NetBackup™ Snapshot Manager Install and Upgrade Guide
Last Published: 2023-03-31
Product(s): NetBackup (10.2)
AWS permissions required by NetBackup Snapshot Manager
The following is an IAM role definition (in JSON format) that gives NetBackup Snapshot Manager the ability to configure the AWS plugin, discover assets, manage snapshots, and so on.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2AutoScaling",
      "Effect": "Allow",
      "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:AttachInstances",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:DescribeKey",
        "kms:ListAliases",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncryptFrom",
        "kms:CreateGrant"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "RDSBackup",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBClusters",
        "rds:DescribeDBClusterSnapshots",
        "rds:DeleteDBSnapshot",
        "rds:CreateDBSnapshot",
        "rds:CreateDBClusterSnapshot",
        "rds:ModifyDBSnapshotAttribute",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeDBInstances",
        "rds:CopyDBSnapshot",
        "rds:CopyDBClusterSnapshot",
        "rds:DescribeDBSnapshotAttributes",
        "rds:DeleteDBClusterSnapshot",
        "rds:ListTagsForResource",
        "rds:AddTagsToResource"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "RDSRecovery",
      "Effect": "Allow",
      "Action": [
        "rds:ModifyDBInstance",
        "rds:ModifyDBClusterSnapshotAttribute",
        "rds:RestoreDBInstanceFromDBSnapshot",
        "rds:ModifyDBCluster",
        "rds:RestoreDBClusterFromSnapshot",
        "rds:CreateDBInstance",
        "rds:RestoreDBClusterToPointInTime",
        "rds:CreateDBSecurityGroup",
        "rds:CreateDBCluster",
        "rds:RestoreDBInstanceToPointInTime",
        "rds:DescribeDBClusterParameterGroups"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EC2Backup",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:ModifySnapshotAttribute",
        "ec2:CreateImage",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:RegisterImage",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DeregisterImage",
        "ec2:DeleteSnapshot",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeRegions",
        "ec2:ModifyImageAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:ResetSnapshotAttribute",
        "ec2:DescribeHosts",
        "ec2:DescribeImages",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EC2Recovery",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:AttachNetworkInterface",
        "ec2:DetachVolume",
        "ec2:AttachVolume",
        "ec2:DeleteTags",
        "ec2:CreateTags",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:AssociateIamInstanceProfile",
        "ec2:AssociateAddress",
        "ec2:DescribeKeyPairs",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:GetEbsEncryptionByDefault"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EBS",
      "Effect": "Allow",
      "Action": [
        "ebs:ListSnapshotBlocks",
        "ebs:GetSnapshotBlock",
        "ebs:CompleteSnapshot",
        "ebs:PutSnapshotBlock",
        "ebs:ListChangedBlocks",
        "ebs:StartSnapshot"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EKS",
      "Effect": "Allow",
      "Action": [
        "eks:DescribeNodegroup",
        "eks:DescribeUpdate",
        "eks:UpdateNodegroupConfig",
        "eks:ListClusters",
        "eks:DescribeCluster"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "IAM",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccountAliases",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": ["*"]
    }
  ]
}
If a NetBackup Snapshot Manager extension is installed on a managed Kubernetes cluster in AWS, then enable the following policies for a user account or a role before configuring the plugin:
- AmazonEKSClusterPolicy
- AmazonEKSWorkerNodePolicy
- AmazonEC2ContainerRegistryReadOnly
- AmazonEKS_CNI_Policy
- AmazonEKSServicePolicy
Additional IAM permissions required for marketplace deployment
{
  "Sid": "AWSMarketplacePermissions",
  "Effect": "Allow",
  "Action": [
    "autoscaling:UpdateAutoScalingGroup",
    "autoscaling:AttachInstances",
    "sns:Publish",
    "sns:GetTopicAttributes",
    "secretsmanager:GetResourcePolicy",
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret",
    "secretsmanager:RestoreSecret",
    "secretsmanager:PutSecretValue",
    "secretsmanager:DeleteSecret",
    "secretsmanager:UpdateSecret"
  ],
  "Resource": ["*"]
}
Additional IAM permissions required by PaaS workloads
{
  "Sid": "DynamoDB",
  "Effect": "Allow",
  "Action": [
    "dynamodb:ListTables",
    "dynamodb:DescribeTable",
    "dynamodb:CreateTable",
    "dynamodb:BatchWriteItem",
    "dynamodb:DescribeContinuousBackups",
    "dynamodb:ExportTableToPointInTime",
    "dynamodb:DescribeExport",
    "dynamodb:DeleteTable",
    "dynamodb:UpdateTable",
    "dynamodb:UpdateContinuousBackups"
  ],
  "Resource": ["*"]
},
{
  "Sid": "S3Permissions",
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:GetObject",
    "s3:ListBucket",
    "s3:CreateBucket",
    "s3:DeleteObject"
  ],
  "Resource": ["*"]
}
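Every statement in the policies above is granted on "Resource": ["*"], so a least-privilege review starts by listing which of those actions go beyond reading metadata. The script below is an added example, not part of the Veritas guide; the read-only prefix test and the DATA_READS set are assumptions of this sketch, and the embedded policy is a shortened excerpt of the page's statements.

```python
import json

# Constructed excerpt of this page's policies (action lists shortened).
POLICY_JSON = """
{"Version": "2012-10-17", "Statement": [
  {"Sid": "KMS", "Effect": "Allow", "Resource": ["*"],
   "Action": ["kms:ListKeys", "kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"]},
  {"Sid": "EC2Recovery", "Effect": "Allow", "Resource": ["*"],
   "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeKeyPairs"]},
  {"Sid": "IAM", "Effect": "Allow", "Resource": ["*"],
   "Action": ["iam:ListAccountAliases", "iam:SimulatePrincipalPolicy"]},
  {"Sid": "AWSMarketplacePermissions", "Effect": "Allow", "Resource": ["*"],
   "Action": ["sns:GetTopicAttributes", "secretsmanager:GetSecretValue",
              "secretsmanager:DeleteSecret"]}
]}
"""

# Assumption: these verb prefixes only read metadata (triage heuristic, not an AWS rule).
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Simulate")
# "Get" actions from this page that return stored data rather than metadata.
DATA_READS = {"secretsmanager:GetSecretValue", "ebs:GetSnapshotBlock", "s3:GetObject"}


def as_list(value):
    """IAM accepts a bare string/object or a list for these fields."""
    return list(value) if isinstance(value, list) else [value]


def needs_review(action):
    """True when the action changes state, uses a key, or reads stored data."""
    verb = action.split(":", 1)[-1]
    return action in DATA_READS or not verb.startswith(READ_ONLY_PREFIXES)


def wildcard_findings(policy_text):
    """Map each Allow statement's Sid to its reviewable actions on Resource "*"."""
    policy = json.loads(policy_text)  # fails fast on malformed JSON (e.g. a missing comma)
    findings = {}
    for number, stmt in enumerate(as_list(policy["Statement"])):
        wildcard = "*" in as_list(stmt.get("Resource", []))
        flagged = sorted(a for a in as_list(stmt.get("Action", [])) if needs_review(a))
        if stmt.get("Effect") == "Allow" and wildcard and flagged:
            findings[stmt.get("Sid", f"statement-{number}")] = flagged
    return findings


if __name__ == "__main__":
    for sid, actions in wildcard_findings(POLICY_JSON).items():
        print(f"{sid}: {', '.join(actions)}")
```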