AWS resources and IAM permissions

This document describes the resources and IAM permissions that Clumio deploys in the customer's AWS account through CloudFormation or Terraform in order to enable global visibility, risk assessment, and data protection operations in that account.

AWS resources

Clumio creates the following resources in your AWS account:

  • Clumio SNS Topic
  • Clumio SNS Topic Policy
  • Clumio Event Rule
  • Clumio IAM Policy
  • Clumio IAM Role

Security

Using permissions boundary with Clumio IAM permissions

Most of the permissions listed below are restricted to the resources relevant to Clumio. Customers who want more granular control over the IAM permissions Clumio deploys can attach a custom Permissions Boundary policy to the Clumio IAM Role.

Using permissions boundary with CloudFormation

Provide the Permissions Boundary ARN as a parameter when deploying the Clumio CloudFormation stack, as shown in the screenshot below.

[Screenshot: providing the Permissions Boundary ARN during the Clumio CloudFormation stack deployment]

Using Permissions Boundary with Terraform

Use the "permissions_boundary_arn" input parameter of the Terraform module. Further details can be found on the module's Terraform Registry page.
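A permissions boundary only narrows what the Clumio IAM Role can do; it never grants anything. The following Python script is an added example (not Clumio's code) that evaluates that intersection for concrete API calls: it takes the ClumioKMSManagedPolicy actions listed on this page as the role's identity policy, pairs them with a constructed, hypothetical customer boundary, and ignores resource ARNs and condition keys.

```python
# Added example, not Clumio code: a permissions boundary is an intersection, never a grant.
# A call works only if the identity policy AND the boundary allow it (any Deny wins).
import fnmatch

CLUMIO_KMS_ACTIONS = ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                      "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant"]  # from ClumioKMSManagedPolicy

# Constructed customer boundary (hypothetical): decrypt-side KMS only, grants denied.
CUSTOMER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["kms:Describe*", "kms:Decrypt", "kms:GenerateDataKey*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "kms:CreateGrant"},
]}

def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def policy_allows(policy, action):
    """Evaluate one action against a policy document: Deny beats Allow, default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def is_effective(action, identity_actions, boundary):
    """True only if the identity policy grants the action and the boundary permits it."""
    granted = any(action_matches(p, action) for p in identity_actions)
    return granted and policy_allows(boundary, action)

def blocked_calls(calls, identity_actions, boundary):
    """List (call, what blocked it) for every call that would be denied."""
    blocked = []
    for call in calls:
        if not is_effective(call, identity_actions, boundary):
            granted = any(action_matches(p, call) for p in identity_actions)
            blocked.append((call, "boundary" if granted else "identity policy"))
    return blocked

if __name__ == "__main__":
    calls = ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
             "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant", "kms:ScheduleKeyDeletion"]
    for call, reason in blocked_calls(calls, CLUMIO_KMS_ACTIONS, CUSTOMER_BOUNDARY):
        print(f"{call}: blocked by {reason}")
```

Run as-is, it reports kms:Encrypt, kms:ReEncryptFrom and kms:CreateGrant as cut off by the boundary (the backup/restore gap the note at the end of this page warns about) and kms:ScheduleKeyDeletion as never granted by the identity policy, which a permissive boundary such as kms:* cannot change.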

IAM roles and permissions

Base permissions

The following IAM roles and policies are created irrespective of the asset type enabled while generating the template.

Resource Name: ClumioBasePolicy (Permissions used by Clumio to list AWS account details)

iam:ListAccountAliases

Resource Name: ClumioDriftDetectPolicy (Permissions used by Clumio to detect stack changes)

cloudformation:DescribeStacks  
cloudformation:DescribeStackResources  
cloudformation:DetectStackResourceDrift  
iam:GetServiceLinkedRoleDeletionStatus  
iam:ListInstanceProfilesForRole  
iam:SimulatePrincipalPolicy  
iam:GetContextKeysForPrincipalPolicy  
iam:ListAttachedRolePolicies  
iam:ListRolePolicies  
iam:ListRoleTags  
iam:GetRolePolicy  
iam:GetRole  
sns:GetTopicAttributes  
sns:ListSubscriptionsByTopic  
sns:ListTagsForResource  
events:DescribeEventBus  
events:ListTagsForResource  
events:DescribeRule  
events:ListTargetsByRule

Resource Name: ClumioSupportRole (Permissions used by Clumio to create AWS support cases)

sts:AssumeRole

Resource Name: ClumioSupportPolicy (Permissions used by Clumio to create AWS support cases)

support:*  
support:ResolveCase

Resource Name: ClumioEventPubPolicy (Permissions used by Clumio to leverage SNS service)

SNS:Publish  
SNS:Subscribe  
SNS:ListSubscriptionsByTopic

Resource Name: ClumioIAMRole

sts:AssumeRole

Resource Name: ClumioKMSManagedPolicy (Permissions used by Clumio to backup/restore encrypted assets)

kms:DescribeKey  
kms:Encrypt  
kms:Decrypt  
kms:ReEncrypt*  
kms:GenerateDataKey*  
kms:CreateGrant

Asset Level Permissions

Depending on the asset type enabled, the following IAM roles and policies are added to the existing base permissions.

EBS/EC2 (Permissions used by Clumio for EC2 Protect and Discover Service)

Resource Name: ClumioEc2ProtectManagedPolicy

ec2:CreateSnapshots  
ec2:CreateSnapshot  
ec2:CreateTags  
ec2:DeleteTags  
ec2:DeleteSnapshot  
ec2:CreateVolume  
ec2:DeleteVolume  
ec2:AttachVolume  
ec2:DetachVolume  
ec2:StartInstances  
ec2:StopInstances  
ec2:DeleteNetworkInterface  
ec2:AssociateAddress  
ec2:DisassociateAddress  
ec2:DescribeVpcs  
ec2:DescribeAddresses  
ec2:DescribeNetworkInterfaces  
ec2:DescribeKeyPairs  
ec2:DescribeElasticGpus  
ec2:DescribeSubnets  
iam:GetRole  
iam:ListRoles  
iam:GetInstanceProfile  
iam:ListInstanceProfiles  
elastic-inference:DescribeAccelerators  
elastic-inference:DescribeAcceleratorOfferings  
ec2:DescribeCapacityReservations  
ec2:RegisterImage  
ec2:DeregisterImage  
iam:PassRole  
ec2:TerminateInstances  
ec2:RunInstances  
ebs:ListChangedBlocks  
ebs:ListSnapshotBlocks  
ebs:GetSnapshotBlock  
ebs:PutSnapshotBlock  
ebs:StartSnapshot  
ebs:CompleteSnapshot

Resource Name: ClumioDiscoverPolicy

ec2:DescribeImageAttribute  
ec2:DescribeImages  
ec2:DescribeInstanceAttribute  
ec2:DescribeInstanceStatus  
ec2:DescribeInstances  
ec2:DescribeInstanceTypes  
ec2:DescribeInstanceCreditSpecifications  
ec2:DescribeInstanceTypeOfferings  
ec2:DescribeTags  
ec2:DescribeSnapshots  
ec2:DescribeAvailabilityZones  
ec2:DescribeSecurityGroups  
ec2:DescribeFastSnapshotRestores  
ec2:DescribeSnapshotAttribute  
ec2:DescribeVolumeAttribute  
ec2:DescribeVolumeStatus  
ec2:DescribeVolumes  
ebs:ListChangedBlocks  
ebs:ListSnapshotBlocks  
kms:DescribeKey


RDS (Permissions used by Clumio for RDS Protect and Discover Service)

Resource Name: ClumioRdsProtectPolicy 

rds:DescribeDBSubnetGroups  
rds:CreateDBInstance  
rds:CreateDBSnapshot  
rds:CreateDBClusterSnapshot  
rds:RestoreDBInstanceFromDBSnapshot  
rds:RestoreDBInstanceToPointInTime  
rds:RestoreDBClusterFromSnapshot  
rds:RestoreDBClusterToPointInTime  
rds:ModifyDBCluster  
rds:ModifyDBInstance  
rds:ModifyDBClusterSnapshotAttribute  
rds:ModifyDBSnapshotAttribute  
rds:CopyDBClusterSnapshot  
rds:CopyDBSnapshot  
rds:RemoveTagsFromResource  
rds:ListTagsForResource  
rds:AddTagsToResource  
rds:CreateOptionGroup  
rds:CreateDBParameterGroup  
rds:ModifyOptionGroup  
rds:DeleteDBCluster  
rds:DeleteDBInstance  
rds:DeleteDBClusterSnapshot  
rds:DeleteDBSnapshot

Resource Name: ClumioDiscoverPolicy

rds:DescribeDBClusters  
rds:DescribeDBClusterSnapshotAttributes  
rds:DescribeDBClusterSnapshots  
rds:DescribeDBInstanceAutomatedBackups  
rds:DescribeDBInstances  
rds:DescribeDBSnapshotAttributes  
rds:DescribeDBSnapshots  
rds:DescribeGlobalClusters  
rds:ListTagsForResource  
rds:DescribeOptionGroups  
rds:DescribeOptionGroupOptions  
cloudwatch:GetMetricStatistics


S3 (Permissions used by Clumio for S3 Protect and Discover Service)

Resource Name: ClumioS3ProtectPolicy

cloudwatch:GetMetricStatistics  
s3:ListBucket  
s3:PutObject*  
s3:DeleteObject  
organizations:DescribeOrganization  
events:DescribeRule  
events:PutRule  
events:DeleteRule  
events:PutTargets  
events:RemoveTargets  
events:ListTargetsByRule  
events:PutEvents

Resource Name: ClumioDiscoverPolicy

s3:ListAllMyBuckets  
s3:GetBucketLocation  
s3:GetEncryptionConfiguration  
s3:GetBucketVersioning  
s3:GetBucketPolicy  
s3:GetBucketTagging  
s3:GetReplicationConfiguration  
s3:GetInventoryConfiguration  
s3:PutInventoryConfiguration  
s3:ListBucket*  
s3:GetObject*  
s3:PutBucketNotification


EC2 MSSQL (Permissions used by Clumio for EC2 Protect Service)

(Enabling EC2 is mandatory in order to enable EC2 MSSQL, because EC2 MSSQL also requires some of the EC2 permissions.)

Resource Name: ClumioEC2MSSQLProtectPolicy

ssm:GetCommandInvocation  
ec2:DescribeInstances  
iam:GetInstanceProfile  
ssm:SendCommand  
ssm:CancelCommand  
iam:GetRole  
iam:PassRole

Resource Name: ClumioEC2MSSQLSSMInstancePolicy

ssm:DescribeAssociation  
ssm:GetDeployablePatchSnapshotForInstance  
ssm:GetDocument  
ssm:DescribeDocument  
ssm:GetManifest  
ssm:GetParameter  
ssm:GetParameters  
ssm:ListAssociations  
ssm:ListInstanceAssociations  
ssm:PutInventory  
ssm:PutComplianceItems  
ssm:PutConfigurePackageResult  
ssm:UpdateAssociationStatus  
ssm:UpdateInstanceAssociationStatus  
ssm:UpdateInstanceInformation  
ssmmessages:CreateControlChannel  
ssmmessages:CreateDataChannel  
ssmmessages:OpenControlChannel  
ssmmessages:OpenDataChannel  
ec2messages:AcknowledgeMessage  
ec2messages:DeleteMessage  
ec2messages:FailMessage  
ec2messages:GetEndpoint  
ec2messages:GetMessages  
ec2messages:SendReply  
s3:PutObject  
s3:GetObject  
logs:CreateLogGroup  
logs:CreateLogStream  
logs:DescribeLogGroups  
logs:DescribeLogStreams  
logs:PutLogEvents

Resource Name: ClumioEC2MSSQLSSMInstanceRoleV2

sts:AssumeRole

Resource Name: ClumioSSMNotificationRole

sts:AssumeRole

Resource Name: ClumioSSMNotificationPolicy

sns:Publish


DynamoDB (Permissions used by Clumio for DynamoDB Protect and Discover Service)

Resource Name: ClumioWarmProtectDynamoDbPolicy

dynamodb:BatchWriteItem  
dynamodb:CreateBackup  
dynamodb:DeleteItem  
dynamodb:DeleteTable  
dynamodb:DescribeTable  
dynamodb:DescribeContinuousBackups  
dynamodb:DescribeTimeToLive  
dynamodb:GetItem  
dynamodb:ListTagsOfResource  
dynamodb:PutItem  
dynamodb:Query  
dynamodb:RestoreTableFromBackup  
dynamodb:RestoreTableToPointInTime  
dynamodb:Scan  
dynamodb:TagResource  
dynamodb:UntagResource  
dynamodb:UpdateContinuousBackups  
dynamodb:UpdateItem  
dynamodb:UpdateTable  
dynamodb:UpdateTimeToLive  
dynamodb:DeleteBackup  
dynamodb:DescribeBackup  
dynamodb:ListBackups  
application-autoscaling:DescribeScalableTargets  
application-autoscaling:DescribeScalingPolicies  
application-autoscaling:DeleteScalingPolicy  
application-autoscaling:DeregisterScalableTarget  
application-autoscaling:PutScalingPolicy  
application-autoscaling:RegisterScalableTarget  
iam:PassRole (restricted to exactly one role: AWSServiceRoleForApplicationAutoScaling_DynamoDBTable)  
iam:CreateServiceLinkedRole (restricted to exactly one role: AWSServiceRoleForApplicationAutoScaling_DynamoDBTable)

Resource Name: ClumioDynamoDbSecureVaultPolicy

dynamodb:CreateTable  
dynamodb:CreateTableReplica  
dynamodb:ExportTableToPointInTime  
dynamodb:UpdateTableReplicaAutoScaling  
dynamodb:DescribeStream  
dynamodb:GetRecords  
dynamodb:GetShardIterator  
dynamodb:DescribeExport  
s3:AbortMultipartUpload  
s3:PutObject  
s3:PutObjectAcl  
dynamodb:ImportTable  
dynamodb:DescribeImport  
dynamodb:ListImports  
s3:GetObject  
s3:ListBucket  
logs:CreateLogGroup  
logs:CreateLogStream  
logs:DescribeLogGroups  
logs:DescribeLogStreams  
logs:PutLogEvents  
logs:PutRetentionPolicy

Resource Name: ClumioDiscoverPolicy

dynamodb:DescribeBackup  
dynamodb:DescribeContinuousBackups  
dynamodb:DescribeGlobalTable  
dynamodb:DescribeGlobalTableSettings  
dynamodb:DescribeTable  
dynamodb:DescribeTableReplicaAutoScaling  
dynamodb:ListBackups  
dynamodb:ListGlobalTables  
dynamodb:ListTables  
dynamodb:ListTagsOfResource

Resource Name: ClumioIAMPermissionsBoundary

dynamodb:*  
kms:*

Note: Restricting the required permissions may impair the operation of the Clumio Discover and Protect services.


Contact [email protected] if you have any questions or need clarification.