Creating the Failback and in-AWS right-sizing roles - AWS Elastic Disaster Recovery

Creating the Failback and in-AWS right-sizing roles

The Failback and in-AWS right-sizing roles are required to use various AWS Elastic Disaster Recovery capabilities, including cross-account failback and the in-AWS features. Each Trusted AWS Account needs its own set of these IAM roles. You can create these roles, and their attached policies, automatically from the Trusted accounts section of the AWS Elastic Disaster Recovery console. The required roles are:

  1. DRSCrossAccountReplicationRole

  2. DRSCrossAccountAgentRole

  3. DRSCrossAccountAgentAuthorizedRole

If you intend to create these roles manually, make sure they are placed in the service-role path and that the role name ends with an underscore followed by the trusted Account ID, as in the example below:

arn:aws:iam::account-id:role/service-role/DRSCrossAccountReplicationRole_trustedAccountID

DRSCrossAccountReplicationRole

The DRSCrossAccountReplicationRole contains the following trust policy. If you plan to use the policy as a template, replace account-id with the Trusted AWS Account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "drs.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:SourceAccount": "account-id",
          "aws:SourceArn": "arn:aws:drs:*:account-id:recovery-instance/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": { "Service": "drs.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:SourceAccount": "account-id",
          "aws:SourceArn": "arn:aws:drs:*:account-id:source-server/*"
        }
      }
    }
  ]
}

The DRSCrossAccountReplicationRole has the AWS Managed Policy AWSElasticDisasterRecoveryCrossAccountReplicationPolicy attached.

DRSCrossAccountAgentRole

The DRSCrossAccountAgentRole contains the following trust policy. If you plan to use the policy as a template, replace trustedAccount (shown as targetAccount in the policy) with the Trusted AWS Account ID, and replace sourceAccount with the source AWS Account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::targetAccount:root" },
      "Action": [ "sts:AssumeRole", "sts:TagSession" ],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::targetAccount:role/service-role/DRSCrossAccountAgentAuthorizedRole_sourceAccount"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::targetAccount:root" },
      "Action": "sts:SetSourceIdentity",
      "Condition": {
        "StringLike": { "sts:SourceIdentity": "i-*" },
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::targetAccount:role/service-role/DRSCrossAccountAgentAuthorizedRole_sourceAccount"
        }
      }
    }
  ]
}

The DRSCrossAccountAgentRole has the AWS Managed Policy AWSElasticDisasterRecoveryEc2InstancePolicy attached.

DRSCrossAccountAgentAuthorizedRole

The DRSCrossAccountAgentAuthorizedRole contains the following trust policy. If you plan to use the policy as a template, replace account-id with the Trusted AWS Account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::account-id:root" },
      "Action": [ "sts:AssumeRole", "sts:TagSession" ],
      "Condition": {
        "StringLike": { "aws:RequestTag/SourceInstanceARN": "${ec2:SourceInstanceARN}" },
        "ForAnyValue:StringEquals": { "sts:TransitiveTagKeys": "SourceInstanceARN" }
      }
    }
  ]
}

The DRSCrossAccountAgentAuthorizedRole has the following inline policy attached; it is the counterpart of the DRSCrossAccountAgentRole trust policy above and lets this role assume DRSCrossAccountAgentRole in the trusted account. If you plan to use the policy as a template, replace trustedAccount with the Trusted AWS Account ID, and replace sourceAccount with the source AWS Account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "sts:AssumeRole", "sts:TagSession" ],
      "Resource": "arn:aws:iam::trustedAccount:role/service-role/DRSCrossAccountAgentRole_sourceAccount",
      "Effect": "Allow"
    },
    {
      "Condition": { "StringLike": { "sts:SourceIdentity": "i-*" } },
      "Action": [ "sts:SetSourceIdentity" ],
      "Resource": "arn:aws:iam::trustedAccount:role/service-role/DRSCrossAccountAgentRole_sourceAccount",
      "Effect": "Allow"
    }
  ]
}
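When the roles are created by hand, a small pre-flight check catches the two mistakes this page warns about: an ARN that is off the service-role/_trustedAccountID naming convention, and a trust policy that has lost its narrowing conditions. The script below is an added example, not AWS code; the account IDs, the template-filling helper and the audit rules are assumptions, and it renders the DRSCrossAccountAgentRole trust policy from the page with constructed account IDs and then audits it next to a deliberately weakened copy.

```python
import json
import re

# Naming convention from the page: service-role path, name suffixed with "_<trusted account ID>".
ROLE_ARN_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):role/service-role/"
    r"(DRSCrossAccountReplicationRole|DRSCrossAccountAgentRole|DRSCrossAccountAgentAuthorizedRole)_(\d{12})$"
)

def parse_drs_role_arn(arn):
    """Return (owning account, role base name, trusted account) or None if off-convention."""
    m = ROLE_ARN_RE.match(arn)
    return m.groups() if m else None

def render_template(template, **placeholders):
    """Fill the page's placeholders (account-id, targetAccount, sourceAccount) and parse the JSON."""
    for key, value in placeholders.items():
        template = template.replace(key, value)
    return json.loads(template)

def audit_trust_policy(policy):
    """Flag statements broader than the page's templates: an account-wide (":root") principal with
    no Condition, a pinned aws:PrincipalArn off the DRS naming convention, a service principal
    without aws:SourceAccount/aws:SourceArn, or sts:SetSourceIdentity not limited to "i-*"."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        principal = stmt.get("Principal", {})
        cond = stmt.get("Condition", {})
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if str(principal.get("AWS", "")).endswith(":root") and not cond:
            findings.append(f"statement {i}: account-wide trust with no Condition")
        pinned = cond.get("ArnEquals", {}).get("aws:PrincipalArn")
        if pinned and parse_drs_role_arn(pinned) is None:
            findings.append(f"statement {i}: aws:PrincipalArn {pinned} is off the DRS naming convention")
        if principal.get("Service"):
            like = cond.get("StringLike", {})
            if "aws:SourceAccount" not in like or "aws:SourceArn" not in like:
                findings.append(f"statement {i}: service trust without aws:SourceAccount/aws:SourceArn")
        if "sts:SetSourceIdentity" in actions and cond.get("StringLike", {}).get("sts:SourceIdentity") != "i-*":
            findings.append(f"statement {i}: sts:SetSourceIdentity not limited to 'i-*'")
    return findings

# DRSCrossAccountAgentRole trust policy template as given on the page; account IDs are constructed.
AGENT_ROLE_TEMPLATE = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::targetAccount:root"},"Action":["sts:AssumeRole","sts:TagSession"],"Condition":{"ArnEquals":{"aws:PrincipalArn":"arn:aws:iam::targetAccount:role/service-role/DRSCrossAccountAgentAuthorizedRole_sourceAccount"}}},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::targetAccount:root"},"Action":"sts:SetSourceIdentity","Condition":{"StringLike":{"sts:SourceIdentity":"i-*"},"ArnEquals":{"aws:PrincipalArn":"arn:aws:iam::targetAccount:role/service-role/DRSCrossAccountAgentAuthorizedRole_sourceAccount"}}}]}'
AGENT_ROLE_TRUST = render_template(AGENT_ROLE_TEMPLATE, targetAccount="111111111111", sourceAccount="222222222222")
# Weakened copy (constructed): every Condition stripped, so any principal in the target account could assume the role.
WEAKENED = json.loads(json.dumps(AGENT_ROLE_TRUST))
for stmt in WEAKENED["Statement"]:
    stmt.pop("Condition", None)
```

Running `audit_trust_policy(AGENT_ROLE_TRUST)` returns no findings, while the weakened copy is flagged on both statements.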