Connect to AWS

AWS cloud connection

Appranix must be authenticated and authorized against the customer's AWS account before it can provide resilience for the cloud application environment.

Prerequisites

To onboard an AWS account in Appranix, an IAM role carrying the required permissions is created through an AWS CloudFormation stack. The onboarding user needs the permissions listed below in the AWS account to create the Appranix Role Stack.

  • AWSCloudFormationFullAccess
  • IAMFullAccess

Add a New AWS Cloud Connection in Appranix

  1. Navigate to "Cloud Connections", click "Add Cloud Connection", and choose "AWS Cloud"
  2. Fill in the Name and Description for the Cloud Connection
  3. Select the operational regions where your protection and recovery operations will run
  4. Enable the services required and click Next
  5. Select the "IAM permission" type for the Cloud Connection
  6. Select the CloudFormation launch region, where the Appranix permission stack will be created
  7. After choosing the IAM permission, launch the CloudFormation template in your AWS console
  8. After the stack finishes, copy the Role ARN from the Outputs section of the CloudFormation screen
  9. Once the discovery sync completes successfully, all discovered resources are displayed on the Cloud Connection page

If you run into problems in the steps above, check the following possible causes:

  1. The onboarding user lacks permission to launch CloudFormation
  2. The onboarding user lacks permission to create an IAM role
  3. The Role ARN copied from the stack output is not valid, usually because of a copy-paste error
  4. The newly created role was removed or blocked before the discovery process ran
  5. A network outage or AWS response delay is slowing discovery, since Appranix retries with exponential backoff

Cloud Connection Dashboard and Actions

After successfully completing the Cloud Connection discovery process, all selected operational region resources will be listed at the bottom of your Cloud Connection summary page.

Additionally, the following options are available under the Cloud Connection Actions:

Edit: Update the Cloud Connection name, add new operational regions, and change the selection of cloud services to be discovered.

Disable: Temporarily suspend Cloud Connection discovery and reactivate it when needed.

Shared Cloud Connection: For cross-tenant recovery, share a Cloud Connection between two distinct AWS accounts. See the Shared Cloud Connection documentation for the configuration steps.

Map KMS Key: Map the disk encryption keys of the source region or account to those of the recovery region or account. See the KMS key mapping documentation for details.

Manage AWS Permissions: Update the Cloud Connection permissions as required.

Download Report: Generate a summary report file listing the Cloud Connection's resources, regions, and other relevant details.

Delete: Permanently remove the selected Cloud Connections.

Sync Now: Trigger an immediate Cloud Connection discovery when needed.

AWS IAM Permissions

Appranix gets four sets of permissions during Cloud Connection creation.

  • Discovery
  • Protection
  • Recovery
  • Reset

Operation     Appranix AWS Permissions Name
Discovery     EC2 Discovery Access
              Load balancer Discovery Access
              Load balancer V2 Discovery Access
              KMS Discovery Access
              ACM Discovery Access
              RDS Discovery Access
              EFS Discovery Access
Protection    EC2 Protection Access
              Backup Service Access For Resource Protection
              Backup Storage Access For Resource Protection
              Pass Role For Backup Service Access
              KMS Access For Encrypted Resource Protection
              RDS Protection Access
              RDS Option Group Write Access
              EFS Protection Access
              EC2 Retention Access
              Backup Service Access For Resource Retention
              RDS Retention Access
Recovery      EC2 Recovery Access
              Loadbalancer Recovery Access
              Loadbalancer V2 Recovery Access
              ACM Discovery Access
              KMS Access For Encrypted Resource Recovery
              Cloud Formation Stack Create And Update Access
              RDS Recovery Access
              EFS Recovery Access
              Backup Service Access For Resource Recovery
              Backup Storage Access For Resource Recovery
              Pass Role For Resource Recovery Access
              Lambda Function Create And Invoke Access
Reset         Cloud Formation Stack Delete Access
              EC2 Reset Access
              Loadbalancer Reset Access
              Loadbalancer V2 Reset Access
              Lambda Function Delete Access
              EFS Reset Access

Note

When a permission belonging to one of these sets is revoked manually in the AWS console, every operation that depends on that set will fail.
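Because revoking a single action breaks the whole operation set that needs it, it is worth re-checking the role's policies against the sets listed on this page after any manual edit in IAM. The following is an added example, not Appranix code: it matches required actions against a role's policy statements (wildcard actions and case-insensitive names included), and optionally fetches the role's policies with boto3, which is assumed to be installed and configured; the sample policy is constructed.

```python
"""Offline check: do IAM policy documents still grant an Appranix permission set?"""
import fnmatch
from typing import Dict, Iterable, List

# Two Discovery permission sets copied from this page, keyed by their set name.
PERMISSION_SETS: Dict[str, List[str]] = {
    "KMS Discovery Access": ["kms:ListKeys", "kms:ListAliases", "kms:DescribeKey"],
    "ACM Discovery Access": [
        "acm:DescribeCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate",
    ],
}

# Constructed sample: a role policy that was edited by hand after the stack ran.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:List*", "kms:DescribeKey"], "Resource": "*"},
        {"Effect": "Allow", "Action": "acm:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "acm:ListTagsForCertificate", "Resource": "*"},
    ],
}


def _as_list(value) -> list:
    """IAM accepts a single string wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy_documents: Iterable[dict], action: str) -> bool:
    """Coarse IAM evaluation: a matching Deny wins, otherwise a matching Allow grants.

    Resource and Condition are ignored and NotAction statements are skipped, so this
    is a presence check for the action, not a substitute for IAM policy simulation.
    """
    allowed = False
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            if "NotAction" in stmt:
                continue
            if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def check_permission_sets(policy_documents: Iterable[dict],
                          sets: Dict[str, List[str]] = PERMISSION_SETS) -> Dict[str, List[str]]:
    """Map each permission-set name to its missing actions; an empty list means intact."""
    docs = list(policy_documents)
    return {name: [a for a in actions if not action_allowed(docs, a)]
            for name, actions in sets.items()}


def role_policy_documents(role_arn: str) -> List[dict]:
    """Fetch inline and attached policy documents of the role named in role_arn.

    Assumes boto3 and AWS credentials (imported lazily so the checker runs offline);
    pagination is not handled, which is fine for a single Appranix role.
    """
    import boto3  # assumption: installed and configured
    iam = boto3.client("iam")
    role_name = role_arn.rsplit("/", 1)[-1]  # ARN ends in role/<path>/<name>
    docs = []
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        docs.append(iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"])
    for att in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        vid = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
        docs.append(iam.get_policy_version(PolicyArn=att["PolicyArn"],
                                           VersionId=vid)["PolicyVersion"]["Document"])
    return docs
```

Against a live role, run check_permission_sets(role_policy_documents(role_arn)); an empty list for every set means the stack's grants are still intact, while the sample policy above reports two missing ACM actions (one never granted, one explicitly denied).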

EC2 Discovery Access

     permissions:
     - ec2:DescribeAddresses
     - ec2:DescribeInstances
     - ec2:DescribeInstanceAttribute
     - ec2:DescribeRegions
     - ec2:DescribeDhcpOptions
     - ec2:DescribeClientVpnConnections
     - ec2:DescribeVpcEndpointServices
     - ec2:DescribeSnapshots
     - ec2:DescribeAddressesAttribute
     - ec2:DescribeVpcAttribute
     - ec2:DescribeInternetGateways
     - ec2:DescribeNetworkInterfaces
     - ec2:DescribeAvailabilityZones
     - ec2:DescribeNetworkInterfaceAttribute
     - ec2:DescribeVolumes
     - ec2:DescribeNetworkInterfacePermissions
     - ec2:DescribeVpcEndpointConnections
     - ec2:DescribeNetworkAcls
     - ec2:DescribeRouteTables
     - ec2:DescribeClientVpnEndpoints
     - ec2:DescribeVpnConnections
     - ec2:DescribeSnapshotAttribute
     - ec2:DescribeTags
     - ec2:DescribeVpcPeeringConnections
     - ec2:DescribeNatGateways
     - ec2:DescribeCustomerGateways
     - ec2:DescribeVolumeAttribute
     - ec2:DescribeSecurityGroups
     - ec2:DescribeImages
     - ec2:DescribeSecurityGroupRules
     - ec2:DescribeVpcs
     - ec2:DescribeImageAttribute
     - ec2:DescribeInstanceTypes
     - ec2:DescribeVpcEndpoints
     - ec2:DescribeSubnets
     - ec2:DescribeVpnGateways
     - ec2:DescribeKeyPairs
     - ec2:DescribeHosts
     - ec2:DescribeLaunchTemplates
     - ec2:DescribeLaunchTemplateVersions
     - ec2:DescribeManagedPrefixLists
     - ec2:GetManagedPrefixListEntries

Loadbalancer Discovery Access

      permissions:
      - elasticloadbalancing:Describe

Loadbalancer V2 Discovery Access

     permissions:
     - elasticloadbalancing:Describe

KMS Discovery Access

     permissions:
     - kms:ListKeys
     - kms:ListAliases
     - kms:DescribeKey

ACM Discovery Access

     permissions:
     - acm:DescribeCertificate
     - acm:ListCertificates
     - acm:ListTagsForCertificate

RDS Discovery Access

     permissions:
     - rds:Describe
     - rds:ListTagsForResource

EFS Discovery Access

     permissions:
     - elasticfilesystem:Describe
     - elasticfilesystem:ListTagsForResource

FSx Discovery Access

     permissions:
     - fsx:Describe
     - fsx:ListTagsForResource

Route53 Discovery Access

     permissions:
     - route53:Get
     - route53:List
     - ec2:DescribeVpcs

Lambda Discovery Access

     permissions:
     - lambda:List
     - lambda:Get

S3 Discovery Access

     permissions:
     - s3:List
     - s3:Get
     - s3:Describe

SQS Discovery Access

     permissions:
     - sqs:List
     - sqs:Get

DynamoDB Discovery Access

     permissions:
     - dynamoDb:List
     - dynamoDb:Describe

SNS Discovery Access

     permissions:
     - sns:List
     - sns:Get

CloudWatch Discovery Access

     permissions:
     - cloudWatch:DescribeAlarms
     - cloudWatch:ListTagsForResource
     - cloudWatch:ListMetrics

SSM Discovery Access

     permissions:
     - ssm:DescribeParameters
     - ssm:ListTagsForResource
     - ssm:GetParameters
     - ssm:ListDocuments
     - ssm:DescribeDocument

Secrets Manager Discovery Access

     permissions:
     - secretsmanager:DescribeSecret
     - secretsmanager:ListSecretVersionIds
     - secretsmanager:ListSecrets
     - secretsmanager:GetResourcePolicy

EKS Discovery Access

     permissions:
     - eks:Describe
     - eks:List

Elastic Beanstalk Discovery Access

     permissions:
     - elasticbeanstalk:Describe
     - elasticbeanstalk:ListTagsForResource

AutoScaling Discovery Access

     permissions:
     - autoscaling:Describe

DocumentDB Discovery Access

     permissions:
     - documentDb:Describe
     - documentDb:ListTagsForResource

WAF Discovery Access

     permissions:
     - wafv2:List
     - wafv2:Get
     - cognito-idp:ListResourcesForWebACL
     - apprunner:ListAssociatedServicesForWebAcl
     - ec2:DescribeVerifiedAccessInstanceWebAclAssociations

EC2 Protection Access

     permissions:
     - ec2:DescribeImages
     - ec2:CopySnapshot
     - ec2:CreateTags
     - ec2:CreateSnapshots
     - ec2:DescribeImageAttribute
     - ec2:RegisterImage
     - ec2:CreateSnapshot
     - ec2:ImportSnapshot
     - ec2:DescribeSnapshotAttribute
     - ec2:ModifySnapshotAttribute
     - ec2:CreateImage
     - ec2:CopyImage
     - ec2:ImportImage
     - ec2:DescribeSnapshots
     - ebs:ListSnapshotBlocks
     - ebs:ListChangedBlocks

Backup Service Access For Resource Protection

     permissions:
     - backup:TagResource
     - backup:ListCopyJobs
     - backup:PutBackupVaultAccessPolicy
     - backup:ListTags
     - backup:ListBackupJobs
     - backup:StartBackupJob
     - backup:DescribeCopyJob
     - backup:DescribeBackupJob
     - backup:CopyIntoBackupVault
     - backup:GetBackupVaultAccessPolicy
     - backup:CreateBackupVault
     - backup:ListBackupVaults
     - backup:UpdateRecoveryPointLifecycle
     - backup:GetRecoveryPointRestoreMetadata
     - backup:DescribeRecoveryPoint
     - backup:DescribeBackupVault
     - backup:StopBackupJob
     - backup:UntagResource
     - backup:ListRecoveryPointsByBackupVault
     - backup:StartCopyJob
     - dynamodb:StartAwsBackupJob

Backup Storage Access For Resource Protection

     permissions:
     - backup-storage:Mount
     - backup-storage:MountCapsule

Pass Role For Backup Service Access

     permissions:
     - iam:PassRole

KMS Access For Encrypted Resource Protection

     permissions:
     - kms:ListKeys
     - kms:Decrypt
     - kms:Encrypt
     - kms:ListAliases
     - kms:ReEncryptTo
     - kms:DescribeKey
     - kms:RetireGrant
     - kms:CreateGrant
     - kms:ReEncryptFrom
     - kms:GenerateDataKey

RDS Protection Access

     permissions:
     - rds:DescribeDBClusterSnapshotAttributes
     - rds:AddTagsToResource
     - rds:DescribeDBSnapshots
     - rds:CopyDBSnapshot
     - rds:CopyDBClusterSnapshot
     - rds:DescribeDBSnapshotAttributes
     - rds:ModifyDBSnapshot
     - rds:ListTagsForResource
     - rds:CreateDBSnapshot
     - rds:DescribeDBClusterSnapshots
     - rds:DescribeOptionGroupOptions
     - rds:CreateDBClusterSnapshot
     - rds:ModifyDBClusterSnapshotAttribute
     - rds:ModifyDBSnapshotAttribute
     - rds:DescribeOptionGroups

RDS Option Group Write Access

     permissions:
     - rds:DeleteOptionGroup
     - rds:ModifyOptionGroup
     - rds:CreateOptionGroup

EFS Protection Access

     permissions:
     - elasticfilesystem:DescribeFileSystems
     - elasticfilesystem:DescribeTags
     - elasticfilesystem:DescribeBackupPolicy
     - elasticfilesystem:Backup
     - elasticfilesystem:TagResource
     - elasticfilesystem:CreateTags

FSx Protection Access

     permissions:
     - fsx:DescribeFileSystems
     - fsx:DescribeBackups
     - fsx:DescribeSnapshots
     - fsx:ListTagsForResource
     - fsx:CreateBackup
     - fsx:CopyBackup
     - fsx:CreateSnapshot
     - fsx:UpdateSnapshot
     - fsx:TagResource

Route53 Protection Access

     permissions:
     - route53:Get
     - route53:List
     - ec2:DescribeVpcs

EC2 Retention Access

     permissions:
     - ec2:DeregisterImage
     - ec2:DeleteSnapshot
     - ec2:DeleteTags
     - ec2:DescribeSnapshots
     - ec2:DescribeTags
     - ec2:DescribeSnapshotAttribute
     - ec2:DescribeImages
     - ec2:DescribeImageAttribute

Backup Service Access For Resource Retention

     permissions:
     - backup:UntagResource
     - backup:ListRecoveryPointsByBackupVault
     - backup:ListTags
     - backup:ListBackupJobs
     - backup:DescribeBackupJob
     - backup:DeleteRecoveryPoint
     - backup:ListBackupVaults
     - backup:GetRecoveryPointRestoreMetadata
     - backup:DescribeBackupVault
     - backup:DescribeRecoveryPoint
     - backup:StopBackupJob
     - backup:ListRecoveryPointsByResource
     - backup:DeleteBackupVault
     - backup:DeleteBackupVaultAccessPolicy

RDS Retention Access

     permissions:
     - rds:DescribeDBClusterSnapshotAttributes
     - rds:DescribeDBSnapshots
     - rds:DeleteDBSnapshot
     - rds:DescribeDBSnapshotAttributes
     - rds:DeleteDBClusterSnapshot
     - rds:ListTagsForResource
     - rds:DescribeDBClusterSnapshots
     - rds:RemoveTagsFromResource
     - rds:DeleteOptionGroup
     - rds:ModifyOptionGroup

FSx Retention Access

     permissions:
     - fsx:DescribeFileSystems
     - fsx:DescribeBackups
     - fsx:DescribeSnapshots
     - fsx:ListTagsForResource
     - fsx:DeleteBackup
     - fsx:DeleteSnapshot
     - fsx:UntagResource

EC2 Recovery Access

     permissions:
     - ec2:Describe*
     - ec2:CreateDhcpOptions
     - ec2:AuthorizeSecurityGroupIngress
     - ec2:ModifyVolumeAttribute
     - ec2:AttachInternetGateway
     - ec2:StartInstances
     - ec2:CreateNetworkInterfacePermission
     - ec2:RevokeSecurityGroupEgress
     - ec2:CreateRoute
     - ec2:CreateInternetGateway
     - ec2:ModifyAddressAttribute
     - ec2:CreateTags
     - ec2:ModifyNetworkInterfaceAttribute
     - ec2:RunInstances
     - ec2:ModifySecurityGroupRules
     - ec2:StopInstances
     - ec2:AssignPrivateIpAddresses
     - ec2:CreateVolume
     - ec2:ReplaceNetworkAclAssociation
     - ec2:RevokeSecurityGroupIngress
     - ec2:CreateNetworkInterface
     - ec2:CreateDefaultVpc
     - ec2:CreateSubnet
     - ec2:ModifyVpcEndpoint
     - ec2:CreateVpnConnection
     - ec2:AttachVolume
     - ec2:ModifyVpcEndpointServicePermissions
     - ec2:CreateNatGateway
     - ec2:RunScheduledInstances
     - ec2:CreateVpc
     - ec2:ModifyImageAttribute
     - ec2:CreateSubnetCidrReservation
     - ec2:ModifySubnetAttribute
     - ec2:CreateDefaultSubnet
     - ec2:RebootInstances
     - ec2:AssociateDhcpOptions
     - ec2:AssignIpv6Addresses
     - ec2:ImportInstance
     - ec2:AttachVpnGateway
     - ec2:ImportSnapshot
     - ec2:CreateVpnConnectionRoute
     - ec2:AllocateHosts
     - ec2:CreateImage
     - ec2:CopyImage
     - ec2:AssociateVpcCidrBlock
     - ec2:ReplaceRoute
     - ec2:AssociateRouteTable
     - ec2:ReplaceNetworkAclEntry
     - ec2:CreateVpnGateway
     - ec2:ImportImage
     - ec2:CreateVpcPeeringConnection
     - ec2:ModifyVolume
     - ec2:UpdateSecurityGroupRuleDescriptionsEgress
     - ec2:RegisterImage
     - ec2:CreateRouteTable
     - ec2:AssociateSubnetCidrBlock
     - ec2:CreateEgressOnlyInternetGateway
     - ec2:AssociateAddress
     - ec2:DeleteNetworkInterfacePermission
     - ec2:CreateSecurityGroup
     - ec2:CreateNetworkAcl
     - ec2:ModifyVpcAttribute
     - ec2:ModifyInstanceAttribute
     - ec2:AuthorizeSecurityGroupEgress
     - ec2:AllocateAddress
     - ec2:CreateVpcEndpoint
     - ec2:AttachNetworkInterface
     - ec2:CreateNetworkAclEntry
     - ec2:CreateKeyPair
     - ec2:ImportKeyPair

Loadbalancer Recovery Access

     permissions:
     - elasticloadbalancing:Describe
     - elasticloadbalancing:Set
     - elasticloadbalancing:AttachLoadBalancerToSubnets
     - elasticloadbalancing:ConfigureHealthCheck
     - elasticloadbalancing:AddTags
     - elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer
     - elasticloadbalancing:Modify
     - elasticloadbalancing:Register
     - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
     - elasticloadbalancing:AddListenerCertificates
     - elasticloadbalancing:Create

Loadbalancer V2 Recovery Access

     permissions:
     - elasticloadbalancing:Set*
     - elasticloadbalancing:Modify*
     - elasticloadbalancing:Register*
     - elasticloadbalancing:Add*
     - elasticloadbalancing:Create*

ACM Discovery Access

     permissions:
     - acm:DescribeCertificate
     - acm:ListCertificates
     - acm:ListTagsForCertificate

KMS Access For Encrypted Resource Recovery

     permissions:
     - kms:ListKeys
     - kms:Decrypt
     - kms:Encrypt
     - kms:ListAliases
     - kms:ReEncryptTo
     - kms:DescribeKey
     - kms:RetireGrant
     - kms:CreateGrant
     - kms:ReEncryptFrom
     - kms:GenerateDataKey

SNS Recovery Access

     permissions:
     - sns:List
     - sns:Get
     - sns:CreateTopic
     - sns:TagResource
     - sns:PutDataProtectionPolicy
     - sns:SetTopicAttributes
     - sns:Subscribe
     - logs:CreateLogDelivery
     - logs:GetLogDelivery
     - logs:UpdateLogDelivery
     - logs:DeleteLogDelivery
     - logs:ListLogDeliveries
     - logs:PutResourcePolicy
     - logs:Describe
     - s3:PutBucketPolicy
     - s3:GetBucketPolicy

Cloud Formation Stack Create And Update Access

     permissions:
     - cloudformation:CreateUploadBucket
     - cloudformation:CancelUpdateStack
     - cloudformation:UpdateStackInstances
     - cloudformation:ListTypes
     - cloudformation:UpdateTerminationProtection
     - cloudformation:DescribeStackResource
     - cloudformation:UpdateStackSet
     - cloudformation:CreateChangeSet
     - cloudformation:ContinueUpdateRollback
     - cloudformation:EstimateTemplateCost
     - cloudformation:DescribeStackEvents
     - cloudformation:UpdateStack
     - cloudformation:DescribeChangeSet
     - cloudformation:ListStackResources
     - cloudformation:SetStackPolicy
     - cloudformation:ListStacks
     - cloudformation:DescribeType
     - cloudformation:DescribeStackResources
     - cloudformation:GetTemplateSummary
     - cloudformation:DescribeStacks
     - cloudformation:RollbackStack
     - cloudformation:CreateStack
     - cloudformation:GetTemplate
     - cloudformation:TagResource
     - cloudformation:ValidateTemplate
     - cloudformation:ListChangeSets
     - cloudformation:ListTypeVersions

RDS Recovery Access

      permissions:
      - rds:AuthorizeDBSecurityGroupIngress
      - rds:StartDBCluster
      - rds:ModifyOptionGroup
      - rds:RestoreDBClusterFromSnapshot
      - rds:RemoveRoleFromDBCluster
      - rds:CreateOptionGroup
      - rds:CreateDBSubnetGroup
      - rds:StopDBInstanceAutomatedBackupsReplication
      - rds:ModifyCustomDBEngineVersion
      - rds:ModifyDBParameterGroup
      - rds:Describe*
      - rds:CreateDBInstance
      - rds:ModifyDBInstance
      - rds:ModifyDBClusterParameterGroup
      - rds:AddTagsToResource
      - rds:CreateDBClusterEndpoint
      - rds:StopDBCluster
      - rds:CreateDBParameterGroup
      - rds:StartDBInstanceAutomatedBackupsReplication
      - rds:StopDBInstance
      - rds:PromoteReadReplica
      - rds:StartDBInstance
      - rds:RebootDBCluster
      - rds:ModifyCertificates
      - rds:ListTagsForResource
      - rds:CreateDBSecurityGroup
      - rds:RestoreDBInstanceFromDBSnapshot
      - rds:RebootDBInstance
      - rds:CreateDBCluster
      - rds:ModifyDBClusterEndpoint
      - rds:ModifyDBCluster
      - rds:CreateDBClusterParameterGroup
      - rds:CreateDBInstanceReadReplica
      - rds:PromoteReadReplicaDBCluster
      - rds:RemoveRoleFromDBInstance
      - rds:ModifyDBSubnetGroup

EFS Recovery Access

      permissions:
      - elasticfilesystem:ModifyMountTargetSecurityGroups
      - elasticfilesystem:Describe*
      - elasticfilesystem:Restore
      - elasticfilesystem:CreateFileSystem
      - elasticfilesystem:ListTagsForResource
      - elasticfilesystem:ClientWrite
      - elasticfilesystem:TagResource
      - elasticfilesystem:CreateTags
      - elasticfilesystem:CreateMountTarget
      - elasticfilesystem:ClientMount
      - elasticfilesystem:PutLifecycleConfiguration
      - elasticfilesystem:Backup
      - elasticfilesystem:PutBackupPolicy
      - elasticfilesystem:ClientRootAccess
      - elasticfilesystem:CreateAccessPoint
      - elasticfilesystem:PutFileSystemPolicy
      - elasticfilesystem:UpdateFileSystem

Backup Service Access For Resource Recovery

      permissions:
      - backup:ListTags
      - backup:ListBackupJobs
      - backup:DescribeBackupJob
      - backup:DescribeRestoreJob
      - backup:ListRestoreJobs
      - backup:GetBackupVaultAccessPolicy
      - backup:ListBackupVaults
      - backup:GetRecoveryPointRestoreMetadata
      - backup:DescribeRecoveryPoint
      - backup:DescribeBackupVault
      - backup:ListRecoveryPointsByResource
      - backup:StartRestoreJob
      - backup:ListRecoveryPointsByBackupVault
      - dynamoDb:RestoreTableFromAwsBackup

Backup Storage Access For Resource Recovery

      permissions:
      - backup-storage:Mount
      - backup-storage:MountCapsule

Pass Role For Resource Recovery Access

      permissions:
      - iam:PassRole

Lambda Function Create And Invoke Access

      permissions:
      - lambda:CreateFunction
      - lambda:TagResource
      - lambda:AddPermission
      - lambda:List
      - lambda:InvokeFunction
      - lambda:Get*
      - lambda:CreateEventSourceMapping
      - ec2:DescribeNetworkInterfaces
      - ec2:CreateNetworkInterface
      - ec2:AttachNetworkInterface
      - ec2:DeleteNetworkInterface

FSx Recovery Access

      permissions:
      - fsx:Describe
      - fsx:CreateFileSystem
      - fsx:CreateFileCache
      - fsx:CreateVolume
      - fsx:CreateStorageVirtualMachine
      - fsx:CreateFileSystemFromBackup
      - fsx:CreateVolumeFromBackup
      - fsx:RestoreVolumeFromSnapshot
      - fsx:UpdateFileSystem
      - fsx:UpdateFileCache
      - fsx:AssociateFileGateway
      - fsx:AssociateFileSystemAliases
      - fsx:TagResource

Route53 Recovery Access

      permissions:
      - route53:Get
      - route53:List
      - route53:ListResourceRecordSets
      - route53:CreateHostedZone
      - route53:ChangeResourceRecordSets
      - route53:ChangeTagsForResource
      - route53:AssociateVPCWithHostedZone
      - route53:UpdateHostedZoneComment
      - ec2:DescribeVpcs
      - ec2:DescribeRegions

SQS Recovery Access

      permissions:
      - sqs:List
      - sqs:Get
      - sqs:CreateQueue
      - sqs:TagQueue
      - sqs:SetQueueAttributes

EC2 Reset Access

      permissions:
      - ec2:Describe
      - ec2:DeleteSubnet
      - ec2:UnmonitorInstances
      - ec2:DeleteClientVpnEndpoint
      - ec2:DeleteVpcPeeringConnection
      - ec2:DeleteVpcEndpoints
      - ec2:UpdateSecurityGroupRuleDescriptionsIngress
      - ec2:DeleteRouteTable
      - ec2:DisassociateVpcCidrBlock
      - ec2:DeleteVolume
      - ec2:DeleteVpnGateway
      - ec2:UnassignIpv6Addresses
      - ec2:DeleteInternetGateway
      - ec2:UnassignPrivateIpAddresses
      - ec2:DeleteVpnConnection
      - ec2:DisableImageDeprecation
      - ec2:DetachVolume
      - ec2:UpdateSecurityGroupRuleDescriptionsEgress
      - ec2:DeleteNetworkInterface
      - ec2:DeletePublicIpv4Pool
      - ec2:DetachInternetGateway
      - ec2:StopInstances
      - ec2:DisassociateRouteTable
      - ec2:DetachVpnGateway
      - ec2:DeleteTransitGatewayRoute
      - ec2:AssociateDhcpOptions
      - ec2:DeleteDhcpOptions
      - ec2:DeleteNatGateway
      - ec2:DeleteVpc
      - ec2:DeleteTransitGateway
      - ec2:DeleteKeyPair
      - ec2:DeleteNetworkAclEntry
      - ec2:DeleteQueuedReservedInstances
      - ec2:DeleteCarrierGateway
      - ec2:DisassociateAddress
      - ec2:DeregisterImage
      - ec2:DeleteSnapshot
      - ec2:DeleteNetworkAcl
      - ec2:ReplaceNetworkAclAssociation
      - ec2:ReleaseAddress
      - ec2:DeleteEgressOnlyInternetGateway
      - ec2:TerminateInstances
      - ec2:DetachNetworkInterface
      - ec2:DeletePlacementGroup
      - ec2:DeleteRoute
      - ec2:DeprovisionPublicIpv4PoolCidr
      - ec2:DisassociateSubnetCidrBlock
      - ec2:DeleteVpnConnectionRoute
      - ec2:DeleteCustomerGateway
      - ec2:DeleteClientVpnRoute
      - ec2:DeleteSecurityGroup
      - ec2:DeleteTransitGatewayConnect

Loadbalancer Reset Access

      permissions:
      - elasticloadbalancing:Describe
      - elasticloadbalancing:Delete
      - elasticloadbalancing:ModifyListener
      - elasticloadbalancing:DetachLoadBalancerFromSubnets
      - elasticloadbalancing:DeregisterTargets
      - elasticloadbalancing:RemoveListenerCertificates
      - elasticloadbalancing:RemoveTags
      - elasticloadbalancing:ModifyRule
      - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
      - elasticloadbalancing:ModifyLoadBalancerAttributes
      - elasticloadbalancing:ModifyTargetGroupAttributes
      - elasticloadbalancing:ModifyTargetGroup
      - elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer

Loadbalancer V2 Reset Access

      permissions:
      - elasticloadbalancing:Describe
      - elasticloadbalancing:Delete
      - elasticloadbalancing:ModifyListener
      - elasticloadbalancing:DetachLoadBalancerFromSubnets
      - elasticloadbalancing:DeregisterTargets
      - elasticloadbalancing:RemoveListenerCertificates
      - elasticloadbalancing:RemoveTags
      - elasticloadbalancing:ModifyRule
      - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
      - elasticloadbalancing:ModifyLoadBalancerAttributes
      - elasticloadbalancing:ModifyTargetGroupAttributes
      - elasticloadbalancing:ModifyTargetGroup
      - elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer

Lambda Function Delete Access

      permissions:
      - lambda:RemovePermission
      - lambda:Delete

RDS Reset Access

      permissions:
      - rds:Describe
      - rds:Delete
      - rds:StopDBCluster
      - rds:RemoveRoleFromDBCluster
      - rds:StopDBInstance
      - rds:RemoveRoleFromDBInstance

EFS Reset Access

      permissions:
      - elasticfilesystem:Describe
      - elasticfilesystem:Delete
      - elasticfilesystem:UntagResource

FSx Reset Access

      permissions:
      - fsx:Describe
      - fsx:Delete
      - fsx:ListTagsForResource
      - fsx:UntagResource

SQS Reset Access

      permissions:
      - sqs:List
      - sqs:Get
      - sqs:DeleteQueue
      - sqs:UntagQueue

SSM Reset Access

      permissions:
      - ssm:DeleteParameter

DynamoDB Reset Access

      permissions:
      - dynamodb:DeleteTable

SNS Reset Access

      permissions:
      - sns:List
      - sns:Get
      - sns:DeleteTopic
      - sns:Unsubscribe
      - sns:SetTopicAttributes

Route53 Reset Access

      permissions:
      - route53:Get
      - route53:List
      - ec2:DescribeVpcs
      - route53:ListResourceRecordSets
      - route53:ChangeResourceRecordSets
      - route53:ChangeTagsForResource
      - route53:DeleteHostedZone
      - route53:DisassociateVPCFromHostedZone

Note

This list of permissions may increase as Appranix adds more services for protection.
