AWS resources and IAM permissions
This document describes the resources and IAM permissions that are deployed within the customer’s AWS account by Clumio through CloudFormation or Terraform, in order to enable global visibility, risk assessment, and data protection operations within the customer’s AWS account.
AWS resources
Clumio creates the following resources in your AWS account:
- Clumio SNS Topic
- Clumio SNS Topic Policy
- Clumio Event Rule
- Clumio IAM Policy
- Clumio IAM Role
Security
Using permissions boundary with Clumio IAM permissions
Most of the permissions listed below are restricted to the resources relevant to Clumio. Customers looking for more granular control over the deployed IAM permissions by Clumio can leverage a custom Permissions Boundary policy with the Clumio IAM Role.
Using permissions boundary with CloudFormation
Provide the Permissions Boundary ARN during the Clumio CloudFormation deployment stack.
Using Permissions Boundary with Terraform
Use the "permissions_boundary_arn" input parameter for the Terraform module. Further details can be found on the Terraform Registry page.
IAM roles and permissions
Base permissions
The following IAM roles and policies are created irrespective of the asset type enabled while generating the template.
Resource Name: ClumioBasePolicy (Permissions used by Clumio to list AWS account details)
iam:ListAccountAliases
Resource Name: ClumioDriftDetectPolicy (Permissions used by Clumio to detect stack changes)
cloudformation:DescribeStacks
cloudformation:DescribeStackResources
cloudformation:DetectStackResourceDrift
iam:GetServiceLinkedRoleDeletionStatus
iam:ListInstanceProfilesForRole
iam:SimulatePrincipalPolicy
iam:GetContextKeysForPrincipalPolicy
iam:ListAttachedRolePolicies
iam:ListRolePolicies
iam:ListRoleTags
iam:GetRolePolicy
iam:GetRole
sns:GetTopicAttributes
sns:ListSubscriptionsByTopic
sns:ListTagsForResource
events:DescribeEventBus
events:ListTagsForResource
events:DescribeRule
events:ListTargetsByRule
Resource Name: ClumioSupportRole (Permissions used by Clumio to create AWS support cases)
sts:AssumeRole
Resource Name: ClumioSupportPolicy (Permissions used by Clumio to create AWS support cases)
support:*
support:ResolveCase
Resource Name: ClumioEventPubPolicy (Permissions used by Clumio to leverage SNS service)
SNS:Publish
SNS:Subscribe
SNS:ListSubscriptionsByTopic
Resource Name: ClumioIAMRole
sts:AssumeRole
Resource Name: ClumioKMSManagedPolicy (Permissions used by Clumio to backup/restore encrypted assets)
kms:DescribeKey
kms:Encrypt
kms:Decrypt
kms:ReEncrypt*
kms:GenerateDataKey*
kms:DescribeKey
kms:CreateGrant
Asset Level Permissions
Depending on the asset type enabled, the following IAM roles and policies are added to the existing base permissions.
EBS/EC2
Permissions used by Clumio for EC2 Protect and Discover Service
Resource Name: ClumioEc2ProtectManagedPolicy
ec2:CreateSnapshots
ec2:CreateSnapshot
ec2:CreateTags
ec2:DeleteTags
ec2:DeleteSnapshot
ec2:CreateVolume
ec2:DeleteVolume
ec2:AttachVolume
ec2:DetachVolume
ec2:StartInstances
ec2:StopInstances
ec2:DeleteNetworkInterface
ec2:AssociateAddress
ec2:DisassociateAddress
ec2:DescribeVpcs
ec2:DescribeAddresses
ec2:DescribeNetworkInterfaces
ec2:DescribeKeyPairs
ec2:DescribeElasticGpus
ec2:DescribeSubnets
iam:GetRole
iam:ListRoles
iam:GetInstanceProfile
iam:ListInstanceProfiles
elastic-inference:DescribeAccelerators
elastic-inference:DescribeAcceleratorOfferings
ec2:DescribeCapacityReservations
ec2:RegisterImage
ec2:DeregisterImage
iam:PassRole
ec2:TerminateInstances
ec2:RunInstances
ebs:ListChangedBlocks
ebs:ListSnapshotBlocks
ebs:GetSnapshotBlock
ebs:PutSnapshotBlock
ebs:StartSnapshot
ebs:CompleteSnapshot
Resource Name: ClumioDiscoverPolicy
ec2:DescribeImageAttribute
ec2:DescribeImages
ec2:DescribeInstanceAttribute
ec2:DescribeInstanceStatus
ec2:DescribeInstances
ec2:DescribeInstanceTypes
ec2:DescribeInstanceCreditSpecifications
ec2:DescribeInstanceTypeOfferings
ec2:DescribeTags
ec2:DescribeSnapshots
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
ec2:DescribeFastSnapshotRestores
ec2:DescribeSnapshotAttribute
ec2:DescribeSnapshots
ec2:DescribeVolumeAttribute
ec2:DescribeVolumeStatus
ec2:DescribeVolumes
ebs:ListChangedBlocks
ebs:ListSnapshotBlocks
kms:DescribeKey
RDS
Permissions used by Clumio for RDS Protect and Discover Service
Resource Name: ClumioRdsProtectPolicy
rds:DescribeDBSubnetGroups
rds:CreateDBInstance
rds:CreateDBSnapshot
rds:CreateDBClusterSnapshot
rds:RestoreDBInstanceFromDBSnapshot
rds:RestoreDBInstanceToPointInTime
rds:RestoreDBClusterFromSnapshot
rds:RestoreDBClusterToPointInTime
rds:ModifyDBCluster
rds:ModifyDBInstance
rds:ModifyDBClusterSnapshotAttribute
rds:ModifyDBSnapshotAttribute
rds:CopyDBClusterSnapshot
rds:CopyDBSnapshot
rds:RemoveTagsFromResource
rds:ListTagsForResource
rds:AddTagsToResource
rds:CreateOptionGroup
rds:CreateDBParameterGroup
rds:ModifyOptionGroup
rds:DeleteDBCluster
rds:DeleteDBInstance
rds:DeleteDBClusterSnapshot
rds:DeleteDBSnapshot
Resource Name: ClumioDiscoverPolicy
rds:DescribeDBClusters
rds:DescribeDBClusterSnapshotAttributes
rds:DescribeDBClusterSnapshots
rds:DescribeDBInstanceAutomatedBackups
rds:DescribeDBInstances
rds:DescribeDBSnapshotAttributes
rds:DescribeDBSnapshots
rds:DescribeGlobalClusters
rds:ListTagsForResource
rds:DescribeOptionGroups
rds:DescribeOptionGroupOptions
cloudwatch:GetMetricStatistics
S3
Permissions used by Clumio for S3 Protect and Discover Service
Resource Name: ClumioS3ProtectPolicy
cloudwatch:GetMetricStatistics
s3:ListBucket
s3:PutObject*
s3:DeleteObject
organizations:DescribeOrganization
events:DescribeRule
events:PutRule
events:DeleteRule
events:PutTargets
events:RemoveTargets
events:ListTargetsByRule
events:PutEvents
Resource Name: ClumioDiscoverPolicy
s3:ListAllMyBuckets
s3:GetBucketLocation
s3:GetEncryptionConfiguration
s3:GetBucketVersioning
s3:GetBucketPolicy
s3:GetBucketTagging
s3:GetReplicationConfiguration
s3:GetInventoryConfiguration
s3:PutInventoryConfiguration
s3:ListBucket*
s3:GetObject*
s3:PutBucketNotification
EC2 MSSQL
Permissions used by Clumio for EC2 Protect Service
Enabling EC2 is mandatory to enable EC2 MSSQL as EC2 MSSQL also requires some of the EC2 permissions.
Resource Name: ClumioEC2MSSQLProtectPolicy
ssm:GetCommandInvocation
ec2:DescribeInstances
iam:GetInstanceProfile
ssm:SendCommand
ssm:CancelCommand
iam:GetRole
iam:PassRole
Resource Name: ClumioEC2MSSQLSSMInstancePolicy
ssm:DescribeAssociation
ssm:GetDeployablePatchSnapshotForInstance
ssm:GetDocument
ssm:DescribeDocument
ssm:GetManifest
ssm:GetParameter
ssm:GetParameters
ssm:ListAssociations
ssm:ListInstanceAssociations
ssm:PutInventory
ssm:PutComplianceItems
ssm:PutConfigurePackageResult
ssm:UpdateAssociationStatus
ssm:UpdateInstanceAssociationStatus
ssm:UpdateInstanceInformation
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
ec2messages:AcknowledgeMessage
ec2messages:DeleteMessage
ec2messages:FailMessage
ec2messages:GetEndpoint
ec2messages:GetMessages
ec2messages:SendReply
s3:PutObject
s3:GetObject
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:PutLogEvents
Resource Name: ClumioEC2MSSQLSSMInstanceRoleV2
sts:AssumeRole
Resource Name: ClumioSSMNotificationRole
sts:AssumeRole
Resource Name: ClumioSSMNotificationPolicy
sns:Publish
Dynamo DB
Permissions used by Clumio for DynamoDB Protect and Discover Service
Resource Name: ClumioWarmProtectDynamoDbPolicy
dynamodb:BatchWriteItem
dynamodb:CreateBackup
dynamodb:DeleteItem
dynamodb:DeleteTable
dynamodb:DescribeTable
dynamodb:DescribeContinuousBackups
dynamodb:DescribeTimeToLive
dynamodb:GetItem
dynamodb:ListTagsOfResource
dynamodb:PutItem
dynamodb:Query
dynamodb:RestoreTableFromBackup
dynamodb:RestoreTableToPointInTime
dynamodb:Scan
dynamodb:TagResource
dynamodb:UntagResource
dynamodb:UpdateContinuousBackups
dynamodb:UpdateItem
dynamodb:UpdateTable
dynamodb:UpdateTimeToLive
dynamodb:DeleteBackup
dynamodb:DescribeBackup
dynamodb:ListBackups
application-autoscaling:DescribeScalableTargets
application-autoscaling:DescribeScalingPolicies
application-autoscaling:DeleteScalingPolicy
application-autoscaling:DeregisterScalableTarget
application-autoscaling:PutScalingPolicy
application-autoscaling:RegisterScalableTarget
iam:PassRole (for exactly one role - AWSServiceRoleForApplicationAutoScaling_DynamoDBTable)
iam:CreateServiceLinkedRole (for exactly one role - AWSServiceRoleForApplicationAutoScaling_DynamoDBTable)
Resource Name: ClumioDynamoDbSecureVaultPolicy
dynamodb:CreateTable
dynamodb:CreateTableReplica
dynamodb:ExportTableToPointInTime
dynamodb:UpdateTableReplicaAutoScaling
dynamodb:DescribeStream
dynamodb:GetRecords
dynamodb:GetShardIterator
dynamodb:DescribeExport
s3:AbortMultipartUpload
s3:PutObject
s3:PutObjectAcl
dynamodb:ImportTable
dynamodb:DescribeImport
dynamodb:ListImports
s3:GetObject
s3:ListBucket
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:PutLogEvents
logs:PutRetentionPolicy
Resource Name: ClumioDiscoverPolicy
dynamodb:DescribeBackup
dynamodb:DescribeContinuousBackups
dynamodb:DescribeGlobalTable
dynamodb:DescribeGlobalTableSettings
dynamodb:DescribeTable
dynamodb:DescribeTableReplicaAutoScaling
dynamodb:ListBackups
dynamodb:ListGlobalTables
dynamodb:ListTables
dynamodb:ListTagsOfResource
Resource Name: ClumioIAMPermissionsBoundary
dynamodb:*
kms:*
Note: Restricting required permissions may impact the working of Clumio Discover and Protect services.
Contact [email protected] in case of any clarifications or questions.
Updated 9 months ago