Using a role template for AWS

Prerequisite

You must have the HYCU account ID of your subscription. To get the HYCU account ID, click  <EmailAddress> in the toolbar, and then click Subscription Information to open the Subscription Information dialog box. The account ID is listed under the HYCU Account section.

Considerations

  • Make sure that the AWS account for which you are creating the role is not already added as a source in R‑Cloud; otherwise the creation of the least-permissions role will fail and the role with default permissions will stay in place. If you have already added the AWS account as a source, delete its role or the AWS CloudFormation stack with which you created the original role before you start the process, or use a different account.

  • By default, the IAM role created by R‑Cloud allows performing data protection actions on all resources in your AWS account. In addition to creating a custom role with the least-privilege permissions as described in this topic, you can also limit R‑Cloud to have access only to the resources that are relevant for data protection by specifying them in the AWS Management Console. You should do this each time you add new resources that should be accessible to R‑Cloud.

    Note   To make sure that the targets that are automatically created by R‑Cloud will be accessible, keep the default resource accessibility settings for the automatically created targets. For details on how to identify the automatically created targets, see Resources created by R‑Cloud.

    For details on how Amazon S3 works with IAM and how to specify the resources that should be accessible to R‑Cloud, see AWS documentation.

Recommendation

To ensure the highest level of security when using the least-permissions role, it is recommended to do the following in the AWS Management Console:

  • Choose the required S3 bucket permissions for the buckets only.

  • Choose the required S3 object permissions only for the contents that are stored within the bucket.
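The recommendation above (bucket-level permissions on the bucket ARNs only, object-level permissions on the bucket contents only) can be expressed as a resource-scoped policy. The following is an added example, not HYCU's template: it takes the S3 actions from the permission list on this page, groups them by the resource type each is evaluated against, and emits a policy where only `ListAllMyBuckets` is account-wide. The bucket name is a constructed placeholder; the job-tagging and Storage Lens tagging actions are left out because they target job and configuration ARNs rather than buckets.

```python
"""Added example: build a resource-scoped S3 policy for named target buckets.

Illustrative code, not HYCU's own template. Bucket-level actions are granted
on the bucket ARNs only, object-level actions on the objects inside those
buckets only. Bucket names used below are constructed placeholders.
"""
import json

# S3 actions from the permission list on this page, grouped by the resource
# type each one is evaluated against (account, bucket, or object).
ACCOUNT_LEVEL = ["s3:ListAllMyBuckets"]
BUCKET_LEVEL = [
    "s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
    "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration",
    "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging",
    "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration",
    "s3:GetLifecycleConfiguration", "s3:PutBucketTagging", "s3:CreateBucket",
]
OBJECT_LEVEL = [
    "s3:GetObject", "s3:GetObjectTagging", "s3:PutObject", "s3:PutObjectTagging",
    "s3:PutObjectVersionTagging", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging", "s3:ReplicateTags",
]
# Extra object-level actions the page lists for Object Lock (WORM) targets.
OBJECT_LOCK_LEVEL = ["s3:PutObjectRetention", "s3:PutObjectLegalHold"]


def bucket_arn(name):
    return f"arn:aws:s3:::{name}"


def validate_bucket_name(name):
    # Minimal sanity check so an empty name or a wildcard cannot silently
    # widen the scope of the generated statements.
    if not name or any(c in name for c in "*?") or name != name.lower():
        raise ValueError(f"refusing suspicious bucket name: {name!r}")
    return name


def build_s3_policy(bucket_names, object_lock=False):
    """Return an IAM policy document scoped to the given buckets."""
    buckets = [validate_bucket_name(b) for b in bucket_names]
    object_actions = OBJECT_LEVEL + (OBJECT_LOCK_LEVEL if object_lock else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListAccountBuckets", "Effect": "Allow",
             "Action": ACCOUNT_LEVEL, "Resource": "*"},
            {"Sid": "BucketLevel", "Effect": "Allow",
             "Action": BUCKET_LEVEL,
             "Resource": [bucket_arn(b) for b in buckets]},
            {"Sid": "ObjectLevel", "Effect": "Allow",
             "Action": object_actions,
             "Resource": [bucket_arn(b) + "/*" for b in buckets]},
        ],
    }


def resources_for_action(policy, action):
    """Return every Resource entry that grants the given action (review helper)."""
    found = []
    for stmt in policy["Statement"]:
        if action in stmt["Action"]:
            res = stmt["Resource"]
            found.extend(res if isinstance(res, list) else [res])
    return found


if __name__ == "__main__":
    policy = build_s3_policy(["example-backup-target"], object_lock=True)
    print(json.dumps(policy, indent=2))
```

`resources_for_action` is the review step: after generating or editing a policy, confirm that no object-level action ended up on a bucket ARN or on `*`, and that only `ListAllMyBuckets` is account-wide.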

Procedure

To add the role template to your AWS account, perform the following:

  1. Open the following URL in your browser:

    https://us-east-2.console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/quickcreate?templateUrl=https%3A%2F%2Fhycu-resources.s3.amazonaws.com%2Fcloudformation%2F08082022-HycuRoleTemplate-AWSLeastPermissions.json&stackName=HycuStack&param_ExternalId=<HYCUAccountId>

    In this URL, replace <HYCUAccountId> at the end with the HYCU account ID of your subscription.

    Important  You must be signed in to the AWS Management Console with the AWS account for which you are creating roles. If you are signed in to the AWS Management Console with a different account when you create the IAM roles, the creation fails.

  2. In the AWS Management Console, on the Quick create stack page, confirm the capabilities required by R‑Cloud by clicking I acknowledge that AWS CloudFormation might create IAM resources, and then click Create stack.
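The `param_ExternalId` value in the quick-create URL becomes the external ID on the role's trust relationship, which is what prevents another tenant from assuming the role across accounts. The following added example (not HYCU's code) builds the URL from the procedure above for a given account ID, refuses the literal placeholder, parses the external ID back out of a link for auditing, and checks that a trust policy pins `sts:ExternalId` to the expected value. `TEMPLATE_URL` and the query parameters are copied from the URL on this page; the trust policy document at the end is a constructed sample, not the one the stack actually creates, and the accepted character set for the account ID is an assumption.

```python
"""Added example (not HYCU's code): build the quick-create URL for a HYCU
account ID and verify a role trust policy requires that external ID.

TEMPLATE_URL and the parameter names come from the procedure on this page.
SAMPLE_TRUST_POLICY is a constructed sample shaped like a standard IAM
cross-account trust with an sts:ExternalId condition.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

CONSOLE = "https://us-east-2.console.aws.amazon.com/cloudformation/home"
TEMPLATE_URL = ("https://hycu-resources.s3.amazonaws.com/cloudformation/"
                "08082022-HycuRoleTemplate-AWSLeastPermissions.json")


def build_quick_create_url(hycu_account_id, region="us-east-2", stack_name="HycuStack"):
    account_id = hycu_account_id.strip()
    # Refuse the literal <HYCUAccountId> placeholder and anything that does not
    # look like an identifier (character set is an assumption): the value becomes
    # the role's ExternalId, so an empty or malformed value weakens the protection.
    if not account_id or account_id.startswith("<") or not re.fullmatch(r"[A-Za-z0-9._-]+", account_id):
        raise ValueError("supply the real HYCU account ID from Subscription Information")
    # urlencode percent-encodes the template URL the same way the page's link does
    # (https%3A%2F%2F...), so the console receives a single templateUrl parameter.
    params = urlencode({
        "templateUrl": TEMPLATE_URL,
        "stackName": stack_name,
        "param_ExternalId": account_id,
    })
    return f"{CONSOLE}?region={region}#/stacks/quickcreate?{params}"


def external_id_from_url(url):
    """Read param_ExternalId back out of the URL fragment (audit a link before opening it)."""
    fragment = urlparse(url).fragment  # "/stacks/quickcreate?templateUrl=...&param_ExternalId=..."
    query = fragment.split("?", 1)[1] if "?" in fragment else ""
    return parse_qs(query).get("param_ExternalId", [None])[0]


def trust_policy_requires_external_id(trust_policy, expected_external_id):
    """True only if every Allow sts:AssumeRole statement pins sts:ExternalId to the expected value."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    assume = []
    for s in statements:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            assume.append(s)
    if not assume:
        return False
    for s in assume:
        cond = s.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            return False
    return True


# Constructed sample trust policy; the principal and external ID are placeholders.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-hycu-account-id"}},
    }],
}


if __name__ == "__main__":
    url = build_quick_create_url("example-hycu-account-id")
    print(url)
    print("external id round-trips:", external_id_from_url(url) == "example-hycu-account-id")
    print("trust policy pins external id:",
          trust_policy_requires_external_id(SAMPLE_TRUST_POLICY, "example-hycu-account-id"))
```

After the stack has been created, the same check can be run against the real trust policy returned by `aws iam get-role` for the new role: if any `sts:AssumeRole` statement lacks the `sts:ExternalId` condition, the role is not protected against the confused-deputy case that the external ID exists for.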

AWS permissions required by R‑Cloud

The following is a list of AWS permissions required by R‑Cloud, grouped by service:

S3

ListAllMyBuckets
ListBucket
ListBucketVersions
GetBucketLocation
GetBucketLogging
GetBucketObjectLockConfiguration
GetBucketPublicAccessBlock
GetBucketTagging
GetBucketVersioning
GetEncryptionConfiguration
GetLifecycleConfiguration
GetObject
GetObjectTagging
DeleteJobTagging
DeleteObject
DeleteObjectVersion
DeleteObjectTagging
DeleteObjectVersionTagging
DeleteStorageLensConfigurationTagging
PutBucketTagging
PutJobTagging
PutObjectTagging
PutObjectVersionTagging
PutStorageLensConfigurationTagging
ReplicateTags
CreateBucket
PutObject

For targets that have Object Lock (WORM) enabled, the following additional permissions are required:
PutObjectRetention
PutObjectLegalHold

S3 Express

CreateSession
ListAllMyDirectoryBuckets

STS

AssumeRole

SQS

GetQueueUrl
ListQueues
ReceiveMessage
CreateQueue
DeleteMessage
DeleteQueue
SendMessage

IAM

GetAccountSummary
PassRole

EC2

DescribeAddresses
DescribeAvailabilityZones
DescribeInstances
DescribeInstanceStatus
DescribeInstanceTypes
DescribeRegions
DescribeSecurityGroups
DescribeSnapshots
DescribeSubnets
DescribeVolumes
GetConsoleOutput
CreateTags
AllocateAddress
AssociateAddress
AttachVolume
CopyFpgaImage
CopyImage
CopySnapshot
CreateNetworkInterface
CreateSnapshot
CreateSnapshots
CreateVolume
DeleteSnapshot
DeleteVolume
DeregisterImage
DetachVolume
ImportImage
ImportInstance
ImportKeyPair
ImportSnapshot
ImportVolume
RegisterImage
RunInstances
StartInstances
StopInstances
TerminateInstances

Elastic Block Store

CompleteSnapshot
StartSnapshot
GetSnapshotBlock
ListChangedBlocks
ListSnapshotBlocks
PutSnapshotBlock

SNS

ListSubscriptions
ListSubscriptionsByTopic
ListTopics
GetSubscriptionAttributes
GetTopicAttributes
ListTagsForResource
TagResource
UnTagResource
ConfirmSubscription
CreateTopic
DeleteTopic
Publish
SetSubscriptionAttributes
SetTopicAttributes
Subscribe
Unsubscribe

S3 Object Lambda

ListBucket
ListBucketMultipartUploads
ListBucketVersions
ListMultipartUploadParts
GetObject
GetObjectRetention
PutObject
PutObjectLegalHold
PutObjectRetention
RestoreObject
WriteGetObjectResponse