress ec2:DescribeNetworkInterfaces ec2:DescribeSecurityGroups ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateSnapshots ec2:GetEbsEncryptionByDefault ec2:DescribeKeyPairs ec2:ModifyInstanceMetadataOptions secretsmanager:GetResourcePolicy secretsmanager:GetSecretValue secretsmanager:DescribeSecret secretsmanager:RestoreSecret secretsmanager:PutSecretValue secretsmanager:DeleteSecret secretsmanager:UpdateSecret	*
SSM	Allows	ssm:CreateDocument ssm:DescribeDocument ssm:DescribeInstanceInformation ssm:GetCommandInvocation ssm:SendCommand ssm:UpdateDocumentDefaultVersion ssm:UpdateDocument
EC2Recovery	Allows	ec2:RunInstances ec2:AttachNetworkInterface ec2:DetachVolume ec2:AttachVolume ec2:DeleteTags ec2:CreateTags ec2:StartInstances ec2:StopInstances ec2:TerminateInstances ec2:CreateVolume ec2:DeleteVolume ec2:DescribeIamInstanceProfileAssociations ec2:AssociateIamInstanceProfile ec2:DescribeInstanceTypeOfferings	*
SNS	Allow	sns:Publish sns:GetTopicAttributes	*
IAM	Allow	iam:SimulatePrincipalPolicy iam:ListAccountAliases	*
EBS	Allow	ebs:ListSnapshotBlocks ebs:StartSnapshot ebs:CompleteSnapshot ebs:PutSnapshotBlock ebs:ListChangedBlocks ebs:GetSnapshotBlock	*
Route53	Allow	route53:CreateHostedZone route53:ListHostedZones route53:GetHostedZone route53:ListResourceRecordSets route53:ChangeResourceRecordSets route53:ListResourceRecordSets route53:ListHostedZonesByName	*

Feedback

Was this page helpful?

Feedback

Was this page helpful?