# Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess\_v2 Allows full administrative access to AWS Elastic Disaster Recovery (AWS DRS) Console. Attach this policy to your users or roles. **Permissions details** This policy includes permissions to do the following: + `drs` – All APIs. + `kms` – List aliases and describe keys. + `ec2` – Describe account attributes, availability zones, images, instance (including types, statuses, type offerings), subnets, volumes, ebs encryption by default, ebs default kms key id, key/pairs, capacity reservations and hosts. Describe, create and delete snapshots. Describe and create launch templates. Start, run, stop and terminate instances. Describe and modify instance attributes. Create, attach and detach volumes. Describe, create, modify and delete launch template version. Create and delete tags. Get console output and screenshots. Describe and create security groups. Authorize and revoke security group egress. Authorize security group ingress. + `license manager` – List license configurations. + `resource groups` – List groups. + `elastic load balancing` – Describe load balancers. + `iam` – List instance profiles and roles, passRole. + `cloudformation` – Describe and list stacks. + `s3` – Get bucket location and list all my buckets. + `ssm` – Describe instance information, send command, start automation execution. List documents and command invocations. Get and put parameters. Describe and get document. Get automation executions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "ConsoleFullAccess1", "Effect": "Allow", "Action": [ "drs:*" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess2", "Effect": "Allow", "Action": [ "kms:ListAliases", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess3", "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:GetEbsEncryptionByDefault", "ec2:GetEbsDefaultKmsKeyId", "ec2:DescribeKeyPairs", "ec2:DescribeCapacityReservations", "ec2:DescribeHosts" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess4", "Effect": "Allow", "Action": "license-manager:ListLicenseConfigurations", "Resource": "*" }, { "Sid": "ConsoleFullAccess5", "Effect": "Allow", "Action": "resource-groups:ListGroups", "Resource": "*" }, { "Sid": "ConsoleFullAccess6", "Effect": "Allow", "Action": "elasticloadbalancing:DescribeLoadBalancers", "Resource": "*" }, { "Sid": "ConsoleFullAccess7", "Effect": "Allow", "Action": [ "iam:ListInstanceProfiles", "iam:ListRoles" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess8", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryConversionServerRole", "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceRole", "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceWithLaunchActionsRole" ], "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } }, { "Sid": "ConsoleFullAccess9", "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess10", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplateVersions", "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "ConsoleFullAccess11", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplate" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "ConsoleFullAccess12", "Effect": "Allow", "Action": [ "ec2:DeleteVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess13", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess14", "Effect": "Allow", "Action": [ "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess15", "Effect": "Allow", "Action": [ "ec2:CreateVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess16", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:*:vpc/*" }, { "Sid": "ConsoleFullAccess17", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess18", "Effect": "Allow", "Action": [ "ec2:CreateSnapshot" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess19", "Effect": "Allow", "Action": [ "ec2:CreateSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess20", "Effect": "Allow", "Action": [ "ec2:DetachVolume", "ec2:AttachVolume" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess21", "Effect": "Allow", "Action": [ "ec2:DetachVolume", "ec2:AttachVolume", "ec2:StartInstances", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "drs.amazonaws.com" ] } } }, { "Sid": "ConsoleFullAccess22", "Effect": "Allow", "Action": [ "ec2:AttachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess23", "Effect": "Allow", "Action": [ "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess24", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess25", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:image/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition": { "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess26", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*:*:instance/*" ], "Condition": { "StringEquals": { "ec2:CreateAction": [ "CreateSecurityGroup", "CreateVolume", "CreateSnapshot", "RunInstances" ] }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess27", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "StringEquals": { "ec2:CreateAction": [ "CreateLaunchTemplate" ] } } }, { "Sid": "ConsoleFullAccess28", "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStacks" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess29", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess30", "Effect": "Allow", "Action": [ "ssm:DescribeInstanceInformation", "ssm:DescribeParameters" ], "Resource": [ "*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "drs.amazonaws.com" ] } } }, { "Sid": "ConsoleFullAccess31", "Effect": "Allow", "Action": [ "ssm:SendCommand", "ssm:StartAutomationExecution" ], "Resource": [ "arn:aws:ssm:*:*:document/AWS-CreateImage", "arn:aws:ssm:*:*:document/AWSMigration-ValidateNetworkConnectivity", "arn:aws:ssm:*:*:document/AWSMigration-VerifyMountedVolumes", "arn:aws:ssm:*:*:document/AWSMigration-ValidateHttpResponse", "arn:aws:ssm:*:*:document/AWSMigration-ValidateDiskSpace", "arn:aws:ssm:*:*:document/AWSMigration-VerifyProcessIsRunning", "arn:aws:ssm:*:*:document/AWSMigration-LinuxTimeSyncSetting", "arn:aws:ssm:*:*:document/AWSEC2-ApplicationInsightsCloudwatchAgentInstallAndConfigure", "arn:aws:ssm:*:*:automation-execution/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "drs.amazonaws.com" ] } } }, { "Sid": "ConsoleFullAccess32", "Effect": "Allow", "Action": [ "ssm:SendCommand" ], "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "drs.amazonaws.com" ] }, "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "ConsoleFullAccess33", "Effect": "Allow", "Action": [ "ssm:ListDocuments", "ssm:ListCommandInvocations" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess34", "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:PutParameter" ], "Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "ConsoleFullAccess35", "Effect": "Allow", "Action": [ "ssm:DescribeDocument", "ssm:GetDocument" ], "Resource": "arn:aws:ssm:*:*:document/*" }, { "Sid": "ConsoleFullAccess36", "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "ssm.amazonaws.com" } } }, { "Sid": "ConsoleFullAccess37", "Effect": "Allow", "Action": [ "ssm:GetAutomationExecution" ], "Resource": "arn:aws:ssm:*:*:automation-execution/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } } ] } ``` ------