Important: The availability of this feature may be limited by license type, region, and other criteria. To access this feature, contact Support.
AWS Workloads (CloudRanger) requires an AWS Identity and Access Management (IAM) role to access and manage your AWS workloads. To configure your AWS Workloads account, you grant AWS Workloads third-party (cross-account) access to your AWS account through that role.
To create the IAM role, the AWS Workloads Management Console provides a CloudFormation template that provisions a CloudFormation stack in your AWS environment. The stack creates the following IAM resources that AWS Workloads uses to access your AWS account:
IAM Role
IAM Instance Profile
IAM Policy
The generated Amazon Resource Name (ARN) of the IAM role is then linked back to AWS Workloads so that it can run backup and restore jobs on your AWS workloads.
Permissions
The following tables list the permissions required to discover, back up, and restore your Amazon EFS resources, and why each one is needed:
Discovery permissions

| Permission ID | Why Druva needs the permission |
| --- | --- |
| elasticfilesystem:DescribeFileSystems | View Amazon EFS file system details |
| elasticfilesystem:DescribeMountTargets | Locate mount targets in your subnets |
| elasticfilesystem:DescribeLifecycleConfiguration | Check storage class transition settings |
| elasticfilesystem:DescribeMountTargetSecurityGroups | Identify the network access rules and validate inbound and outbound access to the mount targets |
| elasticfilesystem:DescribeTags | Read EFS metadata |

Backup and restore permissions

| Permission ID | Why Druva needs the permission |
| --- | --- |
| elasticfilesystem:ClientMount | Mount the file system |
| elasticfilesystem:ClientRead | Discover and read data from EFS |
| elasticfilesystem:ClientWrite | Write data during restore |
| elasticfilesystem:ClientRootAccess | Root-level file operations, as required for backup |
| ec2:RunInstances | Launch worker instances for your workload |
| ec2:TerminateInstances | Allow a worker instance to terminate itself, or the instances it launched, after the job |
| ec2:DescribeInstances | Check the status of instances |
| ec2:CreateTags | Label new instances and volumes with job IDs |
| ec2:DescribeInstanceTypes | Ensure the instance size supports the workload |
| ec2:CreateNetworkInterface | Attach the instance to the network during launch |
| ec2:DeleteNetworkInterface | Clean up the network interface when the instance is terminated |
| ec2:DescribeNetworkInterfaces | Find existing interfaces for EFS mount targets |
| ec2:ModifyNetworkInterfaceAttribute | Adjust network settings for performance |
| ec2:DescribeSubnets | Discover the current network layout |
| ec2:DescribeVpcs | Discover the current network layout |
| ec2:DescribeSecurityGroups | Find the security groups required for EFS access |
| s3:GetObject | Download your binary or data via the pre-signed URL |
| s3:PutObject | Upload results and backups to the destination bucket |
| s3:ListBucket | Verify files before or after the transfer |
| s3:GetBucketLocation | Required by the SDK to route requests to the correct region |
| iam:PassRole | Allow the binary to pass its own role to the EC2 instances it launches |
| ssm:PutParameter | Store the Falcon auth key for ephemeral devices |
| ssm:DeleteParameter | Remove the stored key in the "destroy customer" scenario |
| ssm:GetParameter | Read the auth key and activate devices |
