1. Clumio
  2. Knowledge Base
  3. Adding Data Sources

Articles in this section

See more

Permissions file details

Anu Kolhatkar
  • Updated

Clumio generates a permissions file based on the asset types selected when you manually on-board your AWS account to Clumio. The policies attached to each of the entities grants Clumio specific permissions to access your account and selected resources within it to protect your AWS assets. 

Note: Permissions required for RDS and MS SQL on EC2 will be added in upcoming revisions.

The tables below contain descriptions of permissions that Clumio requires to perform an inventory of the selected assets  and backup and restore operations. Based on your selections, you will see all of the following entities or a subset of them in the permissions file. 

 

ClumioIAMRole

This is the role Clumio will assume in a customer account to provide Cloud Inventory, Backup and Restore features. This role is required, without it, Clumio cannot protect any AWS assets.

Actions(s) Permission statement
  • sts:AssumeRole
 This role can only be assumed by a single intermediate role within Clumio’s control plane.

 

ClumioBasePolicy

This policy grants Clumio access for basic validation and to obtain basic information. The permissions defined in this policy are required for Clumio to list and validate protection policies for AWS assets.

Action(s) Permission statement
  • iam:ListAttachedRolePolicies
  • iam:ListRolePolicies
  • iam:GetRolePolicy

List all policies (managed and inline) for ClumioIAMRole and ClumioSupportRole.

Required to validate policies
  • iam:ListAccountAliases
 Required to fetch account alias for the customer's account
  • sns:GetTopicAttributes
  • events:DescribeRule
 Required to validate SNS topic and rule created in customer's account.
  • iam:GetRole

Fetch role details for S3 Continuous Backup Role.

Required to validate S3 role details.
  • iam:ListAttachedRolePolicies
  • iam:ListRolePolicies
  • iam:GetRolePolicy
 List all policies for ClumioS3ContinuousBackupEventBridgeRole. Required to validate policies
  • iam:GetPolicy
  • iam:GetPolicyVersion
 Fetch policy definitions for s3, DynamoDB, or EC2 managed policies. Required for S3, DynamoDB, and EC2 policy validation

 

ClumioInventoryPolicy

This policy is required to grant Clumio access for inventory related actions.

Actions(s) Permission statement
  • backup:ListProtectedResources
 Required to allow Clumio insight into other AWS-backed up resources. 
  • s3:ListAllMyBuckets
  • s3:GetBucketLocation
  • s3:GetEncryptionConfiguration
  • s3:GetBucketVersioning
  • s3:GetBucketPolicy
  • s3:GetBucketTagging
  • s3:GetReplicationConfiguration
  • s3:GetLifecycleConfiguration
  • s3:GetBucketLogging
 Required to list all S3 buckets and relevant information.
  • cloudwatch:GetMetricStatistics
 Required to get Cloudwatch Metrics for S3 buckets. 
  • dynamodb:DescribeBackup
  • dynamodb:DescribeContinuousBackups- dynamodb:DescribeTable
  • dynamodb:DescribeTableReplicaAutoScaling
  • dynamodb:ListBackups
  • dynamodb:ListTables
  • dynamodb:ListTagsOfResource
 Required to list all DynamoDB tables and relevant information.
  • dynamodb:DescribeGlobalTable
  • dynamodb:DescribeGlobalTableSettings
  • dynamodb:ListGlobalTables
 Required to list DynamoDB global tables and relevant information.
  • ec2:DescribeImageAttribute
  • ec2:DescribeImages
  • ec2:DescribeInstanceAttribute
  • ec2:DescribeInstanceStatus
  • ec2:DescribeInstances
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceCreditSpecifications
  • ec2:DescribeInstanceTypeOfferings
  • ec2:DescribeTags
  • ec2:DescribeSnapshots
  • ec2:DescribeAvailabilityZones
  • ec2:DescribeSecurityGroups
 Required to list EC2 resources and relevant information.
  • ec2:DescribeFastSnapshotRestore
  • ec2:DescribeSnapshotAttribute
  • ec2:DescribeSnapshots
  • ec2:DescribeVolumeAttribute
  • ec2:DescribeVolumeStatus
  • ec2:DescribeVolumes
  • ebs:ListChangedBlocks
  • ebs:ListSnapshotBlocks
  • kms:DescribeKey
 Required to list EBS resources and relevant information.

 

ClumioKMSPolicy

This policy is required to grant Clumio access to customer keys and Clumio’s keys during backup and restore operations.

Action(s) Permission statement
  • kms:DescribeKey
  • kms:Encrypt
  • kms:Decrypt
  • kms:ReEncryptFrom
  • kms:ReEncryptTo
  • kms:GenerateDataKey
  • kms:GenerateDataKeyPair
  • kms:GenerateDataKeyPairWithoutPlaintext
  • kms:GenerateDataKeyWithoutPlaintext
  • kms:CreateGrant

Required in order to access customers' keys during backup and restore operations, if objects in the customers' bucket are encrypted. 

Also, required while copying large objects directly between the customer's bucket and Clumio’s arena bucket.

 

ClumioS3BackupPolicy

This policy contains permissions required for S3 continuous backups.

Action(s) Permission statement
  • cloudwatch:GetMetricStatistics
 Required to get Cloudwatch metrics for S3 buckets.
  • s3:ListBucket
  • s3:PutObject
  • s3:PutObjectAcl
  • s3:PutObjectTagging
 Required to allow Clumio backups.
  • organizations:DescribeOrganization
 Required to allow Clumio to only have to add one policy for the entire AWS org. Otherwise, Clumio would have to create policies for each account.
  • s3:GetInventoryConfiguration
  • s3:PutInventoryConfiguration
  • s3:ListBucket
  • s3:ListBucketVersions
  • s3:ListBucketMultipartUploads
  • s3:GetObject
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:GetObjectVersion
 Required to get S3 bucket and object information in preparation for S3 backup and S3 continuous backup.
  • s3:GetBucketNotification
  • s3:PutBucketNotification
 Required to set up S3 bucket event notifications in customer buckets to forward to EventBridge for continuous backup.
  • events:DescribeRule
  • events:PutRule
  • events:DeleteRule
  • events:PutTargets
  • events:RemoveTargets
  • events:ListTargetsByRule
 Required to configure an EventBridge rule to forward customer bucket events to Clumio arena bucket for continuous backup.
  • iam:PassRole

 

 Required for continuous backup, as EventBridge requires all new cross account event bus targets to add IAM Roles. This allows Clumio to pass in the Continuous Backup role.

 

ClumioS3RestorePolicy

This policy contains permissions required to restore S3 assets.

Action(s) Permission statement
  • s3:PutObject
  • s3:PutObjectAcl
  • s3:PutObjectTagging
  • s3:DeleteObject

Required to allow Clumio to modify customer bucket contents during restore. 

 

ClumioDynamoDbBackupPolicy

This policy contains permissions required for DynamoDB Snap and SecureVault backups.

Action(s) Permission statement
  • dynamodb:ExportTableToPointInTime
  • dynamodb:UpdateTable

Required during seed backup to export the table data to S3 and enable streams.
  • dynamodb:DescribeStream
  • dynamodb:GetRecords
  • dynamodb:GetShardIterator

Required during incremental backups to use streams to capture the incremental data.
  • dynamodb:DescribeExport

Required during seed backup to export the table data to S3.
  • s3:AbortMultipartUpload
  • s3:PutObject
  • s3:PutObjectAcl

Required during seed backup to upload table data to S3.
  • kms:CreateGrant
  • kms:Decrypt
  • kms:DescribeKey
  • kms:Encrypt
  • kms:GenerateDataKey
  • kms:ReEncryptFrom
  • kms:ReEncryptTo

Required to decrypt the items in the encrypted table and encrypt the S3 files.
  • dynamodb:CreateBackup
  • dynamodb:DescribeTable
  • dynamodb:DescribeContinuousBackups
  • dynamodb:DescribeTimeToLive
  • dynamodb:ListTagsOfResource
  • dynamodb:UpdateContinuousBackups

Required to backup table data and configuration information.
  • dynamodb:DeleteBackup
  • dynamodb:DescribeBackup

 

Required to delete backups during expiry or failed backups cleanup.
  • dynamodb:ListBackups

Required to list snap backups.
  • application-autoscaling:DescribeScalableTargets
  • application-autoscaling:DescribeScalingPolicies

Required to backup autoscaling configuration information.

 

ClumioDynamoDbRestorePolicy

The policy contains permissions required to restore DynamoDB Snap and SecureVault backups

Action(s) Permission statement

  • kms:Decrypt

  • kms:DescribeKey

  • kms:Encrypt

  • kms:GenerateDataKey

  • kms:ReEncryptFrom

  • kms:ReEncryptTo

Required to decrypt the S3 files and encrypt the restored table items.
  • dynamodb:CreateTable
  • dynamodb:CreateTableReplica
  • dynamodb:UpdateTableReplicaAutoScaling

Required to restore table data, the global table replica and then update them with the same backup configuration.
  • dynamodb:ImportTable
  • dynamodb:DescribeImport

Required to restore to a new table from S3 files.
  • s3:GetObject
  • s3:ListBucket

Required to restore to a new table from S3 files.
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents
  • logs:PutRetentionPolicy

Required by the ImportTable API used during restores.
  • dynamodb:BatchWriteItem
  • dynamodb:DeleteItem
  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:Query
  • dynamodb:Scan
  • dynamodb:TagResource
  • dynamodb:UntagResource
  • dynamodb:UpdateItem
  • dynamodb:UpdateTimeToLive
 Required to restore from a snap.
  • dynamodb:DeleteTable

Required to delete table during failed restore cleanup.
  • dynamodb:DescribeTable
  • dynamodb:RestoreTableFromBackup
  • dynamodb:RestoreTableToPointInTime

Required to restore from a snap.
  • application-autoscaling:PutScalingPolicy
  • application-autoscaling:RegisterScalableTarget

Required to restore autoscaling settings of the DynamoDB table provisioned throughput.
  • iam:PassRole

Required for cross-region snap and PITR restores with autoscaling settings.
  • iam:CreateServiceLinkedRole

AWSServiceRoleForApplicationAutoScaling_DynamoDBTable is automatically created when the RegisterScalableTarget API is called.

 

ClumioEC2BackupPolicy

The Clumio Managed IAM policy for EBS and EC2 backups. This is a generic policy used to identify Clumio created resources in the customer account. Most of the policy statements in the ClumioEc2BackupPolicy use tag based conditions to provide access to the actions.

The following tag(s) are used: ClumioVendorTag - Vendor: Clumio

Action(s) Permission statement
  • ec2:CreateSnapshots
  • ec2:CreateSnapshot

Required to take point in time snapshots of a given volume or instance for backup.

The actions are allowed only if the operation has ClumioVendorTag in the request.
  • ec2:CreateSnapshots
  • ec2:CreateSnapshot

Allow CreateSnapshot(s) on any instance or volume in the AWS account. 

The resulting snapshot is tagged with ClumioVendorTag per the statements in AllowStartSnapshotWithClumioRequestTag.
  • ec2:DeleteSnapshot

Required to delete snapshots in the following cases:

  • Clumio maintains only one snapshot per volume per storage tier. During incremental backup, older snapshots taken by previous backups are deleted.
  • When a backup expires, snapshots associated with the backup(if any) are deleted.

This action is allowed only if it is tagged with a ClumioVendorTag.
  • ec2:RegisterImage

Required to register an image of a given EC2 instance in aws_snapshot backup operations.

This action is allowed on a snapshot only if it is tagged with ClumioVendorTag.
  • ec2:DeregisterImage

Required to let Clumio AWS backup to deregister the image registered at the time of backup, if backup fails after the image has been registered.

This action is allowed only if the image has been tagged with ClumioVendorTag.
  • ec2:CreateTags

Deny direct CreateTags operation. Allow tag creation only if it is associated with CreateSnapshot(s) operations.

Allow CreateTags operation on an image only if one of the request tags is ClumioVendorTag.
  • ec2:DeleteTags

Allow Delete Tags on an image or snapshot only if the resource is tagged with ClumioVendorTag.
  • ebs:GetSnapshotBlock
  • ebs:ListChangedBlocks
  • ebs:ListSnapshotBlocks

Allow read operations on a given snapshot. Clumio backup uses these operations to retrieve the data in a snapshot.
  • ec2:DescribeCapacityReservations
  • ec2:DescribeAddresses
  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeVpcs
  • ec2:DescribeElasticGpus
  • ec2:DescribeSubnets
  • ec2:DescribeKeyPairs
  • elastic-inference:DescribeAcceleratorOfferings
  • elastic-inference:DescribeAccelerators

Allow describe operations on the resources which could be associated with an EC2 instance.
  • iam:GetInstanceProfile

Allow read on a given instance profile.
  • iam:GetRole

Allow read on a given role.

 

ClumioEC2RestorePolicy

This is the Clumio Managed IAM policy for EBS and EC2 restore operations. Most of the policy statements used in ClumioEc2RestorePolicy use tag based conditions to provide access to the actions.

The following tags are used in the tag based conditions:

     1. ClumioVendorTag - Vendor: Clumio
This is a generic used to identify Clumio created resources in the customer account.

     2. ClumioRestoreTag - clumio.restore.tag : "*"
During the process of EC2/EBS Restore, this particular tag is intermittently applied to the resources until the completion of the restore.

Action(s) Permission statement
  • ebs:StartSnapshot

A Clumio restore task invokes StartSnapshot to restore a snapshot with the following steps:

  • starts a snapshot
  • puts the snapshot data of the volume to be restored in the snapshot
  • completes the snapshot.

Allow StartSnapshot action only if the request contains ClumioVendorTag.
  • ebs:CompleteSnapshot
  • ebs:PutSnapshotBlock

Clumio restore task invokes CompleteSnapshot to restore a snapshot.

Snapshot operations are allowed only on snapshots with ClumioVendorTag.
  • ec2:CreateSnapshots
  • ec2:CreateSnapshot

Clumio restore uses CreateSnapshot(s) operations to generate an AMI of a restored instance/volume.

Allow create snapshot with ClumioRestoreTag for volume restore.
  • ec2:CreateVolume

Clumio restore invokes CreateVolume to create a restored volume.

Allow CreateVolume only if the operation request contains ClumioRestoreTag.
  • ec2:DeleteVolume

Clumio restore deletes the restored volume in case restore fails after the volume has been created.

Allow DeleteVolume only if the volume is tagged with ClumioRestoreTag.
  • ec2:AttachVolume

Clumio restore attaches the restored volumes to the restored instance or the instance specified in EC2 restore volumes request.
  • ec2:DetachVolume
  • ec2:AttachVolume

AttachVolume attaches an EBS volume to an EC2 instance. There is no condition for this operation. This is to facilitate the following:

  • Allow attaching a volume which was not restored by Clumio to a Clumio restored EC2 instance.
  • Allow attaching a Clumio restored volume to an EC2 instance which was not restored by Clum. 

DetachVolume allows Clumio to detach a volume only from a Clumio restored EC2 instance.
  • ec2:RegisterImage

Clumio restore uses RegisterImage operation to create an AMI, in case of a restore as an AMI image.

RegisterImage can be performed only on a Clumio restored snapshot.
  • ec2:DeregisterImage

Clumio restore de-registers the image if the restore operation has failed after the register image operation.

DeregisterImage can be performed only on a Clumio restored snapshot.
  • ec2:RunInstances

Clumio restore uses run instance operation to launch a restored instance with the required resources.
  • ec2:StartInstances
  • ec2:StopInstances
  • ec2:TerminateInstances

Clumio restore performs instance based operations such as  StartInstances, StopInstances and TerminateInstances at various steps in the instance restore task.

Allow the listed instance operations on instances with ClumioRestoreTag.
  • ec2:DeleteNetworkInterface

Clumio restore deletes the network interface created while launching the restored instance in case restore failure after launching the instance.

DeleteNetworkInterface operation is allowed only if the interface is tagged with ClumioRestoreTag.
  • ec2:AssociateAddress
  • ec2:DisassociateAddress

Clumio restore associates addresses with the network interfaces after restoring the instance.

If the restore fails after association of address to the network interfaces step, then the DisassociateAddress operation is performed.

The AssociateAddress or DisassociateAddress operations are performed only on instances and network interfaces tagged with ClumioRestoreTag.
  • ec2:CreateTags

Clumio intends to create tags only on Clumio created resources so as to avoid extending Clumio Role’s access to other existing resources by allowing CreateTags operation.

Deny direct CreateTags operation. 

Allow tag creation on listed resources only if they are associated with CreateAction operations other than CreateTags.

Clumio creates images using the RegisterImage operation which does not support CreateTags as a dependent operation. Therefore, access to CreateTags is required by Clumio restore.

Allow CreateTags operation only on an image only if one of the request tags is ClumioRestoreTag.
  • ec2:DeleteTags

DeleteTags is a delete operation which should be allowed only on resources which has been created by Clumio operations to avoid accidental deletion of tags.

Allow Delete Tags on an image or snapshot only if the resource is tagged with ClumioRestoreTag.
  • iam:PassRole

Access for PassRole is required to attach an instance profile to the restored instance.
  • ebs:GetSnapshotBlock
  • ebs:ListChangedBlocks
  • ebs:ListSnapshotBlocks

Allow read operations on a given snapshot. Clumio restore uses these operations to read the data in a snapshot.
  • iam:GetInstanceProfile

Restore uses the GetInstanceProfile operation to validate the instance profile to be attached to the restored instance.
  • iam:GetRole

Restore uses GetRole operation to validate the given AWS role.
  • ec2:DescribeCapacityReservations
  • ec2:DescribeAddresses
  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeVpcs
  • ec2:DescribeElasticGpus
  • ec2:DescribeSubnets
  • ec2:DescribeKeyPairs
  • elastic-inference:DescribeAcceleratorOfferings
  • elastic-inference:DescribeAccelerators

Restore uses the listed EC2 describe operations to validate the restored instances.

 

ClumioDriftDetectPolicy

This policy grants Clumio read permissions to detect changes in resources in an account.

Action(s) Permission statement
  • cloudformation:DescribeStacks
  • cloudformation:DescribeStackResources
  • cloudformation:DetectStackResourceDrift
  • iam:GetServiceLinkedRoleDeletionStatus
  • iam:ListInstanceProfilesForRole
  • iam:SimulatePrincipalPolicy
  • iam:GetContextKeysForPrincipalPolicy
  • iam:ListAttachedRolePolicies
  • iam:ListRolePolicies
  • iam:ListRoleTags
  • iam:GetRolePolicy
  • iam:GetRole
  • sns:GetTopicAttributes
  • sns:ListSubscriptionsByTopic
  • sns:ListTagsForResource
  • events:DescribeEventBus
  • events:ListTagsForResource
  • events:DescribeRule
  • events:ListTargetsByRule

Read permissions required to detect changes in resources in a customer's account.

 

ClumioSupportRole

This role is optional in the manual onboarding flow. The Support role can be assumed only by a single role in the Clumio control plane. 

The role requires the following policy.

ClumioSupportPolicy

Action(s) Permission statement
  • support:AddAttachmentsToSet
  • support:AddCommunicationToCase
  • support:CreateCase
  • support:DescribeAttachment
  • support:DescribeCases
  • support:DescribeCommunications
  • support:DescribeCreateCaseOptions
  • support:DescribeServices
  • support:DescribeSeverityLevels
  • support:DescribeSupportedLanguages
  • support:DescribeTrustedAdvisorCheckRefreshStatuses
  • support:DescribeTrustedAdvisorCheckResult
  • support:DescribeTrustedAdvisorChecks
  • support:DescribeTrustedAdvisorCheckSummaries

Required to allow Clumio Support to create cases to proactively fix any issues with backup and restore operations. 

 

ClumioS3ContinuousBackupEventBridgeRole

This role is required if you select the S3 asset type to apply Clumio protection and want to use Clumio’s S3 continuous backup feature. It contains the following policy.

ClumioS3ContinuousBackupEventBridgePolicy

Action(s) Permission statement
  • events:PutEvents

Allows for S3 events from an on-boarded AWS account to be forwarded to Eventbridge.

 

ClumioEventPub

This SNS topic notifies Clumio services about any new events in the customer’s resource inventory. The ARN for this topic is required to be passed as the target ARN for the event rules. It contains the following policy.

ClumioEventPubPolicy

This policy provides security to the inventory topic.

Action(s) Permission statement
  • SNS:Publish
 Any resource in a customer account can publish to this topic.
  • SNS:Subscribe
 Clumio control plane resources can subscribe to this topic.
  • SNS:ListSubscriptionsByTopic
 Required to list subscriptions associated with this topic.
  • SNS:Publish
 Required so that EventBridge rules in a customer account can publish to this topic.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.