AWS managed policies for AWS Resilience Hub - AWS Resilience Hub
AWSResilienceHubAsssessmentExecutionPolicyPolicy updates

AWS managed policies for AWS Resilience Hub

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWSResilienceHubAsssessmentExecutionPolicy

You can attach the AWSResilienceHubAsssessmentExecutionPolicy to your IAM identities. While running an assessment, this policy grants access permissions to other AWS services for executing assessments.

Permission details

This policy provides adequate permissions to publish alarms, AWS FIS and SOP templates to your Amazon Simple Storage Service (Amazon S3) bucket. The Amazon S3 bucket name must start with aws-resilience-hub-artifacts-. If you wish to publish to another Amazon S3 bucket, you can do that while calling CreateRecommendationTemplate API. For more information, see CreateRecommendationTemplate.

This policy includes the following permissions:

  • Amazon CloudWatch (CloudWatch) – Gets all the implemented alarms that you set up in Amazon CloudWatch to monitor the application. In addition, we use cloudwatch:PutMetricData to publish CloudWatch metrics for the resiliency score of the application in the ResilienceHub namespace.

  • Amazon Data Lifecycle Manager – Gets and provides Describe permissions for Amazon Data Lifecycle Manager resources that are associated with your AWS account.

  • Amazon DevOps Guru – Lists and provides Describe permissions for Amazon DevOps Guru resources that are associated with your AWS account.

  • Amazon DynamoDB (DynamoDB) – Lists and provides Describe permissions for Amazon DynamoDB resources that are associated with your AWS account.

  • Amazon ElastiCache (ElastiCache) – Provides Describe permissions for ElastiCache resources that are associated with your AWS account.

  • Amazon Elastic Compute Cloud (Amazon EC2) – Lists and provides Describe permissions for Amazon EC2 resources that are associated with your AWS account.

  • Amazon Elastic Container Registry (Amazon ECR) – Provides Describe permissions for Amazon ECR resources that are associated with your AWS account.

  • Amazon Elastic Container Service (Amazon ECS) – Provides Describe permissions for Amazon ECS resources that are associated with your AWS account.

  • Amazon Elastic File System (Amazon EFS) – Provides Describe permissions for Amazon EFS resources that are associated with your AWS account.

  • Amazon Elastic Kubernetes Service (Amazon EKS) – Lists and provides Describe permissions for Amazon EKS resources that are associated with your AWS account.

  • Amazon EC2 Auto Scaling – Lists and provides Describe permissions for Amazon EC2 Auto Scaling resources that are associated with your AWS account.

  • Amazon EC2 Systems Manager (SSM) – Provides Describe permissions for SSM resources that are associated with your AWS account.

  • Amazon Fault Injection Service (AWS FIS) – Lists and provides Describe permissions for AWS FIS experiments and experiment templates that are associated with your AWS account.

  • Amazon FSx for Windows File Server (Amazon FSx) – Lists and provides Describe permissions for Amazon FSx resources that are associated with your AWS account.

  • Amazon RDS – Lists and provides Describe permissions for Amazon RDS resources that are associated with your AWS account.

  • Amazon Route 53 (Route 53) – Lists and provides Describe permissions for Route 53 resources that are associated with your AWS account.

  • Amazon Route 53 Resolver – Lists and provides Describe permissions for Amazon Route 53 Resolver resources that are associated with your AWS account.

  • Amazon Simple Notification Service (Amazon SNS) – Lists and provides Describe permissions for Amazon SNS resources that are associated with your AWS account.

  • Amazon Simple Queue Service (Amazon SQS) – Lists and provides Describe permissions for Amazon SQS resources that are associated with your AWS account.

  • Amazon Simple Storage Service (Amazon S3) – Lists and provides Describe permissions Amazon S3 resources that are associated with your AWS account.

    Note

    While running an assessment, if there are any missing permissions that needs to be updated from Managed policies, AWS Resilience Hub will successfully complete the assessment using s3:GetBucketLogging permission. However, AWS Resilience Hub will display a warning message that lists the missing permissions and will provide a grace period to add the same. If you do not add the missing permissions within the specified grace period, the assessment will fail.

  • AWS Backup – Lists and gets Describe permissions for Amazon EC2 Auto Scaling resources that are associated with your AWS account.

  • AWS CloudFormation – Lists and gets Describe permissions for resources on AWS CloudFormation stacks that are associated with your AWS account.

  • AWS DataSync – Lists and provides Describe permissions for AWS DataSync resources that are associated with your AWS account.

  • AWS Directory Service – Lists and provides Describe permissions for AWS Directory Service resources that are associated with your AWS account.

  • AWS Elastic Disaster Recovery (Elastic Disaster Recovery) – Provides Describe permissions for Elastic Disaster Recovery resources that are associated with your AWS account.

  • AWS Lambda (Lambda) – Lists and provides Describe permissions for Lambda resources that are associated with your AWS account.

  • AWS Resource Groups (Resource Groups) – Lists and provides Describe permissions for Resource Groups resources that are associated with your AWS account.

  • AWS Service Catalog (Service Catalog) – Lists and provides Describe permissions for Service Catalog resources that are associated with your AWS account.

  • AWS Step Functions – Lists and provides Describe permissions for AWS Step Functions resources that are associated with your AWS account.

  • Elastic Load Balancing – Lists and provides Describe permissions for Elastic Load Balancing resources that are associated with your AWS account.

  • ssm:GetParametersByPath – We use this permission to manage CloudWatch alarms, tests, or SOPs that are configured for your application.

The following IAM policy is required for an AWS account to add permissions for users, user-groups, and roles that provide required permissions for your team to access AWS services while running assessments.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "autoscaling:DescribeAutoScalingGroups",
        "backup:DescribeBackupVault",
        "backup:GetBackupPlan",
        "backup:GetBackupSelection",
        "backup:ListBackupPlans",
        "backup:ListBackupSelections",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackResources",
        "cloudformation:ValidateTemplate",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics", 
        "datasync:DescribeTask", 
        "datasync:ListLocations",
        "datasync:ListTasks",
        "devops-guru:ListMonitoredResources",
        "dlm:GetLifecyclePolicies",
        "dlm:GetLifecyclePolicy",
        "drs:DescribeJobs",
        "drs:DescribeSourceServers",
        "drs:GetReplicationConfiguration",
        "ds:DescribeDirectories",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeGlobalTable",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTable",
        "dynamodb:ListGlobalTables",
        "dynamodb:ListTagsOfResource",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeFastSnapshotRestores",
        "ec2:DescribeFleets",
        "ec2:DescribeHosts",
        "ec2:DescribeInstances",
        "ec2:DescribeNatGateways",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcEndpoints",
        "ecr:DescribeRegistry",
        "ecs:DescribeCapacityProviders",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:ListContainerInstances",
        "ecs:ListServices",
        "eks:DescribeCluster",
        "eks:DescribeFargateProfile",
        "eks:DescribeNodegroup",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeGlobalReplicationGroups",
        "elasticache:DescribeReplicationGroups",
        "elasticache:DescribeSnapshots",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeLifecycleConfiguration",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeReplicationConfigurations",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "fis:GetExperimentTemplate",
        "fis:ListExperimentTemplates",
        "fis:ListExperiments",
        "fsx:DescribeFileSystems",
        "lambda:GetFunctionConcurrency",
        "lambda:GetFunctionConfiguration",
        "lambda:ListAliases",
        "lambda:ListVersionsByFunction",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstanceAutomatedBackups",
        "rds:DescribeDBInstances",
        "rds:DescribeDBProxies",
        "rds:DescribeDBProxyTargets",
        "rds:DescribeDBSnapshots",
        "rds:DescribeGlobalClusters",
        "resource-groups:GetGroup",
        "resource-groups:ListGroupResources",
        "route53-recovery-control-config:ListClusters",
        "route53-recovery-control-config:ListControlPanels",
        "route53-recovery-control-config:ListRoutingControls",
        "route53-recovery-readiness:GetReadinessCheckStatus",
        "route53-recovery-readiness:GetResourceSet",
        "route53-recovery-readiness:ListReadinessChecks",
        "route53:GetHealthCheck",
        "route53:ListHealthChecks",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets", 
        "route53resolver:ListResolverEndpoints",
        "route53resolver:ListResolverEndpointIpAddresses",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetMultiRegionAccessPointRoutes",
        "s3:GetReplicationConfiguration",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListMultiRegionAccessPoints",
        "servicecatalog:GetApplication",
        "servicecatalog:ListAssociatedResources",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptionsByTopic",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "ssm:DescribeAutomationExecutions",
        "states:DescribeStateMachine",
        "states:ListStateMachineVersions",
        "states:ListStateMachineAliases",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/apis/*",
        "arn:aws:apigateway:*::/restapis/*",
        "arn:aws:apigateway:*::/usageplans"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::aws-resilience-hub-artifacts-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "ResilienceHub"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/ResilienceHub/*"
    }
  ]
}

AWS Resilience Hub updates to AWS managed policies

View details about updates to AWS managed policies for AWS Resilience Hub since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Resilience Hub Document history page.

Change Description Date
AWSResilienceHubAsssessmentExecutionPolicy – AWS Resilience Hub extends support for Amazon FSx for Windows File Server. This AWS Resilience Hub policy allows you to read the Amazon FSx for Windows File Server configuration. March 26, 2024
AWSResilienceHubAsssessmentExecutionPolicy – AWS Resilience Hub extends support for AWS Step Functions. This AWS Resilience Hub policy allows you to read the AWS Step Functions configuration. October 30, 2023
AWSResilienceHubAsssessmentExecutionPolicy – AWS Resilience Hub improves support for Amazon Relational Database Service (Amazon RDS). This AWS Resilience Hub policy allows you to access resources on Amazon RDS while running assessments. October 5, 2023

AWSResilienceHubAsssessmentExecutionPolicy – New policy

This AWS Resilience Hub policy provides access to other AWS services for running assessments.

 June 26, 2023

AWS Resilience Hub started tracking changes

AWS Resilience Hub started tracking changes for its AWS managed policies.

 June 15, 2023