AWS IAM Permissions for the Data Plane
IAM permissions required by the Aurva Data Plane on AWS.
Permission Grouping
The permissions are grouped into three categories, based on the product(s) you intend to use. Every statement below uses `"Effect": "Allow"` only; attach them to the data-plane role and grant nothing beyond the categories you need.
- Common permissions: required by every deployment, regardless of product. These are metadata-only (`Describe*`/`List*`/metric reads) and do not grant access to stored data.
- DSPM permissions: required by the DSPM product suite. Several of these statements (S3 `GetObject`, DynamoDB `Scan`/`Query`/`GetItem`, Keyspaces `Select`, Secrets Manager `GetSecretValue`, KMS `Decrypt`) read data or secrets, so scope their `Resource` to the stores in scope wherever the action supports resource-level permissions.
- DAM permissions: required by the DAM product suite.
Follow the link below if you want to review the data-plane architecture across the various deployment types.
Common Permissions
**RDS**
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBClusterEndpoints",
"rds:DescribeDBClusterParameters",
"rds:DescribeDBClusters",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBInstanceAutomatedBackups",
"rds:DescribeDBInstances",
"rds:DescribeDBMajorEngineVersions",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSnapshotAttributes"
],
"Resource": "*"
}
]
}
**CloudWatch**
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:GenerateQuery",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}
EC2
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeRegions"
],
"Resource": "*"
}
]
}
DSPM Policies
KMS

Note: `kms:Decrypt` with `"Resource": "*"` lets the data-plane role decrypt with any KMS key whose key policy trusts the role. Restrict `Resource` to the ARNs of the keys that encrypt the data stores being scanned, or add a `kms:ViaService` condition limiting decryption to the relevant services; `kms:ListKeys` and `kms:DescribeCustomKeyStores` still need `"*"`.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:GetPublicKey",
"kms:ListKeys",
"kms:Decrypt",
"kms:DescribeKey",
"kms:DescribeCustomKeyStores"
],
"Resource": "*"
}
]
}
Redshift
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters",
"redshift:DescribeNodeConfigurationOptions",
"redshift:DescribeClusterParameters",
"redshift:DescribeStorage",
"redshift:DescribeClusterVersions",
"redshift:DescribeTable",
"redshift:ListDatabases",
"redshift:ListTables",
"redshift:ListSchemas",
"redshift:FetchResults"
],
"Resource": "*"
}
]
}
**S3**

Note: `s3:GetObject` with `"Resource": "*"` grants read access to every object in every bucket in the account. Scope the object and bucket actions to the buckets in scope (`arn:aws:s3:::<bucket>` and `arn:aws:s3:::<bucket>/*`) in their own statement; `s3:ListAllMyBuckets` only supports `"Resource": "*"` and must stay in a separate statement.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetBucketVersioning",
"s3:GetEncryptionConfiguration",
"s3:GetBucketPolicy",
"s3:GetObject",
"s3:GetObjectAttributes",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": "*"
}
]
}
Secrets Manager

Note: `secretsmanager:ListSecrets` does not support resource-level permissions; with `Resource` set to a specific secret ARN the `ListSecrets` call will be denied. Put `ListSecrets` in a separate statement with `"Resource": "*"` and keep `GetSecretValue`, `DescribeSecret` and `ListSecretVersionIds` scoped to the database-specific secret ARN(s), as shown below.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:ListSecrets"
],
"Resource": "<database-specific-secrets-arn>"
}
]
}
**DynamoDB**

Note: `dynamodb:Scan`, `Query`, `GetItem` and `GetRecords` read table contents, not just metadata. Where possible, scope them to the table ARNs in scope (`arn:aws:dynamodb:<region>:<account>:table/<name>` and `.../stream/*`); the `List*` actions only support `"Resource": "*"`.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:DescribeEndpoint",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeBackup",
"dynamodb:ListTables",
"dynamodb:ListStreams",
"dynamodb:ListGlobalTables",
"dynamodb:ListBackups",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:GetRecords",
"dynamodb:DescribeContinuousBackups"
],
"Resource": "*"
}
]
}
ElastiCache
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheEngineVersions",
"elasticache:DescribeEngineDefaultParameters",
"elasticache:DescribeCacheParameterGroups"
],
"Resource": "*"
}
]
}
DocumentDB

Note: confirm the action prefix against the AWS Service Authorization Reference for your cluster type — instance-based DocumentDB clusters are authorized through `rds:` actions, while elastic clusters use the `docdb-elastic:` prefix.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"docdb:ListClusters",
"docdb:ListClusterSnapshots",
"docdb:GetCluster",
"docdb:GetClusterSnapshot"
],
"Resource": "*"
}
]
}
Keyspaces

Note: `cassandra:Select` reads row data; restrict `Resource` to the keyspace/table ARNs in scope where the deployment allows it.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cassandra:ListStreams",
"cassandra:GetRecords",
"cassandra:GetShardIterator",
"cassandra:GetStream",
"cassandra:Select",
"cassandra:SelectMultiRegionResource"
],
"Resource": "*"
}
]
}