Home
Configure cloud provider permissions
A cloud account connects Cloud Snapshot Manager to a single cloud provider account.
Configure a role-based IAM user for AWS
The following steps have been provided as an example to help you create a role-based cloud account:
AWS permission usage
The following tables contain information about why Cloud Snapshot Manager requires AWS permissions to discover and protect resources in your cloud environment:

AWS permission usage

The following tables contain information about why Cloud Snapshot Manager requires AWS permissions to discover and protect resources in your cloud environment:

Table 1. EBS or EC2 permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
ec2:DescribeVolumes	List EBS volumes for selection for on-demand or scheduled snapshots. Take EBS and EC2 instance snapshots.
ec2:DescribeInstances	List EC2 instances for selection for on-demand or scheduled snapshots. Take EC2 instance snapshot.
ec2:CreateSnapshot	Take EBS and EC2 instance snapshots.
ec2:DescribeInstanceAttribute	Take EC2 instance snapshot.
ec2:CopySnapshot	Copy EBS or EC2 snapshot to remote region.
ec2:CreateTags	Take a snapshot. Restore from snapshot.	While taking a snapshot, the snapshot is set with the same tags as that of the original resource. During restore, to set tags on the restored instance, depending on what was set on the original resource.
ec2:CreateVolume	Restore EBS or EC2 instance.
ec2:AssociateIamInstanceProfile	Restore EC2 instance.	Associates an IAM instance profile with an instance that is in running or stopped state. Used to attach the IAM role to the restored VM.
ec2:AttachVolume ec2:RegisterImage ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:AttachNetworkInterface ec2:AssignPrivateIpAddresses ec2:CreateNetworkInterface ec2:AssociateAddress ec2:DescribeIamInstanceProfileAssociations ec2:ModifyInstanceAttribute ec2:ModifySnapshotAttribute ec2:DescribeSnapshots ec2:DescribeImages ec2:DescribeNetworkInterfaces ec2:DescribeAddresses ec2:DescribeRegions ec2:DescribeAvailabilityZones ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs ec2:DescribeKeyPairs	Restore EC2 instance.	All 'Describe*' actions are required if you want to restore instances with configuration that is different from the original configuration of the resource (of which a snapshot was taken). The actions list those resources for selection.
ec2:AttachVolume ec2:DetachVolume ec2:CreateVolume ec2:DeleteVolume ec2:ModifyInstanceAttribute	File Level Restore
ec2:ModifySnapshotAttribute	Cross-account copying of snapshots. Restore snapshot.	Required to share and stop sharing the snapshot after a snapshot or restore operation is completed.
ec2:DeleteSnapshot	Expire EBS or EC2 snapshot.	In the case of a DR account, which is required if the account has permission to delete snapshots.
ec2:DeleteTags		To delete tags which are added by Cloud Snapshot Manager if the DR account does not have permission to delete the snapshot.
ec2:DescribeSnapshots	While taking a snapshot, to monitor its status. Expire snapshot. Non-CSM snapshot expiry.

Table 2. RDS permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
rds:DescribeDBInstances	List RDS instances for selection for on-demand or scheduled snapshots.
rds:CreateDBSnapshot rds:ListTagsForResource rds:AddTagsToResource	Create on-demand or scheduled snapshot.
rds:AddTagsToResource rds:ModifyDBInstance rds:RestoreDBInstanceFromDBSnapshot	Restore RDS instance.
rds:DeleteDBSnapshot	Expire DB snapshot.
rds:DescribeDBSnapshots	Monitor snapshot status during creation. Expire snapshot.

Table 3. Aurora DB permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
rds:DescribeDBClusters	List Aurora DB clusters for selection for on-demand or scheduled snapshots.
rds:CreateDBClusterSnapshot rds:ListTagsForResource	Create on-demand or scheduled snapshot.
rds:ModifyDBCluster rds:RestoreDBClusterFromDBSnapshot rds:AddRoleToDBCluster	Restore Aurora DB, and set its attributes.
rds:DeleteDBClusterSnapshot	Expire DB snapshot.
rds:DescribeDBClusterSnapshot	Monitor snapshot status during snapshot creation. Expire DB snapshot.
rds:DeleteDBCluster rds:DeleteDBInstance	Expire DB cluster.

Table 4. Redshift permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
redshift:DescribeClusters	List Redshift DB clusters for selection for on-demand or scheduled snapshot.
redshift:CreateClusterSnapshot redshift:DescribeClusterSnapshots redshift:CreateTags	Take on-demand or scheduled snapshots.
redshift:RestoreFromClusterSnapshot	Restore from snapshot.
redshift:DeleteClusterSnapshot	Expire snapshot.

Table 5. DynamoDB permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
dynamodb:DescribeTable	List tables for selection for on-demand and scheduled snapshots. Take snapshot Restore
dynamodb:ListTables	List table for selection for on-demand and scheduled snapshots.
dynamodb:CreateBackup dynamodb:describeBackup dynamodb:ListTagsOfResource	Take snapshot.	'describeBackup' is for monitoring status of snapshot as snapshot creation is asynchronous.
dynamodb:RestoreTableFromBackup dynamodb:TagResource	Restore from snapshot.
dynamodb:DeleteBackup	Expire snapshot.
dynamodb:ListBackups	Non-CSM Snapshot Details Report	'ListBackups' is required to list all non-CSM snapshot details from the AWS account in the Non-CSM Snapshot Details Report.
dynamodb:CreateTable	Create table	The permissions are required only for the following AWS ARN: "arn:aws:dynamodb:::table/*"
dynamodb:CreateTableReplica	Create table replica	The permissions are required only for the following AWS ARN: "arn:aws:dynamodb:::table/*"
dynamodb:UpdateTable	Update table replica	'UpdateTable' modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table. The permissions are required only for the following AWS ARN: "arn:aws:dynamodb:::table/*"
application- autoscaling:RegisterScalableTarget application- autoscaling:DescribeScalableTargets application-autoscaling:PutScalingPolicy application- autoscaling:DescribeScalingPolicies	Registers or updates a scalable target, the resource that you want to scale.

Table 6. SSM Document permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
ssm:DescribeInstanceInformation ssm:DescribeDocument ssm:SendCommand ssm:GetCommandInvocation	Take application- consistent snapshots. For File Level Recovery

Table 7. IAM permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
iam:PassRole	Create role-based cloud account access.

Table 8. KMS permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
kms:ListAliases	Cross region snapshot copy	To list keys in target regions for encrypting data while copying snapshots.
kms:Encrypt kms:Decrypt kms:ReEncrypt* kms:GenerateDataKey* kms:DescribeKey kms:CreateGrant kms:ListGrants kms:RevokeGrant	Restore encrypted volumes. Restore VM with encrypted volumes. File Level Recovery from encrypted volumes.

Table 9. Cost Explorer permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
ce:GetCostAndUsage ce:GetDimensionValues	Snapshot Summary Report	To report snapshot bucket size, that is storage usage in GB-Month for all snapshots in the AWS account irrespective of whether the snapshots are created by Cloud Snapshot Manager or not.

Table 10. EBS permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
ebs:completeSnapshot ebs:getSnapshotBlock ebs:listChangedBlocks ebs:listSnapshotBlocks ebs:putSnapshotBlock ebs:startSnapshot	EBS snapshot data copy to target storage like PowerProtect DD Virtual Edition (DDVE).	To read data from EBS snapshots and copy to the target storage. To write data into EBS snapshots during restore.

Table 11. ECS permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
ecs:CreateCluster ecs:CreateService ecs:DeleteCluster ecs:DeregisterTaskDefinition ecs:RegisterTaskDefinition ecs:DeleteService ecs:DescribeClusters ecs:DescribeServices ecs:TagResource	Snapshot data copy to target storage like DDVE.	For managing Fargate Container that runs as CSM Proxy for data movement between DDVE and cloud snapshots. The permissions are required only for the following AWS ARNs: "arn:aws:ecs:::cluster/csm" "arn:aws:ecs:::service/csm/csm*"

Table 12. SQS permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
sqs:createQueue sqs:deleteMessage sqs:deleteQueue sqs:receiveMessage sqs:sendMessage	Snapshot data copy to target storage like DDVE.	For communication between Cloud Snapshot Manager services (running in Dell Data Center) and CSM Proxy (running in the user cloud account) to copy data from the snapshot to the target storage. For example, DDVE. The permissions are required only for the AWS ARN: "arn:aws:sqs:::csm*"

Table 13. Cloud Formation permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
cloudformation:createStack cloudformation:deleteStack cloudformation:describeStack	Snapshot data copy to target storage like DDVE.	To create a CSM Proxy (compute) instance on-demand in the cloud account for copying data. For example, for copying EBS snapshots to DDVE in the cloud provider environment. The permissions are required only for the AWS ARN: "arn:aws:cloudformation:::stack/csm-/"

Table 14. ECR permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
ecr:BatchCheckLayerAvailability ecr:BatchGetImage ecr:GetAuthorizationToken ecr:GetDownloadUrlForLayer	Snapshot data copy to target storage like DDVE.	To create a CSM Proxy (compute) instance on-demand in the cloud account for copying data. For example, for copying EBS snapshots to DDVE in the cloud provider environment.

Table 15. Log permissions
AWS Permission	Cloud Snapshot Manager features dependent on the permission	Comments
logs:CreateLogStream logs:PutLogEvents	Snapshot data copy to target storage like DDVE.	To create a CSM Proxy (compute) instance on-demand in the cloud account for copying data. For example, for copying EBS snapshots to DDVE in the cloud provider environment.