Actions, resources, and condition keys for AWS Elastic Disaster Recovery
AWS Elastic Disaster Recovery (service prefix: drs
) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS Elastic Disaster Recovery
You can specify the following actions in the Action
element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource
element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource
element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition
element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AssociateFailbackClientToRecoveryInstanceForDrs [permission only] | Grants permission to get associate failback client to recovery instance | Write | |||
AssociateSourceNetworkStack | Grants permission to associate CloudFormation stack with source network | Write |
cloudformation:DescribeStackResource cloudformation:DescribeStacks drs:GetLaunchConfiguration ec2:CreateLaunchTemplateVersion ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs ec2:ModifyLaunchTemplate |
||
BatchCreateVolumeSnapshotGroupForDrs [permission only] | Grants permission to batch create volume snapshot group | Write | |||
BatchDeleteSnapshotRequestForDrs [permission only] | Grants permission to batch delete snapshot request | Write | |||
CreateConvertedSnapshotForDrs [permission only] | Grants permission to create converted snapshot | Write | |||
CreateExtendedSourceServer | Grants permission to extend a source server | Write |
drs:DescribeSourceServers drs:GetReplicationConfiguration |
||
CreateLaunchConfigurationTemplate | Grants permission to create launch configuration template | Write | |||
CreateRecoveryInstanceForDrs [permission only] | Grants permission to create recovery instance | Write | |||
CreateReplicationConfigurationTemplate | Grants permission to create replication configuration template | Write |
ec2:CreateSecurityGroup ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:GetEbsDefaultKmsKeyId ec2:GetEbsEncryptionByDefault kms:CreateGrant kms:DescribeKey |
||
CreateSourceNetwork | Grants permission to create a source network | Write |
ec2:DescribeInstances ec2:DescribeVpcs |
||
CreateSourceServerForDrs [permission only] | Grants permission to create a source server | Write | |||
DeleteJob | Grants permission to delete a job | Write | |||
DeleteLaunchAction | Grants permission to delete a launch action | Write | |||
DeleteLaunchConfigurationTemplate | Grants permission to delete launch configuration template | Write | |||
DeleteRecoveryInstance | Grants permission to delete recovery instance | Write | |||
DeleteReplicationConfigurationTemplate | Grants permission to delete replication configuration template | Write | |||
DeleteSourceNetwork | Grants permission to delete source network | Write | |||
DeleteSourceServer | Grants permission to delete source server | Write | |||
DescribeJobLogItems | Grants permission to describe job log items | Read | |||
DescribeJobs | Grants permission to describe jobs | Read | |||
DescribeLaunchConfigurationTemplates | Grants permission to describe launch configuration template | Read | |||
DescribeRecoveryInstances | Grants permission to describe recovery instances | Read |
drs:DescribeSourceServers ec2:DescribeInstances |
||
DescribeRecoverySnapshots | Grants permission to describe recovery snapshots | Read | |||
DescribeReplicationConfigurationTemplates | Grants permission to describe replication configuration template | Read | |||
DescribeReplicationServerAssociationsForDrs [permission only] | Grants permission to describe replication server associations | Read | |||
DescribeSnapshotRequestsForDrs [permission only] | Grants permission to describe snapshot requests | Read | |||
DescribeSourceNetworks | Grants permission to describe source networks | Read | |||
DescribeSourceServers | Grants permission to describe source servers | Read | |||
DisconnectRecoveryInstance | Grants permission to disconnect recovery instance | Write | |||
DisconnectSourceServer | Grants permission to disconnect source server | Write | |||
ExportSourceNetworkCfnTemplate | Grants permission to export CloudFormation template which contains source network resources | Write |
s3:GetBucketLocation s3:GetObject s3:PutObject |
||
GetAgentCommandForDrs [permission only] | Grants permission to get agent command | Read | |||
GetAgentConfirmedResumeInfoForDrs [permission only] | Grants permission to get agent confirmed resume info | Read | |||
GetAgentInstallationAssetsForDrs [permission only] | Grants permission to get agent installation assets | Read | |||
GetAgentReplicationInfoForDrs [permission only] | Grants permission to get agent replication info | Read | |||
GetAgentRuntimeConfigurationForDrs [permission only] | Grants permission to get agent runtime configuration | Read | |||
GetAgentSnapshotCreditsForDrs [permission only] | Grants permission to get agent snapshot credits | Read | |||
GetChannelCommandsForDrs [permission only] | Grants permission to get channel commands | Read | |||
GetFailbackCommandForDrs [permission only] | Grants permission to get failback command | Read | |||
GetFailbackLaunchRequestedForDrs [permission only] | Grants permission to get failback launch requested | Read | |||
GetFailbackReplicationConfiguration | Grants permission to get failback replication configuration | Read | |||
GetLaunchConfiguration | Grants permission to get launch configuration | Read | |||
GetReplicationConfiguration | Grants permission to get replication configuration | Read | |||
GetSuggestedFailbackClientDeviceMappingForDrs [permission only] | Grants permission to get suggested failback client device mapping | Read | |||
InitializeService | Grants permission to initialize service | Write |
iam:AddRoleToInstanceProfile iam:CreateInstanceProfile iam:CreateServiceLinkedRole iam:GetInstanceProfile |
||
IssueAgentCertificateForDrs [permission only] | Grants permission to issue an agent certificate | Write | |||
ListExtensibleSourceServers | Grants permission to list extensible source servers | Read |
drs:DescribeSourceServers |
||
ListLaunchActions | Grants permission to list launch actions | Read | |||
ListStagingAccounts | Grants permission to list staging accounts | Read | |||
ListTagsForResource | Grants permission to list tags for a resource | Read | |||
NotifyAgentAuthenticationForDrs [permission only] | Grants permission to notify agent authentication | Write | |||
NotifyAgentConnectedForDrs [permission only] | Grants permission to notify agent is connected | Write | |||
NotifyAgentDisconnectedForDrs [permission only] | Grants permission to notify agent is disconnected | Write | |||
NotifyAgentReplicationProgressForDrs [permission only] | Grants permission to notify agent replication progress | Write | |||
NotifyConsistencyAttainedForDrs [permission only] | Grants permission to notify consistency attained | Write | |||
NotifyReplicationServerAuthenticationForDrs [permission only] | Grants permission to notify replication server authentication | Write | |||
NotifyVolumeEventForDrs [permission only] | Grants permission to notify replicator volume events | Write | |||
PutLaunchAction | Grants permission to put a launch action | Write |
ssm:DescribeDocument |
||
RetryDataReplication | Grants permission to retry data replication | Write | |||
ReverseReplication | Grants permission to reverse replication | Write |
drs:DescribeReplicationConfigurationTemplates drs:DescribeSourceServers ec2:DescribeInstances |
||
SendAgentLogsForDrs [permission only] | Grants permission to send agent logs | Write | |||
SendAgentMetricsForDrs [permission only] | Grants permission to send agent metrics | Write | |||
SendChannelCommandResultForDrs [permission only] | Grants permission to send channel command result | Write | |||
SendClientLogsForDrs [permission only] | Grants permission to send client logs | Write | |||
SendClientMetricsForDrs [permission only] | Grants permission to send client metrics | Write | |||
SendVolumeStatsForDrs [permission only] | Grants permission to send volume throughput statistics | Write | |||
StartFailbackLaunch | Grants permission to start failback launch | Write | |||
StartRecovery | Grants permission to start recovery | Write |
drs:CreateRecoveryInstanceForDrs drs:ListTagsForResource ec2:AttachVolume ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateLaunchTemplate ec2:CreateLaunchTemplateVersion ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteLaunchTemplateVersions ec2:DeleteSnapshot ec2:DeleteVolume ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstanceTypes ec2:DescribeInstances ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeVolumes ec2:DetachVolume ec2:ModifyInstanceAttribute ec2:ModifyLaunchTemplate ec2:RevokeSecurityGroupEgress ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances iam:PassRole |
||
StartReplication | Grants permission to start replication | Write | |||
StartSourceNetworkRecovery | Grants permission to start network recovery | Write |
cloudformation:CreateStack cloudformation:DescribeStackResource cloudformation:DescribeStacks cloudformation:UpdateStack drs:GetLaunchConfiguration ec2:CreateLaunchTemplateVersion ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs ec2:ModifyLaunchTemplate s3:GetObject s3:PutObject |
||
StartSourceNetworkReplication | Grants permission to start network replication | Write | |||
StopFailback | Grants permission to stop failback | Write | |||
StopReplication | Grants permission to stop replication | Write | |||
StopSourceNetworkReplication | Grants permission to stop network replication | Write | |||
TagResource | Grants permission to assign a resource tag | Tagging | |||
TerminateRecoveryInstances | Grants permission to terminate recovery instances | Write |
drs:DescribeSourceServers ec2:DeleteVolume ec2:DescribeInstances ec2:DescribeVolumes ec2:TerminateInstances |
||
UntagResource | Grants permission to untag a resource | Tagging | |||
UpdateAgentBacklogForDrs [permission only] | Grants permission to update agent backlog | Write | |||
UpdateAgentConversionInfoForDrs [permission only] | Grants permission to update agent conversion info | Write | |||
UpdateAgentReplicationInfoForDrs [permission only] | Grants permission to update agent replication info | Write | |||
UpdateAgentReplicationProcessStateForDrs [permission only] | Grants permission to update agent replication process state | Write | |||
UpdateAgentSourcePropertiesForDrs [permission only] | Grants permission to update agent source properties | Write | |||
UpdateFailbackClientDeviceMappingForDrs [permission only] | Grants permission to update failback client device mapping | Write | |||
UpdateFailbackClientLastSeenForDrs [permission only] | Grants permission to update failback client last seen | Write | |||
UpdateFailbackReplicationConfiguration | Grants permission to update failback replication configuration | Write | |||
UpdateLaunchConfiguration | Grants permission to update launch configuration | Write |
ec2:DescribeInstances |
||
UpdateLaunchConfigurationTemplate | Grants permission to update launch configuration | Write | |||
UpdateReplicationCertificateForDrs [permission only] | Grants permission to update a replication certificate | Write | |||
UpdateReplicationConfiguration | Grants permission to update replication configuration | Write |
ec2:CreateSecurityGroup ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:GetEbsDefaultKmsKeyId ec2:GetEbsEncryptionByDefault kms:CreateGrant kms:DescribeKey |
||
UpdateReplicationConfigurationTemplate | Grants permission to update replication configuration template | Write |
ec2:CreateSecurityGroup ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:GetEbsDefaultKmsKeyId ec2:GetEbsEncryptionByDefault kms:CreateGrant kms:DescribeKey |
Resource types defined by AWS Elastic Disaster Recovery
The following resource types are defined by this service and can be used in the Resource
element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
JobResource |
arn:${Partition}:drs:${Region}:${Account}:job/${JobID}
|
|
RecoveryInstanceResource |
arn:${Partition}:drs:${Region}:${Account}:recovery-instance/${RecoveryInstanceID}
|
|
ReplicationConfigurationTemplateResource |
arn:${Partition}:drs:${Region}:${Account}:replication-configuration-template/${ReplicationConfigurationTemplateID}
|
|
LaunchConfigurationTemplateResource |
arn:${Partition}:drs:${Region}:${Account}:launch-configuration-template/${LaunchConfigurationTemplateID}
|
|
SourceServerResource |
arn:${Partition}:drs:${Region}:${Account}:source-server/${SourceServerID}
|
|
SourceNetworkResource |
arn:${Partition}:drs:${Region}:${Account}:source-network/${SourceNetworkID}
|
Condition keys for AWS Elastic Disaster Recovery
AWS Elastic Disaster Recovery defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
drs:CreateAction | Filters access by the name of a resource-creating API action | String |
drs:EC2InstanceARN | Filters access by the EC2 instance the request originated from | ARN |