Cloud Rewind requires a way to be authenticated and authorized to connect to the customer AWS account to provide resilience for their cloud application environment.
Prerequisites
For onboarding the AWS account in Cloud Rewind, a few roles and permissions in AWS should be enabled through an AWS stack. The onboarding user should have the below listed permissions in the AWS account to create a Role Stack for Cloud Rewind in AWS.
- AWSCloudFormationFullAccess
- IAMFullAccess
Add a New AWS Cloud Connection in Cloud Rewind
- Navigate to "Cloud Connections", click "Add Cloud Connection," and choose "AWS Cloud"
- Fill in the Name and Description for the Cloud Connection
- Select the operational regions where your protection and recovery operations need to be done
- Enable the services required and click next
- Select the "IAM permission" type for the Cloud Connection
- Select the CloudFormation launch region, where the Cloud Rewind permission stack needs to be created
- After choosing the IAM permission, launch the CloudFormation template in your AWS console
- After the execution, copy the Role ARN number from the output section of the CloudFormation screen
- All the discovered resources will be displayed in the Cloud Connection page, once the discover sync is completed successfully
If you have technical challenges in the above steps, you may have problems with one or more of the following items
- Permission to launch CloudFormation
- You don't have permission to create an IAM role
- If the copied ARN from the output is not valid, it is possibly a copy-paste error
- The newly created role is removed or blocked before the discovery process
- There is a network outage or AWS response delay that causes the discovery to delay longer due to Exponential Backoff
Cloud Connection Dashboard and Actions
After successfully completing the Cloud Connection discovery process, all selected operational region resources will be listed at the bottom of your Cloud Connection summary page.
Additionally, the following options can be accessed under the Cloud Connection Actions,
Edit: This option allows users to refine their Cloud Connection settings with flexibility. Users can update the Cloud Connection name, add new operational regions, and modify the selection of cloud services to be discovered.
Disable: With the disable option, users gain control over their Cloud Connection discovery process. This functionality enables users to temporarily suspend Cloud Connection discovery and reactivate it when needed.
Shared Cloud Connection: Facilitating Cross-Tenant recovery, this feature enables users to seamlessly share Cloud Connections between two distinct AWS accounts. Click here to configure Shared Cloud Connection.
Map Kms Key: The KMS Key mapping option facilitates the mapping of source and recovery region or account disk encryption keys. Click here to know more.
Manage AWS Permissions: This feature grants users to effortlessly update Cloud Connection permissions as required.
Download Report: Enhancing visibility and insights, this option generates a comprehensive summary report file detailing Cloud Connection resources, regions, and additional relevant details.
Delete: Users can utilize the delete option to permanently remove selected Cloud Connections.
Sync Now: This option triggers immediate Cloud Connection discovery when needed.
AWS IAM Permissions
Cloud Rewind gets four sets of permissions during Cloud Connection creation.
- Discovery
- Protection
- Recovery
- Reset
Note
When a particular permission is revoked manually in the AWS portal, the set of operations associated with that role will fail.
EC2 Discovery Access
Action:
- ec2:DescribeAddresses
- ec2:DescribeInstances
- ec2:DescribeInstanceAttribute
- ec2:DescribeRegions
- ec2:DescribeDhcpOptions
- ec2:DescribeClientVpnConnections
- ec2:DescribeVpcEndpointServices
- ec2:DescribeSnapshots
- ec2:DescribeAddressesAttribute
- ec2:DescribeVpcAttribute
- ec2:DescribeInternetGateways
- ec2:DescribeNetworkInterfaces
- ec2:DescribeAvailabilityZones
- ec2:DescribeNetworkInterfaceAttribute
- ec2:DescribeVolumes
- ec2:DescribeNetworkInterfacePermissions
- ec2:DescribeVpcEndpointConnections
- ec2:DescribeNetworkAcls
- ec2:DescribeRouteTables
- ec2:DescribeClientVpnEndpoints
- ec2:DescribeVpnConnections
- ec2:DescribeSnapshotAttribute
- ec2:DescribeTags
- ec2:DescribeVpcPeeringConnections
- ec2:DescribeNatGateways
- ec2:DescribeCustomerGateways
- ec2:DescribeVolumeAttribute
- ec2:DescribeSecurityGroups
- ec2:DescribeImages
- ec2:DescribeSecurityGroupRules
- ec2:DescribeVpcs
- ec2:DescribeImageAttribute
- ec2:DescribeInstanceTypes
- ec2:DescribeVpcEndpoints
- ec2:DescribeSubnets
- ec2:DescribeVpnGateways
- ec2:DescribeKeyPairs
- ec2:DescribeHosts
- ec2:DescribeLaunchTemplates
- ec2:DescribeLaunchTemplateVersions
- ec2:DescribeManagedPrefixLists
- ec2:GetManagedPrefixListEntries
Loadbalancer Discovery Access
permissions:
- elasticloadbalancing:Describe
Loadbalancer V2 Discovery Access
permissions:
- elasticloadbalancing:Describe
KMS Discovery Access
permissions:
- kms:ListKeys
- kms:ListAliases
- kms:DescribeKey
ACM Discovery Access
permissions:
- acm:DescribeCertificate
- acm:ListCertificates
- acm:ListTagsForCertificate
RDS Discovery Access
permissions:
- rds:Describe
- rds:ListTagsForResource
EFS Discovery Access
permissions:
- elasticfilesystem:Describe
- elasticfilesystem:ListTagsForResource
FSx Discovery Access
permissions:
- fsx:Describe
- fsx:ListTagsForResource
Route53 Discovery Access
permissions:
- route53:Get
- route53:List
- ec2:DescribeVpcs
Lambda Discovery Access
permissions:
- lambda:List
- lambda:Get
S3 Discovery Access
permissions:
- s3:List
- s3:Get
- s3:Describe
SQS Discovery Access
permissions:
- sqs:List
- sqs:Get
DynamoDB Discovery Access
permissions:
- dynamoDb:List
- dynamoDb:Describe
SNS Discovery Access
permissions:
- sns:List
- sns:Get
CloudWatch Discovery Access
permissions:
- cloudWatch:DescribeAlarms
- cloudWatch:ListTagsForResource
- cloudWatch:ListMetrics
SSM Discovery Access
permissions:
- ssm:DescribeParameters
- ssm:ListTagsForResource
- ssm:GetParameters
- ssm:ListDocuments
- ssm:DescribeDocument
Secrets Manager Discovery Access
permissions:
- secretsmanager:DescribeSecret
- secretsmanager:ListSecretVersionIds
- secretsmanager:ListSecrets
- secretsmanager:GetResourcePolicy
EKS Discovery Access
permissions:
- eks:Describe
- eks:List
ElasticBeanStalk Discovery Access
permissions:
- elasticbeanstalk:Describe
- elasticbeanstalk:ListTagsForResource
AutoScaling Discovery Access
permissions:
- autoscaling:Describe
DocumentDB Discovery Access
permissions:
- documentDb:Describe
- documentDb:ListTagsForResource
Waf Discovery Access
permissions:
- wafv2:List
- wafv2:Get
- cognito-idp:ListResourcesForWebACL
- apprunner:ListAssociatedServicesForWebAcl
- ec2:DescribeVerifiedAccessInstanceWebAclAssociations
EC2 Protection Access
permissions:
- ec2:DescribeImages
- ec2:CopySnapshot
- ec2:CreateTags
- ec2:CreateSnapshots
- ec2:DescribeImageAttribute
- ec2:RegisterImage
- ec2:CreateSnapshot
- ec2:ImportSnapshot
- ec2:DescribeSnapshotAttribute
- ec2:ModifySnapshotAttribute
- ec2:CreateImage
- ec2:CopyImage
- ec2:ImportImage
- ec2:DescribeSnapshots
- ebs:ListSnapshotBlocks
- ebs:ListChangedBlocks
Backup Service Access For Resource Protection
permissions:
- backup:TagResource
- backup:ListCopyJobs
- backup:PutBackupVaultAccessPolicy
- backup:ListTags
- backup:ListBackupJobs
- backup:StartBackupJob
- backup:DescribeCopyJob
- backup:DescribeBackupJob
- backup:CopyIntoBackupVault
- backup:GetBackupVaultAccessPolicy
- backup:CreateBackupVault
- backup:ListBackupVaults
- backup:UpdateRecoveryPointLifecycle
- backup:GetRecoveryPointRestoreMetadata
- backup:DescribeRecoveryPoint
- backup:DescribeBackupVault
- backup:StopBackupJob
- backup:UntagResource
- backup:ListRecoveryPointsByBackupVault
- backup:StartCopyJob
- dynamodb:StartAwsBackupJob
Backup Storage Access For Resource Protection
permissions:
- backup-storage:Mount
- backup-storage:MountCapsule
Pass Role For Backup Service Access
permissions:
- iam:PassRole
KMS Access For Encrypted Resource Protection
permissions:
- kms:ListKeys
- kms:Decrypt
- kms:Encrypt
- kms:ListAliases
- kms:ReEncryptTo
- kms:DescribeKey
- kms:RetireGrant
- kms:CreateGrant
- kms:ReEncryptFrom
- kms:GenerateDataKey
RDS Protection Access
permissions:
- rds:DescribeDBClusterSnapshotAttributes
- rds:AddTagsToResource
- rds:DescribeDBSnapshots
- rds:CopyDBSnapshot
- rds:CopyDBClusterSnapshot
- rds:DescribeDBSnapshotAttributes
- rds:ModifyDBSnapshot
- rds:ListTagsForResource
- rds:CreateDBSnapshot
- rds:DescribeDBClusterSnapshots
- rds:DescribeOptionGroupOptions
- rds:CreateDBClusterSnapshot
- rds:ModifyDBClusterSnapshotAttribute
- rds:ModifyDBSnapshotAttribute
- rds:DescribeOptionGroups
RDS Option Group Write Access
permissions:
- rds:DeleteOptionGroup
- rds:ModifyOptionGroup
- rds:CreateOptionGroup
EFS Protection Access
permissions:
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:DescribeTags
- elasticfilesystem:DescribeBackupPolicy
- elasticfilesystem:Backup
- elasticfilesystem:TagResource
- elasticfilesystem:CreateTags
FSx Protection Access
permissions:
- fsx:DescribeFileSystems
- fsx:DescribeBackups
- fsx:DescribeSnapshots
- fsx:ListTagsForResource
- fsx:CreateBackup
- fsx:CopyBackup
- fsx:CreateSnapshot
- fsx:UpdateSnapshot
- fsx:TagResource
Route53 Protection Access
permissions:
- route53:Get
- route53:List
- ec2:DescribeVpcs
EC2 Retention Access
permissions:
- ec2:DeregisterImage
- ec2:DeleteSnapshot
- ec2:DeleteTags
- ec2:DescribeSnapshots
- ec2:DescribeTags
- ec2:DescribeSnapshotAttribute
- ec2:DescribeImages
- ec2:DescribeImageAttribute
Backup Service Access For Resource Retention
permissions:
- backup:UntagResource
- backup:ListRecoveryPointsByBackupVault
- backup:ListTags
- backup:ListBackupJobs
- backup:DescribeBackupJob
- backup:DeleteRecoveryPoint
- backup:ListBackupVaults
- backup:GetRecoveryPointRestoreMetadata
- backup:DescribeBackupVault
- backup:DescribeRecoveryPoint
- backup:StopBackupJob
- backup:ListRecoveryPointsByResource
- backup:DeleteBackupVault
- backup:DeleteBackupVaultAccessPolicy
RDS Retention Access
permissions:
- rds:DescribeDBClusterSnapshotAttributes
- rds:DescribeDBSnapshots
- rds:DeleteDBSnapshot
- rds:DescribeDBSnapshotAttributes
- rds:DeleteDBClusterSnapshot
- rds:ListTagsForResource
- rds:DescribeDBClusterSnapshots
- rds:RemoveTagsFromResource
- rds:DeleteOptionGroup
- rds:ModifyOptionGroup
Fsx Retention Access
permissions:
- fsx:DescribeFileSystems
- fsx:DescribeBackups
- fsx:DescribeSnapshots
- fsx:ListTagsForResource
- fsx:DeleteBackup
- fsx:DeleteSnapshot
- fsx:UntagResource
EC2 Recovery Access
permissions:
- ec2:Describe*
- ec2:CreateDhcpOptions
- ec2:AuthorizeSecurityGroupIngress
- ec2:ModifyVolumeAttribute
- ec2:AttachInternetGateway
- ec2:StartInstances
- ec2:CreateNetworkInterfacePermission
- ec2:RevokeSecurityGroupEgress
- ec2:CreateRoute
- ec2:CreateInternetGateway
- ec2:ModifyAddressAttribute
- ec2:CreateTags
- ec2:ModifyNetworkInterfaceAttribute
- ec2:RunInstances
- ec2:ModifySecurityGroupRules
- ec2:StopInstances
- ec2:AssignPrivateIpAddresses
- ec2:CreateVolume
- ec2:ReplaceNetworkAclAssociation
- ec2:RevokeSecurityGroupIngress
- ec2:CreateNetworkInterface
- ec2:CreateDefaultVpc
- ec2:CreateSubnet
- ec2:ModifyVpcEndpoint
- ec2:CreateVpnConnection
- ec2:AttachVolume
- ec2:ModifyVpcEndpointServicePermissions
- ec2:CreateNatGateway
- ec2:RunScheduledInstances
- ec2:CreateVpc
- ec2:ModifyImageAttribute
- ec2:CreateSubnetCidrReservation
- ec2:ModifySubnetAttribute
- ec2:CreateDefaultSubnet
- ec2:RebootInstances
- ec2:AssociateDhcpOptions
- ec2:AssignIpv6Addresses
- ec2:ImportInstance
- ec2:AttachVpnGateway
- ec2:ImportSnapshot
- ec2:CreateVpnConnectionRoute
- ec2:AllocateHosts
- ec2:CreateImage
- ec2:CopyImage
- ec2:AssociateVpcCidrBlock
- ec2:ReplaceRoute
- ec2:AssociateRouteTable
- ec2:ReplaceNetworkAclEntry
- ec2:CreateVpnGateway
- ec2:ImportImage
- ec2:CreateVpcPeeringConnection
- ec2:ModifyVolume
- ec2:UpdateSecurityGroupRuleDescriptionsEgress
- ec2:RegisterImage
- ec2:CreateRouteTable
- ec2:AssociateSubnetCidrBlock
- ec2:CreateEgressOnlyInternetGateway
- ec2:AssociateAddress
- ec2:DeleteNetworkInterfacePermission
- ec2:CreateSecurityGroup
- ec2:CreateNetworkAcl
- ec2:ModifyVpcAttribute
- ec2:ModifyInstanceAttribute
- ec2:AuthorizeSecurityGroupEgress
- ec2:AllocateAddress
- ec2:CreateVpcEndpoint
- ec2:AttachNetworkInterface
- ec2:CreateNetworkAclEntry
- ec2:CreateKeyPair
- ec2:ImportKeyPair
Loadbalancer Recovery Access
permissions:
- elasticloadbalancing:Describe
- elasticloadbalancing:Set
- elasticloadbalancing:AttachLoadBalancerToSubnets
- elasticloadbalancing:ConfigureHealthCheck
- elasticloadbalancing:AddTags
- elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer
- elasticloadbalancing:Modify
- elasticloadbalancing:Register
- elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
- elasticloadbalancing:AddListenerCertificates
- elasticloadbalancing:Create
Loadbalancer V2 Recovery Access
permissions:
- elasticloadbalancing:Set*
- elasticloadbalancing:Modify*
- elasticloadbalancing:Register*
- elasticloadbalancing:Add*
- elasticloadbalancing:Create*
ACM Discovery Access
permissions:
- acm:DescribeCertificate
- acm:ListCertificates
- acm:ListTagsForCertificate
KMS Access For Encrypted Resource Recovery
permissions:
- kms:ListKeys
- kms:Decrypt
- kms:Encrypt
- kms:ListAliases
- kms:ReEncryptTo
- kms:DescribeKey
- kms:RetireGrant
- kms:CreateGrant
- kms:ReEncryptFrom
- kms:GenerateDataKey
Sns Recovery Access
permissions:
- sns:List
- sns:Get
- sns:CreateTopic
- sns:TagResource
- sns:PutDataProtectionPolicy
- sns:SetTopicAttributes
- sns:Subscribe
- logs:CreateLogDelivery
- logs:GetLogDelivery
- logs:UpdateLogDelivery
- logs:DeleteLogDelivery
- logs:ListLogDeliveries
- logs:PutResourcePolicy
- logs:Describe
- s3:PutBucketPolicy
- s3:GetBucketPolicy
Cloud Formation Stack Create And Update Access
permissions:
- cloudformation:CreateUploadBucket
- cloudformation:CancelUpdateStack
- cloudformation:UpdateStackInstances
- cloudformation:ListTypes
- cloudformation:UpdateTerminationProtection
- cloudformation:DescribeStackResource
- cloudformation:UpdateStackSet
- cloudformation:CreateChangeSet
- cloudformation:ContinueUpdateRollback
- cloudformation:EstimateTemplateCost
- cloudformation:DescribeStackEvents
- cloudformation:UpdateStack
- cloudformation:DescribeChangeSet
- cloudformation:ListStackResources
- cloudformation:SetStackPolicy
- cloudformation:ListStacks
- cloudformation:DescribeType
- cloudformation:DescribeStackResources
- cloudformation:GetTemplateSummary
- cloudformation:DescribeStacks
- cloudformation:RollbackStack
- cloudformation:CreateStack
- cloudformation:GetTemplate
- cloudformation:TagResource
- cloudformation:ValidateTemplate
- cloudformation:ListChangeSets
- cloudformation:ListTypeVersions
RDS Recovery Access
permissions:
- rds:AuthorizeDBSecurityGroupIngress
- rds:StartDBCluster
- rds:ModifyOptionGroup
- rds:RestoreDBClusterFromSnapshot
- rds:RemoveRoleFromDBCluster
- rds:CreateOptionGroup
- rds:CreateDBSubnetGroup
- rds:StopDBInstanceAutomatedBackupsReplication
- rds:ModifyCustomDBEngineVersion
- rds:ModifyDBParameterGroup
- rds:Describe*
- rds:CreateDBInstance
- rds:ModifyDBInstance
- rds:ModifyDBClusterParameterGroup
- rds:AddTagsToResource
- rds:CreateDBClusterEndpoint
- rds:StopDBCluster
- rds:CreateDBParameterGroup
- rds:StartDBInstanceAutomatedBackupsReplication
- rds:StopDBInstance
- rds:PromoteReadReplica
- rds:StartDBInstance
- rds:RebootDBCluster
- rds:ModifyCertificates
- rds:ListTagsForResource
- rds:CreateDBSecurityGroup
- rds:RestoreDBInstanceFromDBSnapshot
- rds:RebootDBInstance
- rds:CreateDBCluster
- rds:ModifyDBClusterEndpoint
- rds:ModifyDBCluster
- rds:CreateDBClusterParameterGroup
- rds:CreateDBInstanceReadReplica
- rds:PromoteReadReplicaDBCluster
- rds:RemoveRoleFromDBInstance
- rds:ModifyDBSubnetGroup
EFS Recovery Access
permissions:
- elasticfilesystem:ModifyMountTargetSecurityGroups
- elasticfilesystem:Describe*
- elasticfilesystem:Restore
- elasticfilesystem:CreateFileSystem
- elasticfilesystem:ListTagsForResource
- elasticfilesystem:ClientWrite
- elasticfilesystem:TagResource
- elasticfilesystem:CreateTags
- elasticfilesystem:CreateMountTarget
- elasticfilesystem:ClientMount
- elasticfilesystem:PutLifecycleConfiguration
- elasticfilesystem:Backup
- elasticfilesystem:PutBackupPolicy
- elasticfilesystem:ClientRootAccess
- elasticfilesystem:CreateAccessPoint
- elasticfilesystem:PutFileSystemPolicy
- elasticfilesystem:UpdateFileSystem
Backup Service Access For Resource Recovery
permissions:
- backup:ListTags
- backup:ListBackupJobs
- backup:DescribeBackupJob
- backup:DescribeRestoreJob
- backup:ListRestoreJobs
- backup:GetBackupVaultAccessPolicy
- backup:ListBackupVaults
- backup:GetRecoveryPointRestoreMetadata
- backup:DescribeRecoveryPoint
- backup:DescribeBackupVault
- backup:ListRecoveryPointsByResource
- backup:StartRestoreJob
- backup:ListRecoveryPointsByBackupVault
- dynamoDb:RestoreTableFromAwsBackup
Backup Storage Access For Resource Recovery
permissions:
- backup-storage:Mount
- backup-storage:MountCapsule
Pass Role For Resource recovery Access
permissions:
- iam:PassRole
Lambda Function Create And Invoke Access
permissions:
- lambda:CreateFunction
- lambda:TagResource
- lambda:AddPermission
- lambda:List
- lambda:InvokeFunction
- lambda:Get*
- lambda:CreateEventSourceMapping
- ec2:DescribeNetworkInterfaces
- ec2:CreateNetworkInterface
- ec2:AttachNetworkInterface
- ec2:DeleteNetworkInterface
FSx Recovery Access
permissions:
- fsx:Describe
- fsx:CreateFileSystem
- fsx:CreateFileCache
- fsx:CreateVolume
- fsx:CreateStorageVirtualMachine
- fsx:CreateFileSystemFromBackup
- fsx:CreateVolumeFromBackup
- fsx:RestoreVolumeFromSnapshot
- fsx:UpdateFileSystem
- fsx:UpdateFileCache
- fsx:AssociateFileGateway
- fsx:AssociateFileSystemAliases
- fsx:TagResource
Route53 Recovery Access
permissions:
- route53:Get
- route53:List
- route53:ListResourceRecordSets
- route53:CreateHostedZone
- route53:ChangeResourceRecordSets
- route53:ChangeTagsForResource
- route53:AssociateVPCWithHostedZone
- route53:UpdateHostedZoneComment
- ec2:DescribeVpcs
- ec2:DescribeRegions
SQS Recovery Access
permissions:
- sqs:List
- sqs:Get
- sqs:CreateQueue
- sqs:TagQueue
- sqs:SetQueueAttributes
EC2 Reset Access
permissions:
- ec2:Describe
- ec2:DeleteSubnet
- ec2:UnmonitorInstances
- ec2:DeleteClientVpnEndpoint
- ec2:DeleteVpcPeeringConnection
- ec2:DeleteVpcEndpoints
- ec2:UpdateSecurityGroupRuleDescriptionsIngress
- ec2:DeleteRouteTable
- ec2:DisassociateVpcCidrBlock
- ec2:DeleteVolume
- ec2:DeleteVpnGateway
- ec2:UnassignIpv6Addresses
- ec2:DeleteInternetGateway
- ec2:UnassignPrivateIpAddresses
- ec2:DeleteVpnConnection
- ec2:DisableImageDeprecation
- ec2:DetachVolume
- ec2:UpdateSecurityGroupRuleDescriptionsEgress
- ec2:DeleteNetworkInterface
- ec2:DeletePublicIpv4Pool
- ec2:DetachInternetGateway
- ec2:StopInstances
- ec2:DisassociateRouteTable
- ec2:DetachVpnGateway
- ec2:DeleteTransitGatewayRoute
- ec2:AssociateDhcpOptions
- ec2:DeleteDhcpOptions
- ec2:DeleteNatGateway
- ec2:DeleteVpc
- ec2:DeleteTransitGateway
- ec2:DeleteKeyPair
- ec2:DeleteNetworkAclEntry
- ec2:DeleteQueuedReservedInstances
- ec2:DeleteCarrierGateway
- ec2:DisassociateAddress
- ec2:DeregisterImage
- ec2:DeleteSnapshot
- ec2:DeleteNetworkAcl
- ec2:ReplaceNetworkAclAssociation
- ec2:ReleaseAddress
- ec2:DeleteEgressOnlyInternetGateway
- ec2:TerminateInstances
- ec2:DetachNetworkInterface
- ec2:DeletePlacementGroup
- ec2:DeleteRoute
- ec2:DeprovisionPublicIpv4PoolCidr
- ec2:DisassociateSubnetCidrBlock
- ec2:DeleteVpnConnectionRoute
- ec2:DeleteCustomerGateway
- ec2:DeleteClientVpnRoute
- ec2:DeleteSecurityGroup
- ec2:DeleteTransitGatewayConnect
Loadbalancer Reset Access
permissions:
- elasticloadbalancing:Describe
- elasticloadbalancing:Delete
- elasticloadbalancing:ModifyListener
- elasticloadbalancing:DetachLoadBalancerFromSubnets
- elasticloadbalancing:DeregisterTargets
- elasticloadbalancing:RemoveListenerCertificates
- elasticloadbalancing:RemoveTags
- elasticloadbalancing:ModifyRule
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- elasticloadbalancing:ModifyLoadBalancerAttributes
- elasticloadbalancing:ModifyTargetGroupAttributes
- elasticloadbalancing:ModifyTargetGroup
- elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer
Loadbalancer V2 Reset Access
permissions:
- elasticloadbalancing:Describe
- elasticloadbalancing:Delete
- elasticloadbalancing:ModifyListener
- elasticloadbalancing:DetachLoadBalancerFromSubnets
- elasticloadbalancing:DeregisterTargets
- elasticloadbalancing:RemoveListenerCertificates
- elasticloadbalancing:RemoveTags
- elasticloadbalancing:ModifyRule
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- elasticloadbalancing:ModifyLoadBalancerAttributes
- elasticloadbalancing:ModifyTargetGroupAttributes
- elasticloadbalancing:ModifyTargetGroup
- elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer
Lambda Function Delete Access
permissions:
- lambda:RemovePermission
- lambda:Delete
RDS Reset Access
permissions:
- rds:Describe
- rds:Delete
- rds:StopDBCluster
- rds:RemoveRoleFromDBCluster
- rds:StopDBInstance
- rds:RemoveRoleFromDBInstance
EFS Reset Access
permissions:
- elasticfilesystem:Describe
- elasticfilesystem:Delete
- elasticfilesystem:UntagResource
FSx Reset Access
permissions:
- fsx:Describe
- fsx:Delete
- fsx:ListTagsForResource
- fsx:UntagResource
SQS Reset Access
permissions:
- sqs:List
- sqs:Get
- sqs:DeleteQueue
- sqs:UntagQueue
SSM Reset Access
permissions:
- ssm:DeleteParameter
DynamoDB Reset Access
permissions:
- dynamodb:DeleteTable
SNS Reset Access
permissions:
- sns:List
- sns:Get
- sns:DeleteTopic
- sns:Unsubscribe
- sns:SetTopicAttributes
Route53 Reset Access
permissions:
- route53:Get
- route53:List
- ec2:DescribeVpcs
- route53:ListResourceRecordSets
- route53:ChangeResourceRecordSets
- route53:ChangeTagsForResource
- route53:DeleteHostedZone
- route53:DisassociateVPCFromHostedZone
NOTE
This list of permissions may increase as Cloud Rewind adds more services for protection.