This repo contains individual JSON files for Amazon Web Services (AWS) IAM user permissions that are required for specific cloud operations with Cohesity.
The following Cohesity DataPlatform features are covered in this package:
- CloudArchive: Applies when using AWS S3 or Glacier for long-term retention of backups.
- CloudSpin On-Demand: Applies when cloning Virtual Machines (VMs) to AWS.
- CloudSpin Policy Based (Full): Applies when using a Protection Policy to stage VMs in AWS. Each backup contains a full copy of the VM (always full).
- CloudSpin Policy Based (Incremental): Applies when using a Protection Policy to stage VMs in AWS. The first backup is full, with all subsequent backups being incremental (incremental forever).
- DataPlatform Cloud Edition Deployment: Applies when deploying DataPlatform Cloud Edition to AWS.
- Native Cloud Data Protection: Applies when backing up native AWS EC2 instances on Cohesity.
To limit permissions to a minimum, Cohesity relies on attaching a policy containing only the permissions a feature needs directly to an IAM user, as an inline policy. Users can also create a managed policy (AWS Console > IAM > Policies) for each of the capabilities listed above and attach that instead.
Managed (persistent) policies allow administrators to manage changes to policies in a single place across multiple users, with changes taking effect immediately and automatically for every user the policy is attached to. This is preferred to inline policies, which require administrators to find each user that has an inline policy and implement changes manually on an individual user basis.
To create a managed policy in AWS, do the following:
- Log into the AWS console.
- Click the Services menu item and select IAM from the list.
- Click on the Policies section.
- Click the Create policy button.
- Click the JSON tab.
- Select all text within the policy editor.
- Copy and paste the appropriate JSON policy from one of the included JSON files in this package.
- Click the Review policy button.
- Enter an appropriate name for the policy in the Name field.
- Click the Create policy button.
- Click on Users section.
- Locate and click the user that will have the managed policy assigned.
- Click the Add permissions button.
- Click the Attach existing policies directly button.
- Search for your policy. It is recommended that you include "Cohesity" or some other unique term in the policy names so that searching for them is easy. Click the checkbox beside the appropriate policy.
- Click the Next: Review button.
- Click the Add permissions button.
Each user can have an inline (one-off) policy assigned directly. This section covers assigning inline policies to AWS IAM users. If you are using managed policies, you don't need to assign inline policies.
To assign an inline policy to an AWS IAM user, do the following:
- Log into the AWS console.
- Click the Services menu item and select IAM from the list.
- Click on the Users section.
- Locate and click the user that will have the inline policy assigned.
- Click the Add inline policy link.
- Click the JSON tab.
- Select all text within the policy editor.
- Copy and paste the appropriate JSON policy from one of the included JSON files in this package.
- Click the Review policy button.
- Enter an appropriate name for the policy in the Name field.
- Click the Create policy button.
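The two console procedures above (managed policy created and attached, or inline policy written to the user) can be scripted, and scripting is also the natural place to check a policy document for least privilege before it is attached. The following is an added example, not code from this package or from Cohesity. It assumes a boto3 IAM client (`boto3.client("iam")`, whose `create_policy`, `attach_user_policy` and `put_user_policy` methods are the API equivalents of the console steps), but takes the client as a parameter so the `RecordingIAM` stand-in lets it run offline. `SAMPLE_POLICY` is constructed and deliberately over-broad; it is not one of the JSON files in this repo. The `policy_name_for` helper only implements the "Cohesity" naming recommendation above and the read-only-action heuristic in `lint_policy` is the author's, not an AWS rule.

```python
"""Lint a Cohesity-style IAM policy document, then attach it to an IAM user.
Added example, not code from the Cohesity package. SAMPLE_POLICY is a
constructed, deliberately over-broad stand-in for one of the repo's files."""
import json
import sys

IAM_POLICY_VERSION = "2012-10-17"
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Constructed sample: statement 0 is the kind of scoped grant the package
# contains; statements 1 and 2 are the over-broad grants the linter must catch.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::cohesity-archive/*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}


def as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Heuristic (not an AWS rule): Describe*/List*/Get* calls often have no resource ARN."""
    return ":" in action and action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def lint_policy(document):
    """Return a list of findings; empty means the document looks like a least-privilege grant."""
    findings = []
    if document.get("Version") != IAM_POLICY_VERSION:
        findings.append(f"Version must be {IAM_POLICY_VERSION}")
    statements = as_list(document.get("Statement"))
    if not statements:
        findings.append("policy has no statements")
    for i, st in enumerate(statements):
        actions, resources = as_list(st.get("Action")), as_list(st.get("Resource"))
        if st.get("Effect") != "Allow":
            findings.append(f"statement {i}: expected Effect Allow")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grant everything not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        # Resource "*" is normal for read-only calls without a resource ARN; combined
        # with mutating or wildcard actions it is an account-wide grant.
        if "*" in resources and any(not is_read_only(a) for a in actions):
            findings.append(f"statement {i}: Resource '*' on non-read-only actions")
    return findings


def policy_name_for(feature):
    """Searchable name with the recommended 'Cohesity' prefix, e.g. Cohesity-CloudArchive."""
    return "Cohesity-" + "".join(c for c in feature if c.isalnum() or c in "+=,.@-_")


def deploy_policy(iam, user_name, policy_name, document, inline=False):
    """Attach `document` to `user_name`, refusing anything lint_policy() flags.
    `iam` is boto3.client("iam") or any object with the same create_policy /
    attach_user_policy / put_user_policy methods. Returns the managed policy
    ARN, or the policy name when written inline."""
    findings = lint_policy(document)
    if findings:
        raise ValueError("refusing to attach policy: " + "; ".join(findings))
    body = json.dumps(document)
    if inline:
        iam.put_user_policy(UserName=user_name, PolicyName=policy_name, PolicyDocument=body)
        return policy_name
    arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=body)["Policy"]["Arn"]
    iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    return arn


class RecordingIAM:
    """Offline stand-in for boto3.client("iam"): records calls, returns a made-up ARN."""
    def __init__(self):
        self.calls = []

    def create_policy(self, **kw):
        self.calls.append(("create_policy", kw))
        return {"Policy": {"Arn": f"arn:aws:iam::123456789012:policy/{kw['PolicyName']}"}}

    def attach_user_policy(self, **kw):
        self.calls.append(("attach_user_policy", kw))
        return {}

    def put_user_policy(self, **kw):
        self.calls.append(("put_user_policy", kw))
        return {}


if __name__ == "__main__":
    # Usage: python lint_policy.py [policy.json]; lints the constructed sample by default.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for finding in lint_policy(doc) or ["no findings"]:
        print(finding)
```

Run against a file from this repo to confirm it lints clean, then call `deploy_policy(boto3.client("iam"), user, policy_name_for("CloudArchive"), doc)` with real credentials to create and attach the managed policy, or pass `inline=True` for the inline variant. Refusing to attach on any finding is deliberate: a policy that grants `ec2:*` on `Resource: "*"` to a backup service user is the mistake the per-feature files in this package exist to avoid.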
- James White