IAM permissions required to deploy the Clumio service

The Clumio “Connect AWS Environment” process involves deploying Clumio resources in your AWS account so that Clumio can connect to the selected AWS account/region to perform SecureVault Backup, Snap, and restore tasks. You can connect the Clumio Service to your AWS account using either of the following deployment methods:

  • CloudFormation Stack
  • Terraform

The Clumio CloudFormation/Terraform templates are designed around the "least privileges" model, following standard AWS Identity and Access Management (IAM) security guidelines.

Before you connect your AWS environment, verify the permission requirements below to ensure the connection process runs smoothly.

After you have met all the requirements, you are ready to connect your AWS environment by logging in to Clumio and going to AWS > Accounts and select either CloudFormation or Terraform to connect your AWS account.

Permission requirements

Verify the minimum set of IAM Permissions required to deploy the Clumio Service in your AWS Environment:

IAM Permissions required to deploy the Clumio service through CloudFormation

Verify the IAM user who is creating the Clumio CloudFormation stack has the permissions to deploy CloudFormation templates. The permission set defined in the IAM policy should grant the following permissions to the IAM user:

  • Create, update, and delete Clumio CloudFormation templates.
  • Select the IAM CloudFormation service role that has permissions to create AWS resources as defined in the Clumio CloudFormation template.

This sample template grants CloudFormation create actions to the IAM user who is creating the Clumio CloudFormation stack:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "iam:PassRole",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "allowS3TemplateAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

If you attach the policy to an existing IAM user, the permission set defined in the policy may conflict with the permission sets defined by existing policies linked to the IAM user. Review the existing policy set first to address any potential conflicts caused by explicitly deny permissions.

Create IAM CloudFormation service role

Create an IAM CloudFormation service role and grant it permissions to deploy the AWS resources defined by the Clumio CloudFormation stack.

Use the CloudFormation service role to explicitly specify the actions that AWS CloudFormation can perform, which might not always be the same actions that you or other IAM users can do. For example, you might have administrative privileges, but you can limit AWS CloudFormation access to only Amazon EC2 actions. refer to AWS documentation to learn more about using the AWS IAM service role.

The following template can be used to create the IAM policy for the CloudFormation service role so that IAM users can use this role to allow the CloudFormation template to deploy the required AWS resources. To do this, use the template to create an IAM policy and attach the policy to the AWS CloudFormation Service role. This grants the CloudFormation service role the required permissions to deploy the Clumio resources defined in the template.

Placeholder text in the template:

  • <AWS_Account_ID> The account in which the CloudFormation stack will be created.
  • <CLUMIO_CONTROL_PLANE_ACCOUNT_ID> Clumio’s AWS account ID (use * if not known, or contact [email protected])
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "events",
			"Effect": "Allow",
			"Action": [
				"events:DeleteRule",
				"events:DescribeRule",
				"events:DisableRule",
				"events:EnableRule",
				"events:ListRules",
				"events:ListTagsForResource",
				"events:ListTargetsByRule",
				"events:PutRule",
				"events:PutTargets",
				"events:RemoveTargets"
			],
			"Resource": [
				"arn:aws:events:*:<AWS_Account_ID>:rule/Clumio*"
			]
		},
		{
			"Sid": "iamall",
			"Effect": "Allow",
			"Action": [
				"iam:GetInstanceProfile",
				"iam:AddRoleToInstanceProfile",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:DeleteInstanceProfile",
				"iam:CreateInstanceProfile",
				"iam:GetRole",
				"iam:GetPolicy",
				"iam:DetachRolePolicy"
			],
			"Resource": "*"
		},
		{
			"Sid": "iam",
			"Effect": "Allow",
			"Action": [
				"iam:CreatePolicy",
				"iam:DeletePolicy",
				"iam:AttachRolePolicy",
				"iam:CreateRole",
				"iam:CreateServiceLinkedRole",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:GetPolicyVersion",
				"iam:GetRolePolicy",
				"iam:ListAttachedRolePolicies",
				"iam:ListInstanceProfiles",
				"iam:ListInstanceProfilesForRole",
				"iam:ListPolicies",
				"iam:ListPolicyVersions",
				"iam:ListRolePolicies",
				"iam:PassRole",
				"iam:PutRolePolicy",
				"iam:TagPolicy",
				"ssm:CreateDocument",
				"ssm:DeleteDocument",
				"ssm:ListDocuments",
				"ssm:DescribeDocument",
				"ssm:GetDocument",
				"ssm:UpdateDocument",
				"ssm:UpdateDocumentMetadata"
			],
			"Resource": [
				"arn:aws:iam::<AWS_Account_ID>:role/Clumio*",
				"arn:aws:iam::<AWS_Account_ID>:role/StackSet*",
				"arn:aws:iam::<AWS_Account_ID>:role/clumio/Clumio*",
				"arn:aws:iam::<AWS_Account_ID>:policy/clumio/Clumio*",
				"arn:aws:iam::<AWS_Account_ID>:policy/Clumio*",
				"arn:aws:iam::<AWS_Account_ID>:policy/clumio/*",
				"arn:aws:iam::<AWS_Account_ID>:policy/*",
				"arn:aws:iam::<AWS_Account_ID>:instance-profile/Clumio*"
			]
		},
		{
			"Sid": "ssm",
			"Effect": "Allow",
			"Action": [
				"ssm:CreateDocument",
				"ssm:DeleteDocument",
				"ssm:ListDocuments",
				"ssm:DescribeDocument",
				"ssm:GetDocument",
				"ssm:UpdateDocument",
				"ssm:UpdateDocumentMetadata"
			],
			"Resource": [
				"arn:aws:ssm:*:<AWS_Account_ID>:document/Clumio*"
			]
		},
		{
			"Sid": "sns",
			"Effect": "Allow",
			"Action": [
				"sns:CreateTopic",
				"sns:DeleteTopic",
				"sns:GetTopicAttributes",
				"sns:ListTagsForResource",
				"sns:ListTopics",
				"sns:Publish",
				"sns:SetTopicAttributes",
				"sns:TagResource",
				"sns:ListSubscriptionsByTopic",
				"sns:AddPermission",
				"sns:RemovePermission"
			],
			"Resource": [
				"arn:aws:sns:*:<AWS_Account_ID>:ClumioInventoryTopic*",
				"arn:aws:sns:*:<CLUMIO_CONTROL_PLANE_ACCOUNT_ID>:CustomerCF*",
				"arn:aws:sns:*:<CLUMIO_CONTROL_PLANE_ACCOUNT_ID>:*-Stack_Install_Notifier",
				"arn:aws:sns:*:<AWS_Account_ID>:SendStackNotificationsToClumio*"
			]
		},
		{
			"Sid": "cloudformation",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DescribeStackEvents",
				"cloudformation:GetTemplateSummary"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "cloudformationStackSets",
			"Effect": "Allow",
			"Action": [
				"cloudformation:ListStackSetOperations",
				"cloudformation:DescribeStackSet",
				"cloudformation:DescribeStackSetOperation",
				"cloudformation:CreateStackInstances",
				"cloudformation:DeleteStackInstances",
				"cloudformation:UpdateStackInstances",
				"cloudformation:DescribeStackEvents",
				"cloudformation:GetTemplateSummary",
				"cloudformation:DeleteStackSet",
				"cloudformation:CreateStackSet",
				"cloudformation:UpdateStackSet"
			],
			"Resource": [
				"arn:aws:cloudformation:*:<AWS_Account_ID>:stackset/ClumioStackSet-*",
				"arn:aws:cloudformation:*:<AWS_Account_ID>:stackset/ClumioEventRuleStackSet-*"
			]
		},
		{
			"Sid": "allowS3TemplateAccess",
			"Effect": "Allow",
			"Action": [
				"s3:GetObject"
			],
			"Resource": [
				"*"
			]
		}
	]
}

IAM Permissions required to deploy the Clumio service through Terraform

Permission set required to deploy the Terraform Stack.

data "aws_iam_policy_document" "hello" {
  statement {
    sid       = "events"
    effect    = "Allow"
    resources = ["arn:aws:events:*:<AWS_Account_ID>:rule/Clumio*"]

    actions = [
      "events:DeleteRule",
      "events:DescribeRule",
      "events:DisableRule",
      "events:EnableRule",
      "events:ListRules",
      "events:ListTagsForResource",
      "events:ListTargetsByRule",
      "events:PutRule",
      "events:PutTargets",
      "events:RemoveTargets",
    ]
  }

  statement {
    sid       = "iamall"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "iam:GetInstanceProfile",
      "iam:AddRoleToInstanceProfile",
      "iam:RemoveRoleFromInstanceProfile",
      "iam:DeleteInstanceProfile",
      "iam:CreateInstanceProfile",
      "iam:GetRole",
      "iam:GetPolicy",
      "iam:DetachRolePolicy",
    ]
  }

  statement {
    sid    = "iam"
    effect = "Allow"

    resources = [
      "arn:aws:iam::<AWS_Account_ID>:role/clumio/Clumio*",
      "arn:aws:iam::<AWS_Account_ID>:policy/clumio/Clumio*",
      "arn:aws:iam::<AWS_Account_ID>:policy/Clumio*",
      "arn:aws:iam::<AWS_Account_ID>:policy/clumio/*",
      "arn:aws:iam::<AWS_Account_ID>:policy/*",
      "arn:aws:iam::<AWS_Account_ID>:instance-profile/Clumio*",
    ]

    actions = [
      "iam:CreatePolicy",
      "iam:DeletePolicy",
      "iam:AttachRolePolicy",
      "iam:CreateRole",
      "iam:CreateServiceLinkedRole",
      "iam:DeleteRole",
      "iam:DeleteRolePolicy",
      "iam:GetPolicyVersion",
      "iam:GetRolePolicy",
      "iam:ListAttachedRolePolicies",
      "iam:ListInstanceProfiles",
      "iam:ListInstanceProfilesForRole",
      "iam:ListPolicies",
      "iam:ListPolicyVersions",
      "iam:ListRolePolicies",
      "iam:PassRole",
      "iam:PutRolePolicy",
      "iam:TagPolicy",
    ]
  }

  statement {
    sid    = "sns"
    effect = "Allow"

    resources = [
      "arn:aws:sns:*:<AWS_Account_ID>:ClumioInventoryTopic*",
      "arn:aws:sns:*:*:CustomerCF*",
    ]

    actions = [
      "sns:CreateTopic",
      "sns:DeleteTopic",
      "sns:GetTopicAttributes",
      "sns:ListTagsForResource",
      "sns:ListTopics",
      "sns:Publish",
      "sns:SetTopicAttributes",  
      "sns:TagResource",
    ]
  }
}

Contact [email protected] in case of any clarifications or questions.