Permissions file details

Clumio generates a permissions file based on the asset types selected when you manually on-board your AWS account to Clumio. The policies attached to each of the entities grant Clumio specific permissions to access your account and selected resources within it to protect your AWS assets. 

The tables below contain the permissions that Clumio requires to perform an inventory of the selected assets  and backup and restore operations. Based on your asset selections, you will see all of the following entities or a subset of them in the permissions file. 

ClumioIAMRole

This is the role Clumio will assume in a customer account to provide cloud inventory, backup and restore features. This role is required, without it, Clumio cannot protect any AWS assets.

Trust policies

Action(s)Permission statement
sts:AssumeRoleAllow
This role can only be assumed by a single intermediate role within Clumio’s control plane

Inline policies

ClumioInventoryPolicy

This policy is required to grant Clumio access for inventory related actions.

Action(s)Permission statement
backup:ListProtectedResourcesRequired to allow Clumio insight into other AWS-backed up resources.
backup:ListBackupVaults Allow Clumio to retrieve AWS Backup vaults.
backup:ListRecoveryPointsByBackupVaultAllow Clumio to list recovery points in AWS Backup vaults.
backup:DescribeRecoveryPointAllow Clumio to get recovery point information.
cloudwatch:GetMetricStatisticsRequired to get Cloudwatch metrics for S3 buckets and DynamoDB tables.
dynamodb:DescribeBackup
dynamodb:DescribeContinuousBackups- dynamodb:DescribeTable
dynamodb:DescribeTableReplicaAutoScaling
dynamodb:ListBackups
dynamodb:ListTables
dynamodb:ListTagsOfResource
Required to list all DynamoDB tables and relevant information.
dynamodb:DescribeGlobalTable
dynamodb:DescribeGlobalTableSettings
dynamodb:ListGlobalTables
Required to list DynamoDB global tables and relevant information.
ec2:DescribeImageAttribute
ec2:DescribeImages
ec2:DescribeInstanceAttribute
ec2:DescribeInstanceStatus
ec2:DescribeInstances
ec2:DescribeInstanceTypes
ec2:DescribeInstanceCreditSpecifications
ec2:DescribeInstanceTypeOfferings
ec2:DescribeTags
ec2:DescribeSnapshots
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
Required to list EC2 resources and relevant information.
ec2:DescribeFastSnapshotRestore
ec2:DescribeSnapshotAttribute
ec2:DescribeSnapshots
ec2:DescribeLockedSnapshots
ec2:DescribeVolumeAttribute
ec2:DescribeVolumeStatus
ec2:DescribeVolumes
ebs:ListChangedBlocks
ebs:ListSnapshotBlocks
kms:DescribeKey
Required to list EBS resources and relevant information.
rds:DescribeDBClustersRequired to describe RDS clusters for Clumio inventory synchronization.
rds:DescribeDBClusterSnapshotAttributes
rds:DescribeDBClusterSnapshots
Required to describe RDS cluster snapshots for Clumio Convert and during restore operations.
rds:DescribeDBInstancesRequired to describe RDS instances for Clumio inventory synchronization.
rds:DescribeDBInstanceAutomatedBackupsRequired to describe RDS snapshots for point-in-time backups.
rds:DescribeDBSnapshotAttributesRequired to describe RDS instance snapshot attributes for Clumio Convert.
rds:DescribeDBSnapshotsRequired to describe the RDS instance snapshot for Clumio Convert and during restore.
rds:DescribeGlobalClustersRequired to describe RDS global clusters for Clumio inventory synchronization.
rds:DescribeOptionGroups
rds:DescribeOptionGroupOptions
Required to describe RDS option groups.
rds:ListTagsForResourceRequired to list RDS cluster or instance tags for Clumio invemtory synchronization.
s3:ListAllMyBuckets
s3:GetBucketLocation
s3:GetEncryptionConfiguration
s3:GetBucketVersioning
s3:GetBucketPolicy
s3:GetBucketPublicAccessBlock
s3:GetBucketTagging
s3:GetReplicationConfiguration
s3:GetLifecycleConfiguration
s3:GetBucketLogging s3:GetBucketObjectLockConfiguration
Required to list all S3 buckets and relevant information.
s3:PutStorageLensConfiguration
s3:PutStorageLensConfigurationTagging s3:DeleteStorageLensConfiguration
s3:GetStorageLensConfiguration
s3:ListStorageLensConfigurations
s3:GetStorageLensConfigurationTagging
Storage lens permissions to retrieve S3 object-level metrics.
s3:GetMultiRegionAccessPointGet a single multi-region access point.
s3:ListMultiRegionAccessPointsList all S3 multi-region access points.
cloudwatch:GetMetricStatisticsGet CloudWatch Metrics for S3 buckets

ClumioKMSPolicy

This policy is required to grant Clumio access to customer keys and Clumio’s keys during backup and restore operations.

Action(s)Permission statement
kms:DescribeKey
kms:Encrypt
kms:Decrypt
kms:ReEncryptFrom
kms:ReEncryptTo
kms:GenerateDataKey
kms:GenerateDataKeyPair
kms:GenerateDataKeyPairWithoutPlaintext
kms:GenerateDataKeyWithoutPlaintext
Required in order to access customers' keys during backup and restore operations, if objects in the customers' bucket are encrypted. 
Also, required while copying large objects directly between the customer's bucket and Clumio’s arena bucket.

ClumioBaseValidationPolicy

This policy is required to validate permissions for Clumio base managed policy.

Action(s)Permission statement
iam:GetPolicy
iam:GetPolicyVersion
Fetches policy definitions for s3, DynamoDB, or EC2 managed policies.
Required to validate S3, DynamoDB, and EC2 policies.

ClumioDriftDetectPolicy

This policy grants Clumio read permissions to detect changes to resources in an account.

Action(s)Permission statement
cloudformation:DescribeStacks
cloudformation:DescribeStackResources
cloudformation:DetectStackResourceDrift
iam:GetServiceLinkedRoleDeletionStatus
iam:ListInstanceProfilesForRole
iam:SimulatePrincipalPolicy
iam:GetContextKeysForPrincipalPolicy
iam:ListAttachedRolePolicies
iam:ListRolePolicies
iam:ListRoleTags
iam:GetRolePolicy
iam:GetRole
sns:GetTopicAttributes
sns:ListSubscriptionsByTopic
sns:ListTagsForResource sns:GetDataProtectionPolicy
events:DescribeEventBus
events:ListTagsForResource
events:DescribeRule
events:ListTargetsByRule
Read permissions required to detect changes in resources in a customer's account.

Managed policies

ClumioBaseManagedPolicy

This policy grants Clumio access for basic validation and to obtain basic information. The permissions defined in this policy are required for Clumio to list and validate protection policies for AWS assets.

Action(s)Permission statement
iam:ListAttachedRolePolicies
iam:ListRolePolicies
iam:GetRolePolicy
List all policies (managed and inline) for ClumioIAMRole and ClumioSupportRole.

Required to validate policies
iam:ListAccountAliasesRequired to fetch account alias for a customer account.
sns:GetTopicAttributes
events:DescribeRule
Required to validate SNS topic and rule created in a customer account.
organizations:DescribeOrganizationRequired to allow Clumio to only have to add one policy for the entire AWS organization. Otherwise, Clumio would have to create policies for each account.
account:ListRegions
account:GetRegionOptStatus
Lists AWS regions and whether they are enabled or not
Specifies which regions your AWS account can use
iam:GetPolicy
iam:GetPolicyVersion
Gets policy definitions for s3, DynamoDB, or EC2 managed policies.
Required to validate S3, DynamoDB, and EC2 policies.
ssm:GetDocumentGets contents of the specified AWS Systems Manager document.
iam:ListAttachedRolePolicies
iam:ListRolePolicies
iam:GetRolePolicy
Permissions to list all policies for ClumioS3ContinuousBackupEventBridgeRole.
Required to validate policies
iam:GetRole
iam:GetPolicyVersion
Permissions to fetch role details for S3 Continuous Backup Role.
Required to validate S3 role details.
sns:DecodeAuthorizationMessagePermissions to decode authorization error messages.

ClumioDynamoDbBackupPolicy

This policy contains permissions required for DynamoDB Snap and SecureVault backups.

Action(s)Permission statement
dynamodb:ExportTableToPointInTime
dynamodb:UpdateTable
Required during seed backup to export the table data to S3 and enable streams.
dynamodb:DescribeStream
dynamodb:GetRecords
dynamodb:GetShardIterator
Required during incremental backups to use streams to capture the incremental data.
dynamodb:DescribeExportRequired during seed backup to export the table data to S3.
s3:AbortMultipartUpload
s3:PutObject
s3:PutObjectAcl
Required during seed backup to upload table data to S3.
kms:CreateGrant
kms:Decrypt
kms:DescribeKey
kms:Encrypt
kms:GenerateDataKey
kms:ReEncryptFrom
kms:ReEncryptTo
Required to decrypt the items in the encrypted table and encrypt the S3 files.
dynamodb:CreateBackup
dynamodb:DescribeTable
dynamodb:DescribeContinuousBackups
dynamodb:DescribeTimeToLive
dynamodb:ListTagsOfResource
dynamodb:UpdateContinuousBackups
Required to backup table data and configuration information.
dynamodb:DeleteBackup
dynamodb:DescribeBackup
Required to delete backups during expiry or failed backups cleanup.
dynamodb:ListBackupsRequired to list snap backups.
application-autoscaling:DescribeScalableTargets
application-autoscaling:DescribeScalingPolicies
Required to backup autoscaling configuration information.

ClumioDynamoDbRestorePolicy

The policy contains permissions required to restore DynamoDB Snap and SecureVault backups

Action(s)Permission statement
kms:Decrypt
kms:DescribeKey
kms:Encrypt
kms:GenerateDataKey
kms:ReEncryptFrom
kms:ReEncryptTo
Required to decrypt the S3 files and encrypt the restored table items.
dynamodb:CreateTable
dynamodb:CreateTableReplica
dynamodb:UpdateTableReplicaAutoScaling
Required to restore table data, the global table replica and then update them with the same backup configuration.
dynamodb:ImportTable
dynamodb:DescribeImport
Required to restore to a new table from S3 files.
s3:GetObject
s3:ListBucket
Required to restore to a new table from S3 files.
logs:CreateLogGroup
logs:CreateLogStream
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:PutLogEvents
logs:PutRetentionPolicy
Required by the ImportTable API used during restores.
dynamodb:BatchWriteItem
dynamodb:DeleteItem
dynamodb:GetItem
dynamodb:PutItem
dynamodb:Query
dynamodb:Scan
dynamodb:TagResource
dynamodb:UntagResource
dynamodb:UpdateItem
dynamodb:UpdateTimeToLive
Required to restore from a snap.
dynamodb:DeleteTableRequired to delete table during failed restore cleanup.
dynamodb:DescribeTable
dynamodb:RestoreTableFromBackup
dynamodb:RestoreTableToPointInTime
Required to restore from a snap.
application-autoscaling:PutScalingPolicy
application-autoscaling:RegisterScalableTarget
Required to restore autoscaling settings of the DynamoDB table provisioned throughput.
iam:PassRoleRequired for cross-region snap and PITR restores with autoscaling settings.
iam:CreateServiceLinkedRole AWSServiceRoleForApplicationAutoScaling_DynamoDBTable is automatically created when the RegisterScalableTarget API is called.

ClumioEC2BackupPolicy

The Clumio Managed IAM policy for EBS and EC2 backups. This is a generic policy used to identify Clumio created resources in the customer account. Most of the policy statements in the ClumioEc2BackupPolicy use tag based conditions to provide access to the actions.

The following tag(s) are used: ClumioVendorTag - Vendor: Clumio

Action(s)Permission statement
ec2:CreateSnapshots
ec2:CreateSnapshot
Required to take point in time snapshots of a given volume or instance for backup.
The actions are allowed only if the operation has ClumioVendorTag in the request.
ec2:CreateSnapshots
ec2:CreateSnapshot
Allow CreateSnapshot(s) on any instance or volume in the AWS account. 
The resulting snapshot is tagged with ClumioVendorTag per the statements in AllowStartSnapshotWithClumioRequestTag.
ec2:DeleteSnapshotRequired to delete snapshots in the following cases:

- Clumio maintains only one snapshot per volume per storage tier. During incremental backup, older snapshots taken by previous backups are deleted.
- When a backup expires, snapshots associated with the backup(if any) are deleted.This action is allowed only if it is tagged with a ClumioVendorTag.
ec2:RegisterImageRequired to register an image of a given EC2 instance in aws_snapshot backup operations.
This action is allowed on a snapshot only if it is tagged with ClumioVendorTag.
ec2:RegisterImageno description
ec2:DeregisterImageRequired to let Clumio AWS backup to deregister the image registered at the time of backup, if backup fails after the image has been registered.
This action is allowed only if the image has been tagged with ClumioVendorTag.
ec2:CreateTagsDeny direct CreateTags operation. Allow tag creation only if it is associated with CreateSnapshot(s) operations.
Allow CreateTags operation on an image only if one of the request tags is ClumioVendorTag.
ec2:CreateTagsno description
ec2:DeleteTagsAllow Delete Tags on an image or snapshot only if the resource is tagged with ClumioVendorTag.
ebs:GetSnapshotBlock
ebs:ListChangedBlocks
ebs:ListSnapshotBlocks
Allow read operations on a given snapshot. Clumio backup uses these operations to retrieve the data in a snapshot.
ec2:DescribeCapacityReservations
ec2:DescribeAddresses
ec2:DescribeNetworkInterfaces
ec2:DescribeVpcs
ec2:DescribeElasticGpus
ec2:DescribeSubnets
ec2:DescribeKeyPairs
elastic-inference:DescribeAcceleratorOfferings
elastic-inference:DescribeAccelerators
Allow 'describe' operations on resources which could be associated with an EC2 instance.
iam:GetInstanceProfileAllow read on a given instance profile.
iam:GetRoleAllow read on a given role.

ClumioEC2RestorePolicy

This is the Clumio Managed IAM policy for EBS and EC2 restore operations. Most of the policy statements used in ClumioEc2RestorePolicy use tag based conditions to provide access to the actions.

The following tags are used in the tag based conditions:

  1. ClumioVendorTag - Vendor: Clumio
    This is a generic used to identify Clumio created resources in the customer account.
  2. ClumioRestoreTag - clumio.restore.tag : "*"
    During the process of EC2/EBS Restore, this particular tag is intermittently applied to the resources until the completion of the restore.
Action(s)Permission statement
ebs:StartSnapshotA Clumio restore task invokes StartSnapshot to restore a snapshot with the following steps:

- starts a snapshot
- puts the snapshot data of the volume to be restored in the snapshot
- completes the snapshot.Allow StartSnapshot action only if the request contains ClumioVendorTag.
ebs:CompleteSnapshot
ebs:PutSnapshotBlock
Clumio restore task invokes CompleteSnapshot to restore a snapshot.
Snapshot operations are allowed only on snapshots with ClumioVendorTag.
ec2:CreateSnapshots
ec2:CreateSnapshot
Clumio restore uses CreateSnapshot(s) operations to generate an AMI of a restored instance/volume.
Allow create snapshot with ClumioRestoreTag for volume restore.
ec2:CreateVolumeClumio restore invokes CreateVolume to create a restored volume.
Allow CreateVolume only if the operation request contains ClumioRestoreTag.
ec2:DeleteVolumeClumio restore deletes the restored volume in case restore fails after the volume has been created.
Allow DeleteVolume only if the volume is tagged with ClumioRestoreTag.
ec2:AttachVolumeClumio restore attaches the restored volumes to the restored instance or the instance specified in EC2 restore volumes request.
ec2:DetachVolume
ec2:AttachVolume
AttachVolume attaches an EBS volume to an EC2 instance. There is no condition for this operation. This is to facilitate the following:

- Allow attaching a volume which was not restored by Clumio to a Clumio restored EC2 instance.
- Allow attaching a Clumio restored volume to an EC2 instance which was not restored by Clumio.DetachVolume allows Clumio to detach a volume only from a Clumio restored EC2 instance.
ec2:RegisterImageClumio restore uses RegisterImage operation to create an AMI, in case of a restore as an AMI image.
RegisterImage can be performed only on a Clumio restored snapshot.
ec2:DeregisterImageClumio restore de-registers the image if the restore operation has failed after the register image operation.
DeregisterImage can be performed only on a Clumio restored snapshot.
ec2:RunInstancesClumio restore uses run instance operation to launch a restored instance with the required resources.
ec2:StartInstances
ec2:StopInstances
ec2:TerminateInstances
Clumio restore performs instance based operations such as  StartInstances, StopInstances and TerminateInstances at various steps in the instance restore task.
Allow the listed instance operations on instances with ClumioRestoreTag.
ec2:DeleteNetworkInterfaceClumio restore deletes the network interface created while launching the restored instance in case restore failure after launching the instance.
DeleteNetworkInterface is allowed only if the interface is tagged with ClumioRestoreTag.
ec2:AssociateAddress
ec2:DisassociateAddress
Clumio restore associates addresses with the network interfaces after restoring the instance.
If the restore fails after association of address to the network interfaces step, then the DisassociateAddress operation is performed.
The AssociateAddress or DisassociateAddress operations are performed only on instances and network interfaces tagged with ClumioRestoreTag.
ec2:CreateTagsClumio intends to create tags only on Clumio created resources so as to avoid extending Clumio Role’s access to other existing resources by allowing CreateTags operation.
Deny direct CreateTags operation. 
Allow tag creation on listed resources only if they are associated with CreateAction operations other than CreateTags.
Clumio creates images using the RegisterImage operation which does not support CreateTags as a dependent operation. Therefore, access to CreateTags is required by Clumio restore.
Allow CreateTags operation only on an image only if one of the request tags is ClumioRestoreTag.
ec2:DeleteTagsDeleteTags is a delete operation which should be allowed only on resources which have been created by Clumio operations to avoid accidental deletion of tags.
Allow Delete Tags on an image or snapshot only if the resource is tagged with ClumioRestoreTag.
iam:PassRoleAccess for PassRole is required to attach an instance profile to the restored instance.
ebs:GetSnapshotBlock
ebs:ListChangedBlocks
ebs:ListSnapshotBlocks
Allow read operations on a given snapshot. Clumio restore uses these operations to read the data in a snapshot.
iam:GetInstanceProfileRestore uses the GetInstanceProfile operation to validate the instance profile to be attached to the restored instance.
iam:GetRoleRestore uses GetRole operation to validate the given AWS role.
ec2:DescribeCapacityReservations
ec2:DescribeAddresses
ec2:DescribeNetworkInterfaces
ec2:DescribeVpcs
ec2:DescribeElasticGpus
ec2:DescribeSubnets
ec2:DescribeKeyPairs
elastic-inference:DescribeAcceleratorOfferings
elastic-inference:DescribeAccelerators
Restore uses the listed EC2 describe operations to validate the restored instances.

ClumioEC2MSSQLBackupRestorePolicy

Grants access to Clumio for SQL on EC2 protection.

Action(s)Permission statement
ssm:GetCommandInvocationRead permission to view SSM command execution details.
iam:GetInstanceProfileRead permission to retrieve information about the Instance Profile attached to the EC2 Instance.
ec2:DescribeInstancesDescribes specified instances or all instances.
ssm:SendCommandWrite permission, allows Clumio to run commands using SSM on an EC2 instance.
ssm:CancelCommandWrite permission, allows Clumio to cancel running SSM commands on an EC2 instance
ssm:SendCommandAllows Clumio to run SSM documents on an EC2 instance.
iam:GetRoleAllows Clumio to obtain SSM Notification Role details.
iam:PassRoleAllows Clumio to pass SSM Notification Role to SSM service.
ec2:CreateVolumeCreates an EBS volume with a Clumio vendor tag (required) when additional space is not available.
ec2:DetachVolume
ec2:AttachVolume
Allows Clumio to attach or detach an EBS volume.
ec2:DetachVolume
ec2:AttachVolume
Allows Clumio to attach or detach an EBS volume with an EC2 instance.
ec2:DeleteVolumeAllows Clumio to delete the additional EBS volume.
ec2:CreateTagsAllows Clumio to create vendor tags for an attached EBS volume.
ec2:DeleteTagsAllows Clumio to remove vendor tags of an attached EBS volume.

ClumioRdsBackupPolicy

Grants access to Clumio for RDS Snap and SecureVault in-region and cross-region backups

Action(s)Permission statement
rds:CopyDBClusterSnapshot
rds:ModifyDBClusterSnapshotAttribute
Copies a snapshot of a database cluster.
Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.
rds:CopyDBSnapshot
rds:ModifyDBSnapshotAttribute
Copies the specified database snapshot.
rds:CreateDBClusterSnapshotCreates a snapshot of a database cluster.
rds:DescribeDBClusterSnapshotsReturns information about database cluster snapshots.
rds:CreateDBSnapshotCreates a snapshot of a database instance.
rds:DescribeDBSubnetGroupsReturns a list of DBSubnetGroup descriptions.
rds:AddTagsToResourceAdds metadata tags to an Amazon RDS resource.
rds:ModifyOptionGroupModifies an existing option group.
rds:ModifyDBClusterModifies the settings of an Amazon Aurora database cluster or a Multi-AZ database cluster.
rds:ModifyDBInstanceModifies settings for a database instance.
ec2:DescribeSecurityGroupsDescribes the specified security groups or all of your security groups.
rds:ListTagsForResourceLists all tags on an Amazon RDS resource.
rds:DeleteDBClusterSnapshotDeletes a database cluster snapshot.
rds:DeleteDBSnapshotDeletes a database snapshot.
kms:CreateGrantRequired during backup and restore of an RDS instance or cluster.

ClumioRdsRestorePolicy

Action(s)Permission statement
rds:ListTagsForResourceRequired to identify a Clumio restored instance or cluster for cleanup.
rds:CreateDBInstanceRequired to restore an RDS instance in an RDS cluster.
rds:CreateDBParameterGroupRequired to restore the parameter group configuration.
rds:RestoreDBInstanceFromDBSnapshotRequired to restore an RDS instance from the snapshot.
rds:RestoreDBInstanceToPointInTimeRequired to restore a RDS instance from its point in time configuration.
rds:RestoreDBClusterFromSnapshotRequired to restore the RDS cluster from the snapshot.
rds:RestoreDBClusterToPointInTimeRequired to restore a RDS cluster from its point in time configuration.
rds:RemoveTagsFromResourceRequired to remove the Clumio tag from a restored RDS instance or cluster.
rds:AddTagsToResourceRequired to identify the Clumio restored instance or cluster for cleanup.
rds:CreateOptionGroupRequired to restore an option group in Clumio restored instance/cluster.
Wildcard required in resource ARN for cross-region restores.
rds:CreateDBInstanceReadReplicaRequired to restore the read-replicas for Clumio restored instance/cluster.
Wildcard is used for regions so that Clumio can create read-replicas in the regions not connected to Clumio.
rds:DeleteDBClusterRequired to clean up a Clumio-created RDS cluster on failure.
rds:DeleteDBInstanceRequired to clean up a Clumio-created RDS instance on failure.
rds:AddRoleToDBClusterRequired to associate IAM role(s) for a Clumio restored cluster.
rds:AddRoleToDBInstanceRequired to associate IAM role(s) for a Clumio restored instance.
iam:PassRoleRequired to pass the associated IAM role(s) to a Clumio restored instance or cluster.

ClumioS3BackupPolicy

This policy contains permissions required for S3 continuous backups.

Action(s)Permission statement
cloudwatch:GetMetricStatisticsRequired to get Cloudwatch metrics for S3 buckets.
s3:ListBucket
s3:PutObject
s3:PutObjectAcl
s3:PutObjectTagging
Required to allow Clumio backups.
organizations:DescribeOrganizationRequired to allow Clumio to only have to add one policy for the entire AWS organization. Otherwise, Clumio would have to create policies for each account.
s3:GetInventoryConfiguration
s3:PutInventoryConfiguration
s3:ListBucket
s3:ListBucketVersions
s3:ListBucketMultipartUploads
s3:GetObject
s3:GetObjectTagging
s3:GetObjectVersionTagging
s3:GetObjectVersion
Required to get S3 bucket and object information in preparation for S3 backup and S3 continuous backup.
s3:GetBucketNotification
s3:PutBucketNotification
Required to set up S3 bucket event notifications in customer buckets to forward to EventBridge for continuous backup.
events:DescribeRule
events:PutRule
events:DeleteRule
events:PutTargets
events:RemoveTargets
events:ListTargetsByRule
Required to configure an EventBridge rule to forward customer bucket events to Clumio arena bucket for continuous backup.
iam:PassRoleRequired for continuous backup, as EventBridge requires all new cross account event bus targets to add IAM Roles. This allows Clumio to pass in the Continuous Backup role.

ClumioS3RestorePolicy

This policy contains permissions required to restore S3 assets.

Action(s)Permission statement
s3:PutObject
s3:PutObjectAcl
s3:PutObjectTagging
s3:DeleteObject
Required to allow Clumio to modify customer bucket contents during restore.

ClumioEC2MSSQLSSMInstanceRoleV2

An instance profile that is assigned to EC2 instances, if those instances do not have any role attached to them, to allow the System manager access to customer EC2 instances.

Trust policies

Action(s)Permission statement
sts:AssumeRoleRole is attached to the EC2 instance and used to perform SSM agent API operations.

Inline policies

ClumioEC2MSSQLSSMInstancePolicy

Action(s)Permission statement
ec2:DescribeInstances
ec2:CreateSnapshot
ec2:CreateTags
ssm:DescribeInstanceProperties
ssm:RegisterManagedInstance
ssm:GetManifest
ssm:PutConfigurePackageResult
Required to allow the SSM agent to perform API operations. Resource for these actions must be a wildcard character.
sm:DescribeDocumentParametersRequired to allow the SSM agent to perform API operations while executing SSM documents.
ssm:UpdateInstanceAssociationStatusWrite permission to update instance association status.
ssm:ListInstanceAssociations
ssm:UpdateInstanceInformation
Required to allow the SSM agent to perform API operations related to the Instance and Managed Instance.
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
Required to allow the AmazonSSM agent to perform API operations while interacting with the Session Manager.
ec2messages:AcknowledgeMessage
ec2messages:DeleteMessage
ec2messages:FailMessage ec2messages:GetEndpoint
ec2messages:GetMessages ec2messages:SendReply
Required to allow the AmazonSSM agent to perform API operations while interacting with Amazon Message Delivery Service.
Resource for EC2 messages must be a wildcard character.

ClumioS3ContinuousBackupEventBridgeRole

This role is required if you select the S3 asset type to apply Clumio protection and want to use Clumio’s S3 continuous backup feature.

Trust policies

Action(s)Permission statement
sts:AssumeRoleRequired by EventBridge for new cross account event bus targets to add IAM roles
This passes in that role, and is necessary for continuous backup.

Inline policies

ClumioS3ContinuousBackupEventBridgePolicy

Action(s)Permission statement
events:PutEventsAllows S3 events from an on-boarded AWS account to be forwarded to Eventbridge.

ClumioSSMNotificationRole

This role is used to publish SNS notifications about the SSM agent.

Trust policies

Action(s)Permission statement
sts:AssumeRoleRole required to publish SNS notifications about the SSM agent.

Inline policies

ClumioSSMNotificationPolicy

Action(s)Permission statement
sns:PublishAllow Clumio SSM Notification Role to publish messages to SNS Topic in the control plane account.

ClumioSupportRole

This role is optional in the manual onboarding flow.

Trust policies

Action(s)Permission statement
sts:AssumeRoleThis role can only be assumed by a single role in the Clumio control plane.

Inline policies

ClumioSupportPolicy

Action(s)Permission statement
support:AddAttachmentsToSet
support:AddCommunicationToCase
support:CreateCase
support:DescribeAttachment
support:DescribeCases
support:DescribeCommunications
support:DescribeCreateCaseOptions
support:DescribeServices
support:DescribeSeverityLevels
support:DescribeSupportedLanguages
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:DescribeTrustedAdvisorCheckResult
support:DescribeTrustedAdvisorChecks
support:DescribeTrustedAdvisorCheckSummaries
Allows Clumio Support to create cases to proactively fix any issues with backup and restore operations.

ClumioEventPub

This SNS topic notifies Clumio services about any new events in the customer’s resource inventory. The ARN for this topic is required to be passed as the target ARN for the event rules. It contains the following policy.

ClumioEventPubPolicy

This policy provides security to the inventory topic.

Action(s)Permission statement
SNS:PublishAny resource in a customer account can publish to this topic.
SNS:SubscribeClumio control plane resources can subscribe to this topic.
SNS:ListSubscriptionsByTopicRequired to list subscriptions associated with this topic.
SNS:PublishRequired so that EventBridge rules in a customer account can publish to this topic.

Contact [email protected] in case of any clarifications or questions.