# AWS managed policies for AWS Elastic Disaster Recovery AWS managed policies An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles. Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. # AWS managed policy: AWSElasticDisasterRecoveryAgentPolicy AWSElasticDisasterRecoveryAgentPolicy This policy gives the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to replicate source servers to AWS, permissions to communicate with AWS DRS to receive instructions and to send logs and metrics. **Important** This policy is designed exclusively for the AWS Replication Agent. We do not recommend that you attach this policy to your IAM users or roles. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryAgentPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryAgentPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryAgentInstallationPolicy AWSElasticDisasterRecoveryAgentInstallationPolicy This policy allows installing the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to recover external servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryAgentInstallationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryAgentInstallationPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryConversionServerPolicy AWSElasticDisasterRecoveryConversionServerPolicy This policy is attached to the AWS Elastic Disaster Recovery Conversion Server's instance role. This policy allows AWS Elastic Disaster Recovery (AWS DRS) Conversion Servers, which are EC2 instances launched by AWS DRS, to communicate with the DRS service. An IAM role with this policy is attached (as an EC2 Instance Profile) by DRS to the DRS Conversion Servers, which are automatically launched and terminated by DRS when needed. DRS Conversion Servers are used by AWS Elastic Disaster Recovery when users choose to recover source servers using the AWS DRS console, CLI, or API. We do not recommend that you attach this policy to your users or roles. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryConversionServerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryConversionServerPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryFailbackPolicy AWSElasticDisasterRecoveryFailbackPolicy This policy allows using the AWS Elastic Disaster Recovery Failback Client, which is used to fail back Recovery Instances to your original source infrastructure. This policy is also used by AWS Elastic Disaster Recovery to refresh credentials for the Failback Client. We do not recommend that you attach this policy to your users or roles. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryFailbackPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryFailbackPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryFailbackInstallationPolicy AWSElasticDisasterRecoveryFailbackInstallationPolicy You can attach the AWSElasticDisasterRecoveryFailbackInstallationPolicy policy to your IAM identities. This policy allows installing the AWS Elastic Disaster Recovery Failback Client, which is used to failback Recovery Instances back to your original source infrastructure. Attach this policy to your users or roles whose credentials you provide when running the AWS Elastic Disaster Recovery Failback Client. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryFailbackInstallationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryFailbackInstallationPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryConsoleFullAccess AWSElasticDisasterRecoveryConsoleFullAccess This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and EC2 information. It also includes EC2 actions that allow to launch, delete, or modify replication servers and recovery instances. These EC2 actions are limited only to resources which the service creates with a specific AWS-only tag. Attach this policy to your users or roles. AWSElasticDisasterRecoveryConsoleFullAccess includes access to your AWS managed keys. However, it does not include access to your customer managed keys, so if you use CMK you will need to add a policy statement to allow the usage of your KMS keys. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryConsoleFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryConsoleFullAccess.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryReadOnlyAccess AWSElasticDisasterRecoveryReadOnlyAccess You can attach the AWSElasticDisasterRecoveryReadOnlyAccess policy to your IAM identities. This policy provides permissions to all read-only public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as some read-only APIs of other AWS services that are required to make full read-only use of the DRS console. This includes: + **AWS Elastic Disaster Recovery (read-only)** – View all DRS resources such as Source Servers, Recovery Instances, Recovery Snapshots, and post-launch actions. + **IAM (read-only)** – List IAM roles in your account. + **EC2 (read-only)** – View EC2 instance details, launch templates, security groups, and subnets related to your recovery environment. + **SSM (read-only)** – View Systems Manager configurations such as post-launch action settings and automation executions. Attach this policy to your users or roles. This policy is ideal for team members who need visibility into your disaster recovery setup, such as auditors or monitoring teams, without the ability to make changes. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryReadOnlyAccess.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryReplicationServerPolicy AWSElasticDisasterRecoveryReplicationServerPolicy This policy is attached to the AWS Elastic Disaster Recovery replication server’s instance role. This policy allows the AWS Elastic Disaster Recovery (AWS DRS) replication servers, which are Amazon EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service, and to create EBS snapshots in your AWS account. An IAM role with this policy is attached (as an EC2 instance profile) by AWS DRS to the AWS DRS replication servers which are automatically launched and terminated by AWS DRS, as needed. AWS DRS replication servers are used to facilitate data replication from your external servers to AWS, as part of the recovery process managed by AWS DRS. We do not recommend that you attach this policy to your users or roles. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryReplicationServerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryReplicationServerPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryRecoveryInstancePolicy AWSElasticDisasterRecoveryRecoveryInstancePolicy This policy is attached to the instance role of AWS Elastic Disaster Recovery's recovery instance. This policy allows the AWS Elastic Disaster Recovery (AWS DRS) recovery instance, which are EC2 instances launched by AWS DRS - to communicate with the AWS DRS service, and to be able to failback to their original source infrastructure. An IAM role with this policy is attached (as an Amazon EC2 Instance Profile) by AWS DRS to the AWS DRS recovery instances. We do not recommend that you attach this policy to your users or roles. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryRecoveryInstancePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryRecoveryInstancePolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryServiceRolePolicy AWSElasticDisasterRecoveryServiceRolePolicy This policy allows AWS Elastic Disaster Recovery to manage AWS resources on your behalf. This policy is attached to the [AWSServiceRoleForElasticDisasterRecovery](using-service-linked-roles.md) role. **Permissions details** This policy includes permissions to do the following: + ec2 – Retrieve and modify resources needed to support failover and failback of source servers and source networks. + cloudwtach – Retrieve disk usage to allow cost optimization + iam – Acquire the permissions required for recovery + kms – Allow using encrypted volumes + drs – Retrieve tags and set tags for DRS resources, create DRS resources on failover **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryServiceRolePolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryStagingAccountPolicy AWSElasticDisasterRecoveryStagingAccountPolicy This policy allows read-only access to AWS Elastic Disaster Recovery (AWS DRS) resources such as source servers and jobs. It also allows creating a converted snapshot and sharing that EBS snapshot with a specified account. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryStagingAccountPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryStagingAccountPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryStagingAccountPolicy\$1v2 AWSElasticDisasterRecoveryStagingAccountPolicy\$1v2 This policy is used by AWS Elastic Disaster Recovery (AWS DRS) to recover source servers into a separate target account and to allow failing back. We do not recommend that you attach this policy to your users or roles. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryStagingAccountPolicy\$1v2](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryStagingAccountPolicy_v2.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryEc2InstancePolicy AWSElasticDisasterRecoveryEc2InstancePolicy This policy allows installing and using the AWS Replication Agent, which is used by AWS Elastic Disaster Recovery (AWS DRS) to recover source servers that run on EC2 (cross-Region, cross-AZ or cross-Account). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryEc2InstancePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryEc2InstancePolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryCrossAccountReplicationPolicy AWSElasticDisasterRecoveryCrossAccountReplicationPolicy This policy allows AWS Elastic Disaster Recovery (DRS) to support cross-account replication and cross-account failback. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryNetworkReplicationPolicy AWSElasticDisasterRecoveryNetworkReplicationPolicy This policy allows AWS Elastic Disaster Recovery (DRS) to support network replication. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryNetworkReplicationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryNetworkReplicationPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryLaunchActionsPolicy AWSElasticDisasterRecoveryLaunchActionsPolicy You can attach the AWSElasticDisasterRecoveryLaunchActionsPolicy policy to your IAM identities. This policy allows you to use Amazon SSM and additional services required permissions to run post-launch actions in AWS Elastic Disaster Recovery (AWS DRS). Attach this policy to your IAM roles or users. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryLaunchActionsPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryLaunchActionsPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSElasticDisasterRecoveryConsoleFullAccess\$1v2 AWSElasticDisasterRecoveryConsoleFullAccess\$1v2 You can attach the **AWSElasticDisasterRecoveryConsoleFullAccess\$1v2** policy to your IAM identities. Allows full administrative access to AWS Elastic Disaster Recovery (AWS DRS) Console. Attach this policy to your users or roles. **Permissions details** This policy includes permissions to do the following: + `drs` – All apis. + `kms` – List aliases and describe keys. + `ec2` – Describe account attributes, availability zones, images, instance (including types, statuses, type offerings), subnets, volumes, ebs encryption by default, ebs default kms key id, key/pairs, capacity reservations and hosts. Describe, create and delete snapshots. Describe and create launch templates. Start, run, stop and terminate instances. Describe and modify instance attributes. Create, attach and detach volumes. Describe, create, modify and delete launch template version. Create and delete tags. Get console output and screenshots. Describe and create security groups. Authorize and revoke security group egress. Authorize security group ingress. + `license manager` – List license configurations. + `resource groups` – List groups. + `elastic load balancing` – Describe load balancers.. + `iam` – List instance profiles and roles, passRole. + `cloudformation` – Describe and list stacks. + `s3` – Get bucket location and list all my buckets. + `ssm` – Describe instance information, send command, start automation execution. List documents and command invocations. Get and put parameters. Describe and get document. Get automation executions. **Permissions details** To view the policy permission details see [AWSElasticDisasterRecoveryConsoleFullAccess\$1v2](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticDisasterRecoveryConsoleFullAccess_v2.html) in the AWS Managed Policy Reference Guide. ## Elastic Disaster Recovery updates for AWS managed policies Updates View details about updates to AWS managed policies for AWS Elastic Disaster Recovery since March 1, 2021. **AWS Elastic Disaster Recovery policy updates** | Change | Description | Date | | --- | --- | --- | | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Updated policies to reflect changes in SSM. | July 3, 2025 | | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Created new revisions of AWSElasticDisasterRecoveryServiceRolePolicy, AWSElasticDisasterRecoveryConsoleFullAccess\$1v2 and AWSElasticDisasterRecoveryConsoleFullAccess managed policies to support a change in authentication with EBS APIs. | January 6, 2025 | | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Created new revisions of AWSElasticDisasterRecoveryConsoleFullAccess\$1v2 and AWSElasticDisasterRecoveryLaunchActionsPolicy managed policies, to support additional parameter types in SSM Parameters Store for post-launch actions. | May 19, 2024 | | [AWSElasticDisasterRecoveryServiceRolePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md)– Updated policy | Created revision of the AWSElasticDisasterRecoveryServiceRolePolicy policy, to support replicating marketplace licenses to launched instances. | January 28, 2024 | | [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.md)– Updated policy | Created revision of the AWSElasticDisasterRecoveryCrossAccountReplicationPolicy policy, to support replicating marketplace licenses to launched instances. | January 28, 2024 | | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Created new revisions of managed policies to support managed prefix lists for DRS network replication and recovery. | January 3rd, 2024 | | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/drs/latest/userguide/security-iam-awsmanpol.html) | Created new revisions of managed policies to support DRS to GovCloud and added Sid to statements in managed policies | November 27, 2023 | | [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.md)– Updated policy | Created revision of AWSElasticDisasterRecoveryCrossAccountReplicationPolicy to support DRS in GovCloud | November 27, 2023 | | [AWSElasticDisasterRecoveryReadOnlyAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy with additional read-only permissions for post-launch actions. | November 27, 2023 | | [AWSElasticDisasterRecoveryConsoleFullAccess\$1v2 ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess_v2.md) New policy | AWS Elastic Disaster Recovery added a new policy. This policy provides access to use DRS console. Attach this policy to your IAM roles or users. | November 27, 2023 | | [AWSElasticDisasterRecoveryConsoleFullAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow launching into an existing instance. | October 15, 2023 | | [AWSElasticDisasterRecoveryConsoleFullAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow launching into an existing instance. | October 15, 2023 | | [AWSElasticDisasterRecoveryLaunchActionsPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryLaunchActionsPolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow launching into an existing instance tagged with a specific AWS-only key-value pair. | October 15, 2023 | | [AWSElasticDisasterRecoveryEc2InstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow sending installation result metrics to AWS Elastic Disaster Recovery. | October 10, 2023 | | [AWSElasticDisasterRecoveryAgentInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentInstallationPolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow sending installation result metrics to AWS Elastic Disaster Recovery. | October 10, 2023 | | [AWSElasticDisasterRecoveryLaunchActionsPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryLaunchActionsPolicy.md) New policy | AWS Elastic Disaster Recovery added a new policy. This policy provides access to use post-launch actions. Attach this policy to your IAM roles or users. | September 13, 2023 | | [AWSElasticDisasterRecoveryReadOnlyAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy with new read-only APIs for post-launch actions. | September 13, 2023 | | [AWSElasticDisasterRecoveryAgentInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentInstallationPolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow network replication and recovery. | June 13, 2023 | | [AWSElasticDisasterRecoveryEc2InstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md)– Updated policy | This policy was updated to allow network replication and recovery. | June 13, 2023 | | [AWSElasticDisasterRecoveryConsoleFullAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy | This policy was updated to support network replication and recovery. | June 13, 2023 | | [AWSElasticDisasterRecoveryNetworkReplicationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryNetworkReplicationPolicy.md)– New policy | This policy is used by AWS Elastic Disaster Recovery (DRS) to support network replication. | June 13, 2023 | | [AWSElasticDisasterRecoveryServiceRolePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md)– Updated policy | This policy was updated to support network replication and recovery. | June 13, 2023 | | [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.md)– New policy | This policy is used by AWS Elastic Disaster Recovery (DRS) to support replication and failback. | May 14, 2023 | | [AWSElasticDisasterRecoveryRecoveryInstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryRecoveryInstancePolicy.md)– Updated policy | This policy was updated to support failback by the agent after reverse replication. | May 14, 2023 | | [AWSElasticDisasterRecoveryEc2InstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md)– Updated policy | This policy was updated to support replication by the agent. | May 14, 2023 | | [AWSElasticDisasterRecoveryConsoleFullAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy | This policy was updated to support default EC2 launch templates and bulk editing of source server EC2 launch templates. | April 19, 2023 | | [AWSElasticDisasterRecoveryCrossAccountReplicationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryCrossAccountReplicationPolicy.md)– New policy | This policy is used by AWS Elastic Disaster Recovery (DRS) to support cross-account replication and cross-account failback. | May 7, 2023 | | [AWSElasticDisasterRecoveryRecoveryInstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryRecoveryInstancePolicy.md)– Updated policy | This policy was updated to support cross-account failback by the agent after reverse replication. | May 7, 2023 | | [AWSElasticDisasterRecoveryEc2InstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md)– Updated policy | This policy was updated to support cross-account replication by the agent. | May 7, 2023 | | [AWSElasticDisasterRecoveryConsoleFullAccess](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy | This policy was updated to support default EC2 launch templates and bulk editing of source server EC2 launch templates. | April 16, 2023 | | [AWSElasticDisasterRecoveryAgentPolicy](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentPolicy.md) – Updated policy | This policy was updated to support the kernel upgrade feature. | April 1, 2023 | | [AWSElasticDisasterRecoveryStagingAccountPolicy\$1v2 ](security-iam-awsmanpol-AWSElasticDisasterRecoveryStagingAccountPolicy_v2.md)– New policy | This policy was updated to support the kernel upgrade feature. | December 11, 2022 | | [AWSElasticDisasterRecoveryAgentInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentInstallationPolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to properly support agent installation on Recovery Instances. This policy allows installing the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to recover external servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent. | November 14, 2022 | | [AWSElasticDisasterRecoveryRecoveryInstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryRecoveryInstancePolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated this policy to include permissions which allow DRS Recovery Instances that originated from EC2 instances to replicate back to their origin locations in a failback scenario. As an additional security mechanism, Elastic Disaster Recovery will block requests that are not targeted at the source server the EC2 instance is associated with. | October 24, 2022 | | [AWSElasticDisasterRecoveryAgentInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentInstallationPolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to include resource tagging. This policy allows installing the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery (AWS DRS) to recover external servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent. | June 28, 2022 | | [AWSElasticDisasterRecoveryFailbackInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryFailbackInstallationPolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated this policy to include a new permission (drs:UpdateAgentReplicationInfoForDrs). This permission is needed to complete the failback process in some cases. | June 22, 2022 | | [AWSElasticDisasterRecoveryServiceRolePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow DRS to call cloudwatch:GetMetricData and also ec2:ModifyVolume on EBS volumes of the replication server in order to support the automatic volume type selection feature. | June 21st, 2022 | | [AWSElasticDisasterRecoveryReplicationServerPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReplicationServerPolicy.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow replication servers to call drs:NotifyVolumeEventForDrs and drs:SendVolumeStatsForDrs. | June 21st, 2022 | | [AWSElasticDisasterRecoveryConsoleFullAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy to allow listing IAM roles. | May 26th, 2022 | | [AWSElasticDisasterRecoveryReadOnlyAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md)– Updated policy | AWS Elastic Disaster Recovery updated the policy with new read-only APIs of DRS and also added a permission that allows to list IAM roles. | May 26th, 2022 | | [AWSElasticDisasterRecoveryEc2InstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryEc2InstancePolicy.md)– Updated policy | AWS Elastic Disaster Recovery added a new policy. This policy allows installing and using the AWS Replication Agent, which is used by AWS Elastic Disaster Recovery (DRS) to recover source servers that run on EC2 (cross-region or cross-AZ). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances. | April 6, 2022 | | [AWSElasticDisasterRecoveryReadOnlyAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md)– Updated policy | AWS Elastic Disaster Recovery updated this policy. | April 3, 2022 | | [AWSElasticDisasterRecoveryStagingAccountPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryStagingAccountPolicy.md)– New policy | AWS Elastic Disaster Recovery added a new policy. This policy allows read-only access to AWS Elastic Disaster Recovery (DRS) resources such as source servers and jobs. It also allows creating a converted snapshot and sharing that EBS snapshot with a specified account. | February 24, 2022 | | [AWSElasticDisasterRecoveryAgentPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryAgentPolicy.md)– New policy | AWS Elastic Disaster Recovery added a new policy. This policy allows using the AWS Replication Agent, which is used with AWS Elastic Disaster Recovery to recover source servers to AWS. We do not recommend that you attach this policy to your users or roles. | November 17, 2021 | | [AWSElasticDisasterRecoveryConversionServerPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConversionServerPolicy.md) New policy | AWS Elastic Disaster Recovery added a new policy. This policy is attached to the AWS Elastic Disaster Recovery Conversion server’s instance role. This policy allows Elastic Disaster Recovery (DRS) Conversion Servers, which are EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service. An IAM role with this policy is attached (as an EC2 Instance Profile) by DRS to the DRS Conversion Servers, which are automatically launched and terminated by DRS, when needed. We do not recommend that you attach this policy to your users or roles. AWS DRS conversion servers are used by AWS Elastic Disaster Recovery when users choose to recover source servers using the Elastic Disaster Recovery console, CLI, or API. | November 17, 2021 | | [AWSElasticDisasterRecoveryFailbackPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryFailbackPolicy.md) - New policy | AWS Elastic Disaster Recovery added a new policy. This policy allows using the AWS Elastic Disaster Recovery Failback Client, which is used to failback Recovery Instances back to your original source infrastructure. We do not recommend that you attach this policy to your users or roles. | November 17, 2021 | | [AWSElasticDisasterRecoveryFailbackInstallationPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryFailbackInstallationPolicy.md)– New policy | AWS Elastic Disaster Recovery added a new policy. You can attach the AWSElasticDisasterRecoveryFailbackInstallationPolicy policy to your IAM identities. This policy allows installing the AWS Elastic Disaster Recovery Failback Client, which is used to failback recovery instances back to your original source infrastructure. Attach this policy to your users or roles whose credentials you provide when running the EAWS Elastic Disaster Recovery Failback Client. | November 17, 2021 | | [AWSElasticDisasterRecoveryConsoleFullAccess ](security-iam-awsmanpol-AWSElasticDisasterRecoveryConsoleFullAccess.md)– New policy | AWS Elastic Disaster Recovery added a new policy. This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and Amazon EC2 information. Attach this policy to your users or roles. | November 17, 2021 | | [AWSElasticDisasterRecoveryReplicationServerPolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryReplicationServerPolicy.md)– New policy | AWS Elastic Disaster Recovery added a new policy. This policy is attached to the Elastic Disaster Recovery Replication server’s instance role. This policy allows the Elastic Disaster Recovery (DRS) Replication Servers, which are EC2 instances launched by Elastic Disaster Recovery, to communicate with the DRS service, and to create EBS snapshots in your AWS account. An IAM role with this policy is attached (as an EC2 Instance Profile) by Elastic Disaster Recovery to the DRS Replication Servers which are automatically launched and terminated by DRS, as needed. DRS Replication Servers are used to facilitate data replication from your external servers to AWS, as part of the recovery process managed by DRS. We do not recommend that you attach this policy to your users or roles. | November 17, 2021 | | [AWSElasticDisasterRecoveryRecoveryInstancePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryRecoveryInstancePolicy.md)– New policy | AWS Elastic Disaster Recovery added a new policy. This policy is attached to the instance role of Elastic Disaster Recovery's Recovery Instance. This policy allows the Elastic Disaster Recovery (DRS) Recovery Instance, which are EC2 instances launched by Elastic Disaster Recovery - to communicate with the DRS service, and to be able to failback to their original source infrastructure. An IAM role with this policy is attached (as an EC2 Instance Profile) by Elastic Disaster Recovery to the DRS recovery instances. We do not recommend that you attach this policy to your users or roles. | November 17, 2021 | | [AWSElasticDisasterRecoveryServiceRolePolicy ](security-iam-awsmanpol-AWSElasticDisasterRecoveryServiceRolePolicy.md)– New policy | AWS Elastic Disaster Recovery added a new policy. This policy allows Elastic Disaster Recovery to manage AWS resources on your behalf. | November 17, 2021 | | AWS Elastic Disaster Recovery started tracking changes | AWS Elastic Disaster Recovery started tracking changes for AWS managed policies. | November 17, 2021 |