Clumio generates a permissions file based on the asset types selected when you manually on-board your AWS account to Clumio. The policies attached to each of the entities grants Clumio specific permissions to access your account and selected resources within it to protect your AWS assets.
Note: Permissions required for RDS and MS SQL on EC2 will be added in upcoming revisions.
The tables below contain descriptions of permissions that Clumio requires to perform an inventory of the selected assets and backup and restore operations. Based on your selections, you will see all of the following entities or a subset of them in the permissions file.
This is the role Clumio will assume in a customer account to provide Cloud Inventory, Backup and Restore features. This role is required, without it, Clumio cannot protect any AWS assets.
|This role can only be assumed by a single intermediate role within Clumio’s control plane
This policy grants Clumio access for basic validation and to obtain basic information. The permissions defined in this policy are required for Clumio to list and validate protection policies for AWS assets.
|List all policies (managed and inline) for ClumioIAMRole and ClumioSupportRole.
Required to validate policies
|Required to fetch account alias for the customer's account.
|Required to validate SNS topic and rule created in customer's account.
|Fetch role details for S3 Continuous Backup Role.
Required to validate S3 role details.
|List all policies for ClumioS3ContinuousBackupEventBridgeRole. Required to validate policies
|Fetch policy definitions for s3, DynamoDB, or EC2 managed policies. Required for S3, DynamoDB, and EC2 policy validation
This policy is required to grant Clumio access for inventory related actions.
|Required to allow Clumio insight into other AWS-backed up resources.
|Required to list all S3 buckets and relevant information.
|Required to get Cloudwatch Metrics for S3 buckets.
|Required to list all DynamoDB tables and relevant information.
|Required to list DynamoDB global tables and relevant information.
|Required to list EC2 resources and relevant information.
|Required to list EBS resources and relevant information.
This policy is required to grant Clumio access to customer keys and Clumio’s keys during backup and restore operations.
|Required in order to access customers' keys during backup and restore operations, if objects in the customers' bucket are encrypted.
Also, required while copying large objects directly between the customer's bucket and Clumio’s arena bucket.
This policy contains permissions required for S3 continuous backups.
|Required to get Cloudwatch metrics for S3 buckets.
|Required to allow Clumio backups.
|Required to allow Clumio to only have to add one policy for the entire AWS org. Otherwise, Clumio would have to create policies for each account.
|Required to get S3 bucket and object information in preparation for S3 backup and S3 continuous backup.
|Required to set up S3 bucket event notifications in customer buckets to forward to EventBridge for continuous backup.
|Required to configure an EventBridge rule to forward customer bucket events to Clumio arena bucket for continuous backup.
|Required for continuous backup, as EventBridge requires all new cross account event bus targets to add IAM Roles. This allows Clumio to pass in the Continuous Backup role.
This policy contains permissions required to restore S3 assets.
|Required to allow Clumio to modify customer bucket contents during restore.
This policy contains permissions required for DynamoDB Snap and SecureVault backups.
|Required during seed backup to export the table data to S3 and enable streams.
|Required during incremental backups to use streams to capture the incremental data.
|Required during seed backup to export the table data to S3.
|Required during seed backup to upload table data to S3.
|Required to decrypt the items in the encrypted table and encrypt the S3 files.
|Required to backup table data and configuration information.
|Required to delete backups during expiry or failed backups cleanup.
|Required to list snap backups.
|Required to backup autoscaling configuration information.
The policy contains permissions required to restore DynamoDB Snap and SecureVault backups
|Required to decrypt the S3 files and encrypt the restored table items.
|Required to restore table data, the global table replica and then update them with the same backup configuration.
|Required to restore to a new table from S3 files.
|Required to restore to a new table from S3 files.
|Required by the ImportTable API used during restores.
|Required to restore from a snap.
|Required to delete table during failed restore cleanup.
|Required to restore from a snap.
|Required to restore autoscaling settings of the DynamoDB table provisioned throughput.
|Required for cross-region snap and PITR restores with autoscaling settings.
|AWSServiceRoleForApplicationAutoScaling_DynamoDBTable is automatically created when the RegisterScalableTarget API is called.
The Clumio Managed IAM policy for EBS and EC2 backups. This is a generic policy used to identify Clumio created resources in the customer account. Most of the policy statements in the ClumioEc2BackupPolicy use tag based conditions to provide access to the actions.
The following tag(s) are used: ClumioVendorTag - Vendor: Clumio
|Required to take point in time snapshots of a given volume or instance for backup.
The actions are allowed only if the operation has ClumioVendorTag in the request.
|Allow CreateSnapshot(s) on any instance or volume in the AWS account.
The resulting snapshot is tagged with ClumioVendorTag per the statements in AllowStartSnapshotWithClumioRequestTag.
|Required to delete snapshots in the following cases:
- Clumio maintains only one snapshot per volume per storage tier. During incremental backup, older snapshots taken by previous backups are deleted.
- When a backup expires, snapshots associated with the backup(if any) are deleted.
This action is allowed only if it is tagged with a ClumioVendorTag.
|Required to register an image of a given EC2 instance in aws_snapshot backup operations.
This action is allowed on a snapshot only if it is tagged with ClumioVendorTag.
|Required to let Clumio AWS backup to deregister the image registered at the time of backup, if backup fails after the image has been registered.
This action is allowed only if the image has been tagged with ClumioVendorTag.
|Deny direct CreateTags operation. Allow tag creation only if it is associated with CreateSnapshot(s) operations.
Allow CreateTags operation on an image only if one of the request tags is ClumioVendorTag.
|Allow Delete Tags on an image or snapshot only if the resource is tagged with ClumioVendorTag.
|Allow read operations on a given snapshot. Clumio backup uses these operations to retrieve the data in a snapshot.
|Allow 'describe' operations on resources which could be associated with an EC2 instance.
|Allow read on a given instance profile.
|Allow read on a given role.
This is the Clumio Managed IAM policy for EBS and EC2 restore operations. Most of the policy statements used in ClumioEc2RestorePolicy use tag based conditions to provide access to the actions.
The following tags are used in the tag based conditions:
- ClumioVendorTag - Vendor: Clumio
This is a generic used to identify Clumio created resources in the customer account.
- ClumioRestoreTag - clumio.restore.tag : "*"
During the process of EC2/EBS Restore, this particular tag is intermittently applied to the resources until the completion of the restore.
|A Clumio restore task invokes StartSnapshot to restore a snapshot with the following steps:
- starts a snapshot
- puts the snapshot data of the volume to be restored in the snapshot
- completes the snapshot.
Allow StartSnapshot action only if the request contains ClumioVendorTag.
|Clumio restore task invokes CompleteSnapshot to restore a snapshot.
Snapshot operations are allowed only on snapshots with ClumioVendorTag.
|Clumio restore uses CreateSnapshot(s) operations to generate an AMI of a restored instance/volume.
Allow create snapshot with ClumioRestoreTag for volume restore.
|Clumio restore invokes CreateVolume to create a restored volume.
Allow CreateVolume only if the operation request contains ClumioRestoreTag.
|Clumio restore deletes the restored volume in case restore fails after the volume has been created.
Allow DeleteVolume only if the volume is tagged with ClumioRestoreTag.
|Clumio restore attaches the restored volumes to the restored instance or the instance specified in EC2 restore volumes request.
|AttachVolume attaches an EBS volume to an EC2 instance. There is no condition for this operation. This is to facilitate the following:
- Allow attaching a volume which was not restored by Clumio to a Clumio restored EC2 instance.
- Allow attaching a Clumio restored volume to an EC2 instance which was not restored by Clumio.
DetachVolume allows Clumio to detach a volume only from a Clumio restored EC2 instance.
|Clumio restore uses RegisterImage operation to create an AMI, in case of a restore as an AMI image.
RegisterImage can be performed only on a Clumio restored snapshot.
|Clumio restore de-registers the image if the restore operation has failed after the register image operation.
DeregisterImage can be performed only on a Clumio restored snapshot.
|Clumio restore uses run instance operation to launch a restored instance with the required resources.
|Clumio restore performs instance based operations such as StartInstances, StopInstances and TerminateInstances at various steps in the instance restore task.
Allow the listed instance operations on instances with ClumioRestoreTag.
|Clumio restore deletes the network interface created while launching the restored instance in case restore failure after launching the instance.
DeleteNetworkInterface is allowed only if the interface is tagged with ClumioRestoreTag.
|Clumio restore associates addresses with the network interfaces after restoring the instance.
If the restore fails after association of address to the network interfaces step, then the DisassociateAddress operation is performed.
The AssociateAddress or DisassociateAddress operations are performed only on instances and network interfaces tagged with ClumioRestoreTag.
|Clumio intends to create tags only on Clumio created resources so as to avoid extending Clumio Role’s access to other existing resources by allowing CreateTags operation.
Deny direct CreateTags operation.
Allow tag creation on listed resources only if they are associated with CreateAction operations other than CreateTags.
Clumio creates images using the RegisterImage operation which does not support CreateTags as a dependent operation. Therefore, access to CreateTags is required by Clumio restore.
Allow CreateTags operation only on an image only if one of the request tags is ClumioRestoreTag.
|DeleteTags is a delete operation which should be allowed only on resources which have been created by Clumio operations to avoid accidental deletion of tags.
Allow Delete Tags on an image or snapshot only if the resource is tagged with ClumioRestoreTag.
|Access for PassRole is required to attach an instance profile to the restored instance.
|Allow read operations on a given snapshot. Clumio restore uses these operations to read the data in a snapshot.
|Restore uses the GetInstanceProfile operation to validate the instance profile to be attached to the restored instance.
|Restore uses GetRole operation to validate the given AWS role.
|Restore uses the listed EC2 describe operations to validate the restored instances.
This policy grants Clumio read permissions to detect changes in resources in an account.
|Read permissions required to detect changes in resources in a customer's account.
This role is optional in the manual onboarding flow. The Support role can be assumed only by a single role in the Clumio control plane.
The role requires the following policy.
|Required to allow Clumio Support to create cases to proactively fix any issues with backup and restore operations.
This role is required if you select the S3 asset type to apply Clumio protection and want to use Clumio’s S3 continuous backup feature. It contains the following policy.
|Allows for S3 events from an on-boarded AWS account to be forwarded to Eventbridge.
This SNS topic notifies Clumio services about any new events in the customer’s resource inventory. The ARN for this topic is required to be passed as the target ARN for the event rules. It contains the following policy.
This policy provides security to the inventory topic.
|Any resource in a customer account can publish to this topic.
|Clumio control plane resources can subscribe to this topic.
|Required to list subscriptions associated with this topic.
|Required so that EventBridge rules in a customer account can publish to this topic.
Contact [email protected] in case of any clarifications or questions.
Updated 3 months ago