

# Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

## Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as a user, role, or group. These policies control what actions that identity can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be further categorized as inline policies or managed policies. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies include AWS managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see [Choosing between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline) in the *IAM User Guide*.

# Using identity-based policies
<a name="Using_Identity_based_policies"></a>

By default, IAM users and roles don't have permission to create or modify AWS Elastic Disaster Recovery resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the users or groups that require those permissions. To learn how to attach policies to a user or group, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *IAM User Guide*. To learn how to create an IAM identity-based policy using example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Customer-managed policies in AWS Elastic Disaster Recovery](customer_managed_policies_drs.md)
+ [Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess](customer_managed_policies_drs_full_access.md)
+ [Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess_v2](customer_managed_policies_drs_full_access_v2.md)
+ [Launch Actions Policy - AWSElasticDisasterRecoveryLaunchActionsPolicy](customer_managed_policies_launch_actions.md)
+ [Console Read-Only Access Policy - AWSElasticDisasterRecoveryReadOnlyAccess](customer_managed_policies_drs_readonly.md)

# Customer-managed policies in AWS Elastic Disaster Recovery
<a name="customer_managed_policies_drs"></a>

You can create your own custom IAM policies to allow permissions for AWS Elastic Disaster Recovery actions and resources. You can attach these custom policies to the users, roles, or groups that require those permissions. You can also create your own custom IAM policies for integration between AWS Elastic Disaster Recovery and other AWS services. The following example IAM policies grant permissions for various AWS Elastic Disaster Recovery actions. Use them to limit AWS Elastic Disaster Recovery access for your users and roles.

# Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess
<a name="customer_managed_policies_drs_full_access"></a>

This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read AWS KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and Amazon EC2 information. Attach this policy to your users or roles.

**Permissions details**

This policy includes the following permissions.

------
#### [ JSON ]


```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ConsoleFullAccess1",
			"Effect": "Allow",
			"Action": [
				"drs:*"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess2",
			"Effect": "Allow",
			"Action": [
				"kms:ListAliases",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess3",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeImages",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeInstanceTypeOfferings",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeVolumes",
				"ec2:GetEbsEncryptionByDefault",
				"ec2:GetEbsDefaultKmsKeyId",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeCapacityReservations",
				"ec2:DescribeHosts"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess4",
			"Effect": "Allow",
			"Action": "license-manager:ListLicenseConfigurations",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess5",
			"Effect": "Allow",
			"Action": "resource-groups:ListGroups",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess6",
			"Effect": "Allow",
			"Action": "elasticloadbalancing:DescribeLoadBalancers",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess7",
			"Effect": "Allow",
			"Action": [
				"iam:ListInstanceProfiles",
				"iam:ListRoles"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess8",
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": [
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryConversionServerRole",
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceRole"
			],
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": "ec2.amazonaws.com"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess9",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess10",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplateVersion",
				"ec2:ModifyLaunchTemplate",
				"ec2:DeleteLaunchTemplateVersions",
				"ec2:CreateTags",
				"ec2:DeleteTags"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess11",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplate"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess12",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess13",
			"Effect": "Allow",
			"Action": [
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:TerminateInstances",
				"ec2:ModifyInstanceAttribute",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess14",
			"Effect": "Allow",
			"Action": [
				"ec2:RevokeSecurityGroupEgress",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:AuthorizeSecurityGroupEgress"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess15",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess16",
			"Effect": "Allow",
			"Action": "ec2:CreateSecurityGroup",
			"Resource": "arn:aws:ec2:*:*:vpc/*"
		},
		{
			"Sid": "ConsoleFullAccess17",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSecurityGroup"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess18",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess19",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess20",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess21",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume",
				"ec2:StartInstances",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"StringEquals": {
					"ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess22",
			"Effect": "Allow",
			"Action": [
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess23",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess24",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess25",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:subnet/*",
				"arn:aws:ec2:*:*:image/*",
				"arn:aws:ec2:*:*:network-interface/*",
				"arn:aws:ec2:*:*:launch-template/*"
			],
			"Condition": {
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess26",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:snapshot/*",
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateSecurityGroup",
						"CreateVolume",
						"CreateSnapshot",
						"RunInstances"
					]
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess27",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateLaunchTemplate"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess28",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DescribeStacks",
				"cloudformation:ListStacks"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess29",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketLocation",
				"s3:ListAllMyBuckets"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess30",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateVolume"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		}
	]
}
```

------
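What keeps this full-access policy from being blanket EC2 access is the condition block repeated from ConsoleFullAccess9 onward: mutating EC2 actions apply only to resources carrying the `AWSElasticDisasterRecoveryManaged` tag, and only when EC2 is called by DRS on the user's behalf (`aws:ViaAWSService` or `aws:CalledVia`). The following simplified evaluator is an added example, not AWS code; it models only Allow statements and the four condition operators these policies use, over a constructed subset of the statements above (the ARNs and tag values are made up), and the same pattern applies to the v2 and Launch Actions policies below.

```python
"""Simplified IAM evaluator for the tag- and service-scoped DRS statements.
Added example, not AWS code: Allow statements only, four condition operators,
implicit deny otherwise. Explicit Deny is not modelled (none appears above)."""
from fnmatch import fnmatchcase

# Constructed subset of AWSElasticDisasterRecoveryConsoleFullAccess (see page).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ConsoleFullAccess1", "Effect": "Allow",
         "Action": ["drs:*"], "Resource": "*"},
        {"Sid": "ConsoleFullAccess13", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances",
                    "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {
             "Null": {"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"},
             "Bool": {"aws:ViaAWSService": "true"}}},
        {"Sid": "ConsoleFullAccess21", "Effect": "Allow",
         "Action": ["ec2:StartInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {
             "StringEquals": {"ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"},
             "ForAnyValue:StringEquals": {"aws:CalledVia": ["drs.amazonaws.com"]}}},
    ],
}


def _listify(v):
    return v if isinstance(v, list) else [v]


def _lookup(key, ctx):
    """Resolve a condition key against the request context. Tag keys
    (aws:/ec2:ResourceTag, aws:RequestTag) read the tag dicts; everything
    else is a plain context key. A missing key returns None."""
    for prefix, bucket in (("aws:ResourceTag/", "resource_tags"),
                           ("ec2:ResourceTag/", "resource_tags"),
                           ("aws:RequestTag/", "request_tags")):
        if key.startswith(prefix):
            return ctx.get(bucket, {}).get(key[len(prefix):])
    return ctx.get(key)


def _condition_ok(op, key, wanted, ctx):
    actual = _lookup(key, ctx)
    wanted = _listify(wanted)
    if op == "Null":                 # "false" means the key must be present
        return (actual is None) == (wanted[0] == "true")
    if actual is None:               # every other operator fails on a missing key
        return False
    if op == "Bool":
        return str(actual).lower() == wanted[0].lower()
    if op == "StringEquals":
        return actual in wanted
    if op == "ForAnyValue:StringEquals":   # multi-valued context key
        return any(v in wanted for v in _listify(actual))
    raise ValueError(f"unsupported operator {op}")


def _statement_matches(stmt, action, resource, ctx):
    # IAM action names are case-insensitive; ARN patterns are matched as-is.
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _listify(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
        return False
    return all(_condition_ok(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items()
               for k, v in kv.items())


def evaluate(policy, action, resource, ctx):
    """Return the Sid of the first matching Allow statement, else None (implicit deny)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and _statement_matches(stmt, action, resource, ctx):
            return stmt["Sid"]
    return None


# Constructed ARNs; account id and resource ids are placeholders.
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
SOURCE_SERVER = "arn:aws:drs:us-east-1:111122223333:source-server/s-0123456789abcdef0"


def demo():
    managed = {"AWSElasticDisasterRecoveryManaged": "true"}
    return {
        # DRS terminating one of its own recovery instances on the user's behalf
        "drs_managed": evaluate(POLICY, "ec2:TerminateInstances", INSTANCE,
                                {"aws:ViaAWSService": True, "resource_tags": managed}),
        # the same user calling ec2:TerminateInstances directly (CLI or console)
        "direct_call": evaluate(POLICY, "ec2:TerminateInstances", INSTANCE,
                                {"aws:ViaAWSService": False, "resource_tags": managed}),
        # DRS acting on an instance that carries no DRS tag at all
        "untagged": evaluate(POLICY, "ec2:TerminateInstances", INSTANCE,
                             {"aws:ViaAWSService": True, "resource_tags": {}}),
        # opt-in tag for launching into an existing instance, called via DRS
        "opt_in": evaluate(POLICY, "ec2:StartInstances", INSTANCE,
                           {"aws:CalledVia": ["drs.amazonaws.com"],
                            "resource_tags": {"AWSDRS": "AllowLaunchingIntoThisInstance"}}),
        # DRS control-plane calls are unconditional
        "drs_api": evaluate(POLICY, "drs:DescribeSourceServers", SOURCE_SERVER, {}),
    }


if __name__ == "__main__":
    for name, sid in demo().items():
        print(f"{name:12s} -> {sid or 'implicit deny'}")
```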

# Console Full Access Policy - AWSElasticDisasterRecoveryConsoleFullAccess_v2
<a name="customer_managed_policies_drs_full_access_v2"></a>

Allows full administrative access to the AWS Elastic Disaster Recovery (AWS DRS) console. Attach this policy to your users or roles.

**Permissions details**

This policy includes permissions to do the following:
+ `drs` – All APIs.
+ `kms` – List aliases and describe keys.
+ `ec2` – Describe account attributes, availability zones, images, instances (including types, statuses, and type offerings), subnets, volumes, EBS encryption by default, the EBS default KMS key ID, key pairs, capacity reservations, and hosts. Describe, create, and delete snapshots. Describe and create launch templates. Start, run, stop, and terminate instances. Describe and modify instance attributes. Create, attach, and detach volumes. Describe, create, modify, and delete launch template versions. Create and delete tags. Get console output and screenshots. Describe and create security groups. Authorize and revoke security group egress. Authorize security group ingress.
+ `license manager` – List license configurations.
+ `resource groups` – List groups.
+ `elastic load balancing` – Describe load balancers.
+ `iam` – List instance profiles and roles, and pass roles (`iam:PassRole`) to EC2.
+ `cloudformation` – Describe and list stacks.
+ `s3` – Get bucket location and list all my buckets.
+ `ssm` – Describe instance information, send commands, start automation executions. List documents and command invocations. Get and put parameters. Describe and get documents. Get automation executions.

------
#### [ JSON ]


```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ConsoleFullAccess1",
			"Effect": "Allow",
			"Action": [
				"drs:*"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess2",
			"Effect": "Allow",
			"Action": [
				"kms:ListAliases",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess3",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeImages",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeInstanceTypeOfferings",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeVolumes",
				"ec2:GetEbsEncryptionByDefault",
				"ec2:GetEbsDefaultKmsKeyId",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeCapacityReservations",
				"ec2:DescribeHosts"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess4",
			"Effect": "Allow",
			"Action": "license-manager:ListLicenseConfigurations",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess5",
			"Effect": "Allow",
			"Action": "resource-groups:ListGroups",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess6",
			"Effect": "Allow",
			"Action": "elasticloadbalancing:DescribeLoadBalancers",
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess7",
			"Effect": "Allow",
			"Action": [
				"iam:ListInstanceProfiles",
				"iam:ListRoles"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess8",
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": [
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryConversionServerRole",
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceRole",
				"arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceWithLaunchActionsRole"
			],
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": "ec2.amazonaws.com"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess9",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess10",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplateVersion",
				"ec2:ModifyLaunchTemplate",
				"ec2:DeleteLaunchTemplateVersions",
				"ec2:CreateTags",
				"ec2:DeleteTags"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess11",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateLaunchTemplate"
			],
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess12",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess13",
			"Effect": "Allow",
			"Action": [
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:TerminateInstances",
				"ec2:ModifyInstanceAttribute",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess14",
			"Effect": "Allow",
			"Action": [
				"ec2:RevokeSecurityGroupEgress",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:AuthorizeSecurityGroupEgress"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess15",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess16",
			"Effect": "Allow",
			"Action": "ec2:CreateSecurityGroup",
			"Resource": "arn:aws:ec2:*:*:vpc/*"
		},
		{
			"Sid": "ConsoleFullAccess17",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSecurityGroup"
			],
			"Resource": "arn:aws:ec2:*:*:security-group/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess18",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess19",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateSnapshot"
			],
			"Resource": "arn:aws:ec2:*:*:snapshot/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess20",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess21",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume",
				"ec2:AttachVolume",
				"ec2:StartInstances",
				"ec2:GetConsoleOutput",
				"ec2:GetConsoleScreenshot"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"StringEquals": {
					"ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess22",
			"Effect": "Allow",
			"Action": [
				"ec2:AttachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Null": {
					"ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess23",
			"Effect": "Allow",
			"Action": [
				"ec2:DetachVolume"
			],
			"Resource": "arn:aws:ec2:*:*:volume/*",
			"Condition": {
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess24",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*",
			"Condition": {
				"Null": {
					"aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false"
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess25",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:subnet/*",
				"arn:aws:ec2:*:*:image/*",
				"arn:aws:ec2:*:*:network-interface/*",
				"arn:aws:ec2:*:*:launch-template/*"
			],
			"Condition": {
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess26",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:volume/*",
				"arn:aws:ec2:*:*:snapshot/*",
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateSecurityGroup",
						"CreateVolume",
						"CreateSnapshot",
						"RunInstances"
					]
				},
				"Bool": {
					"aws:ViaAWSService": "true"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess27",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": "arn:aws:ec2:*:*:launch-template/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"CreateLaunchTemplate"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess28",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DescribeStacks",
				"cloudformation:ListStacks"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess29",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketLocation",
				"s3:ListAllMyBuckets"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess30",
			"Effect": "Allow",
			"Action": [
				"ssm:DescribeInstanceInformation",
				"ssm:DescribeParameters"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess31",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand",
				"ssm:StartAutomationExecution"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/AWS-CreateImage",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateNetworkConnectivity",
				"arn:aws:ssm:*:*:document/AWSMigration-VerifyMountedVolumes",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateHttpResponse",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateDiskSpace",
				"arn:aws:ssm:*:*:document/AWSMigration-VerifyProcessIsRunning",
				"arn:aws:ssm:*:*:document/AWSMigration-LinuxTimeSyncSetting",
				"arn:aws:ssm:*:*:document/AWSEC2-ApplicationInsightsCloudwatchAgentInstallAndConfigure",
				"arn:aws:ssm:*:*:automation-execution/*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess32",
			"Effect": "Allow",
			"Action": [
				"ssm:SendCommand"
			],
			"Resource": [
				"arn:aws:ec2:*:*:instance/*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"drs.amazonaws.com"
					]
				},
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess33",
			"Effect": "Allow",
			"Action": [
				"ssm:ListDocuments",
				"ssm:ListCommandInvocations"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConsoleFullAccess34",
			"Effect": "Allow",
			"Action": [
				"ssm:GetParameter",
				"ssm:PutParameter"
			],
			"Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess35",
			"Effect": "Allow",
			"Action": [
				"ssm:DescribeDocument",
				"ssm:GetDocument"
			],
			"Resource": "arn:aws:ssm:*:*:document/*"
		},
		{
			"Sid": "ConsoleFullAccess36",
			"Effect": "Allow",
			"Action": [
				"ssm:GetParameters"
			],
			"Resource": [
				"arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": "ssm.amazonaws.com"
				}
			}
		},
		{
			"Sid": "ConsoleFullAccess37",
			"Effect": "Allow",
			"Action": [
				"ssm:GetAutomationExecution"
			],
			"Resource": "arn:aws:ssm:*:*:automation-execution/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		}
	]
}
```

------

# Launch Actions Policy - AWSElasticDisasterRecoveryLaunchActionsPolicy
<a name="customer_managed_policies_launch_actions"></a>

This policy grants the Amazon SSM and additional service permissions required to run post-launch actions in AWS Elastic Disaster Recovery (AWS DRS). Attach this policy to your IAM roles or users.

**Permissions details**

This policy includes the following permissions.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LaunchActionsPolicy1",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeInstanceInformation"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy2",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:document/*",
                "arn:aws:ssm:*:*:automation-execution/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                },
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy3",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "arn:aws:ssm:*::document/AWS-*",
                "arn:aws:ssm:*::document/AWSCodeDeployAgent-*",
                "arn:aws:ssm:*::document/AWSConfigRemediation-*",
                "arn:aws:ssm:*::document/AWSConformancePacks-*",
                "arn:aws:ssm:*::document/AWSDisasterRecovery-*",
                "arn:aws:ssm:*::document/AWSDistroOTel-*",
                "arn:aws:ssm:*::document/AWSDocs-*",
                "arn:aws:ssm:*::document/AWSEC2-*",
                "arn:aws:ssm:*::document/AWSEC2Launch-*",
                "arn:aws:ssm:*::document/AWSFIS-*",
                "arn:aws:ssm:*::document/AWSFleetManager-*",
                "arn:aws:ssm:*::document/AWSIncidents-*",
                "arn:aws:ssm:*::document/AWSKinesisTap-*",
                "arn:aws:ssm:*::document/AWSMigration-*",
                "arn:aws:ssm:*::document/AWSNVMe-*",
                "arn:aws:ssm:*::document/AWSNitroEnclavesWindows-*",
                "arn:aws:ssm:*::document/AWSObservabilityExporter-*",
                "arn:aws:ssm:*::document/AWSPVDriver-*",
                "arn:aws:ssm:*::document/AWSQuickSetupType-*",
                "arn:aws:ssm:*::document/AWSQuickStarts-*",
                "arn:aws:ssm:*::document/AWSRefactorSpaces-*",
                "arn:aws:ssm:*::document/AWSResilienceHub-*",
                "arn:aws:ssm:*::document/AWSSAP-*",
                "arn:aws:ssm:*::document/AWSSAPTools-*",
                "arn:aws:ssm:*::document/AWSSQLServer-*",
                "arn:aws:ssm:*::document/AWSSSO-*",
                "arn:aws:ssm:*::document/AWSSupport-*",
                "arn:aws:ssm:*::document/AWSSystemsManagerSAP-*",
                "arn:aws:ssm:*::document/AmazonCloudWatch-*",
                "arn:aws:ssm:*::document/AmazonCloudWatchAgent-*",
                "arn:aws:ssm:*::document/AmazonECS-*",
                "arn:aws:ssm:*::document/AmazonEFSUtils-*",
                "arn:aws:ssm:*::document/AmazonEKS-*",
                "arn:aws:ssm:*::document/AmazonInspector-*",
                "arn:aws:ssm:*::document/AmazonInspector2-*",
                "arn:aws:ssm:*::document/AmazonInternal-*",
                "arn:aws:ssm:*::document/AwsEnaNetworkDriver-*",
                "arn:aws:ssm:*::document/AwsVssComponents-*",
                "arn:aws:ssm:*:*:automation-execution/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy4",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                },
                "Null": {
                    "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy5",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance"
                },
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "drs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy6",
            "Effect": "Allow",
            "Action": [
                "ssm:ListDocuments",
                "ssm:ListCommandInvocations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LaunchActionsPolicy7",
            "Effect": "Allow",
            "Action": [
                "ssm:ListDocumentVersions",
                "ssm:GetDocument",
                "ssm:DescribeDocument"
            ],
            "Resource": "arn:aws:ssm:*:*:document/*"
        },
        {
            "Sid": "LaunchActionsPolicy8",
            "Effect": "Allow",
            "Action": [
                "ssm:GetAutomationExecution"
            ],
            "Resource": "arn:aws:ssm:*:*:automation-execution/*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy9",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecoveryService-*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": "ssm.amazonaws.com"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy10",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:PutParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecoveryService-*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "LaunchActionsPolicy11",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceWithLaunchActionsRole"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                },
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": "drs.amazonaws.com"
                }
            }
        }
    ]
}
```

------

# Console Read-Only Access Policy - AWSElasticDisasterRecoveryReadOnlyAccess
<a name="customer_managed_policies_drs_readonly"></a>

You can attach the AWSElasticDisasterRecoveryReadOnlyAccess policy to your IAM identities. 

This policy grants permissions for all read-only public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as for a few read-only IAM, EC2, and SSM APIs that are needed to list and view installed roles, Recovery Instances, Source Servers, and post-launch actions. Attach this policy to your users or roles.

**Permissions details**

This policy includes the following permissions.

------
#### [ JSON ]


```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "DRSReadOnlyAccess1",
			"Effect": "Allow",
			"Action": [
				"drs:DescribeJobLogItems",
				"drs:DescribeJobs",
				"drs:DescribeRecoveryInstances",
				"drs:DescribeRecoverySnapshots",
				"drs:DescribeReplicationConfigurationTemplates",
				"drs:DescribeSourceServers",
				"drs:GetFailbackReplicationConfiguration",
				"drs:GetLaunchConfiguration",
				"drs:GetReplicationConfiguration",
				"drs:ListExtensibleSourceServers",
				"drs:ListStagingAccounts",
				"drs:ListTagsForResource",
				"drs:ListLaunchActions"
			],
			"Resource": "*"
		},
		{
			"Sid": "DRSReadOnlyAccess2",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeInstances",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSubnets"
			],
			"Resource": "*"
		},
		{
			"Sid": "DRSReadOnlyAccess4",
			"Effect": "Allow",
			"Action": "iam:ListRoles",
			"Resource": "*"
		},
		{
			"Sid": "DRSReadOnlyAccess5",
			"Effect": "Allow",
			"Action": "ssm:ListCommandInvocations",
			"Resource": "*"
		},
		{
			"Sid": "DRSReadOnlyAccess6",
			"Effect": "Allow",
			"Action": "ssm:GetParameter",
			"Resource": "arn:aws:ssm:*:*:parameter/ManagedByAWSElasticDisasterRecovery-*"
		},
		{
			"Sid": "DRSReadOnlyAccess7",
			"Effect": "Allow",
			"Action": [
				"ssm:DescribeDocument",
				"ssm:GetDocument"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/AWS-CreateImage",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateNetworkConnectivity",
				"arn:aws:ssm:*:*:document/AWSMigration-VerifyMountedVolumes",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateHttpResponse",
				"arn:aws:ssm:*:*:document/AWSMigration-ValidateDiskSpace",
				"arn:aws:ssm:*:*:document/AWSMigration-VerifyProcessIsRunning",
				"arn:aws:ssm:*:*:document/AWSMigration-LinuxTimeSyncSetting",
				"arn:aws:ssm:*:*:document/AWSEC2-ApplicationInsightsCloudwatchAgentInstallAndConfigure"
			]
		},
		{
			"Sid": "DRSReadOnlyAccess8",
			"Effect": "Allow",
			"Action": [
				"ssm:GetAutomationExecution"
			],
			"Resource": "arn:aws:ssm:*:*:automation-execution/*",
			"Condition": {
				"Null": {
					"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"
				}
			}
		}
	]
}
```

------

## Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

## Access control lists (ACLs)
<a name="security_iam_access-manage-acl"></a>

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.

## Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

## Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.
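A worked example, added here and not part of the AWS page or the DRS service code, that serves both the read-only policy above and the policy-type combination described in this section: a small Python evaluator for the statement shapes used in these policies (Action and Resource wildcards, `StringEquals`, `ForAnyValue:StringEquals`, and the `Null` tag check) and for the same-account order in which SCPs, a permissions boundary, a session policy, and the identity-based policy are combined. The embedded statement is copied from `DRSReadOnlyAccess8`; the request contexts, the extra SCP and boundary documents, and all function names are constructed for the example, and resource-based policies, RCPs, and policy variables are not modeled.

```python
# Added example (not AWS code). Not modeled: resource-based policies, RCPs and
# policy variables such as ${aws:PrincipalAccount}.
import fnmatch

# Statement copied from the AWSElasticDisasterRecoveryReadOnlyAccess policy above.
DRS_READONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DRSReadOnlyAccess8", "Effect": "Allow", "Action": ["ssm:GetAutomationExecution"],
    "Resource": "arn:aws:ssm:*:*:automation-execution/*",
    "Condition": {"Null": {"aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM wildcards '*' and '?'. Simplification: everything is compared case-insensitively here (IAM does so for action names).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def condition_holds(condition, ctx):
    """ctx maps condition keys to a string or list of strings; a missing key is an absent key."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Null":  # "false": key must be present; "true": key must be absent
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif operator in ("StringEquals", "ForAnyValue:StringEquals"):
                # an absent key never matches; ForAnyValue: any element of a multi-valued key may match
                if actual is None or not set(_as_list(actual)) & set(_as_list(expected)):
                    return False
            else:
                raise NotImplementedError(operator)  # fail closed on operators this example does not model
    return True

def evaluate(policy, action, resource, ctx=None):
    """One policy document -> 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for s in policy["Statement"]:
        if (_matches(s["Action"], action) and _matches(s["Resource"], resource)
                and condition_holds(s.get("Condition", {}), ctx or {})):
            if s["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins over every Allow
            decision = "Allow"
    return decision

def effective_decision(identity, action, resource, ctx=None, scps=(), boundary=None, session=None):
    """Deny anywhere wins; then each SCP, the boundary and the session policy (if present)
    must allow, and so must the identity-based policy. Assumes no resource-based policy."""
    present = [identity, *scps] + [p for p in (boundary, session) if p is not None]
    results = {evaluate(p, action, resource, ctx) for p in present}
    return "Deny" if "Deny" in results else "ImplicitDeny" if "ImplicitDeny" in results else "Allow"
```

Run `effective_decision(DRS_READONLY, "ssm:GetAutomationExecution", arn, ctx, boundary=...)` with and without the `AWSElasticDisasterRecoveryManaged` tag in `ctx` to see the `Null` condition and the boundary each turn an Allow into an implicit deny.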