AWS Resilience Hub permissions reference
The following IAM policies and policy snippets define the permissions necessary to use AWS Resilience Hub. The placeholders they contain (customer_account_id, primary_account_id, secondary_account_id, and caller_IAM_role) must be replaced with your own account IDs and role name before a policy is attached.
Permissions required to use AWS Resilience Hub to manage an application in a single AWS account
The following IAM policy is required for a single AWS account that will have the permissions to perform all the actions for AWS Resilience Hub.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "resiliencehub:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dlm:GetLifecyclePolicies", "dlm:GetLifecyclePolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:GetSubscriptionAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:GetApplication", "servicecatalog:ListAssociatedResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources", "resource-groups:GetGroup", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricData" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fis:ListExperiments" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:*:
customer_account_id
:parameter/ResilienceHub/*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicyStatus", "s3:PutBucketVersioning", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "arn:aws:s3:::aws-resilience-hub-artifacts-*" }, { "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcEndpoints", "ec2:DescribeFastSnapshotRestores", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeNatGateways", "ec2:DescribeSubnets", "ec2:DescribeRegions", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", "rds:DescribeGlobalClusters", "rds:DescribeDBClusterSnapshots" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetFunctionConcurrency", "lambda:ListAliases", "lambda:ListVersionsByFunction" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:DescribeRegistry" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "backup:DescribeBackupVault", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:ListBackupPlans", "backup:ListBackupSelections" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dynamodb:ListTagsOfResource", "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListGlobalTables", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeMountTargets", 
"elasticfilesystem:DescribeFileSystems" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sqs:GetQueueUrl", "sqs:GetQueueAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecs:DescribeClusters", "ecs:ListServices", "ecs:DescribeServices", "ecs:DescribeCapacityProviders", "ecs:DescribeContainerInstances", "ecs:ListContainerInstances", "ecs:DescribeTaskDefinition" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "route53-recovery-control-config:ListControlPanels", "route53-recovery-control-config:ListRoutingControls", "route53-recovery-readiness:ListReadinessChecks", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:GetReadinessCheckStatus", "route53-recovery-control-config:ListClusters", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:GetHealthCheck" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "drs:DescribeSourceServers", "drs:DescribeJobs", "drs:GetReplicationConfiguration" ], "Resource": "*" } ] }
If you want to use your own Amazon S3 bucket, you can pass the bucketName parameter to the CreateRecommendationTemplate API action. In that case, you won't need the s3:CreateBucket permission, but you will still need the s3:PutObject and s3:GetObject permissions for the input bucket.
Permissions required to use AWS Resilience Hub to manage scheduled assessments in a single AWS account
The following IAM policy is required for the AwsResilienceHubPeriodicAssessmentRole role to have the permissions to perform scheduled assessment actions in AWS Resilience Hub. The role name is AwsResilienceHubPeriodicAssessmentRole.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:PassRole", "sts:AssumeRole" ], "Resource": "arn:aws:iam::
primary_account_id
:role/AwsResilienceHubAdminAccountRole" }, { "Effect": "Allow", "Action": [ "resiliencehub:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dlm:GetLifecyclePolicies", "dlm:GetLifecyclePolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:GetSubscriptionAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:GetApplication", "servicecatalog:ListAssociatedResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources", "resource-groups:GetGroup", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricData" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fis:ListExperiments" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:*:customer_account_id
:parameter/ResilienceHub/*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicyStatus", "s3:PutBucketVersioning", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "arn:aws:s3:::aws-resilience-hub-artifacts-*" }, { "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcEndpoints", "ec2:DescribeFastSnapshotRestores", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeNatGateways", "ec2:DescribeSubnets", "ec2:DescribeRegions", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", "rds:DescribeGlobalClusters", "rds:DescribeDBClusterSnapshots" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetFunctionConcurrency", "lambda:ListAliases", "lambda:ListVersionsByFunction" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:DescribeRegistry" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "backup:DescribeBackupVault", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:ListBackupPlans", "backup:ListBackupSelections" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dynamodb:ListTagsOfResource", "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListGlobalTables", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeMountTargets", 
"elasticfilesystem:DescribeFileSystems" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sqs:GetQueueUrl", "sqs:GetQueueAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecs:DescribeClusters", "ecs:ListServices", "ecs:DescribeServices", "ecs:DescribeCapacityProviders", "ecs:DescribeContainerInstances", "ecs:ListContainerInstances", "ecs:DescribeTaskDefinition" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "route53-recovery-control-config:ListControlPanels", "route53-recovery-control-config:ListRoutingControls", "route53-recovery-readiness:ListReadinessChecks", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:GetReadinessCheckStatus", "route53-recovery-control-config:ListClusters", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:GetHealthCheck" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "drs:DescribeSourceServers", "drs:DescribeJobs", "drs:GetReplicationConfiguration" ], "Resource": "*" } ] }
The associated trust policy for the scheduled assessments role (AwsResilienceHubPeriodicAssessmentRole) gives the AWS Resilience Hub service permission to assume the scheduled assessments role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "resiliencehub.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
Permissions required to use AWS Resilience Hub to manage applications in multiple accounts
The following IAM permissions policies are necessary if you're using AWS Resilience Hub with multiple accounts. Each account might need different permissions depending on your use case.
Calling account permissions
The following IAM policy is required for the AWS account that will have only the permissions necessary to call into AWS Resilience Hub.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:PassRole", "sts:AssumeRole" ], "Resource": "arn:aws:iam::
primary_account_id
:role/AwsResilienceHubAdminAccountRole" }, { "Effect": "Allow", "Action": [ "resiliencehub:*" ], "Resource": "*" } ] }
Admin account permissions
The following IAM policy is required for the AWS account that will have admin permissions for AWS Resilience Hub.
{ "Version": "2012-10-17", "Statement": [ { "Action": ["sts:AssumeRole"], "Resource": ["arn:aws:iam::
secondary_account_id
:role/AwsResilienceHubExecutorAccountRole"], "Effect": "Allow" } ] }
The associated trust policy for the admin role is as follows, where caller_IAM_role is the role used in the primary account to call the APIs for AWS Resilience Hub.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
primary_account_id
:role/caller_IAM_role
" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::primary_account_id
:role/AwsResilienceHubPeriodicAssessmentRole" }, "Action": "sts:AssumeRole" } ] }
Executor account role permissions
The following IAM policy is required for the AWS account that will have the executor account role permissions for AWS Resilience Hub.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dlm:GetLifecyclePolicies", "dlm:GetLifecyclePolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:GetSubscriptionAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources", "resource-groups:GetGroup", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricData" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fis:ListExperiments" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:DescribeAutomationExecutions" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcEndpoints", "ec2:DescribeFastSnapshotRestores", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeNatGateways", "ec2:DescribeSubnets", "ec2:DescribeRegions", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", "rds:DescribeGlobalClusters", "rds:DescribeDBClusterSnapshots" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetFunctionConcurrency", "lambda:ListAliases", "lambda:ListVersionsByFunction" ], "Resource": "*" }, { "Effect": "Allow", 
"Action": [ "ecr:DescribeRegistry" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "backup:DescribeBackupVault", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:ListBackupPlans", "backup:ListBackupSelections" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dynamodb:ListTagsOfResource", "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListGlobalTables", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeFileSystems" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicyStatus", "s3:PutBucketVersioning", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sqs:GetQueueUrl", "sqs:GetQueueAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:*:
secondary_account_id
:parameter/ResilienceHub/*" }, { "Effect": "Allow", "Action": [ "ecs:DescribeClusters", "ecs:ListServices", "ecs:DescribeServices", "ecs:DescribeCapacityProviders", "ecs:DescribeContainerInstances", "ecs:ListContainerInstances", "ecs:DescribeTaskDefinition" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "route53-recovery-control-config:ListControlPanels", "route53-recovery-control-config:ListRoutingControls", "route53-recovery-readiness:ListReadinessChecks", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:GetReadinessCheckStatus", "route53-recovery-control-config:ListClusters", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:GetHealthCheck" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "drs:DescribeSourceServers", "drs:DescribeJobs", "drs:GetReplicationConfiguration" ], "Resource": "*" } ] }
The following is the associated trust policy for the executor account role. It gives the primary account role (AwsResilienceHubAdminAccountRole) permission to assume the executor account role in the secondary accounts.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
primary_account_id
:role/AwsResilienceHubAdminAccountRole" }, "Action": "sts:AssumeRole" } ] }