Agentless, cloud-native backup for Amazon Web Services (AWS)
kmontgo
Lurker
Posts: 2
Liked: never
Joined: Apr 30, 2024 5:50 pm
Full Name: Kent Montgomery

Service IAM Roles in Backup Account

Post by kmontgo »

Hello,

Service IAM Roles in Backup Account requires many IAM and EC2 permissions with a Resource of "*" as the default.
The permissions being called out on a security audit are `iam:PutRolePolicy`, `iam:AttachRolePolicy`, `iam:PassRole` and `ec2:RunInstances` as examples.

Is there a way to restrict these permissions to only the VBA_Worker instances? Maybe some other method of narrowing the scope of these rights?

Thank you!
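
An added example, not part of the original posts and not Veeam's code: a small Python check that lists the statements an audit like the one described above would flag, that is, `Allow` statements granting the four named actions on Resource `"*"`. The sample policy, Sids, account ID, role name and organization ID are constructed for illustration.

```python
import fnmatch
import json

# Actions named in the question as audit findings.
AUDITED_ACTIONS = ["iam:PutRolePolicy", "iam:AttachRolePolicy",
                   "iam:PassRole", "ec2:RunInstances"]

def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])

def find_unscoped(policy):
    """Return (sid, action, has_condition) for audited actions allowed on "*"."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be an object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        # NotAction / NotResource statements are not evaluated by this check.
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        # Action names are case-insensitive and may contain * or ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        for action in AUDITED_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                sid = stmt.get("Sid", f"statement[{idx}]")
                findings.append((sid, action, "Condition" in stmt))
    return findings

# Constructed sample policy (not taken from the product's user guide).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Wide", "Effect": "Allow",
     "Action": ["iam:PassRole", "ec2:RunInstances", "ec2:DescribeInstances"],
     "Resource": "*"},
    {"Sid": "WildcardAction", "Effect": "Allow", "Action": "iam:Put*",
     "Resource": ["*"],
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "Scoped", "Effect": "Allow", "Action": "iam:AttachRolePolicy",
     "Resource": "arn:aws:iam::111122223333:role/example-worker-role"}
  ]
}
""")

if __name__ == "__main__":
    for sid, action, has_condition in find_unscoped(SAMPLE_POLICY):
        print(f"{sid}: {action} on '*' (condition present: {has_condition})")
```

The `has_condition` flag separates statements that are wide open from those that use `"*"` but narrow it with a `Condition` block, which an auditor may treat differently.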
nielsengelen
Product Manager
Posts: 5729
Liked: 1205 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Service IAM Roles in Backup Account

Post by nielsengelen »

Hi Kent,

Sorry for the late reply.

We have a list of IAM permissions required in our user guide.

These are the minimum requirements to ensure everything works. Within the product, we also have the option to create dedicated roles for specific features (workloads, workers). Have you tried this already by any chance?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen

Re: Service IAM Roles in Backup Account

Post by kmontgo »

Niels,

I had not considered using the dedicated role option and that may help with the privilege restriction.

Thank you for the feedback,

Kent

Re: Service IAM Roles in Backup Account

Post by nielsengelen »

No problem. Please let us know if you face any issues or questions.

Thanks!