
AWS Resilience Hub permissions reference

The following IAM policies and policy snippets define the permissions necessary to use AWS Resilience Hub. The policies use placeholders (customer_account_id, primary_account_id, secondary_account_id, caller_IAM_role) that you must replace with your own 12-digit AWS account IDs and role names before attaching them; a policy left with a placeholder in a Resource or Principal ARN will not match the intended role.

Permissions required to use AWS Resilience Hub to manage an application in a single AWS account

The following IAM policy is required for a single AWS account that will have the permissions to perform all the actions for AWS Resilience Hub. Note that this policy is intentionally broad: it grants resiliencehub:* and most of the Describe/List actions on Resource "*", and it also includes a small number of write actions (s3:CreateBucket, s3:PutObject, s3:PutBucketVersioning, and cloudwatch:PutMetricData). Attach it only to the principals that administer Resilience Hub, and narrow the Resource elements (for example, to specific bucket or function ARNs) where your environment allows it.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "resiliencehub:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:GetSubscriptionAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:GetApplication", "servicecatalog:ListAssociatedResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources", "resource-groups:GetGroup", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricData" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fis:ListExperiments" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:*:customer_account_id:parameter/ResilienceHub/*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicyStatus", "s3:PutBucketVersioning", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "arn:aws:s3:::aws-resilience-hub-artifacts-*" }, { "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcEndpoints", "ec2:DescribeFastSnapshotRestores", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeNatGateways", "ec2:DescribeSubnets", "ec2:DescribeRegions", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ 
"rds:DescribeDBClusters", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", "rds:DescribeGlobalClusters", "rds:DescribeDBClusterSnapshots" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetFunctionConcurrency", "lambda:ListAliases", "lambda:ListVersionsByFunction" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:DescribeRegistry" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "backup:DescribeBackupVault", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:ListBackupPlans", "backup:ListBackupSelections" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dynamodb:ListTagsOfResource", "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListGlobalTables", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeFileSystems" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sqs:GetQueueUrl", "sqs:GetQueueAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecs:DescribeClusters", "ecs:ListServices", "ecs:DescribeServices", "ecs:DescribeCapacityProviders", "ecs:DescribeContainerInstances", "ecs:ListContainerInstances", "ecs:DescribeTaskDefinition" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "route53-recovery-control-config:ListControlPanels", "route53-recovery-control-config:ListRoutingControls", "route53-recovery-readiness:ListReadinessChecks", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:GetReadinessCheckStatus", "route53-recovery-control-config:ListClusters", "route53:ListHealthChecks", "route53:ListHostedZones", 
"route53:ListResourceRecordSets", "route53:GetHealthCheck" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "drs:DescribeSourceServers", "drs:DescribeJobs", "drs:GetReplicationConfiguration" ], "Resource": "*" } ] }
Note

If you want to use your own Amazon S3 bucket, you can pass the bucketName parameter to the CreateRecommendationTemplate API action. In that case you don't need the s3:CreateBucket permission, but you do need the s3:PutObject and s3:GetObject permissions on that bucket (the policy above scopes those actions to the arn:aws:s3:::aws-resilience-hub-artifacts-* ARN pattern, so you must extend the Resource to include your bucket).

Permissions required to use AWS Resilience Hub to manage scheduled assessments in a single AWS account

The following IAM policy is required for the AwsResilienceHubPeriodicAssessmentRole role to have the permissions to perform scheduled assessment actions in AWS Resilience Hub. The first statement lets this role pass and assume the AwsResilienceHubAdminAccountRole role; if you are not using the multi-account setup described later on this page, that statement can be omitted.

Note

The role name is AwsResilienceHubPeriodicAssessmentRole.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:PassRole", "sts:AssumeRole" ], "Resource": "arn:aws:iam::primary_account_id:role/AwsResilienceHubAdminAccountRole" }, { "Effect": "Allow", "Action": [ "resiliencehub:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:GetSubscriptionAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:GetApplication", "servicecatalog:ListAssociatedResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources", "resource-groups:GetGroup", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricData" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fis:ListExperiments" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:*:customer_account_id:parameter/ResilienceHub/*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicyStatus", "s3:PutBucketVersioning", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "arn:aws:s3:::aws-resilience-hub-artifacts-*" }, { "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcEndpoints", "ec2:DescribeFastSnapshotRestores", "ec2:DescribeInstances", "ec2:DescribeSnapshots", 
"ec2:DescribeVolumes", "ec2:DescribeNatGateways", "ec2:DescribeSubnets", "ec2:DescribeRegions", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", "rds:DescribeGlobalClusters", "rds:DescribeDBClusterSnapshots" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetFunctionConcurrency", "lambda:ListAliases", "lambda:ListVersionsByFunction" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:DescribeRegistry" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "backup:DescribeBackupVault", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:ListBackupPlans", "backup:ListBackupSelections" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dynamodb:ListTagsOfResource", "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListGlobalTables", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeFileSystems" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sqs:GetQueueUrl", "sqs:GetQueueAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecs:DescribeClusters", "ecs:ListServices", "ecs:DescribeServices", "ecs:DescribeCapacityProviders", "ecs:DescribeContainerInstances", "ecs:ListContainerInstances", "ecs:DescribeTaskDefinition" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "route53-recovery-control-config:ListControlPanels", "route53-recovery-control-config:ListRoutingControls", "route53-recovery-readiness:ListReadinessChecks", 
"route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:GetReadinessCheckStatus", "route53-recovery-control-config:ListClusters", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:GetHealthCheck" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "drs:DescribeSourceServers", "drs:DescribeJobs", "drs:GetReplicationConfiguration" ], "Resource": "*" } ] }

The associated trust policy for the scheduled assessments role (AwsResilienceHubPeriodicAssessmentRole) gives the AWS Resilience Hub service principal (resiliencehub.amazonaws.com) permission to assume the role. As written, the trust policy has no Condition element; to reduce confused-deputy risk, consider restricting it with the aws:SourceAccount (and, where supported, aws:SourceArn) condition keys so that only Resilience Hub acting on behalf of your own account can assume the role.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "resiliencehub.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Permissions required to use AWS Resilience Hub to manage applications in multiple accounts

The following IAM permissions policies are necessary if you're using AWS Resilience Hub with multiple accounts. Each account might need different permissions depending on your use case.

Calling account permissions

The following IAM policy is required for the principal in the calling (primary) account that will have only the permissions necessary to call into AWS Resilience Hub. It grants resiliencehub:* plus iam:GetRole, iam:PassRole, and sts:AssumeRole scoped to the AwsResilienceHubAdminAccountRole ARN only; keep that Resource scoped to the single role rather than widening it to "*", because iam:PassRole on arbitrary roles would let the caller hand any role to the service.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:PassRole", "sts:AssumeRole" ], "Resource": "arn:aws:iam::primary_account_id:role/AwsResilienceHubAdminAccountRole" }, { "Effect": "Allow", "Action": [ "resiliencehub:*" ], "Resource": "*" } ] }

Admin account permissions

The following IAM policy is required for the AWS account that will have admin permissions for AWS Resilience Hub.

{ "Version": "2012-10-17", "Statement": [ { "Action": ["sts:AssumeRole"], "Resource": ["arn:aws:iam::secondary_account_id:role/AwsResilienceHubExecutorAccountRole"], "Effect": "Allow" } ] }

The associated trust policy for the admin role is as follows, where caller_IAM_role is the role used in the primary account to call the APIs for AWS Resilience Hub. This trust policy is the only control over who can assume the admin role, so list exactly the caller role and the AwsResilienceHubPeriodicAssessmentRole role, and avoid trusting the account root (arn:aws:iam::primary_account_id:root), which would let any principal in that account with sts:AssumeRole permissions assume it.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::primary_account_id:role/caller_IAM_role" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::primary_account_id:role/AwsResilienceHubPeriodicAssessmentRole" }, "Action": "sts:AssumeRole" } ] }

Executor account role permissions

The following IAM policy is required for the AWS account that will have the executor account role permissions for AWS Resilience Hub.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:GetSubscriptionAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources", "resource-groups:GetGroup", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricData" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fis:ListExperiments" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:DescribeAutomationExecutions" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcEndpoints", "ec2:DescribeFastSnapshotRestores", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeNatGateways", "ec2:DescribeSubnets", "ec2:DescribeRegions", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", "rds:DescribeGlobalClusters", "rds:DescribeDBClusterSnapshots" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetFunctionConcurrency", "lambda:ListAliases", "lambda:ListVersionsByFunction" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:DescribeRegistry" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ 
"backup:DescribeBackupVault", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:ListBackupPlans", "backup:ListBackupSelections" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dynamodb:ListTagsOfResource", "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListGlobalTables", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeFileSystems" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicyStatus", "s3:PutBucketVersioning", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sqs:GetQueueUrl", "sqs:GetQueueAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:*:secondary_account_id:parameter/ResilienceHub/*" }, { "Effect": "Allow", "Action": [ "ecs:DescribeClusters", "ecs:ListServices", "ecs:DescribeServices", "ecs:DescribeCapacityProviders", "ecs:DescribeContainerInstances", "ecs:ListContainerInstances", "ecs:DescribeTaskDefinition" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "route53-recovery-control-config:ListControlPanels", "route53-recovery-control-config:ListRoutingControls", "route53-recovery-readiness:ListReadinessChecks", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:GetReadinessCheckStatus", "route53-recovery-control-config:ListClusters", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:GetHealthCheck" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "drs:DescribeSourceServers", "drs:DescribeJobs", "drs:GetReplicationConfiguration" ], "Resource": "*" } ] }

The associated trust policy for the executor account role is as follows. It gives the primary account role (AwsResilienceHubAdminAccountRole) permission to assume the AwsResilienceHubExecutorAccountRole role in the secondary account; the executor role's permissions policy above is read-only except for cloudwatch:PutMetricData and s3:PutBucketVersioning, so review those two actions against your secondary account's requirements.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::primary_account_id:role/AwsResilienceHubAdminAccountRole" }, "Action": "sts:AssumeRole" } ] }