Clumio generates a permissions file based on the asset types that you selected when you manually connected your AWS account. The policies that are attached to each entity grant Clumio permissions to access your account and selected resources in the account.
The following tables list the permissions that Clumio requires to perform inventory, backup, and restore operations for the selected assets. Depending on the assets that you selected, you might see a subset of the following entities in the permissions file.
AWS resources
Clumio creates the following resources in your AWS account:
-
Clumio SNS Topic
-
Clumio SNS Topic Policy
-
Clumio EventBridge Rule
-
Clumio IAM Policy
-
Clumio IAM Role
Security
Using permissions boundary with Clumio IAM permissions
Most of the permissions listed below are restricted to the resources relevant to Clumio. Customers looking for more granular control over the deployed IAM permissions by Clumio can leverage a custom Permissions Boundary policy with the Clumio IAM Role.
Using permissions boundary with CloudFormation
Provide the Permissions Boundary ARN during the Clumio CloudFormation deployment stack.
Using Permissions Boundary with Terraform
Use the "permissions_boundary_arn" input parameter for the Terraform module. Further details can be found on the Terraform Registry page.
ClumioIAMRole
This is the role Clumio will assume in a customer account to provide cloud inventory, backup and restore features. This role is required, without it, Clumio cannot protect any AWS assets.
Trust policies
| Actions | Permission statement | More information |
|---|---|---|
| sts:AssumeRole | Allow | This role can only be assumed by a single intermediate role within Clumio’s control plane |
Inline policies
ClumioInventoryPolicy
This policy is required to grant Clumio access for inventory related actions.
| Actions | Permission statement |
|---|---|
| backup:ListProtectedResources | Required to allow Clumio insight into other AWS-backed up resources. |
| backup:ListBackupVaults | Allow Clumio to retrieve AWS Backup vaults. |
| backup:ListRecoveryPointsByBackupVault | Allow Clumio to list recovery points in AWS Backup vaults. |
| backup:DescribeRecoveryPoint | Allow Clumio to get recovery point information. |
| cloudwatch:GetMetricStatistics | Required to get Cloudwatch metrics for S3 buckets and DynamoDB tables. |
| dynamodb:DescribeBackup dynamodb:DescribeContinuousBackups dynamodb:DescribeTable dynamodb:DescribeTableReplicaAutoScaling dynamodb:ListBackups dynamodb:ListTables dynamodb:ListTagsOfResource |
Required to list all DynamoDB tables and relevant information. |
| dynamodb:DescribeGlobalTable dynamodb:DescribeGlobalTableSettings dynamodb:ListGlobalTables |
Required to list DynamoDB global tables and relevant information. |
| ec2:DescribeImageAttribute ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstances ec2:DescribeInstanceTypes ec2:DescribeInstanceCreditSpecifications ec2:DescribeInstanceTypeOfferings ec2:DescribeTags ec2:DescribeSnapshots ec2:DescribeAvailabilityZones ec2:DescribeSecurityGroups |
Required to list EC2 resources and relevant information. |
| ec2:DescribeFastSnapshotRestore ec2:DescribeSnapshotAttribute ec2:DescribeSnapshots ec2:DescribeLockedSnapshots ec2:DescribeVolumeAttribute ec2:DescribeVolumeStatus ec2:DescribeVolumes ebs:ListChangedBlocks ebs:ListSnapshotBlocks kms:DescribeKey |
Required to list EBS resources and relevant information. |
| rds:DescribeDBClusters | Required to describe RDS clusters for Clumio inventory synchronization. |
| rds:DescribeDBClusterSnapshotAttributes rds:DescribeDBClusterSnapshots |
Required to describe RDS cluster snapshots for Clumio Convert and during restore operations. |
| rds:DescribeDBInstances | Required to describe RDS instances for Clumio inventory synchronization. |
| rds:DescribeDBInstanceAutomatedBackups | Required to describe RDS snapshots for point-in-time backups. |
| rds:DescribeDBSnapshotAttributes | Required to describe RDS instance snapshot attributes for Clumio Convert. |
| rds:DescribeDBSnapshots | Required to describe the RDS instance snapshot for Clumio Convert and during restore. |
| rds:DescribeGlobalClusters | Required to describe RDS global clusters for Clumio inventory synchronization. |
| rds:DescribeOptionGroups rds:DescribeOptionGroupOptions |
Required to describe RDS option groups. |
| rds:ListTagsForResource | Required to list RDS cluster or instance tags for Clumio inventory synchronization. |
| s3:ListAllMyBuckets s3:GetBucketLocation s3:GetEncryptionConfiguration s3:GetBucketVersioning s3:GetBucketPolicy s3:GetBucketPublicAccessBlock s3:GetBucketTagging s3:GetReplicationConfiguration s3:GetLifecycleConfiguration s3:GetBucketLogging s3:GetBucketObjectLockConfiguration |
Required to list all S3 buckets and relevant information. |
| s3:PutStorageLensConfiguration s3:PutStorageLensConfigurationTagging s3:DeleteStorageLensConfiguration s3:GetStorageLensConfiguration s3:ListStorageLensConfigurations s3:GetStorageLensConfigurationTagging |
Storage lens permissions to retrieve S3 object-level metrics. |
| s3:GetMultiRegionAccessPoint | Get a single multi-region access point. |
| s3:ListMultiRegionAccessPoints | List all S3 multi-region access points. |
| cloudwatch:GetMetricStatistics | Get CloudWatch Metrics for S3 buckets. |
ClumioKMSPolicy
This policy is required to grant Clumio access to customer keys and Clumio’s keys during backup and restore operations.
| Actions | Permission statement |
|---|---|
| kms:DescribeKey kms:Encrypt kms:Decrypt kms:ReEncryptFrom kms:ReEncryptTo kms:GenerateDataKey kms:GenerateDataKeyPair kms:GenerateDataKeyPairWithoutPlaintext kms:GenerateDataKeyWithoutPlaintext |
Required in order to access customers' keys during backup and restore operations, if objects in the customers' bucket are encrypted. Also, required while copying large objects directly between the customer's bucket and Clumio’s arena bucket. |
ClumioBaseValidationPolicy
This policy is required to validate permissions for Clumio base managed policy.
| Actions | Permission statement |
|---|---|
| iam:GetPolicy iam:GetPolicyVersion |
Required to validate ClumioBaseManagedPolicy attached to Clumio Role. |
ClumioDriftDetectPolicy
This policy grants Clumio read permissions to detect changes to resources in an account.
| Actions | Permission statement |
|---|---|
| cloudformation:DescribeStacks cloudformation:DescribeStackResources cloudformation:DetectStackResourceDrift iam:GetServiceLinkedRoleDeletionStatus iam:ListInstanceProfilesForRole iam:SimulatePrincipalPolicy iam:GetContextKeysForPrincipalPolicy iam:ListAttachedRolePolicies iam:ListRolePolicies iam:ListRoleTags iam:GetRolePolicy iam:GetRole sns:GetTopicAttributes sns:ListSubscriptionsByTopic sns:ListTagsForResource sns:GetDataProtectionPolicy events:DescribeEventBus events:ListTagsForResource events:DescribeRule events:ListTargetsByRule |
Read permissions required to detect changes in resources in a customer's account. |
Managed policies
ClumioBaseManagedPolicy
This policy grants Clumio access for basic validation and to obtain basic information. The permissions defined in this policy are required for Clumio to list and validate protection policies for AWS assets.
| Actions | Permission statement |
|---|---|
| iam:ListAttachedRolePolicies iam:ListRolePolicies iam:GetRolePolicy |
List all policies (managed and inline) for ClumioIAMRole and ClumioSupportRole. Required to validate policies. |
| iam:ListAccountAliases | Required to fetch account alias for a customer account. |
| sns:GetTopicAttributes events:DescribeRule |
Required to validate SNS topic and rule created in a customer account. |
| organizations:DescribeOrganization | Required to allow Clumio to only have to add one policy for the entire AWS organization. Otherwise, Clumio would have to create policies for each account. |
| account:ListRegions account:GetRegionOptStatus |
Lists AWS regions and whether they are enabled or not. Specifies which regions your AWS account can use. |
| iam:GetPolicy iam:GetPolicyVersion |
Gets policy definitions for policies attached to Clumio Roles. Required to validate S3, RDS, DynamoDB, EC2/EBS and other AWS datasource policies. |
| ssm:GetDocument | Gets contents of the specified AWS Systems Manager document. |
| iam:ListAttachedRolePolicies iam:ListRolePolicies iam:GetRolePolicy |
Permissions to list all policies for ClumioS3ContinuousBackupEventBridgeRole.Required to validate policies. |
| iam:GetRole iam:GetPolicyVersion |
Permissions to fetch role details for S3 Continuous Backup Role. Required to validate S3 role details. |
| sns:DecodeAuthorizationMessage | Permissions to decode authorization error messages. |
ClumioDynamoDbBackupPolicy
This policy contains permissions required for DynamoDB Snap and SecureVault backups.
| Actions | Permission statement |
|---|---|
| dynamodb:ExportTableToPointInTime dynamodb:UpdateTable |
Required during seed backup to export the table data to S3 and enable streams. |
| dynamodb:DescribeStream dynamodb:GetRecords dynamodb:GetShardIterator |
Required during incremental backups to use streams to capture the incremental data. |
| dynamodb:DescribeExport | Required during seed backup to export the table data to S3. |
| s3:AbortMultipartUpload s3:PutObject s3:PutObjectAcl |
Required during seed backup to upload table data to S3. |
| kms:CreateGrant kms:Decrypt kms:DescribeKey kms:Encrypt kms:GenerateDataKey kms:ReEncryptFrom kms:ReEncryptTo |
Required to decrypt the items in the encrypted table and encrypt the S3 files. |
| dynamodb:CreateBackup dynamodb:DescribeTable dynamodb:DescribeContinuousBackups dynamodb:DescribeTimeToLive dynamodb:ListTagsOfResource dynamodb:UpdateContinuousBackups |
Required to backup table data and configuration information. |
| dynamodb:DeleteBackup dynamodb:DescribeBackup |
Required to delete backups during expiry or failed backups cleanup. |
| dynamodb:ListBackups | Required to list snap backups. |
| application-autoscaling:DescribeScalableTargets application-autoscaling:DescribeScalingPolicies |
Required to backup autoscaling configuration information. |
ClumioDynamoDbRestorePolicy
The policy contains permissions required to restore DynamoDB Snap and SecureVault backups
| Actions | Permission statement |
|---|---|
| kms:Decrypt kms:DescribeKey kms:Encrypt kms:GenerateDataKey kms:ReEncryptFrom kms:ReEncryptTo |
Required to decrypt the S3 files and encrypt the restored table items. |
| dynamodb:CreateTable dynamodb:CreateTableReplica dynamodb:UpdateTableReplicaAutoScaling |
Required to restore table data, the global table replica and then update them with the same backup configuration. |
| dynamodb:ImportTable dynamodb:DescribeImport |
Required to restore to a new table from S3 files. |
| s3:GetObject s3:ListBucket |
Required to restore to a new table from S3 files. |
| logs:CreateLogGroup logs:CreateLogStream logs:DescribeLogGroups logs:DescribeLogStreams logs:PutLogEvents logs:PutRetentionPolicy |
Required by the ImportTable API used during restores. |
| dynamodb:BatchWriteItem dynamodb:DeleteItem dynamodb:GetItem dynamodb:PutItem dynamodb:Query dynamodb:Scan dynamodb:TagResource dynamodb:UntagResource dynamodb:UpdateItem dynamodb:UpdateTimeToLive |
Required to restore from a snap. |
| dynamodb:DeleteTable | Required to delete table during failed restore cleanup. |
| dynamodb:DescribeTable dynamodb:RestoreTableFromBackup dynamodb:RestoreTableToPointInTime |
Required to restore from a snap. |
| application-autoscaling:PutScalingPolicy application-autoscaling:RegisterScalableTarget |
Required to restore autoscaling settings of the DynamoDB table provisioned throughput. |
| iam:PassRole | Required for cross-region snap and PITR restores with autoscaling settings. |
| iam:CreateServiceLinkedRole | AWSServiceRoleForApplicationAutoScaling_DynamoDBTable is automatically created when the RegisterScalableTarget API is called. |
ClumioEC2BackupPolicy
The Clumio Managed IAM policy for EBS and EC2 backups. This is a generic policy used to identify Clumio created resources in the customer account. Most of the policy statements in the ClumioEc2BackupPolicy use tag based conditions to provide access to the actions.
The following tags are used: ClumioVendorTag - Vendor: Clumio
| Actions | Permission statement |
|---|---|
| ec2:CreateSnapshots ec2:CreateSnapshot |
Required to take point in time snapshots of a given volume or instance for backup. The actions are allowed only if the operation has ClumioVendorTag in the request. |
| ec2:CreateSnapshots ec2:CreateSnapshot |
Allow CreateSnapshot(s) on any instance or volume in the AWS account. The resulting snapshot is tagged with ClumioVendorTag per the statements in AllowStartSnapshotWithClumioRequestTag. |
| ec2:DeleteSnapshot | Required to delete snapshots in the following cases: - Clumio maintains only one snapshot per volume per storage tier. During incremental backup, older snapshots taken by previous backups are deleted. - When a backup expires, snapshots associated with the backup(if any) are deleted.This action is allowed only if it is tagged with a ClumioVendorTag. |
| ec2:RegisterImage | Required to register an image of a given EC2 instance in aws_snapshot backup operations. This action is allowed on a snapshot only if it is tagged with ClumioVendorTag. |
| ec2:RegisterImage | no description |
| ec2:DeregisterImage | Required to let Clumio AWS backup to deregister the image registered at the time of backup, if backup fails after the image has been registered. This action is allowed only if the image has been tagged with ClumioVendorTag. |
| ec2:CreateTags | Deny direct CreateTags operation. Allow tag creation only if it is associated with CreateSnapshot(s) operations. Allow CreateTags operation on an image only if one of the request tags is ClumioVendorTag. |
| ec2:CreateTags | no description |
| ec2:DeleteTags | Allow Delete Tags on an image or snapshot only if the resource is tagged with ClumioVendorTag. |
| ebs:GetSnapshotBlock ebs:ListChangedBlocks ebs:ListSnapshotBlocks |
Allow read operations on a given snapshot. Clumio backup uses these operations to retrieve the data in a snapshot. |
| ec2:DescribeCapacityReservations ec2:DescribeAddresses ec2:DescribeNetworkInterfaces ec2:DescribeVpcs ec2:DescribeElasticGpus ec2:DescribeSubnets ec2:DescribeKeyPairs elastic-inference:DescribeAcceleratorOfferings elastic-inference:DescribeAccelerators |
Allow 'describe' operations on resources which could be associated with an EC2 instance. |
| iam:GetInstanceProfile | Allow read on a given instance profile. |
| iam:GetRole | Allow read on a given role. |
ClumioEC2RestorePolicy
This is the Clumio Managed IAM policy for EBS and EC2 restore operations. Most of the policy statements used in ClumioEc2RestorePolicy use tag based conditions to provide access to the actions.
The following tags are used in the tag based conditions:
- ClumioVendorTag - Vendor: Clumio
This tag identifies Clumio-created resources in your AWS account.
- ClumioRestoreTag - clumio.restore.tag : "*"
During the process of EC2/EBS Restore, this particular tag is intermittently applied to the resources until the completion of the restore.
| Actions | Permission statement |
|---|---|
| ebs:StartSnapshot | A Clumio restore task invokes StartSnapshot to restore a snapshot with the following steps: - starts a snapshot - puts the snapshot data of the volume to be restored in the snapshot - completes the snapshot. Allow StartSnapshot action only if the request contains ClumioVendorTag. |
| ebs:CompleteSnapshot ebs:PutSnapshotBlock |
Clumio restore task invokes CompleteSnapshot to restore a snapshot. Snapshot operations are allowed only on snapshots with ClumioVendorTag. |
| ec2:CreateSnapshots ec2:CreateSnapshot |
Clumio restore uses CreateSnapshot operations to generate an AMI of a restored instance/volume. Allow create snapshot with ClumioRestoreTag for volume restore. |
| ec2:CreateVolume | Clumio restore invokes CreateVolume to create a restored volume. Allow CreateVolume only if the operation request contains ClumioRestoreTag. |
| ec2:DeleteVolume | Clumio restore deletes the restored volume in case restore fails after the volume has been created. Allow DeleteVolume only if the volume is tagged with ClumioRestoreTag. |
| ec2:AttachVolume | Clumio restore attaches the restored volumes to the restored instance or the instance specified in EC2 restore volumes request. |
| ec2:DetachVolume ec2:AttachVolume |
AttachVolume attaches an EBS volume to an EC2 instance. There is no condition for this operation. This is to facilitate the following: - Allow attaching a volume which was not restored by Clumio to a Clumio restored EC2 instance. - Allow attaching a Clumio restored volume to an EC2 instance which was not restored by Clumio. DetachVolume allows Clumio to detach a volume only from a Clumio restored EC2 instance. |
| ec2:RegisterImage | Clumio restore uses RegisterImage operation to create an AMI, in case of a restore as an AMI image. RegisterImage can be performed only on a Clumio restored snapshot. |
| ec2:DeregisterImage | Clumio restore de-registers the image if the restore operation has failed after the register image operation. DeregisterImage can be performed only on a Clumio restored snapshot. |
| ec2:RunInstances | Clumio restore uses run instance operation to launch a restored instance with the required resources. |
| ec2:StartInstances ec2:StopInstances ec2:TerminateInstances |
Clumio restore performs instance based operations such as StartInstances, StopInstances and TerminateInstances at various steps in the instance restore task. Allow the listed instance operations on instances with ClumioRestoreTag. |
| ec2:DeleteNetworkInterface | Clumio restore deletes the network interface created while launching the restored instance in case restore failure after launching the instance. DeleteNetworkInterface is allowed only if the interface is tagged with ClumioRestoreTag. |
| ec2:AssociateAddress ec2:DisassociateAddress |
Clumio restore associates addresses with the network interfaces after restoring the instance. If the restore fails after association of address to the network interfaces step, then the DisassociateAddress operation is performed. The AssociateAddress or DisassociateAddress operations are performed only on instances and network interfaces tagged with ClumioRestoreTag. |
| ec2:CreateTags | Clumio intends to create tags only on Clumio created resources so as to avoid extending Clumio Role’s access to other existing resources by allowing CreateTags operation. Deny direct CreateTags operation. Allow tag creation on listed resources only if they are associated with CreateAction operations other than CreateTags. Clumio creates images using the RegisterImage operation which does not support CreateTags as a dependent operation. Therefore, access to CreateTags is required by Clumio restore. Allow CreateTags operation only on an image only if one of the request tags is ClumioRestoreTag. |
| ec2:DeleteTags | DeleteTags is a delete operation which should be allowed only on resources which have been created by Clumio operations to avoid accidental deletion of tags. Allow Delete Tags on an image or snapshot only if the resource is tagged with ClumioRestoreTag. |
| iam:PassRole | Access for PassRole is required to attach an instance profile to the restored instance. |
| ebs:GetSnapshotBlock ebs:ListChangedBlocks ebs:ListSnapshotBlocks |
Allow read operations on a given snapshot. Clumio restore uses these operations to read the data in a snapshot. |
| iam:GetInstanceProfile | Restore uses the GetInstanceProfile operation to validate the instance profile to be attached to the restored instance. |
| iam:GetRole | Restore uses GetRole operation to validate the given AWS role. |
| ec2:DescribeCapacityReservations ec2:DescribeAddresses ec2:DescribeNetworkInterfaces ec2:DescribeVpcs ec2:DescribeElasticGpus ec2:DescribeSubnets ec2:DescribeKeyPairs elastic-inference:DescribeAcceleratorOfferings elastic-inference:DescribeAccelerators |
Restore uses the listed EC2 describe operations to validate the restored instances. |
ClumioRdsBackupPolicy
Grants access to Clumio for RDS Snap and SecureVault in-region and cross-region backups
| Actions | Permission statement |
|---|---|
| rds:CopyDBClusterSnapshot rds:ModifyDBClusterSnapshotAttribute |
Copies a snapshot of a database cluster. Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot. |
| rds:CopyDBSnapshot rds:ModifyDBSnapshotAttribute |
Copies the specified database snapshot. |
| rds:CreateDBClusterSnapshot | Creates a snapshot of a database cluster. |
| rds:DescribeDBClusterSnapshots | Returns information about database cluster snapshots. |
| rds:CreateDBSnapshot | Creates a snapshot of a database instance. |
| rds:DescribeDBSubnetGroups | Returns a list of DBSubnetGroup descriptions. |
| rds:AddTagsToResource | Adds metadata tags to an Amazon RDS resource. |
| rds:ModifyOptionGroup | Modifies an existing option group. |
| rds:ModifyDBCluster | Modifies the settings of an Amazon Aurora database cluster or a Multi-AZ database cluster. |
| rds:ModifyDBInstance | Modifies settings for a database instance. |
| ec2:DescribeSecurityGroups | Describes the specified security groups or all of your security groups. |
| rds:ListTagsForResource | Lists all tags on an Amazon RDS resource. |
| rds:DeleteDBClusterSnapshot | Deletes a database cluster snapshot. |
| rds:DeleteDBSnapshot | Deletes a database snapshot. |
| kms:CreateGrant | Required during backup and restore of an RDS instance or cluster. |
ClumioRdsRestorePolicy
| Actions | Permission statement |
|---|---|
| rds:ListTagsForResource | Required to identify a Clumio restored instance or cluster for cleanup. |
| rds:CreateDBInstance | Required to restore an RDS instance in an RDS cluster. |
| rds:CreateDBParameterGroup | Required to restore the parameter group configuration. |
| rds:RestoreDBInstanceFromDBSnapshot | Required to restore an RDS instance from the snapshot. |
| rds:RestoreDBInstanceToPointInTime | Required to restore a RDS instance from its point in time configuration. |
| rds:RestoreDBClusterFromSnapshot | Required to restore the RDS cluster from the snapshot. |
| rds:RestoreDBClusterToPointInTime | Required to restore a RDS cluster from its point in time configuration. |
| rds:RemoveTagsFromResource | Required to remove the Clumio tag from a restored RDS instance or cluster. |
| rds:AddTagsToResource | Required to identify the Clumio restored instance or cluster for cleanup. |
| rds:CreateOptionGroup | Required to restore an option group in Clumio restored instance/cluster. Wildcard required in resource ARN for cross-region restores. |
| rds:CreateDBInstanceReadReplica | Required to restore the read-replicas for Clumio restored instance/cluster. Wildcard is used for regions so that Clumio can create read-replicas in the regions not connected to Clumio. |
| rds:DeleteDBCluster | Required to clean up a Clumio-created RDS cluster on failure. |
| rds:DeleteDBInstance | Required to clean up a Clumio-created RDS instance on failure. |
| rds:AddRoleToDBCluster | Required to associate IAM roles for a Clumio restored cluster. |
| rds:AddRoleToDBInstance | Required to associate IAM roles for a Clumio restored instance. |
| iam:PassRole | Required to pass the associated IAM roles to a Clumio restored instance or cluster. |
ClumioS3BackupPolicy
This policy contains permissions required for S3 continuous backups.
| Actions | Permission statement |
|---|---|
| cloudwatch:GetMetricStatistics | Required to get Cloudwatch metrics for S3 buckets. |
| s3:ListBucket s3:PutObject s3:PutObjectAcl s3:PutObjectTagging |
Required to allow Clumio backups. |
| organizations:DescribeOrganization | Required to allow Clumio to only have to add one policy for the entire AWS organization. Otherwise, Clumio would have to create policies for each account. |
| s3:GetInventoryConfiguration s3:PutInventoryConfiguration s3:ListBucket s3:ListBucketVersions s3:ListBucketMultipartUploads s3:GetObject s3:GetObjectTagging s3:GetObjectVersionTagging s3:GetObjectVersion |
Required to get S3 bucket and object information in preparation for S3 backup and S3 continuous backup. |
| s3:GetBucketNotification s3:PutBucketNotification |
Required to set up S3 bucket event notifications in customer buckets to forward to EventBridge for continuous backup. |
| events:DescribeRule events:PutRule events:DeleteRule events:PutTargets events:RemoveTargets events:ListTargetsByRule |
Required to configure an EventBridge rule to forward customer bucket events to Clumio arena bucket for continuous backup. |
| iam:PassRole | Required for continuous backup, as EventBridge requires all new cross account event bus targets to add IAM Roles. This allows Clumio to pass in the Continuous Backup role. |
ClumioS3RestorePolicy
This policy contains permissions required to restore S3 assets.
| Actions | Permission statement |
|---|---|
| s3:PutObject s3:PutObjectAcl s3:PutObjectTagging s3:DeleteObject s3:AbortMultipartUpload s3:GetObject s3:GetObjectTagging |
Required to allow Clumio to modify and check customer bucket contents during restore. |
| s3:GetBucketVersioning s3:ListBucketVersions |
Required to allow Clumio to check restore target bucket. |
| s3:ListBucket s3:GetObject |
Required to allow Clumio restores. |
ClumioS3ContinuousBackupEventBridgeRole
This role is required if you select the S3 asset type to apply Clumio protection and want to use Clumio’s S3 continuous backup feature.
Trust policies
| Actions | Permission statement |
|---|---|
| sts:AssumeRole | Required by EventBridge for new cross account event bus targets to add IAM roles. This passes in that role, and is necessary for continuous backup. |
Inline policies
ClumioS3ContinuousBackupEventBridgePolicy
| Actions | Permission statement |
|---|---|
| events:PutEvents | Allows S3 events from an on-boarded AWS account to be forwarded to Eventbridge. |
ClumioSSMNotificationRole
This role is used to publish SNS notifications about the SSM agent.
Trust policies
| Actions | Permission statement |
|---|---|
| sts:AssumeRole | Role required to publish SNS notifications about the SSM agent. |
Inline policies
ClumioSSMNotificationPolicy
| Actions | Permission statement |
|---|---|
| sns:Publish | Allow Clumio SSM Notification Role to publish messages to SNS Topic in the control plane account. |
ClumioSupportRole
This role is optional in the manual onboarding flow.
Trust policies
| Actions | Permission statement |
|---|---|
| sts:AssumeRole | This role can only be assumed by a single role in the Clumio control plane. |
Inline policies
ClumioSupportPolicy
| Actions | Permission statement |
|---|---|
| support:AddAttachmentsToSet support:AddCommunicationToCase support:CreateCase support:DescribeAttachment support:DescribeCases support:DescribeCommunications support:DescribeCreateCaseOptions support:DescribeServices support:DescribeSeverityLevels support:DescribeSupportedLanguages support:DescribeTrustedAdvisorCheckRefreshStatuses support:DescribeTrustedAdvisorCheckResult support:DescribeTrustedAdvisorChecks support:DescribeTrustedAdvisorCheckSummaries |
Allows Clumio Support to create cases to proactively fix any issues with backup and restore operations. |
ClumioEventPub
This SNS topic notifies Clumio services about new events in your resource inventory. The ARN for this topic is required to be passed as the target ARN for the event rules. It contains the following policy.
ClumioEventPubPolicy
This policy provides security to the inventory topic.
| Actions | Permission statement |
|---|---|
| SNS:Publish | Any resource in a customer account can publish to this topic. |
| SNS:Subscribe | Clumio control plane resources can subscribe to this topic. |
| SNS:ListSubscriptionsByTopic | Required to list subscriptions associated with this topic. |
| SNS:Publish | Required so that EventBridge rules in a customer account can publish to this topic. |
ClumioEventPubKey
A KMS key that can be used for encryption at rest for SNS topics like ClumioEventPub etc. The key must have all the permissions mentioned under ClumioEventPubKeyPolicy.
ClumioEventPubKeyPolicy
This policy provides security to the ClumioEventPubKey by controlling which AWS services can use the key for encryption and decryption operations.
| Actions | Service Principal | Description |
|---|---|---|
| kms:GenerateDataKey* kms:Decrypt |
events.amazonaws.com |
Allows Amazon EventBridge to use the KMS key for encrypting events before forwarding them to SNS topics |
| kms:GenerateDataKey* kms:Decrypt |
sns.amazonaws.com |
Allows Amazon SNS to use the KMS key for message encryption when delivering to subscribers. This can be scoped to specific SNS topics using resource conditions |
Note: The permissions above represent the minimum required access. You may need to add additional permissions based on your specific use case.