

# Security in AWS Elastic Disaster Recovery

## Overview


Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations. 

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security of the cloud and security in the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Elastic Disaster Recovery (AWS DRS), see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company's requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using AWS DRS. It shows you how to configure AWS DRS to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your AWS Elastic Disaster Recovery resources. 

The customer is responsible for making sure that no misconfigurations are present during and after the recovery process, including:

1. The replication server should be accessible only from the CIDR range of the source servers. Proper security group rules should be assigned to the replication server after it is created.

1. After the recovery, the customer should make sure that only allowed ports on the recovery instances are exposed to the public internet.

1. Hardening of OS packages and other software deployed on the recovery instances is completely the customer's responsibility, and we recommend the following:

   1. Packages should be up to date and free of known vulnerabilities.

   1. Only necessary OS/application services should be up and running.

1. Activate anti-DDoS protection (AWS Shield) in the customer's AWS account to eliminate the risk of denial-of-service attacks on the replication servers as well as the migrated servers.
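The first two points in the list above (replication servers reachable only from the source-server CIDR, recovery instances exposing only allowed ports to the internet) can be checked mechanically. The following is an added example, not from the AWS documentation and not an AWS tool: it audits security-group ingress rules offline against a constructed sample shaped like the `SecurityGroups` list that `aws ec2 describe-security-groups` returns. The group names and IDs, the CIDRs, the port numbers, and the convention of routing groups whose name contains "replication" to the replication check are all assumptions made for the example.

```python
"""Audit security-group ingress for DRS replication servers and recovery instances.

Added example; not part of the AWS documentation and not AWS tooling. It runs
offline on a constructed sample shaped like the "SecurityGroups" list returned
by `aws ec2 describe-security-groups`; with boto3 you would pass
`ec2.describe_security_groups()["SecurityGroups"]` instead.
"""
import ipaddress

# Constructed sample data (group IDs, names, CIDRs and ports are made up).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0replication0example",
        "GroupName": "drs-replication-servers",
        "IpPermissions": [
            # Replication traffic from the source-server range: expected.
            {"IpProtocol": "tcp", "FromPort": 1500, "ToPort": 1500,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
            # Same port open to the whole internet: a finding.
            {"IpProtocol": "tcp", "FromPort": 1500, "ToPort": 1500,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0recovery0example",
        "GroupName": "drs-recovery-instances",
        "IpPermissions": [
            # HTTPS to the public: on the allow-list in the usage below, so not a finding.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH from anywhere over IPv4 and IPv6: a finding for each range.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # All traffic from one /24: not world-reachable, so not flagged by this check.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
]


def _port_range(perm):
    """(low, high) ports covered by a rule; protocol -1 ("all traffic") covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    """All IPv4 and IPv6 ranges of a rule as ip_network objects."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [ipaddress.ip_network(c, strict=False) for c in v4 + v6]


def check_replication_group(group, source_cidrs):
    """Replication-server rule: every ingress range must sit inside a source-server CIDR.

    Returns a list of (group id, offending CIDR, (low port, high port)).
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in source_cidrs]
    findings = []
    for perm in group["IpPermissions"]:
        for net in _cidrs(perm):
            contained = any(net.version == a.version and net.subnet_of(a) for a in allowed)
            if not contained:
                findings.append((group["GroupId"], str(net), _port_range(perm)))
    return findings


def check_recovery_group(group, allowed_public_ports):
    """Recovery-instance rule: world-open ranges (/0) may expose only allow-listed ports.

    Returns a list of (group id, offending CIDR, (low port, high port)).
    """
    findings = []
    for perm in group["IpPermissions"]:
        low, high = _port_range(perm)
        exposes_extra = any(p not in allowed_public_ports for p in range(low, high + 1))
        for net in _cidrs(perm):
            if net.prefixlen == 0 and exposes_extra:
                findings.append((group["GroupId"], str(net), (low, high)))
    return findings


def audit(groups, source_cidrs, allowed_public_ports):
    """Route each group to the check for its role; the name-based routing is a constructed convention."""
    report = {}
    for g in groups:
        if "replication" in g["GroupName"]:
            report[g["GroupId"]] = check_replication_group(g, source_cidrs)
        else:
            report[g["GroupId"]] = check_recovery_group(g, allowed_public_ports)
    return report


if __name__ == "__main__":
    for gid, findings in audit(SAMPLE_GROUPS, ["10.20.0.0/16"], {443}).items():
        print(gid, "OK" if not findings else findings)
```

Each finding names the group, the offending range and the port span, which is what you need to correct the rule; the replication check deliberately flags any range outside the source CIDR, not only `0.0.0.0/0`, because a rule open to an unrelated private range is just as much a misconfiguration for that server.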

# Identity and access management for AWS Elastic Disaster Recovery

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS resources. IAM allows you to create users and groups under your AWS account. You control the permissions that users have to perform tasks using AWS resources. You can use IAM for no additional charge. 

By default, IAM users don't have permissions for AWS Elastic Disaster Recovery (AWS DRS) resources and operations. To allow IAM users to manage AWS DRS resources, you must create an IAM policy that explicitly grants them permissions, and attach the policy to the users or groups that require those permissions. 

When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources. For more information, see [Policies and Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

## Federated identity


As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

# Authenticating with identities in AWS Elastic Disaster Recovery

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

## AWS account root user


 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

## IAM users and groups


An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

## IAM roles


An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Grant permission to tag resources during creation

Some resource-creating AWS DRS API actions allow you to specify tags when you create the resource. You can use resource tags to implement attribute-based access control (ABAC).

To allow users to tag resources on creation, they must have permissions to use the action that creates the resource, such as:
+ `drs:CreateSourceServerForDrs` – for creating a source server
+ `drs:CreateRecoveryInstanceForDrs` – for creating a Recovery instance
+ `drs:TagResource` – if tags are specified in the resource-creating action

If tags are specified in the resource-creating action, Amazon performs additional authorization on the `drs:TagResource` action to verify that users have permissions to create tags. Therefore, users must also have explicit permissions to use the `drs:TagResource` action. 

In the IAM policy definition for the `drs:TagResource` action, use the Condition element with the `drs:CreateAction` condition key to give tagging permissions to the action that creates the resource. 

The following example demonstrates a policy that allows an agent installer to create a source server or recovery instance and apply any tags to the resource on creation. The installer is not permitted to tag any existing resources (it cannot call the `drs:TagResource` action directly). 

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "drs:GetAgentInstallationAssetsForDrs",
                "drs:SendClientLogsForDrs",
                "drs:CreateSourceServerForDrs",
                "drs:CreateRecoveryInstanceForDrs",
                "drs:DescribeRecoveryInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "drs:TagResource",
            "Resource": "arn:aws:drs:*:*:source-server/*",
            "Condition": {
                "StringEquals": {
                    "drs:CreateAction": "CreateSourceServerForDrs"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "drs:TagResource",
            "Resource": "arn:aws:drs:*:*:recovery-instance/*",
            "Condition": {
                "StringEquals": {
                    "drs:CreateAction": "CreateRecoveryInstanceForDrs"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "drs:IssueAgentCertificateForDrs",
            "Resource": "arn:aws:drs:*:*:source-server/*"
        }
    ]
}
```

The `drs:TagResource` action is only evaluated if tags are applied during the resource-creating action. Therefore, an installer that has permissions to create a resource (assuming there are no tagging conditions) does not require permissions to use the `drs:TagResource` action if no tags are specified in the request. However, if the installer attempts to create a resource with tags, the request fails if the installer does not have permissions to use the `drs:TagResource` action.
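To make the two-step authorization concrete, the following is an added example, not from the AWS documentation and not the IAM evaluation engine: a small evaluator that applies the policy above to the three request shapes discussed here (a create call with tags, a create call without tags, and a direct `drs:TagResource` call) and shows why the `drs:CreateAction` condition lets the installer tag only what it is creating. The ARNs and tag values are constructed, and the evaluator models only the policy features this policy uses (Allow statements, `*` wildcards, `StringEquals`); explicit Deny, SCPs, permissions boundaries and resource policies are not modelled.

```python
"""Trace how IAM decides the tag-on-create policy from this page.

Added example; not part of the AWS documentation and not the IAM evaluation
engine. It models only what this policy exercises: Allow statements, '*'
wildcards in actions and ARNs, and StringEquals on the drs:CreateAction key.
"""
import fnmatch

# The policy from the page, unchanged apart from compact formatting.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["drs:GetAgentInstallationAssetsForDrs", "drs:SendClientLogsForDrs",
                    "drs:CreateSourceServerForDrs", "drs:CreateRecoveryInstanceForDrs",
                    "drs:DescribeRecoveryInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "drs:TagResource",
         "Resource": "arn:aws:drs:*:*:source-server/*",
         "Condition": {"StringEquals": {"drs:CreateAction": "CreateSourceServerForDrs"}}},
        {"Effect": "Allow", "Action": "drs:TagResource",
         "Resource": "arn:aws:drs:*:*:recovery-instance/*",
         "Condition": {"StringEquals": {"drs:CreateAction": "CreateRecoveryInstanceForDrs"}}},
        {"Effect": "Allow", "Action": "drs:IssueAgentCertificateForDrs",
         "Resource": "arn:aws:drs:*:*:source-server/*"},
    ],
}

# Constructed ARNs for the simulated requests (account and resource IDs are made up).
SOURCE_SERVER_ARN = "arn:aws:drs:us-east-1:111122223333:source-server/s-constructed01"
RECOVERY_INSTANCE_ARN = "arn:aws:drs:us-east-1:111122223333:recovery-instance/i-constructed01"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    """IAM wildcard match ('*' any run, '?' one char). Action names are case-insensitive, ARNs are not."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition, context):
    """StringEquals only: a key absent from the request context makes the condition false."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True when some Allow statement matches action, resource and condition (this policy has no Deny)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def simulate_create(policy, create_action, resource_arn, tags):
    """Model the two authorizations for a resource-creating call: the create action itself and,
    only when tags are present, drs:TagResource with drs:CreateAction set to the creating action."""
    if not is_allowed(policy, f"drs:{create_action}", resource_arn, {}):
        return "DENIED (create)"
    if tags and not is_allowed(policy, "drs:TagResource", resource_arn,
                               {"drs:CreateAction": create_action}):
        return "DENIED (tag on create)"
    return "ALLOWED"


def simulate_direct_tag(policy, resource_arn):
    """A standalone TagResource call carries no drs:CreateAction key, so the condition cannot match."""
    return "ALLOWED" if is_allowed(policy, "drs:TagResource", resource_arn, {}) else "DENIED"


if __name__ == "__main__":
    print(simulate_create(POLICY, "CreateSourceServerForDrs", SOURCE_SERVER_ARN, {"env": "prod"}))
    print(simulate_create(POLICY, "CreateSourceServerForDrs", SOURCE_SERVER_ARN, {}))
    print(simulate_direct_tag(POLICY, SOURCE_SERVER_ARN))
```

The point the evaluator makes visible is that the condition key, not the resource ARN, is what separates the two cases: a direct `drs:TagResource` call on exactly the same source-server ARN is denied because `drs:CreateAction` is absent from its request context, while the create call with tags succeeds because the service supplies that key when it performs the secondary `drs:TagResource` authorization.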

# AWS managed policies for AWS Elastic Disaster Recovery

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

# AWS managed policy: AWSElasticDisasterRecoveryAgentPolicy

This policy gives the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to replicate source servers to AWS, permissions to communicate with AWS DRS to receive instructions and to send logs and metrics.

**Important**  
This policy is designed exclusively for the AWS Replication Agent. We do not recommend that you attach this policy to your IAM users or roles.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryAgentPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryAgentPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryAgentInstallationPolicy

This policy allows installing the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to recover external servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent. 

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryAgentInstallationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryAgentInstallationPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryConversionServerPolicy

This policy is attached to the AWS Elastic Disaster Recovery Conversion Server's instance role. This policy allows AWS Elastic Disaster Recovery (AWS DRS) Conversion Servers, which are EC2 instances launched by AWS DRS, to communicate with the DRS service. An IAM role with this policy is attached (as an EC2 Instance Profile) by DRS to the DRS Conversion Servers, which are automatically launched and terminated by DRS when needed. DRS Conversion Servers are used by AWS Elastic Disaster Recovery when users choose to recover source servers using the AWS DRS console, CLI, or API. We do not recommend that you attach this policy to your users or roles.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryConversionServerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryConversionServerPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryFailbackPolicy

This policy allows using the AWS Elastic Disaster Recovery Failback Client, which is used to fail back Recovery Instances to your original source infrastructure. This policy is also used by AWS Elastic Disaster Recovery to refresh credentials for the Failback Client. We do not recommend that you attach this policy to your users or roles.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryFailbackPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryFailbackPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryFailbackInstallationPolicy

You can attach the AWSElasticDisasterRecoveryFailbackInstallationPolicy policy to your IAM identities. 

This policy allows installing the AWS Elastic Disaster Recovery Failback Client, which is used to fail back Recovery Instances to your original source infrastructure. Attach this policy to your users or roles whose credentials you provide when running the AWS Elastic Disaster Recovery Failback Client.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryFailbackInstallationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryFailbackInstallationPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryConsoleFullAccess

This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and EC2 information. It also includes EC2 actions that allow launching, deleting, or modifying replication servers and recovery instances. These EC2 actions are limited to resources that the service creates with a specific AWS-only tag. Attach this policy to your users or roles.

AWSElasticDisasterRecoveryConsoleFullAccess includes access to your AWS managed keys. However, it does not include access to your customer managed keys, so if you use customer managed keys (CMKs) you will need to add a policy statement that allows the use of those KMS keys.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryConsoleFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryConsoleFullAccess.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryReadOnlyAccess

You can attach the AWSElasticDisasterRecoveryReadOnlyAccess policy to your IAM identities.

This policy provides permissions to all read-only public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as some read-only APIs of other AWS services that are required to make full read-only use of the DRS console. This includes:
+ **AWS Elastic Disaster Recovery (read-only)** – View all DRS resources such as Source Servers, Recovery Instances, Recovery Snapshots, and post-launch actions.
+ **IAM (read-only)** – List IAM roles in your account.
+ **EC2 (read-only)** – View EC2 instance details, launch templates, security groups, and subnets related to your recovery environment.
+ **SSM (read-only)** – View Systems Manager configurations such as post-launch action settings and automation executions.

Attach this policy to your users or roles. This policy is ideal for team members who need visibility into your disaster recovery setup, such as auditors or monitoring teams, without the ability to make changes.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryReadOnlyAccess.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryReplicationServerPolicy

This policy is attached to the AWS Elastic Disaster Recovery replication server’s instance role. 

This policy allows the AWS Elastic Disaster Recovery (AWS DRS) replication servers, which are Amazon EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service, and to create EBS snapshots in your AWS account. An IAM role with this policy is attached (as an EC2 instance profile) by AWS DRS to the AWS DRS replication servers which are automatically launched and terminated by AWS DRS, as needed. AWS DRS replication servers are used to facilitate data replication from your external servers to AWS, as part of the recovery process managed by AWS DRS. We do not recommend that you attach this policy to your users or roles.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryReplicationServerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryReplicationServerPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryRecoveryInstancePolicy

This policy is attached to the instance role of AWS Elastic Disaster Recovery's recovery instance. 

This policy allows the AWS Elastic Disaster Recovery (AWS DRS) recovery instances, which are EC2 instances launched by AWS DRS, to communicate with the AWS DRS service and to fail back to their original source infrastructure. An IAM role with this policy is attached (as an Amazon EC2 Instance Profile) by AWS DRS to the AWS DRS recovery instances. We do not recommend that you attach this policy to your users or roles.

 

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryRecoveryInstancePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryRecoveryInstancePolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryServiceRolePolicy

This policy allows AWS Elastic Disaster Recovery to manage AWS resources on your behalf. 

This policy is attached to the [AWSServiceRoleForElasticDisasterRecovery](using-service-linked-roles.md) role.

 **Permissions details** 

This policy includes permissions to do the following:
+ ec2 – Retrieve and modify resources needed to support failover and failback of source servers and source networks.
+ cloudwatch – Retrieve disk usage to allow cost optimization.
+ iam – Acquire the permissions required for recovery.
+ kms – Allow using encrypted volumes.
+ drs – Retrieve and set tags for DRS resources, and create DRS resources on failover.

To view the policy permission details see [AWSElasticDisasterRecoveryServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryServiceRolePolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryStagingAccountPolicy

This policy allows read-only access to AWS Elastic Disaster Recovery (AWS DRS) resources such as source servers and jobs. It also allows creating a converted snapshot and sharing that EBS snapshot with a specified account. 

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryStagingAccountPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryStagingAccountPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryStagingAccountPolicy_v2

This policy is used by AWS Elastic Disaster Recovery (AWS DRS) to recover source servers into a separate target account and to allow failing back. We do not recommend that you attach this policy to your users or roles.

 

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryStagingAccountPolicy_v2](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryStagingAccountPolicy_v2.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryEc2InstancePolicy

This policy allows installing and using the AWS Replication Agent, which is used by AWS Elastic Disaster Recovery (AWS DRS) to recover source servers that run on EC2 (cross-Region, cross-AZ or cross-Account). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances. 

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryEc2InstancePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryEc2InstancePolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryCrossAccountReplicationPolicy

This policy allows AWS Elastic Disaster Recovery (DRS) to support cross-account replication and cross-account failback.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryNetworkReplicationPolicy

This policy allows AWS Elastic Disaster Recovery (DRS) to support network replication.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryNetworkReplicationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryNetworkReplicationPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryLaunchActionsPolicy

You can attach the AWSElasticDisasterRecoveryLaunchActionsPolicy policy to your IAM identities. 

This policy grants the AWS Systems Manager (SSM) permissions, and the permissions on other services, that are required to run post-launch actions in AWS Elastic Disaster Recovery (AWS DRS). Attach this policy to your IAM roles or users.

 **Permissions details** 

To view the policy permission details see [AWSElasticDisasterRecoveryLaunchActionsPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryLaunchActionsPolicy.html) in the AWS Managed Policy Reference Guide.

# AWS managed policy: AWSElasticDisasterRecoveryConsoleFullAccess_v2

You can attach the **AWSElasticDisasterRecoveryConsoleFullAccess_v2** policy to your IAM identities.

This policy allows full administrative access to the AWS Elastic Disaster Recovery (AWS DRS) console. Attach this policy to your users or roles.

**Permissions details**

This policy includes permissions to do the following:
+ `drs` – All APIs.
+ `kms` – List aliases and describe keys.
+ `ec2` – Describe account attributes, availability zones, images, instances (including types, statuses, and type offerings), subnets, volumes, EBS encryption by default, the EBS default KMS key ID, key pairs, capacity reservations, and hosts. Describe, create, and delete snapshots. Describe and create launch templates. Start, run, stop, and terminate instances. Describe and modify instance attributes. Create, attach, and detach volumes. Describe, create, modify, and delete launch template versions. Create and delete tags. Get console output and screenshots. Describe and create security groups. Authorize and revoke security group egress. Authorize security group ingress.
+ `license-manager` – List license configurations.
+ `resource-groups` – List groups.
+ `elasticloadbalancing` – Describe load balancers.
+ `iam` – List instance profiles and roles; PassRole.
+ `cloudformation` – Describe and list stacks.
+ `s3` – Get bucket location and list all my buckets.
+ `ssm` – Describe instance information, send command, start automation execution. List documents and command invocations. Get and put parameters. Describe and get document. Get automation executions.

To view the policy permission details see [AWSElasticDisasterRecoveryConsoleFullAccess_v2](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryConsoleFullAccess_v2.html) in the AWS Managed Policy Reference Guide.

 

## Elastic Disaster Recovery updates for AWS managed policies

View details about updates to AWS managed policies for AWS Elastic Disaster Recovery since March 1, 2021.

**AWS Elastic Disaster Recovery policy updates**

| Change | Description | Date |
| --- | --- | --- |
| [See the AWS documentation website for more details](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Updated policies to reflect changes in SSM. | July 3, 2025 |
| [See the AWS documentation website for more details](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Created new revisions of the AWSElasticDisasterRecoveryServiceRolePolicy, AWSElasticDisasterRecoveryConsoleFullAccess_v2 and AWSElasticDisasterRecoveryConsoleFullAccess managed policies to support a change in authentication with EBS APIs. | January 6, 2025 |
| [See the AWS documentation website for more details](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Created new revisions of the AWSElasticDisasterRecoveryConsoleFullAccess_v2 and AWSElasticDisasterRecoveryLaunchActionsPolicy managed policies to support additional parameter types in SSM Parameter Store for post-launch actions. | May 19, 2024 |
| [AWSElasticDisasterRecoveryServiceRolePolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md) – Updated policy | Created a revision of the AWSElasticDisasterRecoveryServiceRolePolicy policy to support replicating Marketplace licenses to launched instances. | January 28, 2024 |
| [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.md) – Updated policy | Created a revision of the AWSElasticDisasterRecoveryCrossAccountReplicationPolicy policy to support replicating Marketplace licenses to launched instances. | January 28, 2024 |
| [See the AWS documentation website for more details](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Created new revisions of managed policies to support managed prefix lists for DRS network replication and recovery. | January 3, 2024 |
| [See the AWS documentation website for more details](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Created new revisions of managed policies to support DRS in GovCloud and added Sid to statements in managed policies. | November 27, 2023 |
| [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.md) – Updated policy | Created a revision of AWSElasticDisasterRecoveryCrossAccountReplicationPolicy to support DRS in GovCloud. | November 27, 2023 |
| [AWSElasticDisasterRecoveryReadOnlyAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md) – Updated policy | AWS Elastic Disaster Recovery updated the policy with additional read-only permissions for post-launch actions. | November 27, 2023 |
| [AWSElasticDisasterRecoveryConsoleFullAccess_v2](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess_v2.md) – New policy | AWS Elastic Disaster Recovery added a new policy. This policy provides access to use the DRS console. Attach this policy to your IAM roles or users. | November 27, 2023 |
| [AWSElasticDisasterRecoveryConsoleFullAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md) – Updated policy | AWS Elastic Disaster Recovery updated the policy to allow launching into an existing instance. | October 15, 2023 |
| [AWSElasticDisasterRecoveryLaunchActionsPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryLaunchActionsPolicy.md) – Updated policy | AWS Elastic Disaster Recovery updated the policy to allow launching into an existing instance tagged with a specific AWS-only key-value pair. | October 15, 2023 |
| [AWSElasticDisasterRecoveryEc2InstancePolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md) – Updated policy | AWS Elastic Disaster Recovery updated the policy to allow sending installation result metrics to AWS Elastic Disaster Recovery. | October 10, 2023 |
| [AWSElasticDisasterRecoveryAgentInstallationPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentInstallationPolicy.md) – Updated policy | AWS Elastic Disaster Recovery updated the policy to allow sending installation result metrics to AWS Elastic Disaster Recovery. | October 10, 2023 |
| [AWSElasticDisasterRecoveryLaunchActionsPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryLaunchActionsPolicy.md) – New policy | AWS Elastic Disaster Recovery added a new policy. This policy provides access to use post-launch actions. Attach this policy to your IAM roles or users. | September 13, 2023 |
| [AWSElasticDisasterRecoveryReadOnlyAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md) – Updated policy | AWS Elastic Disaster Recovery updated the policy with new read-only APIs for post-launch actions. | September 13, 2023 |
| [AWSElasticDisasterRecoveryAgentInstallationPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentInstallationPolicy.md) – Updated policy | AWS Elastic Disaster Recovery updated the policy to allow network replication and recovery. | June 13, 2023 |
| [AWSElasticDisasterRecoveryEc2InstancePolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md) – Updated policy | This policy was updated to allow network replication and recovery. | June 13, 2023 |
| [AWSElasticDisasterRecoveryConsoleFullAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md) – Updated policy | This policy was updated to support network replication and recovery. | June 13, 2023 |
| [AWSElasticDisasterRecoveryNetworkReplicationPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryNetworkReplicationPolicy.md) – New policy | This policy is used by AWS Elastic Disaster Recovery (DRS) to support network replication. | June 13, 2023 |
| [AWSElasticDisasterRecoveryServiceRolePolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md) – Updated policy | This policy was updated to support network replication and recovery. | June 13, 2023 |
| [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.md) – New policy | This policy is used by AWS Elastic Disaster Recovery (DRS) to support replication and failback. | May 14, 2023 |
| [AWSElasticDisasterRecoveryRecoveryInstancePolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryRecoveryInstancePolicy.md) – Updated policy | This policy was updated to support failback by the agent after reverse replication. | May 14, 2023 |
|  [AWSElasticDisasterRecoveryEc2InstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md)– Updated policy | This policy was updated to support replication by the agent. | May 14, 2023 | 
|  [AWSElasticDisasterRecoveryConsoleFullAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy | This policy was updated to support default EC2 launch templates and bulk editing of source server EC2 launch templates. | April 19, 2023 | 
|   [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.md)– New policy   |  This policy is used by AWS Elastic Disaster Recovery (DRS) to support cross-account replication and cross-account failback.  | May 7, 2023 | 
|   [AWSElasticDisasterRecoveryRecoveryInstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryRecoveryInstancePolicy.md)– Updated policy  |  This policy was updated to support cross-account failback by the agent after reverse replication.  | May 7, 2023 | 
|  [AWSElasticDisasterRecoveryEc2InstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md)– Updated policy | This policy was updated to support cross-account replication by the agent. | May 7, 2023 | 
|  [AWSElasticDisasterRecoveryConsoleFullAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy | This policy was updated to support default EC2 launch templates and bulk editing of source server EC2 launch templates. | April 16, 2023 | 
|   [AWSElasticDisasterRecoveryAgentPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentPolicy.md) – Updated policy   |  This policy was updated to support the kernel upgrade feature.  | April 1, 2023 | 
|   [AWSElasticDisasterRecoveryStagingAccountPolicy_v2 ](security-iam-awsmanpol-AWSElasticDisasterRecoveryStagingAccountPolicy_v2.md)– New policy   |  This policy was updated to support the kernel upgrade feature.  | December 11, 2022 | 
|   [AWSElasticDisasterRecoveryAgentInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentInstallationPolicy.md)– Updated policy   |  AWS Elastic Disaster Recovery updated the policy to properly support agent installation on Recovery Instances. This policy allows installing the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to recover external servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent.   | November 14, 2022 | 
|   [AWSElasticDisasterRecoveryRecoveryInstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryRecoveryInstancePolicy.md)– Updated policy   |  AWS Elastic Disaster Recovery updated this policy to include permissions which allow DRS Recovery Instances that originated from EC2 instances to replicate back to their origin locations in a failback scenario. As an additional security mechanism, Elastic Disaster Recovery will block requests that are not targeted at the source server the EC2 instance is associated with.   | October 24, 2022 | 
|   [AWSElasticDisasterRecoveryAgentInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentInstallationPolicy.md)– Updated policy   |  AWS Elastic Disaster Recovery updated the policy to include resource tagging. This policy allows installing the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to recover external servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent.  | June 28, 2022 | 
|   [AWSElasticDisasterRecoveryFailbackInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryFailbackInstallationPolicy.md)– Updated policy   |  AWS Elastic Disaster Recovery updated this policy to include a new permission (drs:UpdateAgentReplicationInfoForDrs). This permission is needed to complete the failback process in some cases.   | June 22, 2022 | 
|   [AWSElasticDisasterRecoveryServiceRolePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md)– Updated policy   |  AWS Elastic Disaster Recovery updated the policy to allow DRS to call cloudwatch:GetMetricData and also ec2:ModifyVolume on EBS volumes of the replication server in order to support the automatic volume type selection feature.   | June 21, 2022 | 
|   [AWSElasticDisasterRecoveryReplicationServerPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReplicationServerPolicy.md)– Updated policy   |  AWS Elastic Disaster Recovery updated the policy to allow replication servers to call drs:NotifyVolumeEventForDrs and drs:SendVolumeStatsForDrs.   | June 21, 2022 | 
|   [AWSElasticDisasterRecoveryConsoleFullAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy   |  AWS Elastic Disaster Recovery updated the policy to allow listing IAM roles.   | May 26, 2022 | 
|   [AWSElasticDisasterRecoveryReadOnlyAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md)– Updated policy   |  AWS Elastic Disaster Recovery updated the policy with new read-only APIs of DRS and also added a permission that allows listing IAM roles.   | May 26, 2022 | 
|   [AWSElasticDisasterRecoveryEc2InstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md)– Updated policy   |  AWS Elastic Disaster Recovery added a new policy. This policy allows installing and using the AWS Replication Agent, which is used by AWS Elastic Disaster Recovery (DRS) to recover source servers that run on EC2 (cross-region or cross-AZ). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances.   | April 6, 2022 | 
|   [AWSElasticDisasterRecoveryReadOnlyAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md)– Updated policy   |  AWS Elastic Disaster Recovery updated this policy.  | April 3, 2022 | 
|   [AWSElasticDisasterRecoveryStagingAccountPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryStagingAccountPolicy.md)– New policy   |  AWS Elastic Disaster Recovery added a new policy. This policy allows read-only access to AWS Elastic Disaster Recovery (DRS) resources such as source servers and jobs. It also allows creating a converted snapshot and sharing that EBS snapshot with a specified account.   | February 24, 2022 | 
|   [AWSElasticDisasterRecoveryAgentPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentPolicy.md)– New policy   |  AWS Elastic Disaster Recovery added a new policy. This policy allows using the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery to recover source servers to AWS. We do not recommend that you attach this policy to your users or roles.   | November 17, 2021 | 
|   [AWSElasticDisasterRecoveryConversionServerPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConversionServerPolicy.md) New policy   |  AWS Elastic Disaster Recovery added a new policy. This policy is attached to the AWS Elastic Disaster Recovery Conversion server’s instance role.  This policy allows Elastic Disaster Recovery (DRS) Conversion Servers, which are EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service. An IAM role with this policy is attached (as an EC2 Instance Profile) by DRS to the DRS Conversion Servers, which are automatically launched and terminated by DRS, when needed. We do not recommend that you attach this policy to your users or roles. AWS DRS conversion servers are used by AWS Elastic Disaster Recovery when users choose to recover source servers using the Elastic Disaster Recovery console, CLI, or API.   | November 17, 2021 | 
|   [AWSElasticDisasterRecoveryFailbackPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryFailbackPolicy.md) - New policy   |  AWS Elastic Disaster Recovery added a new policy. This policy allows using the AWS Elastic Disaster Recovery Failback Client, which is used to failback Recovery Instances back to your original source infrastructure. We do not recommend that you attach this policy to your users or roles.   | November 17, 2021 | 
|   [AWSElasticDisasterRecoveryFailbackInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryFailbackInstallationPolicy.md)– New policy   |  AWS Elastic Disaster Recovery added a new policy. You can attach the AWSElasticDisasterRecoveryFailbackInstallationPolicy policy to your IAM identities. This policy allows installing the AWS Elastic Disaster Recovery Failback Client, which is used to fail back recovery instances to your original source infrastructure. Attach this policy to your users or roles whose credentials you provide when running the AWS Elastic Disaster Recovery Failback Client.   | November 17, 2021 | 
|   [AWSElasticDisasterRecoveryConsoleFullAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– New policy   |  AWS Elastic Disaster Recovery added a new policy. This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and Amazon EC2 information. Attach this policy to your users or roles.   | November 17, 2021 | 
|   [AWSElasticDisasterRecoveryReplicationServerPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReplicationServerPolicy.md)– New policy   |  AWS Elastic Disaster Recovery added a new policy. This policy is attached to the Elastic Disaster Recovery Replication server’s instance role.  This policy allows the Elastic Disaster Recovery (DRS) Replication Servers, which are EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service, and to create EBS snapshots in your AWS account. An IAM role with this policy is attached (as an EC2 Instance Profile) by Elastic Disaster Recovery to the DRS Replication Servers which are automatically launched and terminated by DRS, as needed. DRS Replication Servers are used to facilitate data replication from your external servers to AWS, as part of the recovery process managed by DRS. We do not recommend that you attach this policy to your users or roles.   | November 17, 2021 | 
|   [AWSElasticDisasterRecoveryRecoveryInstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryRecoveryInstancePolicy.md)– New policy   |  AWS Elastic Disaster Recovery added a new policy. This policy is attached to the instance role of Elastic Disaster Recovery's Recovery Instances. This policy allows the Elastic Disaster Recovery (DRS) Recovery Instances, which are EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service and to fail back to their original source infrastructure. An IAM role with this policy is attached (as an EC2 Instance Profile) by Elastic Disaster Recovery to the DRS recovery instances. We do not recommend that you attach this policy to your users or roles.   | November 17, 2021 | 
|   [AWSElasticDisasterRecoveryServiceRolePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md)– New policy   |  AWS Elastic Disaster Recovery added a new policy. This policy allows Elastic Disaster Recovery to manage AWS resources on your behalf.   | November 17, 2021 | 
|  AWS Elastic Disaster Recovery started tracking changes   |  AWS Elastic Disaster Recovery started tracking changes for AWS managed policies.   | November 17, 2021 | 

# Managing access using policies

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

## Identity-based policies


Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as a user, role, or group. These policies control what actions that identity can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*. 

Identity-based policies can be further categorized as inline policies or managed policies. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies include AWS managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see [Choosing Between Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline) in the *IAM User Guide*. 

# Using identity-based policies


By default, IAM users and roles don't have permission to create or modify AWS Elastic Disaster Recovery resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the users or groups that require those permissions. To learn how to attach policies to a user or group, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *IAM User Guide*. To learn how to create an IAM identity-based policy using example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*. 

**Topics**
+ [Customer-managed policies in AWS Elastic Disaster Recovery](customer_managed_policies_drs.md)
+ [Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess](customer_managed_policies_drs_full_access.md)
+ [Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess_v2](customer_managed_policies_drs_full_access_v2.md)
+ [Launch Actions Policy - AWSElasticDisasterRecoveryLaunchActionsPolicy](customer_managed_policies_launch_actions.md)
+ [Console Read-Only Access Policy - AWSElasticDisasterRecoveryReadOnlyAccess](customer_managed_policies_drs_readonly.md)

# Customer-managed policies in AWS Elastic Disaster Recovery


You can create your own custom IAM policies to allow permissions for AWS Elastic Disaster Recovery actions and resources. You can attach these custom policies to the users, roles, or groups that require those permissions. You can also create your own custom IAM policies for integration between AWS Elastic Disaster Recovery and other AWS services. The following example IAM policies grant permissions for various AWS Elastic Disaster Recovery actions. Use them to limit AWS Elastic Disaster Recovery access for your users and roles.

# Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess


 

This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and Amazon EC2 information. Attach this policy to your users or roles.

 

 **Permissions details** 

This policy includes the following permissions.

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ConsoleFullAccess1",
			"Effect": "Allow",
			"Action": [
				"drs:*"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess2",
			"Effect": "Allow",
			"Action": [
				"kms:ListAliases",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess3",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeImages",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeInstanceTypeOfferings",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeVolumes",
				"ec2:GetEbsEncryptionByDefault",
				"ec2:GetEbsDefaultKmsKeyId",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeCapacityReservations",
				"ec2:DescribeHosts"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess4",
			"Effect": "Allow",
			"Action": "license-manager:ListLicenseConfigurations",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess5",
			"Effect": "Allow",
			"Action": "resource-groups:ListGroups",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess6",
			"Effect": "Allow",
			"Action": "elasticloadbalancing:DescribeLoadBalancers",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess7",
			"Effect": "Allow",
			"Action": [
				"iam:ListInstanceProfiles",
				"iam:ListRoles"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess8",
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": [
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryConversionServerRole",
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceRole"
			],
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": "ec2.amazonaws.com"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess9",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess10",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplateVersion",
				"ec2:ModifyLaunchTemplate",
				"ec2:DeleteLaunchTemplateVersions",
				"ec2:CreateTags",
				"ec2:DeleteTags"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess11",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplate"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess12",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess13",
			"Effect": "Allow",
			"Action": [
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:TerminateInstances",
				"ec2:ModifyInstanceAttribute",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess14",
			"Effect": "Allow",
			"Action": [
				"ec2:RevokeSecurityGroupEgress",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:AuthorizeSecurityGroupEgress"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess15",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess16",
			"Effect": "Allow",
			"Action": "ec2:CreateSecurityGroup",
			"Resource": "arn:aws:ec2:*:*:vpc/*"
		},
		{
			"Sid": "ConsoleFullAccess17",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSecurityGroup"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess18",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess19",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess20",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess21",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume",
				"ec2:StartInstances",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"StringEquals": {
					"ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess22",
			"Effect": "Allow",
			"Action": [
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess23",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess24",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess25",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:subnet/*",
				"arn:aws:ec2:*:*:image/*",
				"arn:aws:ec2:*:*:network-interface/*",
				"arn:aws:ec2:*:*:launch-template/*"
			],
			"Condition": {
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess26",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:snapshot/*",
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateSecurityGroup",
						"CreateVolume",
						"CreateSnapshot",
						"RunInstances"
					]
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess27",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateLaunchTemplate"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess28",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DescribeStacks",
				"cloudformation:ListStacks"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess29",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketLocation",
				"s3:ListAllMyBuckets"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess30",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateVolume"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		}
	]
}
```

------
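To see what the `Null`, `Bool`, `StringEquals` and `ForAnyValue:StringEquals` conditions in the policy above actually gate, here is an added example (not AWS code) that evaluates three of its statements locally against constructed requests: it shows that a user holding this policy cannot call the mutating EC2 actions on DRS-managed instances directly, only through DRS (`aws:ViaAWSService`), and that the "launch into existing instance" grant requires the `AWSDRS` opt-in tag. It models only the condition operators the policy uses; the instance ARN and request contexts are constructed samples.

```python
"""Offline evaluator for the tag- and aws:ViaAWSService-gated statements of the
AWSElasticDisasterRecoveryConsoleFullAccess policy above (added example, not AWS
code; it models only the condition operators that policy uses)."""
import re
from typing import Any, Optional

# Three statements copied from the policy: the DRS API grant, the DRS-managed
# instance grant, and the "launch into existing instance" grant.
STATEMENTS = [
    {"Sid": "ConsoleFullAccess1", "Effect": "Allow",
     "Action": ["drs:*"], "Resource": "*"},
    {"Sid": "ConsoleFullAccess13", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute", "ec2:GetConsoleOutput",
                "ec2:GetConsoleScreenshot"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"Null": {"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"},
                   "Bool": {"aws:ViaAWSService": "true"}}},
    {"Sid": "ConsoleFullAccess21", "Effect": "Allow",
     "Action": ["ec2:DetachVolume", "ec2:AttachVolume", "ec2:StartInstances",
                "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"},
                   "ForAnyValue:StringEquals": {"aws:CalledVia": ["drs.amazonaws.com"]}}},
]

def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]

def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _condition_holds(operator: str, key: str, expected: Any, ctx: dict) -> bool:
    """One Condition entry against the request context. A key missing from the
    context satisfies only 'Null: true'; every other operator then fails."""
    present = key in ctx
    values = [str(v) for v in _as_list(ctx.get(key, []))]
    wanted = [str(v) for v in _as_list(expected)]
    if operator == "Null":  # "false" means the key (e.g. the managed tag) must exist
        return present if wanted[0] == "false" else not present
    if not present:
        return False
    if operator == "Bool":
        return values[0].lower() == wanted[0].lower()
    if operator == "StringEquals":  # single-valued key
        return values[0] in wanted
    if operator == "ForAnyValue:StringEquals":  # multi-valued key such as aws:CalledVia
        return any(v in wanted for v in values)
    raise ValueError(f"operator not modelled here: {operator}")

def statement_matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    if not any(_glob(a, action, True) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, exp, ctx)
               for op, entries in stmt.get("Condition", {}).items()
               for key, exp in entries.items())

def evaluate(action: str, resource: str, ctx: dict, statements=STATEMENTS) -> Optional[str]:
    """Sid of the first Allow statement granting the request, else None
    (implicit deny). The console policy contains no Deny statements."""
    for stmt in statements:
        if stmt["Effect"] == "Allow" and statement_matches(stmt, action, resource, ctx):
            return stmt["Sid"]
    return None

# Constructed sample requests against a constructed instance ARN.
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
MANAGED = {"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "true"}

def example_results() -> dict:
    return {
        # DRS API called directly by the user: drs:* allows it.
        "drs_api": evaluate("drs:DescribeSourceServers", "*", {}),
        # ec2:TerminateInstances on a DRS-managed instance called directly by the
        # user: implicit deny, because aws:ViaAWSService is not set.
        "direct_terminate": evaluate("ec2:TerminateInstances", INSTANCE, dict(MANAGED)),
        # The same call made by DRS on the user's behalf: statement 13 allows it.
        "via_drs_terminate": evaluate("ec2:TerminateInstances", INSTANCE,
                                      {**MANAGED, "aws:ViaAWSService": "true"}),
        # Via DRS, but the instance lacks the managed tag: implicit deny.
        "via_drs_unmanaged": evaluate("ec2:TerminateInstances", INSTANCE,
                                      {"aws:ViaAWSService": "true"}),
        # Launch into an existing instance opted in with the AWSDRS tag: statement 21.
        "launch_into_existing": evaluate("ec2:StartInstances", INSTANCE,
                                         {"ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance",
                                          "aws:CalledVia": ["drs.amazonaws.com"]}),
    }

if __name__ == "__main__":
    for name, sid in example_results().items():
        print(f"{name:22} -> {sid or 'implicit deny'}")
```

The same pattern (a `Null: false` tag check plus `aws:ViaAWSService`) recurs in most of the EC2 statements of both console policies, so the evaluator can be pointed at any of them by adding the statement to `STATEMENTS`.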

# Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess_v2


 

Allows full administrative access to AWS Elastic Disaster Recovery (AWS DRS) Console. Attach this policy to your users or roles. 

 

 **Permissions details** 

This policy includes permissions to do the following:
+ `drs` – All APIs.
+ `kms` – List aliases and describe keys.
+ `ec2` – Describe account attributes, availability zones, images, instances (including instance types, statuses and type offerings), subnets, volumes, EBS encryption by default, the EBS default KMS key ID, key pairs, capacity reservations and hosts. Describe, create and delete snapshots. Describe and create launch templates. Start, run, stop and terminate instances. Describe and modify instance attributes. Create, attach and detach volumes. Describe, create, modify and delete launch template versions. Create and delete tags. Get console output and screenshots. Describe and create security groups. Authorize and revoke security group egress. Authorize security group ingress. 
+ `license manager` – List license configurations.
+ `resource groups` – List groups.
+ `elastic load balancing` – Describe load balancers.
+ `iam` – List instance profiles and roles, PassRole.
+ `cloudformation` – Describe and list stacks.
+ `s3` – Get bucket location and list all my buckets.
+ `ssm` – Describe instance information, send commands, start automation executions. List documents and command invocations. Get and put parameters. Describe and get documents. Get automation executions. 

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ConsoleFullAccess1",
			"Effect": "Allow",
			"Action": [
				"drs:*"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess2",
			"Effect": "Allow",
			"Action": [
				"kms:ListAliases",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess3",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeImages",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeInstanceTypeOfferings",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeVolumes",
				"ec2:GetEbsEncryptionByDefault",
				"ec2:GetEbsDefaultKmsKeyId",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeCapacityReservations",
				"ec2:DescribeHosts"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess4",
			"Effect": "Allow",
			"Action": "license-manager:ListLicenseConfigurations",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess5",
			"Effect": "Allow",
			"Action": "resource-groups:ListGroups",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess6",
			"Effect": "Allow",
			"Action": "elasticloadbalancing:DescribeLoadBalancers",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess7",
			"Effect": "Allow",
			"Action": [
				"iam:ListInstanceProfiles",
				"iam:ListRoles"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess8",
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": [
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryConversionServerRole",
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceRole",
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceWithLaunchActionsRole"
			],
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": "ec2.amazonaws.com"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess9",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess10",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplateVersion",
				"ec2:ModifyLaunchTemplate",
				"ec2:DeleteLaunchTemplateVersions",
				"ec2:CreateTags",
				"ec2:DeleteTags"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess11",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplate"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess12",
			"Effect": "Allow",
			"Action":
			[
				"ec2:DeleteVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess13",
			"Effect": "Allow",
			"Action": [
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:TerminateInstances",
				"ec2:ModifyInstanceAttribute",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess14",
			"Effect": "Allow",
			"Action": [
				"ec2:RevokeSecurityGroupEgress",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:AuthorizeSecurityGroupEgress"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess15",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess16",
			"Effect": "Allow",
			"Action": "ec2:CreateSecurityGroup",
			"Resource": "arn:aws:ec2:*:*:vpc/*"
		},
		{
			"Sid": "ConsoleFullAccess17",
			"Effect": "Allow",
			"Action":
			[
				"ec2:CreateSecurityGroup"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess18",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess19",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess20",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess21",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume",
				"ec2:StartInstances",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"StringEquals": {
					"ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess22",
			"Effect": "Allow",
			"Action":
			[
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool":
				{
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess23",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition":
			{
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess24",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess25",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:subnet/*",
				"arn:aws:ec2:*:*:image/*",
				"arn:aws:ec2:*:*:network-interface/*",
				"arn:aws:ec2:*:*:launch-template/*"
			],
			"Condition":
			{
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess26",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:snapshot/*",
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateSecurityGroup",
						"CreateVolume",
						"CreateSnapshot",
						"RunInstances"
					]
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess27",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateLaunchTemplate"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess28",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DescribeStacks",
				"cloudformation:ListStacks"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess29",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketLocation",
				"s3:ListAllMyBuckets"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess30",
			"Effect": "Allow",
			"Action": [
				"ssm:DescribeInstanceInformation",
				"ssm:DescribeParameters"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess31",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand",
				"ssm:StartAutomationExecution"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/AWS-CreateImage",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateNetworkConnectivity",
				"arn:aws:ssm:*:*:document/AWSMigration-VerifyMountedVolumes",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateHttpResponse",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateDiskSpace",
				"arn:aws:ssm:*:*:document/AWSMigration-VerifyProcessIsRunning",
				"arn:aws:ssm:*:*:document/AWSMigration-LinuxTimeSyncSetting",
				"arn:aws:ssm:*:*:document/AWSEC2-ApplicationInsightsCloudwatchAgentInstallAndConfigure",
				"arn:aws:ssm:*:*:automation-execution/*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess32",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand"
			],
			"Resource": [
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				},
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess33",
			"Effect": "Allow",
			"Action": [
				"ssm:ListDocuments",
				"ssm:ListCommandInvocations"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess34",
			"Effect": "Allow",
			"Action": [
				"ssm:GetParameter",
				"ssm:PutParameter"
			],
			"Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*",
			"Condition": {
				"StringEquals": {
				    "aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess35",
			"Effect": "Allow",
			"Action": [
				"ssm:DescribeDocument",
				"ssm:GetDocument"
			],
			"Resource": "arn:aws:ssm:*:*:document/*"
		},
		{
			"Sid": "ConsoleFullAccess36",
			"Effect": "Allow",
			"Action": [
				"ssm:GetParameters"
			],
			"Resource": [
				"arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": "ssm.amazonaws.com"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess37",
			"Effect": "Allow",
			"Action": [
				"ssm:GetAutomationExecution"
			],
			"Resource": "arn:aws:ssm:*:*:automation-execution/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		}
	]
}
```

------

# Launch Actions Policy - AWSElasticDisasterRecoveryLaunchActionsPolicy


 

This policy grants the Amazon SSM permissions, and the permissions of the additional services, that are required to run post-launch actions in AWS Elastic Disaster Recovery (AWS DRS). Attach this policy to your IAM roles or users. 

 

 **Permissions details** 

This policy includes the following permissions.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "LaunchActionsPolicy1",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeInstanceInformation"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy2",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:document/*",
                "arn:aws:ssm:*:*:automation-execution/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                },
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy3",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "arn:aws:ssm:*::document/AWS-*",
                "arn:aws:ssm:*::document/AWSCodeDeployAgent-*",
                "arn:aws:ssm:*::document/AWSConfigRemediation-*",
                "arn:aws:ssm:*::document/AWSConformancePacks-*",
                "arn:aws:ssm:*::document/AWSDisasterRecovery-*",
                "arn:aws:ssm:*::document/AWSDistroOTel-*",
                "arn:aws:ssm:*::document/AWSDocs-*",
                "arn:aws:ssm:*::document/AWSEC2-*",
                "arn:aws:ssm:*::document/AWSEC2Launch-*",
                "arn:aws:ssm:*::document/AWSFIS-*",
                "arn:aws:ssm:*::document/AWSFleetManager-*",
                "arn:aws:ssm:*::document/AWSIncidents-*",
                "arn:aws:ssm:*::document/AWSKinesisTap-*",
                "arn:aws:ssm:*::document/AWSMigration-*",
                "arn:aws:ssm:*::document/AWSNVMe-*",
                "arn:aws:ssm:*::document/AWSNitroEnclavesWindows-*",
                "arn:aws:ssm:*::document/AWSObservabilityExporter-*",
                "arn:aws:ssm:*::document/AWSPVDriver-*",
                "arn:aws:ssm:*::document/AWSQuickSetupType-*",
                "arn:aws:ssm:*::document/AWSQuickStarts-*",
                "arn:aws:ssm:*::document/AWSRefactorSpaces-*",
                "arn:aws:ssm:*::document/AWSResilienceHub-*",
                "arn:aws:ssm:*::document/AWSSAP-*",
                "arn:aws:ssm:*::document/AWSSAPTools-*",
                "arn:aws:ssm:*::document/AWSSQLServer-*",
                "arn:aws:ssm:*::document/AWSSSO-*",
                "arn:aws:ssm:*::document/AWSSupport-*",
                "arn:aws:ssm:*::document/AWSSystemsManagerSAP-*",
                "arn:aws:ssm:*::document/AmazonCloudWatch-*",
                "arn:aws:ssm:*::document/AmazonCloudWatchAgent-*",
                "arn:aws:ssm:*::document/AmazonECS-*",
                "arn:aws:ssm:*::document/AmazonEFSUtils-*",
                "arn:aws:ssm:*::document/AmazonEKS-*",
                "arn:aws:ssm:*::document/AmazonInspector-*",
                "arn:aws:ssm:*::document/AmazonInspector2-*",
                "arn:aws:ssm:*::document/AmazonInternal-*",
                "arn:aws:ssm:*::document/AwsEnaNetworkDriver-*",
                "arn:aws:ssm:*::document/AwsVssComponents-*",
                "arn:aws:ssm:*:*:automation-execution/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy4",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                },
                "Null": {
                    "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy5",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"
                },
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy6",
            "Effect": "Allow",
            "Action": [
                "ssm:ListDocuments",
                "ssm:ListCommandInvocations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LaunchActionsPolicy7",
            "Effect": "Allow",
            "Action": [
                "ssm:ListDocumentVersions",
                "ssm:GetDocument",
                "ssm:DescribeDocument"
            ],
            "Resource": "arn:aws:ssm:*:*:document/*"
        },
        {
            "Sid": "LaunchActionsPolicy8",
            "Effect": "Allow",
            "Action": [
                "ssm:GetAutomationExecution"
            ],
            "Resource": "arn:aws:ssm:*:*:automation-execution/*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy9",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecoveryService-*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": "ssm.amazonaws.com"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy10",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:PutParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecoveryService-*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy11",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceWithLaunchActionsRole"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                },
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": "drs.amazonaws.com"
                }
            }
        }
    ]
}
```

------

# Console Read-Only Access Policy - AWSElasticDisasterRecoveryReadOnlyAccess


You can attach the AWSElasticDisasterRecoveryReadOnlyAccess policy to your IAM identities. 

This policy provides permissions to all read-only public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as some read-only APIs of IAM, EC2, and SSM, in order to list and view installed roles, Recovery Instances, Source Servers, and post-launch actions. Attach this policy to your users or roles.

 

 **Permissions details** 

This policy includes the following permissions.

------
#### [ JSON ]

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [
		{
			"Sid": "DRSReadOnlyAccess1",
			"Effect": "Allow",
			"Action": [
				"drs:DescribeJobLogItems",
				"drs:DescribeJobs",
				"drs:DescribeRecoveryInstances",
				"drs:DescribeRecoverySnapshots",
				"drs:DescribeReplicationConfigurationTemplates",
				"drs:DescribeSourceServers",
				"drs:GetFailbackReplicationConfiguration",
				"drs:GetLaunchConfiguration",
				"drs:GetReplicationConfiguration",
				"drs:ListExtensibleSourceServers",
				"drs:ListStagingAccounts",
				"drs:ListTagsForResource",
				"drs:ListLaunchActions"
			],
			"Resource": "*"
		},
		{
			"Sid": "DRSReadOnlyAccess2",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeInstances",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSubnets"
			],
			"Resource": "*"
		},
		{
			"Sid": "DRSReadOnlyAccess4",
			"Effect": "Allow",
			"Action": "iam:ListRoles",
			"Resource": "*"
		},
		{
			"Sid": "DRSReadOnlyAccess5",
			"Effect": "Allow",
			"Action": "ssm:ListCommandInvocations",
			"Resource": "*"
		},
		{
			"Sid": "DRSReadOnlyAccess6",
			"Effect": "Allow",
			"Action": "ssm:GetParameter",
			"Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*"
		},
		{
			"Sid": "DRSReadOnlyAccess7",
			"Effect": "Allow",
			"Action": [
				"ssm:DescribeDocument",
				"ssm:GetDocument"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/AWS-CreateImage",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateNetworkConnectivity",
				"arn:aws:ssm:*:*:document/AWSMigration-VerifyMountedVolumes",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateHttpResponse",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateDiskSpace",
				"arn:aws:ssm:*:*:document/AWSMigration-VerifyProcessIsRunning",
				"arn:aws:ssm:*:*:document/AWSMigration-LinuxTimeSyncSetting",
				"arn:aws:ssm:*:*:document/AWSEC2-ApplicationInsightsCloudwatchAgentInstallAndConfigure"
			]
		},
		{
			"Sid": "DRSReadOnlyAccess8",
			"Effect": "Allow",
			"Action": [
				"ssm:GetAutomationExecution"
			],
			"Resource": "arn:aws:ssm:*:*:automation-execution/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		}
	]
}
```

------

## Resource-based policies


Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

## Access control lists (ACLs)


Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.

## Other policy types


AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

## Multiple policy types


When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# Using service-linked roles for AWS Elastic Disaster Recovery

AWS Elastic Disaster Recovery uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS Elastic Disaster Recovery. Service-linked roles are predefined by AWS Elastic Disaster Recovery and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up AWS Elastic Disaster Recovery easier because you don’t have to manually add the necessary permissions. AWS Elastic Disaster Recovery defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Elastic Disaster Recovery can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. 

You can delete a service-linked role only after first deleting its related resources. This protects your AWS Elastic Disaster Recovery resources because you can't inadvertently remove permission to access the resources. 

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service. 

## Service-linked role permissions for AWS Elastic Disaster Recovery


AWS Elastic Disaster Recovery uses the service-linked role named **AWSServiceRoleForElasticDisasterRecovery**. This role includes a managed IAM policy [AWSElasticDisasterRecoveryServiceRolePolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md) with scoped permissions that AWS Elastic Disaster Recovery needs to run in your account.

The AWSServiceRoleForElasticDisasterRecovery service-linked role trusts the following services to assume the role: `drs.amazonaws.com` 

The role permissions policy allows AWS Elastic Disaster Recovery to complete the following actions on the specified resources. For the full policy definition, see [AWSElasticDisasterRecoveryServiceRolePolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md). 

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions ](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*. 

## Creating a service-linked role for AWS Elastic Disaster Recovery


You don't need to manually create a service-linked role. When you configure the Replication Configuration Template for AWS Elastic Disaster Recovery, the service automatically creates the IAM service-linked role, which you can then see in the IAM console. You don't need to create or configure this role yourself. 

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create the first new replication configuration template in AWS Elastic Disaster Recovery, it creates the service-linked role for you again. 

In the AWS CLI or the AWS API, create a service-linked role with the AWS Elastic Disaster Recovery service name. For more information, see [Creating a Service-Linked Role ](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again. 

## Editing a service-linked role for AWS Elastic Disaster Recovery


AWS Elastic Disaster Recovery does not allow you to edit the AWSServiceRoleForElasticDisasterRecovery service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*. 

## Deleting a service-linked role for AWS Elastic Disaster Recovery


If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it. 

**Note**  
If AWS Elastic Disaster Recovery is using the role when you try to delete the resources, the deletion might fail. If that happens, wait for a few minutes and try the operation again. 

 **To clean up AWS Elastic Disaster Recovery resources used by AWSServiceRoleForElasticDisasterRecovery ** 

You do not need to stop any AWS Elastic Disaster Recovery services before cleaning up resources; however, cleaning up the resources will cause AWS Elastic Disaster Recovery to stop working. To clean up resources, disconnect all source servers, terminate all Recovery Instances, and delete all replication and launch configuration templates from AWS Elastic Disaster Recovery. For more information, see [Cleaning up a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*. 

 **To manually delete the service-linked role using IAM ** 

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForElasticDisasterRecovery service-linked role. For more information, see [Deleting a service-linked role ](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*. 

## Supported AWS Regions for AWS Elastic Disaster Recovery service-linked roles


AWS Elastic Disaster Recovery supports using service-linked roles in all of the [AWS Regions where the service is available](supported-regions.md). 

## Policy structure


An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows: 

```
{
	"Statement": [
		{
			"Effect": "effect",
			"Action": "action",
			"Resource": "arn",
			"Condition": {
				"condition": {
					"key": "value"
				}
			}
		}
	]
}
```

There are various elements that make up a statement:
+ **Effect**: The effect can be `Allow` or `Deny`. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows. 
+ **Action**: The action is the specific AWS Elastic Disaster Recovery API action for which you are granting or denying permission. 
+ **Resource**: The resource that's affected by the action. For AWS Elastic Disaster Recovery, you must specify `"*"` as the resource. 
+ **Condition**: Conditions are optional. They can be used to control when your policy is in effect. 
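To make the statement elements concrete, the following is an added example (not AWS code and not the IAM evaluation engine): a small evaluator that applies the allow/deny logic above to a request, supporting only the condition operators the policies on this page actually use (`StringEquals`, `Bool`, `Null`, `ForAnyValue:StringEquals`, `${...}` policy variables) plus `DateGreaterThan`/`DateLessThan` for the `aws:CurrentTime` expiry pattern mentioned under infrastructure security. The sample policy, ARNs, account IDs and cutoff date are constructed; the first two statements are modelled on `ConsoleFullAccess13` and `ConsoleFullAccess34` so you can see why a missing `AWSElasticDisasterRecoveryManaged` tag, a direct (non-service) call, or a cross-account parameter falls back to the implicit deny.

```python
"""Teaching-model IAM evaluator: explicit deny > explicit allow > implicit deny.

Added example, not AWS code. Only the operators used on this page are modelled;
use the IAM policy simulator for authoritative answers.
"""
from datetime import datetime
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, context):
    """Substitute a policy variable such as ${aws:PrincipalAccount} from the request context."""
    text = str(value)
    if text.startswith("${") and text.endswith("}"):
        return context.get(text[2:-1])
    return text


def _parse_time(value):
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def _condition_holds(operator, key, expected, context):
    """Evaluate one condition key under one operator against the request context."""
    actual = context.get(key)                      # None: key absent from the request
    expected = [_resolve(e, context) for e in _as_list(expected)]
    if operator == "Null":
        # "false" means the key MUST be present (the managed-resource tag exists);
        # "true" means it must be absent.
        must_be_absent = str(expected[0]).lower() == "true"
        return (actual is None) == must_be_absent
    if actual is None:
        return False                               # other operators fail on a missing key
    if operator == "StringEquals":
        return str(actual) in expected
    if operator == "ForAnyValue:StringEquals":
        # Multivalued key such as aws:CalledVia: any value in the chain may match.
        return any(str(a) in expected for a in _as_list(actual))
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected[0])
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(expected[0])
    raise ValueError(f"unsupported condition operator: {operator}")


def _applies(stmt, action, resource, context):
    """True if Action, Resource and every Condition of the statement match the request."""
    if not any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", []))):
        return False
    return all(_condition_holds(op, key, exp, context)
               for op, keys in stmt.get("Condition", {}).items()
               for key, exp in keys.items())


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"                      # an explicit deny overrides any allow
            decision = "Allow"
    return decision


RECOVERY_CUTOFF = "2025-02-01T00:00:00Z"           # constructed placeholder date
SAMPLE_POLICY = {                                   # constructed sample policy
    "Version": "2012-10-17",
    "Statement": [
        {   # modelled on ConsoleFullAccess13: DRS-managed instances, via a service only
            "Sid": "ManagedInstancesViaServiceOnly", "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"Null": {"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"},
                          "Bool": {"aws:ViaAWSService": "true"}},
        },
        {   # modelled on ConsoleFullAccess34: parameters in the caller's own account only
            "Sid": "OwnAccountParametersOnly", "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:PutParameter"],
            "Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*",
            "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}},
        },
        {   # time-bounded deny: the whole grant stops working after the recovery window
            "Sid": "ExpireAfterRecovery", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateGreaterThan": {"aws:CurrentTime": RECOVERY_CUTOFF}},
        },
    ],
}
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"   # constructed
PARAM = "arn:aws:ssm:us-east-1:111122223333:parameter/ManagedByAWSElasticDisasterRecovery-x"


def request_context(**overrides):
    """Baseline context satisfying every allow; pass a key with value None to remove it."""
    ctx = {"aws:CurrentTime": "2025-01-15T12:00:00Z", "aws:ViaAWSService": "true",
           "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "true",
           "aws:PrincipalAccount": "111122223333", "aws:ResourceAccount": "111122223333"}
    ctx.update(overrides)
    return {k: v for k, v in ctx.items() if v is not None}


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, "ec2:TerminateInstances", INSTANCE, request_context()))
    print(evaluate(SAMPLE_POLICY, "ec2:TerminateInstances", INSTANCE,
                   request_context(**{"aws:ViaAWSService": "false"})))
```

Running the module prints `Allow` for a service-initiated termination of a tagged instance and `ImplicitDeny` for the same call made directly, which is exactly the effect of the `aws:ViaAWSService` condition on the console policy above.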

# Resilience in AWS Elastic Disaster Recovery

The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/). 

# Infrastructure security in AWS Elastic Disaster Recovery

As a managed service, AWS Elastic Disaster Recovery is protected by the AWS global network security procedures that are described in the [Amazon Web Services: Overview of Security Processes](https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf) whitepaper. 

You use AWS published API calls to access AWS Elastic Disaster Recovery through the network. Clients must support Transport Layer Security (TLS) 1.2 or later. Clients must also support cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes. 

All parties involved in the communication authenticate each other using TLS, IAM policies, and tokens. Communication between the Agents and the replication server is based on TLS 1.2 only, with the highest standard of cipher suite (PFS, ECDHE). Requests between the agent and AWS Elastic Disaster Recovery, as well as between the replication server and AWS Elastic Disaster Recovery, are signed using an access key ID and a secret access key that is associated with an IAM principal. 

Additionally, the API requests that you make must be signed using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) (AWS STS) to generate temporary security credentials to sign requests. 
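As an added example (not AWS or DRS code), the following shows what the client-side requirements above look like in practice: a Python `ssl` context that refuses anything below TLS 1.2 and offers only forward-secret (ECDHE/DHE) cipher suites, a classifier that tells PFS suites from static-key-exchange ones so an existing context can be audited, and a probe that reports what a given endpoint negotiates under those constraints. The OpenSSL cipher string is an assumption to be adapted to local policy; the probe performs a network connection and is not exercised offline.

```python
"""Client TLS hardening matching the TLS 1.2 + PFS requirement (added example)."""
import socket
import ssl

# Ephemeral (EC)DH key exchange only, AEAD ciphers, no anonymous/NULL suites.
# Assumed OpenSSL syntax. TLS 1.3 suites are governed separately by OpenSSL and
# are always forward secret.
PFS_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"


def is_pfs_suite(name: str) -> bool:
    """True when the suite's key exchange is ephemeral (perfect forward secrecy).

    TLS 1.3 names (TLS_*) always use (EC)DHE. In TLS 1.2 OpenSSL names the key
    exchange is the first token: ECDHE-..., DHE-... (EDH- in older builds).
    Static-RSA suites such as AES256-GCM-SHA384 and static ECDH-... are not PFS.
    """
    if name.startswith("TLS_"):
        return True
    return name.split("-", 1)[0] in {"ECDHE", "DHE", "EDH"}


def build_pfs_client_context() -> ssl.SSLContext:
    """Verifying client context: certificate + hostname checks on, TLS >= 1.2, PFS only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHER_STRING)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Report the protocol floor and every enabled suite that lacks forward secrecy."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "non_pfs_suites": [c["name"] for c in ctx.get_ciphers() if not is_pfs_suite(c["name"])],
    }


def probe_endpoint(host: str, port: int, timeout: float = 5.0) -> tuple:
    """Handshake with the hardened context; return (protocol, cipher) negotiated.

    Network call, not run by the offline checks. A handshake failure means the
    endpoint cannot meet the TLS 1.2 + PFS requirement with a verified chain.
    """
    ctx = build_pfs_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print(context_summary(build_pfs_client_context()))
```

`context_summary` on the hardened context should report `TLSv1_2` as the floor and an empty `non_pfs_suites` list; a non-empty list on one of your own contexts points at a cipher string that still admits static RSA key exchange.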

AWS Elastic Disaster Recovery customers must ensure that they manually delete their access keys after installing the AWS Replication Agent and after a successful recovery. AWS does not delete these keys automatically. AWS Elastic Disaster Recovery does delete the keys from source servers after they are disconnected from the service. If you want your keys to automatically stop working at a certain date after you have finished using them, so that you do not have to rely on deleting them manually, you can do so through an [IAM permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) and the [aws:CurrentTime global context key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-currenttime). 

AWS Elastic Disaster Recovery customers should use [Amazon EBS encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html). 

AWS Elastic Disaster Recovery customers should secure their replication servers by reducing their exposure to the public internet. This can be done through: 

1. Using Security Groups to only allow permitted IP addresses to connect to the replication servers. [Learn more about Security Groups.](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) 

1. Using a VPN to connect to the replication servers, such as the AWS Site-to-Site VPN. [Learn more about the AWS Site-to-Site VPN.](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) 
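The following is an added example, not code from this guide or from AWS, showing one way to audit a replication server's security group against the first recommendation above: every ingress rule should come from the CIDR ranges of your source servers, and nothing should be open to the internet. The input dictionary mimics the shape of `aws ec2 describe-security-groups` output but is constructed for the example; the assumption that agents deliver replication data to the replication server on TCP 1500 is not stated on this page and should be confirmed against the DRS network requirements for your deployment.

```python
"""Audit a DRS replication-server security group's ingress rules.

Added example (not AWS documentation code). The security group below is
constructed in the shape of `aws ec2 describe-security-groups` output.
"""
import ipaddress

# Assumed: the AWS Replication Agent sends replication traffic to the
# replication server on TCP 1500. Confirm against the DRS network requirements.
REPLICATION_PORT = 1500

# Constructed: the CIDR ranges your source servers replicate from.
ALLOWED_SOURCE_CIDRS = ["10.20.0.0/16", "10.30.0.0/16"]

# Constructed security group: one rule is open to the world, one allows SSH
# from an address outside the source ranges.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1500, "ToPort": 1500,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.5/32"}]},
    ],
}


def cidr_within_any(cidr, allowed_networks):
    """True if `cidr` lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(a) for a in allowed_networks if a.version == net.version)


def audit_ingress(sg, allowed_cidrs):
    """Return a list of finding strings; an empty list means the group is clean."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
        port_desc = "all ports" if proto == "-1" else f"{proto}/{from_port}-{to_port}"

        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(f"OPEN_TO_INTERNET: {port_desc} from {cidr}")
            elif not cidr_within_any(cidr, allowed):
                findings.append(f"UNTRUSTED_SOURCE: {port_desc} from {cidr}")

        # Anything other than the single replication port is unexpected inbound.
        if not (proto == "tcp" and from_port == REPLICATION_PORT == to_port):
            findings.append(
                f"UNEXPECTED_PORT: {port_desc} (only tcp/{REPLICATION_PORT} expected)")
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_SG, ALLOWED_SOURCE_CIDRS):
        print(finding)
```

The same function can be pointed at real `describe-security-groups` JSON; the security-group-referenced rules (`UserIdGroupPairs`) are deliberately ignored here because they are scoped by another group rather than by a CIDR.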

AWS Elastic Disaster Recovery creates and uses the "aws-replication" user on the source server. The AWS Elastic Disaster Recovery replication server and AWS Replication Agent run under this user. Although this is not a root user, it needs to be a member of the `disk` group, which grants it full read and write permissions to block devices. 

**Note**  
AWS Elastic Disaster Recovery only uses these permissions to read from block devices.

AWS Elastic Disaster Recovery customers should only grant access to the AWS Elastic Disaster Recovery Failback Client to trusted administrators in order to prevent unauthorized entities from gaining access to your systems through the client. 

## AWS GovCloud


AWS GovCloud (US) consists of isolated AWS Regions designed to allow U.S. government agencies and customers to move sensitive workloads into [the cloud](https://aws.amazon.com/what-is-cloud-computing/). 
+ AWS GovCloud (US) uses FIPS 140-2 approved cryptographic modules for all AWS service API endpoints, unless otherwise indicated in the [Service Endpoints](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html) section.
+ AWS GovCloud (US) is appropriate for all types of Controlled Unclassified Information (CUI) and unclassified data. For more details, see [Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-itar.html).
+ The AWS GovCloud (US) Regions are physically isolated and have logical network isolation from all other AWS Regions.
+ AWS restricts all physical and logical access for those staff supporting AWS GovCloud (US) to US Citizens. AWS allows only vetted U.S. citizens with distinct access controls separate from other AWS Regions to administer AWS GovCloud (US). Any customer data fields that are defined as outside of the ITAR boundary (such as S3 bucket names) are explicitly documented in the service-specific section as not permitted to contain export-controlled data.
+ AWS GovCloud (US) authentication is completely isolated from commercial regions.

# Compliance validation for AWS Elastic Disaster Recovery

Third-party auditors assess the security and compliance of AWS Elastic Disaster Recovery as part of multiple AWS compliance programs. 

For a list of AWS services in scope of specific compliance programs, see [AWS Services in Scope by Compliance Program ](https://aws.amazon.com/compliance/services-in-scope/) . For general information, see [AWS Compliance Programs ](https://aws.amazon.com/compliance/programs/) . 

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html) . 

Your compliance responsibility when using AWS Elastic Disaster Recovery is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the following resources to help with compliance: 
+  [Security and Compliance Quick Start Guides ](https://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance) – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on AWS. 
+  [Architecting for HIPAA Security and Compliance Whitepaper ](https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/architecting-hipaa-security-and-compliance-on-aws.html) – This whitepaper describes how companies can use AWS to create HIPAA-compliant applications. 
+  [AWS Compliance Resources ](https://aws.amazon.com/compliance/resources/) – This collection of workbooks and guides might apply to your industry and location. 
+  [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide* – AWS Config assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations. 
+  [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – This AWS service provides a comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices. 

# Cross-service confused deputy prevention


The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. 

We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that AWS Elastic Disaster Recovery gives another service to the resource. If you use both global condition context keys, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement. 

The value of `aws:SourceArn` must be of the form `arn:aws:drs:region:123456789012:source-server/source-server-id`, where `region` and `source-server-id` are the Region and ID of the source server on whose behalf the request is made. 

The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the resource. If you don't know the full ARN of the resource or if you are specifying multiple resources, use the `aws:SourceArn` global context condition key with wildcards (`*`) for the unknown portions of the ARN. For example, `arn:aws:servicename::123456789012:*`. 

The following example shows how you can use the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in AWS Elastic Disaster Recovery to prevent the confused deputy problem. 

IAM Roles that are created by AWS Elastic Disaster Recovery in your account already contain the confused deputy mitigation. 

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ConfusedDeputyPreventionExamplePolicy",
    "Effect": "Allow",
    "Principal": {
      "Service": "drs.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringLike": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:drs:*:123456789012:source-server/*"
      }
    }
  }
}
```
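To make the policy mechanics concrete, here is an added example (not AWS code and not an IAM implementation) of a small condition evaluator that models only the three operators needed here: `StringLike` and `ArnLike` for the confused-deputy trust policy above, and `DateLessThan` on `aws:CurrentTime` for the time-limited permissions boundary mentioned in the infrastructure security section. The trust policy statement is the one shown on this page; the time-bounded statement, the request contexts, the Region and the source server ID are constructed for the example. `ArnLike` is modelled the way IAM documents it, comparing the six colon-separated ARN parts individually with `*` and `?` wildcards.

```python
"""Offline evaluation of IAM condition blocks (added example, not AWS code).

Models only StringLike, ArnLike and DateLessThan; real IAM evaluation has
many more operators and rules, so use this to reason about a policy, not to
replace testing it in IAM.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    # Condition values are ISO 8601; accept a trailing 'Z' on older Pythons.
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def arn_like(pattern, value):
    """ArnLike: each of the six colon-delimited ARN parts is matched separately,
    so a '*' in the region part cannot swallow the account part."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))


OPERATORS = {
    "StringLike": lambda pattern, value: fnmatchcase(value, pattern),
    "ArnLike": arn_like,
    "DateLessThan": lambda pattern, value: _parse_time(value) < _parse_time(pattern),
}


def condition_matches(condition, context):
    """Every operator and every key must match; the values listed for one key
    are alternatives. A key absent from the request context never matches,
    which is what blocks a caller that presents no aws:SourceArn at all."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]  # KeyError for operators this toy does not model
        for key, patterns in keys.items():
            if key not in context:
                return False
            if not any(test(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def statement_allows(statement, context):
    return statement.get("Effect") == "Allow" and condition_matches(
        statement.get("Condition", {}), context)


# The trust policy statement from this page, as a Python dict.
DRS_TRUST_STATEMENT = {
    "Sid": "ConfusedDeputyPreventionExamplePolicy",
    "Effect": "Allow",
    "Principal": {"Service": "drs.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringLike": {"aws:SourceAccount": "123456789012"},
        "ArnLike": {"aws:SourceArn": "arn:aws:drs:*:123456789012:source-server/*"},
    },
}

# Constructed: an Allow statement that stops working after a cut-off date,
# the shape a time-limited permissions boundary takes (assumed, not from the page).
TIME_BOUNDED_STATEMENT = {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {"DateLessThan": {"aws:CurrentTime": "2025-06-30T23:59:59Z"}},
}


def drs_context(account, region="us-east-1", server_id="s-1234567890abcdef0"):
    """Constructed request context as the DRS service principal would present
    it when acting on behalf of a source server (Region and ID are placeholders)."""
    return {
        "aws:SourceAccount": account,
        "aws:SourceArn": f"arn:aws:drs:{region}:{account}:source-server/{server_id}",
    }


if __name__ == "__main__":
    print("own account:", statement_allows(DRS_TRUST_STATEMENT, drs_context("123456789012")))
    print("other account:", statement_allows(DRS_TRUST_STATEMENT, drs_context("999999999999")))
    print("no source arn:", statement_allows(DRS_TRUST_STATEMENT, {"aws:SourceAccount": "123456789012"}))
    print("before cut-off:", statement_allows(TIME_BOUNDED_STATEMENT, {"aws:CurrentTime": "2025-01-15T12:00:00Z"}))
    print("after cut-off:", statement_allows(TIME_BOUNDED_STATEMENT, {"aws:CurrentTime": "2025-07-01T00:00:00Z"}))
```

The second and third cases are the confused-deputy scenario: a request that DRS makes on behalf of a resource in a different account, or one that carries no `aws:SourceArn`, fails the condition even though the principal (`drs.amazonaws.com`) is otherwise trusted.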