N2W Software

            What are the required minimal AWS permissions/roles for CPM operation?

            You can apply all the required roles by using the JSON files inside the archive attached to this article (including the new permissions required for v2.4).

            To apply these permissions, follow these instructions:
            2. Go to 'Users' and select the user that requires the permission to assume the role.
            3. Open the 'Permissions' tab and click 'Add permissions'.
            4. Select 'Attach existing policies directly' and click 'Create policy'.
            5. In the window that opens, open the 'JSON' tab, select all data and replace it with the data from one of the JSON files you downloaded previously, then click 'Review policy'.
            6. Specify the name for the policy, enter the description if needed and click 'Create policy'.
            7. Go back to the user settings, open the 'Permissions' tab and click 'Add permissions', select 'Attach existing policies directly', search for the policy you created and click 'Next:Review'.
            8. Click 'Add permissions'.



            For assuming a role, the user needs this permission:
            "sts:AssumeRole"
            Please check this document for the procedure on establishing trust: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html#cli-role-prepare

            For cross-account operations, you need to add the following permissions:
            "ec2:ModifyImageAttribute",
            "ec2:ModifySnapshotAttribute",
            "rds:ModifyDBSnapshotAttribute"

            A different set of KMS-related permissions is required for admin and non-admin users.

            If you are an admin user, ListAliases & ListKeys are enough.

            Other users need these minimum KMS permissions:

            - For backup and DR:

              "kms:CreateGrant",
              "kms:DescribeKey",
              "kms:GenerateDataKeyWithoutPlaintext",
              "kms:ListAliases",
              "kms:ListKeys"

            - For recovery:

              "kms:DescribeKey",
              "kms:ListAliases",
              "kms:ListKeys",
              "kms:ReEncryptFrom",
              "kms:ReEncryptTo"
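
To confirm that a policy you are about to attach grants the minimum actions listed in this article, the following added example (not N2W's code and not one of the attached JSON files) checks a policy document against each list. The profile names and the sample policy are constructed for illustration. It compares only the Action patterns of Allow statements and does not evaluate Resource, Condition, NotAction or explicit Deny.

```python
import fnmatch

# Minimum action lists copied from this article; the profile names are assumptions.
REQUIRED = {
    "assume_role": ["sts:AssumeRole"],
    "cross_account": ["ec2:ModifyImageAttribute", "ec2:ModifySnapshotAttribute",
                      "rds:ModifyDBSnapshotAttribute"],
    "kms_admin": ["kms:ListAliases", "kms:ListKeys"],
    "kms_backup_dr": ["kms:CreateGrant", "kms:DescribeKey",
                      "kms:GenerateDataKeyWithoutPlaintext",
                      "kms:ListAliases", "kms:ListKeys"],
    "kms_recovery": ["kms:DescribeKey", "kms:ListAliases", "kms:ListKeys",
                     "kms:ReEncryptFrom", "kms:ReEncryptTo"],
}


def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_patterns(policy):
    """Collect lowercased Action patterns from Allow statements only."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    return patterns


def missing_actions(policy, profile):
    """Return the actions in REQUIRED[profile] that no Allow pattern matches."""
    patterns = allowed_patterns(policy)
    return [action for action in REQUIRED[profile]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)]


# Constructed sample policy for illustration (not one of the vendor's files).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:List*", "kms:DescribeKey"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:ReEncrypt*", "Resource": "*"},
]}

if __name__ == "__main__":
    for profile in REQUIRED:
        print(profile, "missing:", missing_actions(SAMPLE_POLICY, profile))
```

An empty list for a profile means every action in that list is matched by some Allow pattern; a non-empty list names the actions to add before CPM uses the policy.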



            Attachments (1)