AWS Resource Usage
This document describes the resources that Clumio deploys in the customer’s AWS account to enable global visibility, risk assessment, and data protection operations in that account.
AWS Resources
Clumio creates the following resources in your AWS account:
- Clumio SNS Topic
- Clumio SNS Topic Policy
- Clumio Event Rule
- Clumio IAM Policy
- Clumio IAM Role
IAM Roles and Permissions
The following IAM roles and policies are created to give Clumio access to your account and to let it perform the required actions.
- IAM Policy to create and manage IAM roles and policies
- IAM Policy to perform drift detection on the Clumio resources
- IAM Role/Policy to provide proactive support
- IAM Policy to perform Clumio operations on the EC2/EBS assets
- IAM Policy to perform Clumio operations on the RDS assets
- IAM Policy to perform Clumio operations on the S3 assets
- IAM Policy to perform Clumio operations on the DynamoDB assets
The IAM permissions attached to each of these policies are listed below for reference:
- An IAM policy used by Clumio to create and manage IAM roles and policies in the customer’s AWS account:
sts:AssumeRole
iam:CreateRole
iam:AttachRolePolicy
iam:DetachRolePolicy
iam:DeleteRole
iam:ListAccountAliases
Note: The permissions listed above are restricted to resources relevant to Clumio. For more information, download the stack from the Clumio portal.
- An IAM policy used by Clumio to perform drift detection on the Clumio resources in the customer’s AWS account:
cloudformation:DescribeStacks
cloudformation:DescribeStackResources
cloudformation:DetectStackResourceDrift
iam:GetServiceLinkedRoleDeletionStatus
iam:ListInstanceProfilesForRole
iam:SimulatePrincipalPolicy
iam:GetContextKeysForPrincipalPolicy
iam:ListAttachedRolePolicies
iam:ListRolePolicies
iam:ListRoleTags
iam:GetRolePolicy
iam:GetRole
sns:GetTopicAttributes
sns:ListSubscriptionsByTopic
sns:ListTagsForResource
events:DescribeEventBus
events:ListTagsForResource
events:DescribeRule
events:ListTargetsByRule
Note: The permissions listed above are restricted to resources relevant to Clumio. For more information, download the stack from the Clumio portal.
- An IAM policy used by Clumio to provide proactive support:
support:*
Note: The permissions listed above are restricted to resources relevant to Clumio. For more information, download the stack from the Clumio portal.
- An IAM policy that allows the Clumio role to perform Clumio operations on the EC2/EBS assets:
ec2:DescribeImageAttribute
ec2:DescribeImages
ec2:DescribeInstanceAttribute
ec2:DescribeInstanceStatus
ec2:DescribeInstances
ec2:DescribeInstanceTypes
ec2:DescribeInstanceCreditSpecifications
ec2:DescribeInstanceTypeOfferings
ec2:DescribeTags
ec2:DescribeSnapshots
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
ec2:DescribeFastSnapshotRestores
ec2:DescribeSnapshotAttribute
ec2:DescribeSnapshots
ec2:DescribeVolumeAttribute
ec2:DescribeVolumeStatus
ec2:DescribeVolumes
ebs:ListChangedBlocks
ebs:ListSnapshotBlocks
kms:DescribeKey
ec2:CreateSnapshots
ec2:CreateSnapshot
ec2:CreateTags
ec2:DeleteTags
ec2:DeleteSnapshot
ec2:CreateVolume
ec2:DeleteVolume
ec2:AttachVolume
ec2:DetachVolume
ec2:StartInstances
ec2:StopInstances
ec2:DeleteNetworkInterface
ec2:AssociateAddress
ec2:DisassociateAddress
ec2:DescribeVpcs
ec2:DescribeAddresses
ec2:DescribeNetworkInterfaces
ec2:DescribeKeyPairs
ec2:DescribeElasticGpus
ec2:DescribeSubnets
iam:GetRole
iam:ListRoles
iam:GetInstanceProfile
iam:ListInstanceProfiles
elastic-inference:DescribeAccelerators
elastic-inference:DescribeAcceleratorOfferings
ec2:DescribeCapacityReservations
ec2:RegisterImage
ec2:DeregisterImage
ec2:TerminateInstances
ec2:RunInstances
kms:DescribeKey
kms:Encrypt
kms:Decrypt
kms:ReEncrypt*
kms:GenerateDataKey*
kms:DescribeKey
kms:CreateGrant
ebs:ListChangedBlocks
ebs:ListSnapshotBlocks
ebs:GetSnapshotBlock
ebs:PutSnapshotBlock
ebs:StartSnapshot
ebs:CompleteSnapshot
Note: The permissions listed above are restricted to resources relevant to Clumio. For more information, download the stack from the Clumio portal.
- An IAM policy that allows the Clumio role to perform Clumio operations on the RDS assets:
rds:DescribeDBClusters
rds:DescribeDBClusterSnapshotAttributes
rds:DescribeDBClusterSnapshots
rds:DescribeDBInstanceAutomatedBackups
rds:DescribeDBInstances
rds:DescribeDBSnapshotAttributes
rds:DescribeDBSnapshots
rds:DescribeGlobalClusters
rds:ListTagsForResource
rds:DescribeOptionGroups
rds:DescribeOptionGroupOptions
cloudwatch:GetMetricStatistics
rds:DescribeDBSubnetGroups
rds:CreateDBInstance
rds:CreateDBSnapshot
rds:CreateDBClusterSnapshot
rds:RestoreDBInstanceFromDBSnapshot
rds:RestoreDBInstanceToPointInTime
rds:RestoreDBClusterFromSnapshot
rds:RestoreDBClusterToPointInTime
rds:ModifyDBCluster
rds:ModifyDBInstance
rds:ModifyDBClusterSnapshotAttribute
rds:ModifyDBSnapshotAttribute
rds:CopyDBClusterSnapshot
rds:CopyDBSnapshot
rds:RemoveTagsFromResource
rds:ListTagsForResource
rds:AddTagsToResource
rds:CreateOptionGroup
rds:CreateDBParameterGroup
rds:DeleteDBCluster
rds:DeleteDBInstance
rds:DeleteDBClusterSnapshot
rds:DeleteDBSnapshot
Note: The permissions listed above are restricted to resources relevant to Clumio. For more information, download the stack from the Clumio portal.
- An IAM policy that allows the Clumio role to perform Clumio operations on the S3 assets:
s3:ListAllMyBuckets
s3:GetBucketLocation
s3:GetEncryptionConfiguration
s3:GetBucketVersioning
s3:GetBucketPolicy
s3:GetBucketTagging
s3:GetReplicationConfiguration
s3:GetInventoryConfiguration
s3:PutInventoryConfiguration
s3:ListBucket*
s3:GetObject*
cloudtrail:AddTags
cloudtrail:CreateTrail
cloudtrail:DeleteTrail
cloudtrail:GetEventSelectors
cloudtrail:GetInsightSelectors
cloudtrail:GetTrail
cloudtrail:GetTrailStatus
cloudtrail:PutEventSelectors
cloudtrail:PutInsightSelectors
cloudtrail:RemoveTags
cloudtrail:StartLogging
cloudtrail:StopLogging
cloudtrail:UpdateTrail
cloudwatch:GetMetricStatistics
s3:ListBucket
s3:PutObject*
s3:PutObject*
s3:DeleteObject
Note: The permissions listed above are restricted to resources relevant to Clumio. For more information, download the stack from the Clumio portal.
- An IAM policy that allows the Clumio role to perform Clumio operations on the DynamoDB assets:
dynamodb:DescribeBackup
dynamodb:DescribeContinuousBackups
dynamodb:DescribeTable
dynamodb:ListBackups
dynamodb:ListGlobalTables
dynamodb:ListTables
dynamodb:ListTagsOfResource
dynamodb:CreateTable
dynamodb:ExportTableToPointInTime
dynamodb:DescribeStream
dynamodb:GetRecords
dynamodb:GetShardIterator
dynamodb:DescribeExport
s3:AbortMultipartUpload
s3:PutObject
s3:PutObjectAcl
kms:CreateGrant
kms:Decrypt
kms:DescribeKey
kms:Encrypt
kms:GenerateDataKey
kms:ReEncrypt*
dynamodb:BatchWriteItem
dynamodb:CreateBackup
dynamodb:DeleteItem
dynamodb:DeleteTable
dynamodb:DescribeTable
dynamodb:DescribeContinuousBackups
dynamodb:DescribeTimeToLive
dynamodb:GetItem
dynamodb:ListTagsOfResource
dynamodb:PutItem
dynamodb:Query
dynamodb:RestoreTableFromBackup
dynamodb:RestoreTableToPointInTime
dynamodb:Scan
dynamodb:TagResource
dynamodb:UntagResource
dynamodb:UpdateContinuousBackups
dynamodb:UpdateItem
dynamodb:UpdateTable
dynamodb:UpdateTimeToLive
dynamodb:DeleteBackup
dynamodb:DescribeBackup
dynamodb:ListBackups
application-autoscaling:DescribeScalableTargets
application-autoscaling:DescribeScalingPolicies
application-autoscaling:DeleteScalingPolicy
application-autoscaling:DeregisterScalableTarget
application-autoscaling:PutScalingPolicy
application-autoscaling:RegisterScalableTarget
iam:PassRole
Note: The permissions listed above are restricted to resources relevant to Clumio. For more information, download the stack from the Clumio portal.
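The notes above state that each policy is restricted to resources relevant to Clumio. The following added example (not Clumio's code) is one way to check that claim against a policy document copied from the downloaded stack: it reports sensitive actions from the lists above that an Allow statement grants on Resource "*" with no Condition. The `SENSITIVE` selection, the sample policy, its Sids, the tag key and the account ID are constructed for illustration.

```python
import fnmatch

# Reviewer's pick of actions from the lists above that create, delete, pass
# privileges or stop audit logging (an assumption, not a Clumio classification).
SENSITIVE = [
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:DeleteRole", "iam:PassRole",
    "kms:CreateGrant", "ec2:RunInstances", "ec2:TerminateInstances",
    "rds:DeleteDBInstance", "rds:DeleteDBCluster", "dynamodb:DeleteTable",
    "s3:DeleteObject", "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_sensitive(policy):
    """Return sorted (Sid, action) pairs that an Allow statement grants on
    Resource "*" with no Condition. NotAction/NotResource are not evaluated."""
    findings = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # a Condition still needs a manual read; it is not flagged here
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in SENSITIVE:
                # IAM action names are case-insensitive and accept * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.add((stmt.get("Sid", "<no Sid>"), action))
    return sorted(findings)

# Constructed sample policy: Sids, tag key and account ID are illustrative.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Discover", "Effect": "Allow",
         "Action": ["ec2:Describe*", "rds:DescribeDBInstances"], "Resource": "*"},
        {"Sid": "TaggedTeardown", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"], "Resource": "*",
         "Condition": {"StringLike": {"aws:ResourceTag/ExampleVendorTag": "*"}}},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "KmsWide", "Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Sid": "ScopedRoles", "Effect": "Allow", "Action": ["iam:CreateRole", "iam:DeleteRole"],
         "Resource": "arn:aws:iam::111122223333:role/example-prefix-*"},
    ],
}

if __name__ == "__main__":
    for sid, action in unscoped_sensitive(SAMPLE_POLICY):
        print(f"{sid}: {action} allowed on Resource '*' without a Condition")
```

An empty result means no statement pairs one of the selected actions with an unconditioned wildcard resource; statements that do carry a Condition are skipped and should be read individually.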
Please contact support@clumio.com with any questions or requests for clarification.