Actions, resources, and condition keys for AWS Elastic Disaster Recovery - Service Authorization Reference

Actions, resources, and condition keys for AWS Elastic Disaster Recovery

AWS Elastic Disaster Recovery (service prefix: drs) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Elastic Disaster Recovery

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateFailbackClientToRecoveryInstanceForDrs [permission only] | Grants permission to get associate failback client to recovery instance | Write | RecoveryInstanceResource* | | |
| BatchCreateVolumeSnapshotGroupForDrs [permission only] | Grants permission to batch create volume snapshot group | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| BatchDeleteSnapshotRequestForDrs [permission only] | Grants permission to batch delete snapshot request | Write | | | |
| CreateConvertedSnapshotForDrs [permission only] | Grants permission to create converted snapshot | Write | SourceServerResource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateExtendedSourceServer | Grants permission to extend a source server | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRecoveryInstanceForDrs [permission only] | Grants permission to create recovery instance | Write | SourceServerResource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateReplicationConfigurationTemplate | Grants permission to create replication configuration template | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateSessionForDrs | Grants permission to create a session | Write | | | |
| CreateSourceServerForDrs [permission only] | Grants permission to create a source server | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteJob | Grants permission to delete a job | Write | JobResource* | | |
| DeleteRecoveryInstance | Grants permission to delete recovery instance | Write | RecoveryInstanceResource* | | |
| DeleteReplicationConfigurationTemplate | Grants permission to delete replication configuration template | Write | ReplicationConfigurationTemplateResource* | | |
| DeleteSourceServer | Grants permission to delete source server | Write | SourceServerResource* | | |
| DescribeJobLogItems | Grants permission to describe job log items | Read | JobResource* | | |
| DescribeJobs | Grants permission to describe jobs | Read | | | |
| DescribeRecoveryInstances | Grants permission to describe recovery instances | Read | | | ec2:DescribeInstances |
| DescribeRecoverySnapshots | Grants permission to describe recovery snapshots | Read | SourceServerResource* | | |
| DescribeReplicationConfigurationTemplates | Grants permission to describe replication configuration template | Read | | | |
| DescribeReplicationServerAssociationsForDrs [permission only] | Grants permission to describe replication server associations | Read | | | |
| DescribeSnapshotRequestsForDrs [permission only] | Grants permission to describe snapshot requests | Read | | | |
| DescribeSourceServers | Grants permission to describe source servers | Read | | | |
| DisconnectRecoveryInstance | Grants permission to disconnect recovery instance | Write | RecoveryInstanceResource* | | |
| DisconnectSourceServer | Grants permission to disconnect source server | Write | SourceServerResource* | | |
| GetAgentCommandForDrs [permission only] | Grants permission to get agent command | Read | RecoveryInstanceResource*, SourceServerResource* | | |
| GetAgentConfirmedResumeInfoForDrs [permission only] | Grants permission to get agent confirmed resume info | Read | RecoveryInstanceResource*, SourceServerResource* | | |
| GetAgentInstallationAssetsForDrs [permission only] | Grants permission to get agent installation assets | Read | | | |
| GetAgentReplicationInfoForDrs [permission only] | Grants permission to get agent replication info | Read | RecoveryInstanceResource*, SourceServerResource* | | |
| GetAgentRuntimeConfigurationForDrs [permission only] | Grants permission to get agent runtime configuration | Read | RecoveryInstanceResource*, SourceServerResource* | | |
| GetAgentSnapshotCreditsForDrs [permission only] | Grants permission to get agent snapshot credits | Read | RecoveryInstanceResource*, SourceServerResource* | | |
| GetChannelCommandsForDrs [permission only] | Grants permission to get channel commands | Read | | | |
| GetFailbackCommandForDrs [permission only] | Grants permission to get failback command | Read | RecoveryInstanceResource* | | |
| GetFailbackLaunchRequestedForDrs [permission only] | Grants permission to get failback launch requested | Read | RecoveryInstanceResource* | | |
| GetFailbackReplicationConfiguration | Grants permission to get failback replication configuration | Read | RecoveryInstanceResource* | | |
| GetLaunchConfiguration | Grants permission to get launch configuration | Read | SourceServerResource* | | |
| GetReplicationConfiguration | Grants permission to get replication configuration | Read | SourceServerResource* | | |
| GetSuggestedFailbackClientDeviceMappingForDrs [permission only] | Grants permission to get suggested failback client device mapping | Read | RecoveryInstanceResource* | | |
| InitializeService | Grants permission to initialize service | Write | | | iam:AddRoleToInstanceProfile, iam:CreateInstanceProfile, iam:CreateServiceLinkedRole, iam:GetInstanceProfile |
| IssueAgentCertificateForDrs | Grants permission to issue an agent certificate | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| ListExtensibleSourceServers | Grants permission to list extensible source servers | Read | | | |
| ListStagingAccounts | Grants permission to list staging accounts | Read | | | |
| ListTagsForResource | Grants permission to list tags for a resource | Read | | | |
| NotifyAgentAuthenticationForDrs [permission only] | Grants permission to notify agent authentication | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| NotifyAgentConnectedForDrs [permission only] | Grants permission to notify agent is connected | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| NotifyAgentDisconnectedForDrs [permission only] | Grants permission to notify agent is disconnected | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| NotifyAgentReplicationProgressForDrs [permission only] | Grants permission to notify agent replication progress | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| NotifyConsistencyAttainedForDrs [permission only] | Grants permission to notify consistency attained | Write | RecoveryInstanceResource* | | |
| NotifyReplicationServerAuthenticationForDrs [permission only] | Grants permission to notify replication server authentication | Write | RecoveryInstanceResource* | | |
| NotifyVolumeEventForDrs [permission only] | Grants permission to notify replicator volume events | Write | SourceServerResource* | | |
| RetryDataReplication | Grants permission to retry data replication | Write | SourceServerResource* | | |
| SendAgentLogsForDrs [permission only] | Grants permission to send agent logs | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| SendAgentMetricsForDrs [permission only] | Grants permission to send agent metrics | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| SendChannelCommandResultForDrs [permission only] | Grants permission to send channel command result | Write | | | |
| SendClientLogsForDrs [permission only] | Grants permission to send client logs | Write | | | |
| SendClientMetricsForDrs [permission only] | Grants permission to send client metrics | Write | | | |
| SendVolumeStatsForDrs [permission only] | Grants permission to send volume throughput statistics | Write | SourceServerResource* | | |
| StartFailbackLaunch | Grants permission to start failback launch | Write | RecoveryInstanceResource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| StartRecovery | Grants permission to start recovery | Write | SourceServerResource* | aws:RequestTag/${TagKey}, aws:TagKeys | drs:CreateRecoveryInstanceForDrs, drs:ListTagsForResource, ec2:AttachVolume, ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateLaunchTemplate, ec2:CreateLaunchTemplateVersion, ec2:CreateSnapshot, ec2:CreateTags, ec2:CreateVolume, ec2:DeleteLaunchTemplateVersions, ec2:DeleteSnapshot, ec2:DeleteVolume, ec2:DescribeAccountAttributes, ec2:DescribeAvailabilityZones, ec2:DescribeImages, ec2:DescribeInstanceAttribute, ec2:DescribeInstanceStatus, ec2:DescribeInstanceTypes, ec2:DescribeInstances, ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates, ec2:DescribeSecurityGroups, ec2:DescribeSnapshots, ec2:DescribeSubnets, ec2:DescribeVolumes, ec2:DetachVolume, ec2:ModifyInstanceAttribute, ec2:ModifyLaunchTemplate, ec2:RevokeSecurityGroupEgress, ec2:RunInstances, ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances, iam:PassRole |
| StopFailback | Grants permission to stop failback | Write | RecoveryInstanceResource* | | |
| TagResource | Grants permission to assign a resource tag | Tagging | JobResource, RecoveryInstanceResource, ReplicationConfigurationTemplateResource, SourceServerResource | aws:RequestTag/${TagKey}, aws:TagKeys, drs:CreateAction | |
| TerminateRecoveryInstances | Grants permission to terminate recovery instances | Write | RecoveryInstanceResource* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:DeleteVolume, ec2:DescribeInstances, ec2:DescribeVolumes, ec2:TerminateInstances |
| UntagResource | Grants permission to untag a resource | Tagging | JobResource, RecoveryInstanceResource, ReplicationConfigurationTemplateResource, SourceServerResource | aws:TagKeys | |
| UpdateAgentBacklogForDrs [permission only] | Grants permission to update agent backlog | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| UpdateAgentConversionInfoForDrs [permission only] | Grants permission to update agent conversion info | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| UpdateAgentReplicationInfoForDrs [permission only] | Grants permission to update agent replication info | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| UpdateAgentReplicationProcessStateForDrs [permission only] | Grants permission to update agent replication process state | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| UpdateAgentSourcePropertiesForDrs [permission only] | Grants permission to update agent source properties | Write | RecoveryInstanceResource*, SourceServerResource* | | |
| UpdateFailbackClientDeviceMappingForDrs [permission only] | Grants permission to update failback client device mapping | Write | RecoveryInstanceResource* | | |
| UpdateFailbackClientLastSeenForDrs [permission only] | Grants permission to update failback client last seen | Write | RecoveryInstanceResource* | | |
| UpdateFailbackReplicationConfiguration | Grants permission to update failback replication configuration | Write | RecoveryInstanceResource* | | |
| UpdateLaunchConfiguration | Grants permission to update launch configuration | Write | SourceServerResource* | | |
| UpdateReplicationCertificateForDrs [permission only] | Grants permission to update a replication certificate | Write | RecoveryInstanceResource* | | |
| UpdateReplicationConfiguration | Grants permission to update replication configuration | Write | SourceServerResource* | | |
| UpdateReplicationConfigurationTemplate | Grants permission to update replication configuration template | Write | ReplicationConfigurationTemplateResource* | | |

Resource types defined by AWS Elastic Disaster Recovery

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| JobResource | arn:${Partition}:drs:${Region}:${Account}:job/${JobID} | aws:ResourceTag/${TagKey} |
| RecoveryInstanceResource | arn:${Partition}:drs:${Region}:${Account}:recovery-instance/${RecoveryInstanceID} | aws:ResourceTag/${TagKey}, drs:EC2InstanceARN |
| ReplicationConfigurationTemplateResource | arn:${Partition}:drs:${Region}:${Account}:replication-configuration-template/${ReplicationConfigurationTemplateID} | aws:ResourceTag/${TagKey} |
| SourceServerResource | arn:${Partition}:drs:${Region}:${Account}:source-server/${SourceServerID} | aws:ResourceTag/${TagKey} |
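
The resource-level rules described for the Actions table can be checked mechanically before a policy is deployed. The following is an added example, not part of the AWS reference: a small linter that encodes a handful of rows from the Actions table and the ARN format from the Resource types table, then flags statements whose Resource element cannot match or is broader than needed. The names `ACTION_RESOURCES`, `lint_statement`, `lint_policy` and the sample policy are assumptions made for illustration.

```python
import re

# Subset of the Actions table on this page: action -> resource types it accepts.
# An empty tuple means the "Resource types" column is blank for that action.
ACTION_RESOURCES = {
    "drs:StartRecovery": ("source-server",),
    "drs:DeleteJob": ("job",),
    "drs:TerminateRecoveryInstances": ("recovery-instance",),
    "drs:DescribeJobs": (),
    "drs:DescribeSourceServers": (),
}

# arn:${Partition}:drs:${Region}:${Account}:<type>/<id> from the Resource types
# table. ARNs that wildcard the type segment itself are out of scope here.
ARN_RE = re.compile(r"^arn:[^:]+:drs:[^:]*:[^:]*:([a-z-]+)/.+$")

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_statement(stmt):
    """Return (action, problem) pairs for one Allow statement."""
    findings = []
    resources = as_list(stmt["Resource"])
    arn_types = {m.group(1) for m in map(ARN_RE.match, resources) if m}
    for action in as_list(stmt["Action"]):
        if action not in ACTION_RESOURCES:
            findings.append((action, "not in the encoded subset of the table"))
            continue
        allowed = ACTION_RESOURCES[action]
        if "*" in resources:
            if allowed:  # works, but broader than the table requires
                findings.append((action, "could be scoped to " + ", ".join(allowed)))
        elif not allowed:
            findings.append((action, 'no resource type: only Resource "*" matches'))
        elif not arn_types & set(allowed):
            findings.append((action, "no ARN of type " + ", ".join(allowed)))
    return findings

# Constructed sample policy; the account ID and resource IDs are placeholders.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["drs:StartRecovery", "drs:DescribeSourceServers"],
     "Resource": "arn:aws:drs:us-east-1:111122223333:source-server/s-EXAMPLE"},
    {"Effect": "Allow", "Action": "drs:DeleteJob", "Resource": "*"},
]}

def lint_policy(policy):
    return [f for s in policy["Statement"] for f in lint_statement(s)]

if __name__ == "__main__":
    for action, problem in lint_policy(POLICY):
        print(f"{action}: {problem}")
```

In the sample, `drs:DescribeSourceServers` is paired with a source-server ARN even though the table lists no resource type for it, so that statement never grants it; `drs:DeleteJob` on `"*"` works but could be narrowed to a job ARN.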

Condition keys for AWS Elastic Disaster Recovery

AWS Elastic Disaster Recovery defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
| drs:CreateAction | Filters access by the name of a resource-creating API action | String |
| drs:EC2InstanceARN | Filters access by the EC2 instance the request originated from | String |