Actions, resources, and condition keys for AWS Elastic Disaster Recovery - Service Authorization Reference

AWS Elastic Disaster Recovery (service prefix: drs) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Elastic Disaster Recovery

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. Each resource type in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to any action in the Actions table used with that resource type.

For details about the columns in the following table, see Actions table.

Actions table (columns: Description, Access level, Resource types (*required), Condition keys, Dependent actions)

AssociateFailbackClientToRecoveryInstanceForDrs [permission only]
  Description: Grants permission to associate failback client to recovery instance
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

AssociateSourceNetworkStack
  Description: Grants permission to associate CloudFormation stack with source network
  Access level: Write
  Resource types (*required): SourceNetworkResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: cloudformation:DescribeStackResource, cloudformation:DescribeStacks, drs:GetLaunchConfiguration, ec2:CreateLaunchTemplateVersion, ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:ModifyLaunchTemplate

BatchCreateVolumeSnapshotGroupForDrs [permission only]
  Description: Grants permission to batch create volume snapshot group
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

BatchDeleteSnapshotRequestForDrs [permission only]
  Description: Grants permission to batch delete snapshot request
  Access level: Write

CreateConvertedSnapshotForDrs [permission only]
  Description: Grants permission to create converted snapshot
  Access level: Write
  Resource types (*required): SourceServerResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateExtendedSourceServer
  Description: Grants permission to extend a source server
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: drs:DescribeSourceServers, drs:GetReplicationConfiguration

CreateLaunchConfigurationTemplate
  Description: Grants permission to create launch configuration template
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateRecoveryInstanceForDrs [permission only]
  Description: Grants permission to create recovery instance
  Access level: Write
  Resource types (*required): SourceServerResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateReplicationConfigurationTemplate
  Description: Grants permission to create replication configuration template
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateSecurityGroup, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:GetEbsDefaultKmsKeyId, ec2:GetEbsEncryptionByDefault, kms:CreateGrant, kms:DescribeKey

CreateSourceNetwork
  Description: Grants permission to create a source network
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:DescribeInstances, ec2:DescribeVpcs

CreateSourceServerForDrs [permission only]
  Description: Grants permission to create a source server
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

DeleteJob
  Description: Grants permission to delete a job
  Access level: Write
  Resource types (*required): JobResource*

DeleteLaunchAction
  Description: Grants permission to delete a launch action
  Access level: Write
  Resource types (*required): LaunchConfigurationTemplateResource, SourceServerResource

DeleteLaunchConfigurationTemplate
  Description: Grants permission to delete launch configuration template
  Access level: Write
  Resource types (*required): LaunchConfigurationTemplateResource*

DeleteRecoveryInstance
  Description: Grants permission to delete recovery instance
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

DeleteReplicationConfigurationTemplate
  Description: Grants permission to delete replication configuration template
  Access level: Write
  Resource types (*required): ReplicationConfigurationTemplateResource*

DeleteSourceNetwork
  Description: Grants permission to delete source network
  Access level: Write
  Resource types (*required): SourceNetworkResource*

DeleteSourceServer
  Description: Grants permission to delete source server
  Access level: Write
  Resource types (*required): SourceServerResource*

DescribeJobLogItems
  Description: Grants permission to describe job log items
  Access level: Read
  Resource types (*required): JobResource*

DescribeJobs
  Description: Grants permission to describe jobs
  Access level: Read

DescribeLaunchConfigurationTemplates
  Description: Grants permission to describe launch configuration templates
  Access level: Read

DescribeRecoveryInstances
  Description: Grants permission to describe recovery instances
  Access level: Read
  Dependent actions: drs:DescribeSourceServers, ec2:DescribeInstances

DescribeRecoverySnapshots
  Description: Grants permission to describe recovery snapshots
  Access level: Read
  Resource types (*required): SourceServerResource*

DescribeReplicationConfigurationTemplates
  Description: Grants permission to describe replication configuration templates
  Access level: Read

DescribeReplicationServerAssociationsForDrs [permission only]
  Description: Grants permission to describe replication server associations
  Access level: Read

DescribeSnapshotRequestsForDrs [permission only]
  Description: Grants permission to describe snapshot requests
  Access level: Read

DescribeSourceNetworks
  Description: Grants permission to describe source networks
  Access level: Read

DescribeSourceServers
  Description: Grants permission to describe source servers
  Access level: Read

DisconnectRecoveryInstance
  Description: Grants permission to disconnect recovery instance
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

DisconnectSourceServer
  Description: Grants permission to disconnect source server
  Access level: Write
  Resource types (*required): SourceServerResource*

ExportSourceNetworkCfnTemplate
  Description: Grants permission to export CloudFormation template which contains source network resources
  Access level: Write
  Resource types (*required): SourceNetworkResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: s3:GetBucketLocation, s3:GetObject, s3:PutObject

GetAgentCommandForDrs [permission only]
  Description: Grants permission to get agent command
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

GetAgentConfirmedResumeInfoForDrs [permission only]
  Description: Grants permission to get agent confirmed resume info
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

GetAgentInstallationAssetsForDrs [permission only]
  Description: Grants permission to get agent installation assets
  Access level: Read

GetAgentReplicationInfoForDrs [permission only]
  Description: Grants permission to get agent replication info
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

GetAgentRuntimeConfigurationForDrs [permission only]
  Description: Grants permission to get agent runtime configuration
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

GetAgentSnapshotCreditsForDrs [permission only]
  Description: Grants permission to get agent snapshot credits
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

GetChannelCommandsForDrs [permission only]
  Description: Grants permission to get channel commands
  Access level: Read

GetFailbackCommandForDrs [permission only]
  Description: Grants permission to get failback command
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*

GetFailbackLaunchRequestedForDrs [permission only]
  Description: Grants permission to get failback launch requested
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*

GetFailbackReplicationConfiguration
  Description: Grants permission to get failback replication configuration
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*

GetLaunchConfiguration
  Description: Grants permission to get launch configuration
  Access level: Read
  Resource types (*required): SourceServerResource*

GetReplicationConfiguration
  Description: Grants permission to get replication configuration
  Access level: Read
  Resource types (*required): SourceServerResource*

GetSuggestedFailbackClientDeviceMappingForDrs [permission only]
  Description: Grants permission to get suggested failback client device mapping
  Access level: Read
  Resource types (*required): RecoveryInstanceResource*

InitializeService
  Description: Grants permission to initialize service
  Access level: Write
  Dependent actions: iam:AddRoleToInstanceProfile, iam:CreateInstanceProfile, iam:CreateServiceLinkedRole, iam:GetInstanceProfile

IssueAgentCertificateForDrs [permission only]
  Description: Grants permission to issue an agent certificate
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

ListExtensibleSourceServers
  Description: Grants permission to list extensible source servers
  Access level: Read
  Dependent actions: drs:DescribeSourceServers

ListLaunchActions
  Description: Grants permission to list launch actions
  Access level: Read
  Resource types (*required): LaunchConfigurationTemplateResource, SourceServerResource

ListStagingAccounts
  Description: Grants permission to list staging accounts
  Access level: Read

ListTagsForResource
  Description: Grants permission to list tags for a resource
  Access level: Read

NotifyAgentAuthenticationForDrs [permission only]
  Description: Grants permission to notify agent authentication
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

NotifyAgentConnectedForDrs [permission only]
  Description: Grants permission to notify agent is connected
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

NotifyAgentDisconnectedForDrs [permission only]
  Description: Grants permission to notify agent is disconnected
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

NotifyAgentReplicationProgressForDrs [permission only]
  Description: Grants permission to notify agent replication progress
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

NotifyConsistencyAttainedForDrs [permission only]
  Description: Grants permission to notify consistency attained
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

NotifyReplicationServerAuthenticationForDrs [permission only]
  Description: Grants permission to notify replication server authentication
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

NotifyVolumeEventForDrs [permission only]
  Description: Grants permission to notify replicator volume events
  Access level: Write
  Resource types (*required): SourceServerResource*

PutLaunchAction
  Description: Grants permission to put a launch action
  Access level: Write
  Resource types (*required): LaunchConfigurationTemplateResource, SourceServerResource
  Dependent actions: ssm:DescribeDocument

RetryDataReplication
  Description: Grants permission to retry data replication
  Access level: Write
  Resource types (*required): SourceServerResource*

ReverseReplication
  Description: Grants permission to reverse replication
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: drs:DescribeReplicationConfigurationTemplates, drs:DescribeSourceServers, ec2:DescribeInstances

SendAgentLogsForDrs [permission only]
  Description: Grants permission to send agent logs
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

SendAgentMetricsForDrs [permission only]
  Description: Grants permission to send agent metrics
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

SendChannelCommandResultForDrs [permission only]
  Description: Grants permission to send channel command result
  Access level: Write

SendClientLogsForDrs [permission only]
  Description: Grants permission to send client logs
  Access level: Write

SendClientMetricsForDrs [permission only]
  Description: Grants permission to send client metrics
  Access level: Write

SendVolumeStatsForDrs [permission only]
  Description: Grants permission to send volume throughput statistics
  Access level: Write
  Resource types (*required): SourceServerResource*

StartFailbackLaunch
  Description: Grants permission to start failback launch
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

StartRecovery
  Description: Grants permission to start recovery
  Access level: Write
  Resource types (*required): SourceServerResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: drs:CreateRecoveryInstanceForDrs, drs:ListTagsForResource, ec2:AttachVolume, ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateLaunchTemplate, ec2:CreateLaunchTemplateVersion, ec2:CreateSnapshot, ec2:CreateTags, ec2:CreateVolume, ec2:DeleteLaunchTemplateVersions, ec2:DeleteSnapshot, ec2:DeleteVolume, ec2:DescribeAccountAttributes, ec2:DescribeAvailabilityZones, ec2:DescribeImages, ec2:DescribeInstanceAttribute, ec2:DescribeInstanceStatus, ec2:DescribeInstanceTypes, ec2:DescribeInstances, ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates, ec2:DescribeSecurityGroups, ec2:DescribeSnapshots, ec2:DescribeSubnets, ec2:DescribeVolumes, ec2:DetachVolume, ec2:ModifyInstanceAttribute, ec2:ModifyLaunchTemplate, ec2:RevokeSecurityGroupEgress, ec2:RunInstances, ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances, iam:PassRole

StartReplication
  Description: Grants permission to start replication
  Access level: Write
  Resource types (*required): SourceServerResource*

StartSourceNetworkRecovery
  Description: Grants permission to start network recovery
  Access level: Write
  Resource types (*required): SourceNetworkResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: cloudformation:CreateStack, cloudformation:DescribeStackResource, cloudformation:DescribeStacks, cloudformation:UpdateStack, drs:GetLaunchConfiguration, ec2:CreateLaunchTemplateVersion, ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:ModifyLaunchTemplate, s3:GetObject, s3:PutObject

StartSourceNetworkReplication
  Description: Grants permission to start network replication
  Access level: Write
  Resource types (*required): SourceNetworkResource*

StopFailback
  Description: Grants permission to stop failback
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

StopReplication
  Description: Grants permission to stop replication
  Access level: Write
  Resource types (*required): SourceServerResource*

StopSourceNetworkReplication
  Description: Grants permission to stop network replication
  Access level: Write
  Resource types (*required): SourceNetworkResource*

TagResource
  Description: Grants permission to assign a resource tag
  Access level: Tagging
  Resource types (*required): JobResource, LaunchConfigurationTemplateResource, RecoveryInstanceResource, ReplicationConfigurationTemplateResource, SourceNetworkResource, SourceServerResource
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, drs:CreateAction

TerminateRecoveryInstances
  Description: Grants permission to terminate recovery instances
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: drs:DescribeSourceServers, ec2:DeleteVolume, ec2:DescribeInstances, ec2:DescribeVolumes, ec2:TerminateInstances

UntagResource
  Description: Grants permission to untag a resource
  Access level: Tagging
  Resource types (*required): JobResource, LaunchConfigurationTemplateResource, RecoveryInstanceResource, ReplicationConfigurationTemplateResource, SourceNetworkResource, SourceServerResource
  Condition keys: aws:TagKeys

UpdateAgentBacklogForDrs [permission only]
  Description: Grants permission to update agent backlog
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

UpdateAgentConversionInfoForDrs [permission only]
  Description: Grants permission to update agent conversion info
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

UpdateAgentReplicationInfoForDrs [permission only]
  Description: Grants permission to update agent replication info
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

UpdateAgentReplicationProcessStateForDrs [permission only]
  Description: Grants permission to update agent replication process state
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

UpdateAgentSourcePropertiesForDrs [permission only]
  Description: Grants permission to update agent source properties
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*, SourceServerResource*

UpdateFailbackClientDeviceMappingForDrs [permission only]
  Description: Grants permission to update failback client device mapping
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

UpdateFailbackClientLastSeenForDrs [permission only]
  Description: Grants permission to update failback client last seen
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

UpdateFailbackReplicationConfiguration
  Description: Grants permission to update failback replication configuration
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

UpdateLaunchConfiguration
  Description: Grants permission to update launch configuration
  Access level: Write
  Resource types (*required): SourceServerResource*
  Dependent actions: ec2:DescribeInstances

UpdateLaunchConfigurationTemplate
  Description: Grants permission to update launch configuration template
  Access level: Write
  Resource types (*required): LaunchConfigurationTemplateResource*

UpdateReplicationCertificateForDrs [permission only]
  Description: Grants permission to update a replication certificate
  Access level: Write
  Resource types (*required): RecoveryInstanceResource*

UpdateReplicationConfiguration
  Description: Grants permission to update replication configuration
  Access level: Write
  Resource types (*required): SourceServerResource*
  Dependent actions: ec2:CreateSecurityGroup, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:GetEbsDefaultKmsKeyId, ec2:GetEbsEncryptionByDefault, kms:CreateGrant, kms:DescribeKey

UpdateReplicationConfigurationTemplate
  Description: Grants permission to update replication configuration template
  Access level: Write
  Resource types (*required): ReplicationConfigurationTemplateResource*
  Dependent actions: ec2:CreateSecurityGroup, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:GetEbsDefaultKmsKeyId, ec2:GetEbsEncryptionByDefault, kms:CreateGrant, kms:DescribeKey

Resource types defined by AWS Elastic Disaster Recovery

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types table (columns: ARN, Condition keys)

JobResource
  ARN: arn:${Partition}:drs:${Region}:${Account}:job/${JobID}
  Condition keys: aws:ResourceTag/${TagKey}

RecoveryInstanceResource
  ARN: arn:${Partition}:drs:${Region}:${Account}:recovery-instance/${RecoveryInstanceID}
  Condition keys: aws:ResourceTag/${TagKey}, drs:EC2InstanceARN

ReplicationConfigurationTemplateResource
  ARN: arn:${Partition}:drs:${Region}:${Account}:replication-configuration-template/${ReplicationConfigurationTemplateID}
  Condition keys: aws:ResourceTag/${TagKey}

LaunchConfigurationTemplateResource
  ARN: arn:${Partition}:drs:${Region}:${Account}:launch-configuration-template/${LaunchConfigurationTemplateID}
  Condition keys: aws:ResourceTag/${TagKey}

SourceServerResource
  ARN: arn:${Partition}:drs:${Region}:${Account}:source-server/${SourceServerID}
  Condition keys: aws:ResourceTag/${TagKey}

SourceNetworkResource
  ARN: arn:${Partition}:drs:${Region}:${Account}:source-network/${SourceNetworkID}
  Condition keys: aws:ResourceTag/${TagKey}
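The rules stated above for the Actions table (a required resource type needs a matching ARN in the Resource element; an action with no resource type needs Resource "*") and the ARN formats in the Resource types table can be combined into a least-privilege check for a drs policy statement. The following is an added example written for this page, not AWS code or an AWS API: the action-to-resource mapping encodes only a handful of rows from the table above, the sample IDs are constructed, and the assumption is that a Resource pattern covers a resource type when it matches a sample ARN built from that type's format.

```python
import fnmatch

# Required resource types for a few drs actions, copied from the Actions table on this page.
# [] means no resource-level permissions: the statement must use Resource "*". Subset only.
REQUIRED_RESOURCE_TYPES = {
    "drs:StartRecovery": ["SourceServerResource"],
    "drs:TerminateRecoveryInstances": ["RecoveryInstanceResource"],
    "drs:DeleteJob": ["JobResource"],
    "drs:DescribeJobs": [],
}

# ARN formats copied from the Resource types table on this page.
ARN_FORMATS = {
    "JobResource": "arn:${Partition}:drs:${Region}:${Account}:job/${JobID}",
    "RecoveryInstanceResource":
        "arn:${Partition}:drs:${Region}:${Account}:recovery-instance/${RecoveryInstanceID}",
    "SourceServerResource":
        "arn:${Partition}:drs:${Region}:${Account}:source-server/${SourceServerID}",
}

# Constructed sample field values, used only to turn each ARN format into one concrete ARN.
SAMPLE_FIELDS = {"Partition": "aws", "Region": "us-east-1", "Account": "123456789012",
                 "JobID": "drsjob-sample0001", "RecoveryInstanceID": "i-sample0001", "SourceServerID": "s-sample0001"}

def sample_arn(resource_type):
    arn = ARN_FORMATS[resource_type]
    for name, value in SAMPLE_FIELDS.items():
        arn = arn.replace("${" + name + "}", value)
    return arn

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_statement(statement):
    """Return {action: [problem, ...]} for one Allow statement; [] means the Resource
    element satisfies the table. Assumption: a Resource pattern (IAM '*' and '?'
    wildcards) covers a resource type when it matches that type's sample ARN."""
    resources = _as_list(statement["Resource"])
    covered = {t for t in ARN_FORMATS
               if any(fnmatch.fnmatchcase(sample_arn(t), r) for r in resources)}
    report = {}
    for action in _as_list(statement["Action"]):
        required = REQUIRED_RESOURCE_TYPES.get(action)
        problems = []
        if required is None:
            problems.append("action not in the encoded table")
        elif not required and resources != ["*"]:
            problems.append('no resource-level permissions: Resource must be "*"')
        else:
            problems += [f"no Resource ARN matches required {t}" for t in required if t not in covered]
            if required and resources == ["*"]:
                problems.append('Resource "*" is broader than needed; scope to ' + ", ".join(required))
        report[action] = problems
    return report
```

The last check is not an error under the table's rules; it flags a Resource "*" grant on an action that does support resource-level scoping, which is where tightening to a source-server or recovery-instance ARN pays off.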

Condition keys for AWS Elastic Disaster Recovery

AWS Elastic Disaster Recovery defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the presence of tag keys in the request ArrayOfString
drs:CreateAction Filters access by the name of a resource-creating API action String
drs:EC2InstanceARN Filters access by the EC2 instance the request originated from ARN