AWS managed policy: AWSElasticDisasterRecoveryConsoleFullAccess - AWS Elastic Disaster Recovery

AWS managed policy: AWSElasticDisasterRecoveryConsoleFullAccess

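This policy provides full access to all public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and EC2 information. It also includes EC2 actions that allow you to launch, delete, or modify replication servers and recovery instances. These EC2 actions are limited only to resources which the service creates with a specific AWS-only tag. In the policy below, that limit is expressed as conditions on the AWSElasticDisasterRecoveryManaged tag key and on aws:ViaAWSService; a few statements are scoped differently (for example, ConsoleFullAccess16 and ConsoleFullAccess23 carry no tag condition), so review each statement when assessing what the policy grants. Attach this policy to your users or roles.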

AWSElasticDisasterRecoveryConsoleFullAccess includes access to your AWS managed keys. However, it does not include access to your customer managed keys, so if you use a customer managed key (CMK), you will need to add a policy statement that allows the use of your KMS keys.

Permissions details

This policy includes the following permissions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConsoleFullAccess1", "Effect": "Allow", "Action": [ "drs:*" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess2", "Effect": "Allow", "Action": [ "kms:ListAliases", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess3", "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:GetEbsEncryptionByDefault", "ec2:GetEbsDefaultKmsKeyId", "ec2:DescribeKeyPairs", "ec2:DescribeCapacityReservations", "ec2:DescribeHosts" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess4", "Effect": "Allow", "Action": "license-manager:ListLicenseConfigurations", "Resource": "*" }, { "Sid": "ConsoleFullAccess5", "Effect": "Allow", "Action": "resource-groups:ListGroups", "Resource": "*" }, { "Sid": "ConsoleFullAccess6", "Effect": "Allow", "Action": "elasticloadbalancing:DescribeLoadBalancers", "Resource": "*" }, { "Sid": "ConsoleFullAccess7", "Effect": "Allow", "Action": [ "iam:ListInstanceProfiles", "iam:ListRoles" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess8", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryConversionServerRole", "arn:aws:iam::*:role/service-role/AWSElasticDisasterRecoveryRecoveryInstanceRole" ], "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } }, { "Sid": "ConsoleFullAccess9", "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": 
"ConsoleFullAccess10", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplateVersions", "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "ConsoleFullAccess11", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplate" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" } } }, { "Sid": "ConsoleFullAccess12", "Effect": "Allow", "Action": [ "ec2:DeleteVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess13", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess14", "Effect": "Allow", "Action": [ "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "Null": { "aws:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess15", "Effect": "Allow", "Action": [ "ec2:CreateVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess16", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:*:vpc/*" }, { "Sid": "ConsoleFullAccess17", "Effect": 
"Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess18", "Effect": "Allow", "Action": [ "ec2:CreateSnapshot" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess19", "Effect": "Allow", "Action": [ "ec2:CreateSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess20", "Effect": "Allow", "Action": [ "ec2:DetachVolume", "ec2:AttachVolume" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess21", "Effect": "Allow", "Action": [ "ec2:DetachVolume", "ec2:AttachVolume", "ec2:StartInstances", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/AWSDRS": "AllowLaunchingIntoThisInstance" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "drs.amazonaws.com" ] } } }, { "Sid": "ConsoleFullAccess22", "Effect": "Allow", "Action": [ "ec2:AttachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "ec2:ResourceTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess23", "Effect": "Allow", "Action": [ "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess24", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "arn:aws:ec2:*:*:instance/*", 
"Condition": { "Null": { "aws:RequestTag/AWSElasticDisasterRecoveryManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess25", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:image/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition": { "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess26", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*:*:instance/*" ], "Condition": { "StringEquals": { "ec2:CreateAction": [ "CreateSecurityGroup", "CreateVolume", "CreateSnapshot", "RunInstances" ] }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "ConsoleFullAccess27", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "StringEquals": { "ec2:CreateAction": [ "CreateLaunchTemplate" ] } } }, { "Sid": "ConsoleFullAccess28", "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStacks" ], "Resource": "*" }, { "Sid": "ConsoleFullAccess29", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }