NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Product(s): NetBackup & Alta Data Protection (11.0)

AWS permissions required by NetBackup Snapshot Manager

The following is an IAM role definition (in JSON format) that gives NetBackup Snapshot Manager the ability to configure the AWS plug-in, discover assets, manage snapshots, and so on.

Table: NetBackup Snapshot Manager features vs. permissions for the AWS cloud provider

VM based

| Feature | Task/Operation | Required permission |
|---|---|---|
| KMS (Encryption and Decryption) | To list the KMS keys during various operations. | kms:ListKeys |
| | KMS feature provided by NetBackup Snapshot Manager. | kms:Encrypt, kms:Decrypt, kms:GenerateDataKey, kms:GenerateDataKeyWithoutPlaintext, kms:CreateGrant |
| | Internally required by AWS for replication of encrypted snapshots. | kms:ReEncryptTo, kms:ReEncryptFrom |
| | To get the information of a particular KMS key. | kms:DescribeKey |
| | To list the KMS key aliases during various operations. | kms:ListAliases |
| Protection of RDS resources | To list RDS database snapshots (discovery). | rds:DescribeDBSnapshots |
| | To list RDS database clusters (discovery). | rds:DescribeDBClusters |
| | To list RDS database cluster snapshots (discovery). | rds:DescribeDBClusterSnapshots |
| | To delete RDS database snapshot (snapshot expiry). | rds:DeleteDBSnapshot |
| | To create RDS database snapshot. | rds:CreateDBSnapshot |
| | To create RDS database cluster snapshot. | rds:CreateDBClusterSnapshot |
| | To share/unshare RDS database snapshot with a different account, for cross-account replication. | rds:ModifyDBSnapshotAttribute |
| | To list RDS database subnet groups (discovery). | rds:DescribeDBSubnetGroups |
| | To list RDS database instances (discovery). | rds:DescribeDBInstances |
| | To copy RDS database snapshot between regions, used for replication. | rds:CopyDBSnapshot |
| | To copy RDS database cluster snapshot between regions, used for replication. | rds:CopyDBClusterSnapshot |
| | Implicitly required during restore/replicate operations of a cross-account snapshot to read its attributes. | rds:DescribeDBSnapshotAttributes |
| | To list all RDS proxies. | rds:DescribeDBProxies |
| | To list RDS database instances for a particular proxy. | rds:DescribeDBProxyTargets |
| | To delete RDS database cluster snapshot (snapshot expiry). | rds:DeleteDBClusterSnapshot |
| | To list tags for RDS resources. | rds:ListTagsForResource |
| | To add tags for RDS resources, during snapshot, replication and restore. | rds:AddTagsToResource |
| | To list the proxy endpoints for a given RDS proxy. | rds:DescribeDBProxyEndpoints |
| | To grant permission to retrieve and decrypt encrypted data. | secretsmanager:GetSecretValue |
| | To get the details of the instance types that are offered in a location. Used to decide the parallelism during backup/restore of the RDS database(s). | ec2:DescribeInstanceTypes |
| Recovery of RDS resources | To modify settings for RDS database instance; to modify security group during restore. | rds:ModifyDBInstance |
| | To share/unshare RDS database cluster snapshot with a different account for cross-account replication. | rds:ModifyDBClusterSnapshotAttribute |
| | To create RDS database instance from snapshot (snapshot restore). | rds:RestoreDBInstanceFromDBSnapshot |
| | To modify settings for RDS database cluster. | rds:ModifyDBCluster |
| | To create RDS database cluster from snapshot (snapshot restore). | rds:RestoreDBClusterFromSnapshot |
| | To create RDS database instance while restoring RDS cluster. | rds:CreateDBInstance |
| | Required internally by AWS to restore RDS database cluster. | rds:RestoreDBClusterToPointInTime |
| | To create RDS database security group; restore RDS with default security group. | rds:CreateDBSecurityGroup |
| | To create RDS database cluster. | rds:CreateDBCluster |
| | Required internally by AWS to restore RDS database instance. | rds:RestoreDBInstanceToPointInTime |
| | To get the information about parameter group during restore of RDS cluster snapshot. | rds:DescribeDBClusterParameterGroups |
| Backup of EC2 resources | To get the information about the user/role being used to make API requests (through which the CSP is configured). | sts:GetCallerIdentity |
| | Required on the source account role for configuring a cross-account provider configuration, along with the other prerequisites required on the cross-account role. | sts:AssumeRole |
| | To create EBS volume snapshot. | ec2:CreateSnapshot |
| | To create EC2 instance snapshot (snapshot of all the attached disks). | ec2:CreateSnapshots |
| | To list EC2 instances (discovery). | ec2:DescribeInstances |
| | To get the status of the specified EC2 instance. | ec2:DescribeInstanceStatus |
| | To share/unshare the EBS snapshots with a different account for cross-account replication. | ec2:ModifySnapshotAttribute |
| | To replicate EBS snapshot from one region to another; to replicate EC2 instance snapshots disk by disk. | ec2:CopySnapshot |
| | To list EBS snapshots (discovery). | ec2:DescribeSnapshots |
| | To get the status of the specified EBS volume. | ec2:DescribeVolumeStatus |
| | To list EBS volumes (discovery). | ec2:DescribeVolumes |
| | Used during restore of EC2 instance snapshot; an AMI is registered as an intermediate step to launch the EC2 instance. | ec2:RegisterImage |
| | To get the specific attribute of specified EBS volume during various operations. | ec2:DescribeVolumeAttribute |
| | To list subnets (discovery). | ec2:DescribeSubnets |
| | To list VPCs (discovery). | ec2:DescribeVpcs |
| | To deregister the intermediate AMI registered during restore of EC2 instance. | ec2:DeregisterImage |
| | To delete EBS snapshot (snapshot expiry / cleanup during snapshot creation failure). | ec2:DeleteSnapshot |
| | To get the specific attribute of specified EC2 instance. | ec2:DescribeInstanceAttribute |
| | To list regions. | ec2:DescribeRegions |
| | To list availability zones (discovery). | ec2:DescribeAvailabilityZones |
| | To reset permission settings for the specified snapshot modified during cross-account replication. | ec2:ResetSnapshotAttribute |
| | To list dedicated hosts (discovery). | ec2:DescribeHosts |
| | To list AMIs (EC2 instance snapshots created by NetBackup Snapshot Manager) (discovery). | ec2:DescribeImages |
| | To list security groups (discovery). | ec2:DescribeSecurityGroups |
| | To list the network interfaces of EC2 instance, required for EC2 instance discovery. | ec2:DescribeNetworkInterfaces |
| | To get the tags created on the specific resource. | ec2:DescribeTags |
| | To get the details of the instance types that are offered in a location. | ec2:DescribeInstanceTypes |
| Recovery of EC2 resources | To create EC2 instance (restoring the host snapshot). | ec2:RunInstances |
| | Internally used by AWS to attach the specified network interface to the given instance, required for restore of host snapshot. | ec2:AttachNetworkInterface |
| | To detach EBS volume(s) from EC2 instance during rollback restore. Also, during the GRT workflow, the intermediate volume which first gets attached is later detached. | ec2:DetachVolume |
| | To attach the new EBS volume(s) to EC2 instance in case of rollback restore. Also, during restore of volume snapshot to an EC2 instance, the newly created disk is attached to the specified instance. | ec2:AttachVolume |
| | To delete tags on EC2 resources. Some NetBackup Snapshot Manager internal tags are created during various operations and need to be removed later. | ec2:DeleteTags |
| | To create tags on EC2 resources. Required to tag the created/restored resources with NetBackup Snapshot Manager metadata tags and source resource tags. | ec2:CreateTags |
| | To power on the specified instance. Required during restore flow where the option to start/stop the instance post restore is specified. | ec2:StartInstances |
| | To power off the specified instance. Required during restore flow where the option to start/stop the instance post restore is specified. | ec2:StopInstances |
| | To delete EC2 instance in case of failed restore operation. Also required to delete the intermediate EC2 instance created during restore from backup copy. | ec2:TerminateInstances |
| | To create EBS volume from snapshot. Used during volume snapshot restore and instance snapshot rollback restore. | ec2:CreateVolume |
| | To delete EBS volume in case of failed restore operation; delete detached volumes in case of successful rollback restore; delete the intermediate volume created during GRT operation; delete volumes along with the intermediate EC2 instance created during restore from backup copy. | ec2:DeleteVolume |
| | To get IAM instance profile association status for the IAM role attached to the restored instance. | ec2:DescribeIamInstanceProfileAssociations |
| | To attach IAM role to the restored EC2 instance. | ec2:AssociateIamInstanceProfile |
| | To associate elastic IP to EC2 instance/network interface during restore. | ec2:AssociateAddress |
| | To list the SSH key pairs for validating the user-provided key pair for associating with the restored EC2 instance. | ec2:DescribeKeyPairs |
| | To check whether the availability zone associated with the selected subnet for EC2 instance restore supports the instance type. | ec2:DescribeInstanceTypeOfferings |
| | Internally used by AWS to check whether EBS encryption by default is enabled for the account in the current region. | ec2:GetEbsEncryptionByDefault |
| | To modify block device mappings as per the original instance on the restored EC2 instance. | ec2:ModifyInstanceAttribute |
| Backup from snapshot | To list the blocks of the snapshot(s) being backed up. | ebs:ListSnapshotBlocks |
| | To get the data of a particular snapshot block (read snapshot block). | ebs:GetSnapshotBlock |
| | To list the changed blocks between two snapshots of the same EBS volume. | ebs:ListChangedBlocks |
| Restore from backup copy | To mark the snapshot as complete after writing all the blocks (close the snapshot post restore). | ebs:CompleteSnapshot |
| | To write the blocks to the newly created snapshot during restore from backup. | ebs:PutSnapshotBlock |
| | To create an empty snapshot to be used to write blocks for restoring from backup copy. | ebs:StartSnapshot |
| Identity management and authorization | To get the alias of the AWS account configured in the CSP. This is used as the display name of the AWS account in various contexts, including intelligent groups. | iam:ListAccountAliases |
| | Simulates IAM policies and permissions against a set of operations. Used to verify that the required permissions are present on the user/role being used for CSP configuration. | iam:SimulatePrincipalPolicy |
| PaaS workloads protection (DynamoDB) | To list DynamoDB tables during discovery. | dynamodb:ListTables |
| | To get the information of a particular DynamoDB table during backup. | dynamodb:DescribeTable |
| | To create table during restore. | dynamodb:CreateTable |
| | To do batch writes during restore of a DynamoDB table. | dynamodb:BatchWriteItem |
| | To list the continuous backups of a DynamoDB table during backup. | dynamodb:DescribeContinuousBackups |
| | To do a point-in-time export of a DynamoDB table with continuous backups to S3 during backup. | dynamodb:ExportTableToPointInTime |
| | To check the status of the export of the continuous backup of a DynamoDB table to S3. | dynamodb:DescribeExport |
| | To delete table in case of failure during restore. | dynamodb:DeleteTable |
| | To update DynamoDB table metadata. | dynamodb:UpdateTable |
| | To set continuous backups for the table if not already set. | dynamodb:UpdateContinuousBackups |
| | To import tables from S3. | dynamodb:ImportTable |
| | To describe the import operation. | dynamodb:DescribeImport |
| CloudWatch log restore with S3 (DynamoDB) | To create log groups to restore logs for DynamoDB import from S3 operations. | logs:CreateLogGroup |
| | To create the log stream used to read and write logs for DynamoDB import from S3 operations. | logs:CreateLogStream |
| | To describe log groups created during DynamoDB import from S3 operations. | logs:DescribeLogGroups |
| | To describe log streams created during DynamoDB import from S3 operations. | logs:DescribeLogStreams |
| | To write log events for DynamoDB import from S3 operations. | logs:PutLogEvents |
| | To set the log retention policy for the logs created during DynamoDB import from S3 operations. | logs:PutRetentionPolicy |
| PaaS workloads protection (Redshift databases) | To list databases of a Redshift cluster and retrieve information about database names and their metadata. This permission is at cluster level. | redshift:ListDatabases |
| | To connect to a Redshift cluster database using IAM. | redshift:GetClusterCredentialsWithIAM |
| | To run a query in a Redshift cluster database. | redshift-data:ExecuteStatement |
| | To list databases of a Redshift cluster via the redshift-data API, which is a different endpoint from the redshift API endpoint. This permission is required for Redshift Serverless. | redshift-data:ListDatabases |
| | To fetch the temporarily cached result of an SQL statement executed on Redshift cluster databases. | redshift-data:GetStatementResult |
| | For getting properties of Redshift clusters. | redshift:DescribeClusters |
| | For canceling a query executed on a Redshift cluster database, used during NetBackup job cancellation. | redshift-data:CancelStatement |
| | To connect to a Redshift cluster database. | redshift:GetClusterCredentials |
| | Required to get the details about a specific statement when a query is run by the Amazon Redshift Data API. | redshift-data:DescribeStatement |
| PaaS workloads protection (Redshift cluster) | To list databases of a Redshift cluster and retrieve information about database names and their metadata. This permission is at cluster level. | redshift:ListDatabases |
| | For getting properties of Redshift clusters. | redshift:DescribeClusters |
| | To create tags on Redshift cluster. | redshift:CreateTags |
| | To create a manual snapshot of the specified cluster. | redshift:CreateClusterSnapshot |
| | To get properties of cluster snapshots. | redshift:DescribeClusterSnapshots |
| | To delete a cluster snapshot. | redshift:DeleteClusterSnapshot |
| | To get cluster subnet groups. | redshift:DescribeClusterSubnetGroups |
| | To restore from cluster snapshot. | redshift:RestoreFromClusterSnapshot |
| | To access the internet gateway. | ec2:DescribeInternetGateways |
| | To list interface assignments and private IPs. | ec2:DescribeAddresses |
| | To list availability zones. | ec2:DescribeAvailabilityZones |
| | To list VPCs. | ec2:DescribeVpcs |
| | To get the account attributes list. | ec2:DescribeAccountAttributes |
| | To list subnets. | ec2:DescribeSubnets |
| | To list security groups. | ec2:DescribeSecurityGroups |
| | To access IAM roles. | iam:GetRole |
| PaaS workloads protection (Neptune) | To list AWS Neptune snapshots (discovery). | neptune:DescribeDBSnapshots |
| | To list AWS Neptune clusters (discovery). | neptune:DescribeDBClusters |
| | To delete AWS Neptune snapshot. | neptune:DeleteDBSnapshot |
| | To list AWS Neptune cluster. | neptune:DescribeDBClusters |
| | To create Neptune database snapshot. | neptune:CreateDBSnapshot |
| | To create Neptune database cluster. | neptune:CreateDBCluster |
| | To list Neptune database subnet groups. | neptune:DescribeDBSubnetGroups |
| | To delete Neptune database cluster snapshot. | neptune:DeleteDBSnapshot |
| | To list AWS Neptune cluster snapshots. | neptune:DescribeDBSnapshots |
| PaaS workloads protection (DocumentDB) | To list AWS DocumentDB snapshots (discovery). | rds:DescribeDBSnapshots |
| | To list AWS DocumentDB clusters (discovery). | rds:DescribeDBClusters |
| | To delete AWS DocumentDB snapshot. | rds:DeleteDBSnapshot |
| | To list AWS DocumentDB cluster. | rds:DescribeDBClusters |
| | To create DocumentDB database snapshot. | rds:CreateDBSnapshot |
| | To create DocumentDB database cluster. | rds:CreateDBCluster |
| | To list DocumentDB database subnet groups. | rds:DescribeDBSubnetGroups |
| | To delete DocumentDB database cluster snapshot. | rds:DeleteDBSnapshot |
| | To list Amazon DocumentDB cluster snapshots. | rds:DescribeDBClusterSnapshots |
| PaaS workloads protection (RDS Custom for Oracle and RDS Custom for SQL) | To set up a trail that records API activity for your AWS account, enabling you to track and monitor resource usage, security events, and user actions. | cloudtrail:CreateTrail |
| | To enable logging for an AWS CloudTrail trail. | cloudtrail:StartLogging |
| PaaS workloads protection (S3) | To create an S3 bucket, required during DynamoDB, Custom for SQL, Custom for Oracle, and Redshift backups/restores. | s3:CreateBucket |
| | To check whether a bucket already exists, used during DynamoDB, Custom for SQL, Custom for Oracle, and Redshift backups/restores. | s3:ListBucket |
| | To retrieve the ACLs of an S3 object (file) stored in a bucket during DynamoDB, Custom for SQL, Custom for Oracle, and Redshift backups. | s3:GetObjectAcl |
| | To retrieve the contents of an S3 object (file) stored in a bucket during DynamoDB, Custom for SQL, Custom for Oracle, and Redshift backups. | s3:GetObject |
| | To remove an object from an S3 bucket, required during DynamoDB and Redshift backups/restores. | s3:DeleteObject |
| | To upload data to an S3 bucket, required during DynamoDB and Redshift restores. | s3:PutObject |
| Restore object lock S3 | To place an Object Retention configuration on objects. | s3:PutObjectRetention |
| | To modify the bucket policy of an Amazon S3 bucket during Custom for Oracle and Custom for SQL backups. | s3:PutBucketPolicy |
| | To configure or modify the Object Lock configuration for an Amazon S3 bucket during Custom for Oracle and Custom for SQL backups. | s3:PutBucketObjectLockConfiguration |
| | To enable or modify versioning for an Amazon S3 bucket during Custom for Oracle and Custom for SQL backups. | s3:PutBucketVersioning |
| | To retrieve the tags associated with an object in an Amazon S3 bucket during Custom for Oracle and Custom for SQL backups. | s3:GetObjectTagging |
| Provider managed consistent snapshots | To send a command to the instance configured with SSM; it runs the SSM document to take the snapshot. | ssm:SendCommand |
| | To get details of the SSM document and to check the existence of the document created by NetBackup Snapshot Manager for taking application-consistent snapshots. | ssm:DescribeDocument |
| | To get the list of instances configured with SSM which are online. The information is also used to fetch the platform of the instance. | ssm:DescribeInstanceInformation |
| | To update the default version of the SSM document created by NetBackup Snapshot Manager. | ssm:UpdateDocumentDefaultVersion |
| | To update the contents of the SSM document with the latest one in case of upgrade. | ssm:UpdateDocument |
| | To create the SSM document which is used to take application-consistent snapshots. | ssm:CreateDocument |
| | To get the status and output of the command, that is, document execution and snapshot response. | ssm:GetCommandInvocation |
| | To take application-consistent snapshots. | ssm:ListCommands |
| Provider managed consistent snapshots (permissions on workload VM) | Role/Policy attached to the workload VM. | AmazonSSMManagedInstanceCore |
| | To create a consistent snapshot of the workload VM on which the SSM document runs. | ec2:CreateSnapshots |
| | To create tags on the snapshots created through the SSM document. | ec2:CreateTags |
| | To create snapshots of the VM disk by disk. | ec2:CreateSnapshot |

Kubernetes cluster based

| Feature | Task/Operation | Required permission |
|---|---|---|
| EKS | Role/Policy. | AmazonEKSClusterPolicy, AmazonEKSWorkerNodePolicy, AmazonEC2ContainerRegistryPowerUser, AmazonEKS_CNI_Policy, AmazonEKSServicePolicy |
| | To get the Kubernetes cluster's node group details regarding scaling configuration. | eks:DescribeNodegroup |
| | To get the status of the scaling done on the cluster. | eks:DescribeUpdate |
| | To scale the Kubernetes cluster (update node group size). | eks:UpdateNodegroupConfig |
| | To list Kubernetes clusters (discover cluster). | eks:ListClusters |
| | To get the information of the specified Kubernetes cluster (discover cluster attributes). | eks:DescribeCluster |
| | To fetch the list of node groups in the EKS cluster. | eks:ListNodegroups |

Marketplace deployment

| Feature | Task/Operation | Required permission |
|---|---|---|
| High availability | Required for EKS and for marketplace deployment. | autoscaling:UpdateAutoScalingGroup, autoscaling:AttachInstances |
| | For DR through marketplace. | autoscaling:DescribeScalingActivities, autoscaling:TerminateInstanceInAutoScalingGroup |
| | To send notifications during DR. | sns:Publish, sns:GetTopicAttributes |
| Deployment | To add the specified outbound (egress) rules to a security group during restore. | ec2:AuthorizeSecurityGroupEgress |
| | To add the specified inbound (ingress) rules to a security group during restore. | ec2:AuthorizeSecurityGroupIngress |
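Added example (not part of this guide or the product): the Python below assembles a least-privilege policy document from a subset of the feature rows in the table above and checks a role against it with iam:SimulatePrincipalPolicy, the same API the table lists under "Identity management and authorization". The FEATURE_ACTIONS subset, the sample simulation response and the role ARN placeholder are constructed here; simulate_role() needs boto3 and real credentials, the other functions run offline.

```python
"""Least-privilege policy assembly and verification for NetBackup Snapshot Manager on AWS.

Added example: FEATURE_ACTIONS copies a few feature rows from the permissions table;
SAMPLE_SIMULATION is a constructed SimulatePrincipalPolicy response.
"""
import json
import re
from typing import Dict, Iterable, List

# Subset of the feature -> permissions rows (constructed from the table, not a
# complete copy). Add the rows for the workloads you actually protect.
FEATURE_ACTIONS: Dict[str, List[str]] = {
    "Backup of EC2 resources": [
        "sts:GetCallerIdentity", "ec2:CreateSnapshot", "ec2:CreateSnapshots",
        "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumes",
        "ec2:CopySnapshot", "ec2:DeleteSnapshot", "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones", "ec2:DescribeTags",
    ],
    "Backup from snapshot": [
        "ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock", "ebs:ListChangedBlocks",
    ],
    "Restore from backup copy": [
        "ebs:StartSnapshot", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot",
    ],
    "Identity management and authorization": [
        "iam:ListAccountAliases", "iam:SimulatePrincipalPolicy",
    ],
}

# IAM action names are "service:Action"; a stray space or lowercase verb is a typo
# that silently grants nothing.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9]+$")


def validate_actions(actions: Iterable[str]) -> List[str]:
    """Return action names that are not well-formed 'service:Action'."""
    return [a for a in actions if not ACTION_RE.match(a)]


def build_policy(features: Iterable[str]) -> dict:
    """Return an IAM policy document that allows only the selected features' actions."""
    actions = set()
    for feature in features:
        if feature not in FEATURE_ACTIONS:
            raise KeyError(f"unknown feature: {feature}")
        actions.update(FEATURE_ACTIONS[feature])
    bad = validate_actions(actions)
    if bad:
        raise ValueError(f"malformed action names: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "NetBackupSnapshotManager",
            "Effect": "Allow",
            "Action": sorted(actions),
            # "*" mirrors the guide's role definition; narrow it where an action
            # supports resource-level permissions (for example tag-scoped EC2 calls).
            "Resource": "*",
        }],
    }


def missing_actions(required: Iterable[str], simulation: dict) -> List[str]:
    """Given a SimulatePrincipalPolicy response, return required actions not 'allowed'.

    An action absent from EvaluationResults is reported as missing too, so a
    truncated or partial response never passes silently.
    """
    decisions = {r["EvalActionName"]: r["EvalDecision"]
                 for r in simulation.get("EvaluationResults", [])}
    return sorted(a for a in required if decisions.get(a) != "allowed")


def simulate_role(role_arn: str, actions: List[str]) -> List[str]:
    """Run iam:SimulatePrincipalPolicy for a role and return the actions it lacks.

    Needs boto3 and credentials that themselves hold iam:SimulatePrincipalPolicy.
    """
    import boto3  # imported lazily so the pure functions above run offline
    iam = boto3.client("iam")
    results = {"EvaluationResults": []}
    paginator = iam.get_paginator("simulate_principal_policy")
    for page in paginator.paginate(PolicySourceArn=role_arn, ActionNames=list(actions)):
        results["EvaluationResults"].extend(page["EvaluationResults"])
    return missing_actions(actions, results)


# Constructed sample response: one action allowed, one implicitly denied, and
# ebs:ListChangedBlocks not evaluated at all.
SAMPLE_SIMULATION = {
    "EvaluationResults": [
        {"EvalActionName": "ebs:ListSnapshotBlocks", "EvalDecision": "allowed"},
        {"EvalActionName": "ebs:GetSnapshotBlock", "EvalDecision": "implicitDeny"},
    ]
}

if __name__ == "__main__":
    policy = build_policy(["Backup of EC2 resources", "Backup from snapshot"])
    print(json.dumps(policy, indent=2))
    print("missing:", missing_actions(FEATURE_ACTIONS["Backup from snapshot"], SAMPLE_SIMULATION))
    # Against a real role (placeholder ARN):
    # print(simulate_role("arn:aws:iam::123456789012:role/ROLE_NAME_PLACEHOLDER",
    #                     policy["Statement"][0]["Action"]))
```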