Permissions file details

Clumio generates a permissions file based on the asset types selected when you manually on-board your AWS account to Clumio. The policies attached to each of the entities grant Clumio specific permissions to access your account and the selected resources within it in order to protect your AWS assets.

Note: Permissions required for RDS and MS SQL on EC2 will be added in upcoming revisions.

The tables below describe the permissions that Clumio requires to perform an inventory of the selected assets and to run backup and restore operations. Depending on your selections, the permissions file contains all of the following entities or a subset of them.


ClumioIAMRole

This is the role Clumio assumes in a customer account to provide the Cloud Inventory, Backup and Restore features. This role is required; without it, Clumio cannot protect any AWS assets.

Action(s) | Permission statement
sts:AssumeRole | This role can only be assumed by a single intermediate role within Clumio's control plane.

ClumioBasePolicy

This policy grants Clumio access for basic validation and to obtain basic information. The permissions defined in this policy are required for Clumio to list and validate protection policies for AWS assets.

Action(s) | Permission statement
iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:GetRolePolicy | List all policies (managed and inline) for ClumioIAMRole and ClumioSupportRole. Required to validate policies.
iam:ListAccountAliases | Required to fetch the account alias for the customer's account.
sns:GetTopicAttributes, events:DescribeRule | Required to validate the SNS topic and rule created in the customer's account.
iam:GetRole | Fetch role details for the S3 Continuous Backup Role. Required to validate S3 role details.
iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:GetRolePolicy | List all policies for ClumioS3ContinuousBackupEventBridgeRole. Required to validate policies.
iam:GetPolicy, iam:GetPolicyVersion | Fetch policy definitions for the S3, DynamoDB, or EC2 managed policies. Required for S3, DynamoDB, and EC2 policy validation.

ClumioInventoryPolicy

This policy is required to grant Clumio access for inventory related actions.

Action(s) | Permission statement
backup:ListProtectedResources | Required to allow Clumio insight into other AWS-backed-up resources.
s3:ListAllMyBuckets, s3:GetBucketLocation, s3:GetEncryptionConfiguration, s3:GetBucketVersioning, s3:GetBucketPolicy, s3:GetBucketTagging, s3:GetReplicationConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging | Required to list all S3 buckets and relevant information.
cloudwatch:GetMetricStatistics | Required to get CloudWatch metrics for S3 buckets.
dynamodb:DescribeBackup, dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTableReplicaAutoScaling, dynamodb:ListBackups, dynamodb:ListTables, dynamodb:ListTagsOfResource | Required to list all DynamoDB tables and relevant information.
dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, dynamodb:ListGlobalTables | Required to list DynamoDB global tables and relevant information.
ec2:DescribeImageAttribute, ec2:DescribeImages, ec2:DescribeInstanceAttribute, ec2:DescribeInstanceStatus, ec2:DescribeInstances, ec2:DescribeInstanceTypes, ec2:DescribeInstanceCreditSpecifications, ec2:DescribeInstanceTypeOfferings, ec2:DescribeTags, ec2:DescribeSnapshots, ec2:DescribeAvailabilityZones, ec2:DescribeSecurityGroups | Required to list EC2 resources and relevant information.
ec2:DescribeFastSnapshotRestore, ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots, ec2:DescribeVolumeAttribute, ec2:DescribeVolumeStatus, ec2:DescribeVolumes, ebs:ListChangedBlocks, ebs:ListSnapshotBlocks, kms:DescribeKey | Required to list EBS resources and relevant information.

ClumioKMSPolicy

This policy is required to grant Clumio access to customer keys and Clumio’s keys during backup and restore operations.

Action(s) | Permission statement
kms:DescribeKey, kms:Encrypt, kms:Decrypt, kms:ReEncryptFrom, kms:ReEncryptTo, kms:GenerateDataKey, kms:GenerateDataKeyPair, kms:GenerateDataKeyPairWithoutPlaintext, kms:GenerateDataKeyWithoutPlaintext, kms:CreateGrant | Required to access customers' keys during backup and restore operations if objects in the customer's bucket are encrypted. Also required while copying large objects directly between the customer's bucket and Clumio's arena bucket.

ClumioS3BackupPolicy

This policy contains permissions required for S3 continuous backups.

Action(s) | Permission statement
cloudwatch:GetMetricStatistics | Required to get CloudWatch metrics for S3 buckets.
s3:ListBucket, s3:PutObject, s3:PutObjectAcl, s3:PutObjectTagging | Required to allow Clumio backups.
organizations:DescribeOrganization | Required to allow Clumio to add a single policy for the entire AWS organization. Otherwise, Clumio would have to create policies for each account.
s3:GetInventoryConfiguration, s3:PutInventoryConfiguration, s3:ListBucket, s3:ListBucketVersions, s3:ListBucketMultipartUploads, s3:GetObject, s3:GetObjectTagging, s3:GetObjectVersionTagging, s3:GetObjectVersion | Required to get S3 bucket and object information in preparation for S3 backup and S3 continuous backup.
s3:GetBucketNotification, s3:PutBucketNotification | Required to set up S3 bucket event notifications in customer buckets that forward to EventBridge for continuous backup.
events:DescribeRule, events:PutRule, events:DeleteRule, events:PutTargets, events:RemoveTargets, events:ListTargetsByRule | Required to configure an EventBridge rule that forwards customer bucket events to the Clumio arena bucket for continuous backup.
iam:PassRole | Required for continuous backup, because EventBridge requires an IAM role for every new cross-account event bus target. This allows Clumio to pass in the Continuous Backup role.

ClumioS3RestorePolicy

This policy contains permissions required to restore S3 assets.

Action(s) | Permission statement
s3:PutObject, s3:PutObjectAcl, s3:PutObjectTagging, s3:DeleteObject | Required to allow Clumio to modify customer bucket contents during restore.

ClumioDynamoDbBackupPolicy

This policy contains permissions required for DynamoDB Snap and SecureVault backups.

Action(s) | Permission statement
dynamodb:ExportTableToPointInTime, dynamodb:UpdateTable | Required during seed backup to export the table data to S3 and enable streams.
dynamodb:DescribeStream, dynamodb:GetRecords, dynamodb:GetShardIterator | Required during incremental backups to capture the incremental data from streams.
dynamodb:DescribeExport | Required during seed backup to export the table data to S3.
s3:AbortMultipartUpload, s3:PutObject, s3:PutObjectAcl | Required during seed backup to upload table data to S3.
kms:CreateGrant, kms:Decrypt, kms:DescribeKey, kms:Encrypt, kms:GenerateDataKey, kms:ReEncryptFrom, kms:ReEncryptTo | Required to decrypt the items in the encrypted table and encrypt the S3 files.
dynamodb:CreateBackup, dynamodb:DescribeTable, dynamodb:DescribeContinuousBackups, dynamodb:DescribeTimeToLive, dynamodb:ListTagsOfResource, dynamodb:UpdateContinuousBackups | Required to back up table data and configuration information.
dynamodb:DeleteBackup, dynamodb:DescribeBackup | Required to delete backups on expiry or during cleanup of failed backups.
dynamodb:ListBackups | Required to list snap backups.
application-autoscaling:DescribeScalableTargets, application-autoscaling:DescribeScalingPolicies | Required to back up autoscaling configuration information.

ClumioDynamoDbRestorePolicy

This policy contains permissions required to restore DynamoDB Snap and SecureVault backups.

Action(s) | Permission statement
kms:Decrypt, kms:DescribeKey, kms:Encrypt, kms:GenerateDataKey, kms:ReEncryptFrom, kms:ReEncryptTo | Required to decrypt the S3 files and encrypt the restored table items.
dynamodb:CreateTable, dynamodb:CreateTableReplica, dynamodb:UpdateTableReplicaAutoScaling | Required to restore table data and the global table replica, and then update them with the same backup configuration.
dynamodb:ImportTable, dynamodb:DescribeImport | Required to restore to a new table from S3 files.
s3:GetObject, s3:ListBucket | Required to restore to a new table from S3 files.
logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogGroups, logs:DescribeLogStreams, logs:PutLogEvents, logs:PutRetentionPolicy | Required by the ImportTable API used during restores.
dynamodb:BatchWriteItem, dynamodb:DeleteItem, dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query, dynamodb:Scan, dynamodb:TagResource, dynamodb:UntagResource, dynamodb:UpdateItem, dynamodb:UpdateTimeToLive | Required to restore from a snap.
dynamodb:DeleteTable | Required to delete the table during failed restore cleanup.
dynamodb:DescribeTable, dynamodb:RestoreTableFromBackup, dynamodb:RestoreTableToPointInTime | Required to restore from a snap.
application-autoscaling:PutScalingPolicy, application-autoscaling:RegisterScalableTarget | Required to restore the autoscaling settings of the DynamoDB table's provisioned throughput.
iam:PassRole | Required for cross-region snap and PITR restores with autoscaling settings.
iam:CreateServiceLinkedRole | AWSServiceRoleForApplicationAutoScaling_DynamoDBTable is automatically created when the RegisterScalableTarget API is called.

ClumioEC2BackupPolicy

This is the Clumio-managed IAM policy for EBS and EC2 backups. It is a generic policy that relies on a tag to identify Clumio-created resources in the customer account: most of the policy statements in ClumioEc2BackupPolicy use tag-based conditions to grant access to the actions.

The following tag is used: ClumioVendorTag - Vendor: Clumio

Action(s) | Permission statement
ec2:CreateSnapshots, ec2:CreateSnapshot | Required to take point-in-time snapshots of a given volume or instance for backup. The actions are allowed only if the request carries ClumioVendorTag.
ec2:CreateSnapshots, ec2:CreateSnapshot | Allow CreateSnapshot(s) on any instance or volume in the AWS account. The resulting snapshot is tagged with ClumioVendorTag per the statements in AllowStartSnapshotWithClumioRequestTag.
ec2:DeleteSnapshot | Required to delete snapshots in the following cases: (1) Clumio maintains only one snapshot per volume per storage tier, so during incremental backup the older snapshots taken by previous backups are deleted; (2) when a backup expires, the snapshots associated with the backup (if any) are deleted. This action is allowed only on snapshots tagged with ClumioVendorTag.
ec2:RegisterImage | Required to register an image of a given EC2 instance in aws_snapshot backup operations. This action is allowed on a snapshot only if it is tagged with ClumioVendorTag.
ec2:DeregisterImage | Required to let Clumio AWS backup deregister the image registered at the time of backup, if the backup fails after the image has been registered. This action is allowed only if the image is tagged with ClumioVendorTag.
ec2:CreateTags | Deny direct CreateTags operations. Allow tag creation only as part of CreateSnapshot(s) operations. Allow CreateTags on an image only if one of the request tags is ClumioVendorTag.
ec2:DeleteTags | Allow DeleteTags on an image or snapshot only if the resource is tagged with ClumioVendorTag.
ebs:GetSnapshotBlock, ebs:ListChangedBlocks, ebs:ListSnapshotBlocks | Allow read operations on a given snapshot. Clumio backup uses these operations to retrieve the data in a snapshot.
ec2:DescribeCapacityReservations, ec2:DescribeAddresses, ec2:DescribeNetworkInterfaces, ec2:DescribeVpcs, ec2:DescribeElasticGpus, ec2:DescribeSubnets, ec2:DescribeKeyPairs, elastic-inference:DescribeAcceleratorOfferings, elastic-inference:DescribeAccelerators | Allow 'describe' operations on resources that could be associated with an EC2 instance.
iam:GetInstanceProfile | Allow read on a given instance profile.
iam:GetRole | Allow read on a given role.

ClumioEC2RestorePolicy

This is the Clumio-managed IAM policy for EBS and EC2 restore operations. Most of the policy statements in ClumioEc2RestorePolicy use tag-based conditions to grant access to the actions.

The following tags are used in the tag-based conditions:

  1. ClumioVendorTag - Vendor: Clumio
    This is a generic tag used to identify Clumio-created resources in the customer account.
  2. ClumioRestoreTag - clumio.restore.tag : "*"
    During an EC2/EBS restore, this tag is temporarily applied to the resources until the restore completes.

Action(s) | Permission statement
ebs:StartSnapshot | A Clumio restore task invokes StartSnapshot to restore a snapshot in three steps: start a snapshot, put the data of the volume to be restored into the snapshot, and complete the snapshot. Allow StartSnapshot only if the request contains ClumioVendorTag.
ebs:CompleteSnapshot, ebs:PutSnapshotBlock | The Clumio restore task invokes CompleteSnapshot to restore a snapshot. Snapshot operations are allowed only on snapshots with ClumioVendorTag.
ec2:CreateSnapshots, ec2:CreateSnapshot | Clumio restore uses CreateSnapshot(s) to generate an AMI of a restored instance/volume. Allow CreateSnapshot with ClumioRestoreTag for volume restore.
ec2:CreateVolume | Clumio restore invokes CreateVolume to create a restored volume. Allow CreateVolume only if the request contains ClumioRestoreTag.
ec2:DeleteVolume | Clumio restore deletes the restored volume if the restore fails after the volume has been created. Allow DeleteVolume only if the volume is tagged with ClumioRestoreTag.
ec2:AttachVolume | Clumio restore attaches the restored volumes to the restored instance or to the instance specified in the EC2 restore volumes request.
ec2:DetachVolume, ec2:AttachVolume | AttachVolume attaches an EBS volume to an EC2 instance. There is no condition on this operation, so that (1) a volume not restored by Clumio can be attached to a Clumio-restored EC2 instance, and (2) a Clumio-restored volume can be attached to an EC2 instance not restored by Clumio. DetachVolume allows Clumio to detach a volume only from a Clumio-restored EC2 instance.
ec2:RegisterImage | Clumio restore uses RegisterImage to create an AMI when restoring as an AMI image. RegisterImage can be performed only on a Clumio-restored snapshot.
ec2:DeregisterImage | Clumio restore deregisters the image if the restore fails after the RegisterImage operation. DeregisterImage can be performed only on a Clumio-restored snapshot.
ec2:RunInstances | Clumio restore uses RunInstances to launch a restored instance with the required resources.
ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances | Clumio restore performs instance operations such as StartInstances, StopInstances and TerminateInstances at various steps of the instance restore task. Allow the listed instance operations only on instances with ClumioRestoreTag.
ec2:DeleteNetworkInterface | Clumio restore deletes the network interface created while launching the restored instance if the restore fails after the instance has been launched. DeleteNetworkInterface is allowed only if the interface is tagged with ClumioRestoreTag.
ec2:AssociateAddress, ec2:DisassociateAddress | Clumio restore associates addresses with the network interfaces after restoring the instance. If the restore fails after the address association step, DisassociateAddress is performed. AssociateAddress and DisassociateAddress are performed only on instances and network interfaces tagged with ClumioRestoreTag.
ec2:CreateTags | Clumio intends to create tags only on Clumio-created resources, so that allowing CreateTags does not extend the Clumio role's access to other existing resources. Deny direct CreateTags operations. Allow tag creation on the listed resources only when it is associated with a create action other than CreateTags. Clumio creates images with RegisterImage, which does not support CreateTags as a dependent operation, so Clumio restore needs CreateTags for images: allow CreateTags on an image only if one of the request tags is ClumioRestoreTag.
ec2:DeleteTags | DeleteTags is a delete operation and should be allowed only on resources created by Clumio operations, to avoid accidental deletion of tags. Allow DeleteTags on an image or snapshot only if the resource is tagged with ClumioRestoreTag.
iam:PassRole | PassRole is required to attach an instance profile to the restored instance.
ebs:GetSnapshotBlock, ebs:ListChangedBlocks, ebs:ListSnapshotBlocks | Allow read operations on a given snapshot. Clumio restore uses these operations to read the data in a snapshot.
iam:GetInstanceProfile | Restore uses GetInstanceProfile to validate the instance profile to be attached to the restored instance.
iam:GetRole | Restore uses GetRole to validate the given AWS role.
ec2:DescribeCapacityReservations, ec2:DescribeAddresses, ec2:DescribeNetworkInterfaces, ec2:DescribeVpcs, ec2:DescribeElasticGpus, ec2:DescribeSubnets, ec2:DescribeKeyPairs, elastic-inference:DescribeAcceleratorOfferings, elastic-inference:DescribeAccelerators | Restore uses the listed describe operations to validate the restored instances.
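The two security-relevant properties of this permissions file are the ClumioIAMRole trust relationship (assumable by exactly one intermediate role) and the tag-based conditions that scope the mutating EC2/EBS actions in the backup and restore policies to Clumio-created resources. The following script, added here as an illustration and not Clumio's own tooling, audits a generated permissions file for both properties offline. The trust-policy and EC2-policy documents embedded in it are constructed samples: the account ID, the ClumioIntermediateRole name and the Sids other than AllowStartSnapshotWithClumioRequestTag are placeholders, and the tag key Vendor with value Clumio is taken from the ClumioVendorTag description above. AttachVolume is passed in as a documented exception because the restore table states it is intentionally unconditioned.

```python
"""Least-privilege checks over a Clumio-style permissions file (added example)."""
import fnmatch

# ClumioVendorTag is described above as Vendor: Clumio.
VENDOR_TAG_KEY = "Vendor"

# Mutating EC2/EBS action families that the tables scope with tag conditions.
MUTATING_PATTERNS = (
    "ec2:Create*", "ec2:Delete*", "ec2:Run*", "ec2:Start*", "ec2:Stop*",
    "ec2:Terminate*", "ec2:Attach*", "ec2:Detach*", "ec2:Register*",
    "ec2:Deregister*", "ec2:AssociateAddress", "ec2:DisassociateAddress",
    "ebs:StartSnapshot", "ebs:CompleteSnapshot", "ebs:PutSnapshotBlock",
)

# IAM condition keys that tie an action to a tag on the request, a tag on the
# resource, or the create action that a CreateTags call is attached to.
TAG_CONDITION_PREFIXES = ("aws:requesttag/", "aws:resourcetag/", "ec2:createaction")


def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_keys(statement):
    """Lower-cased condition keys of a statement, across all condition operators."""
    keys = set()
    for operator_map in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_map)
    return keys


def is_tag_scoped(statement):
    return any(key.startswith(TAG_CONDITION_PREFIXES) for key in condition_keys(statement))


def unscoped_mutations(policy, documented_exceptions=frozenset()):
    """(Sid, action) pairs that allow a mutating action without any tag condition.

    documented_exceptions lists actions the permissions file intentionally leaves
    unconditioned, so they are not reported.
    """
    findings = []
    for statement in as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow" or is_tag_scoped(statement):
            continue
        for action in as_list(statement.get("Action")):
            if action in documented_exceptions:
                continue
            if any(fnmatch.fnmatchcase(action, pat) for pat in MUTATING_PATTERNS):
                findings.append((statement.get("Sid", "<no Sid>"), action))
    return findings


def assume_role_principals(trust_policy):
    """Principals that an Allow statement lets call sts:AssumeRole on the role."""
    principals = []
    for statement in as_list(trust_policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(statement.get("Action")):
            continue
        principal = statement.get("Principal", {})
        if principal == "*":
            principals.append("*")
        else:
            principals.extend(as_list(principal.get("AWS")))
    return principals


def trust_policy_is_single_role(trust_policy):
    """True when exactly one role ARN, with no wildcard, may assume the role."""
    principals = assume_role_principals(trust_policy)
    if len(principals) != 1:
        return False
    arn = principals[0]
    return arn.startswith("arn:aws:iam::") and ":role/" in arn and "*" not in arn


# Constructed sample trust policy; account ID and role name are placeholders.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/ClumioIntermediateRole"}}],
}

# Constructed sample backup policy: tag-scoped statements modelled on the tables,
# one documented exception (AttachVolume), and one deliberately unscoped
# DeleteVolume statement so the audit has a finding to report.
SAMPLE_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowStartSnapshotWithClumioRequestTag", "Effect": "Allow",
         "Action": ["ec2:CreateSnapshot", "ec2:CreateSnapshots"], "Resource": "arn:aws:ec2:*::snapshot/*",
         "Condition": {"StringEquals": {f"aws:RequestTag/{VENDOR_TAG_KEY}": "Clumio"}}},
        {"Sid": "AllowDeleteSnapshotTaggedByClumio", "Effect": "Allow",
         "Action": "ec2:DeleteSnapshot", "Resource": "arn:aws:ec2:*::snapshot/*",
         "Condition": {"StringEquals": {f"aws:ResourceTag/{VENDOR_TAG_KEY}": "Clumio"}}},
        {"Sid": "AllowCreateTagsOnlyWithCreateSnapshot", "Effect": "Allow",
         "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*::snapshot/*",
         "Condition": {"StringEquals": {"ec2:CreateAction": ["CreateSnapshot", "CreateSnapshots"]}}},
        {"Sid": "AllowAttachVolumeUnconditioned", "Effect": "Allow", "Action": "ec2:AttachVolume", "Resource": "*"},
        {"Sid": "AllowDeleteVolumeUnscoped", "Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*"},
        {"Sid": "AllowDescribe", "Effect": "Allow", "Action": ["ec2:DescribeSnapshots", "ec2:DescribeVolumes"], "Resource": "*"},
    ],
}


def audit(trust_policy, policy, documented_exceptions=frozenset({"ec2:AttachVolume"})):
    """Summarise both checks for a role trust policy and one attached policy."""
    return {"trust_single_role": trust_policy_is_single_role(trust_policy),
            "unscoped_mutations": unscoped_mutations(policy, documented_exceptions)}


if __name__ == "__main__":
    print(audit(SAMPLE_TRUST_POLICY, SAMPLE_EC2_POLICY))
```

To run it against a real permissions file, load each policy document with json.load and pass the trust policy of ClumioIAMRole and each attached policy to audit; any (Sid, action) pair it reports that is not covered by an explanation in the tables above is the one to question before attaching the role.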


ClumioDriftDetectPolicy

This policy grants Clumio read permissions to detect changes in resources in an account.

Action(s) | Permission statement
cloudformation:DescribeStacks, cloudformation:DescribeStackResources, cloudformation:DetectStackResourceDrift, iam:GetServiceLinkedRoleDeletionStatus, iam:ListInstanceProfilesForRole, iam:SimulatePrincipalPolicy, iam:GetContextKeysForPrincipalPolicy, iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:ListRoleTags, iam:GetRolePolicy, iam:GetRole, sns:GetTopicAttributes, sns:ListSubscriptionsByTopic, sns:ListTagsForResource, events:DescribeEventBus, events:ListTagsForResource, events:DescribeRule, events:ListTargetsByRule | Read permissions required to detect changes in resources in a customer's account.

ClumioSupportRole

This role is optional in the manual onboarding flow. The Support role can be assumed only by a single role in the Clumio control plane.

The role requires the following policy.

ClumioSupportPolicy

Action(s) | Permission statement
support:AddAttachmentsToSet, support:AddCommunicationToCase, support:CreateCase, support:DescribeAttachment, support:DescribeCases, support:DescribeCommunications, support:DescribeCreateCaseOptions, support:DescribeServices, support:DescribeSeverityLevels, support:DescribeSupportedLanguages, support:DescribeTrustedAdvisorCheckRefreshStatuses, support:DescribeTrustedAdvisorCheckResult, support:DescribeTrustedAdvisorChecks, support:DescribeTrustedAdvisorCheckSummaries | Required to allow Clumio Support to create cases to proactively fix any issues with backup and restore operations.

ClumioS3ContinuousBackupEventBridgeRole

This role is required if you select the S3 asset type to apply Clumio protection and want to use Clumio’s S3 continuous backup feature. It contains the following policy.

ClumioS3ContinuousBackupEventBridgePolicy

Action(s) | Permission statement
events:PutEvents | Allows S3 events from an on-boarded AWS account to be forwarded to EventBridge.

ClumioEventPub

This SNS topic notifies Clumio services about any new events in the customer's resource inventory. The ARN of this topic must be passed as the target ARN for the event rules. It contains the following policy.

ClumioEventPubPolicy

This policy provides security to the inventory topic.

Action(s) | Permission statement
SNS:Publish | Any resource in a customer account can publish to this topic.
SNS:Subscribe | Clumio control plane resources can subscribe to this topic.
SNS:ListSubscriptionsByTopic | Required to list subscriptions associated with this topic.
SNS:Publish | Required so that EventBridge rules in a customer account can publish to this topic.

Contact [email protected] in case of any clarifications or questions.