Minimum Required AWS Permissions

The AWS identity used by the ZCA (Zerto Cloud Appliance) needs only the subset of AWS permissions listed on this page, rather than administrative access. Granting just this subset gives the Zerto customer tighter control over what the ZCA can do in their AWS environment.


Tip:  To create a custom IAM role with exactly these permissions, use the policy in the following section: Minimum required AWS permissions - in JSON format.

Permissions are required for:

Installing Zerto on AWS
Failover to AWS
Failover from AWS
Basic functionality
Collection of environment data

The following table lists the minimum required permissions, grouped by the Resource they are granted on, together with the task and the AWS service each permission is required for. Action names are given without their service prefix (ec2:, s3:, iam:, cloudtrail:); the JSON policy in the next section carries the full names.

Resource: *

Permission                         Required for                             Service
AttachNetworkInterface             Failover to AWS                          EC2
AttachVolume                       Failover to AWS                          EC2
CancelConversionTask               Failover to AWS                          EC2
CancelImportTask                   Failover to AWS                          EC2
CreateNetworkInterface             Failover to AWS                          EC2
CreateSnapshot                     Failover from AWS                        EC2
CreateTags                         Basic functionality                      EC2
CreateVolume                       Failover to AWS                          EC2
DeleteNetworkInterface             Basic functionality                      EC2
DeleteSnapshot                     Failover from AWS                        EC2
DeleteTags                         Basic functionality                      EC2
DeleteVolume                       Failover to AWS                          EC2
DeregisterImage                    Failover from AWS                        EC2
DescribeAvailabilityZones          Collection of environment data           EC2
DescribeConversionTasks            Failover to AWS                          EC2
DescribeImages                     Basic functionality; Failover from AWS   EC2
DescribeInstanceAttribute          Failover from AWS                        EC2
DescribeInstances                  Collection of environment data           EC2
DescribeInstanceStatus             Basic functionality                      EC2
DescribeNetworkInterfaces          Basic functionality                      EC2
DescribeRegions                    Collection of environment data           EC2
DescribeSnapshots                  Failover from AWS                        EC2
DescribeSecurityGroups             Collection of environment data           EC2
DescribeSubnets                    Collection of environment data           EC2
DescribeTags                       Failover from AWS                        EC2
DescribeVolumes                    Collection of environment data           EC2
DescribeVolumeStatus               Failover from AWS                        EC2
DescribeVpcEndpoints               Failover from AWS                        EC2
DescribeVpcs                       Collection of environment data           EC2
DetachNetworkInterface             Failover from AWS                        EC2
DetachVolume                       Failover to AWS                          EC2
ImportInstance                     Failover to AWS                          EC2
ImportVolume                       Failover to AWS                          EC2
ModifyVolume                       Failover from AWS                        EC2
ModifyInstanceAttribute            Basic functionality                      EC2
ModifyNetworkInterfaceAttribute    Failover from AWS                        EC2
RunInstances                       Basic functionality                      EC2
StartInstances                     Failover to AWS                          EC2
StopInstances                      Failover to AWS                          EC2
TerminateInstances                 Basic functionality                      EC2
ListAllMyBuckets                   Basic functionality                      S3
HeadBucket                         Collection of environment data           S3
GetPolicyVersion                   Installing Zerto on AWS                  IAM
ListAttachedRolePolicies           Installing Zerto on AWS                  IAM
ListPolicyVersions                 Installing Zerto on AWS                  IAM
PassRole                           Installing Zerto on AWS                  IAM
DescribeTrails                     Collection of environment data           CloudTrail
GetTrailStatus                     Collection of environment data           CloudTrail
LookupEvents                       Collection of environment data           CloudTrail

Resource: arn:aws:s3:::zerto*/*  (objects in buckets whose name begins with zerto)

Permission                         Required for                             Service
PutObject                          Basic functionality                      S3
GetObject                          Basic functionality                      S3
GetObjectVersion                   Basic functionality                      S3
DeleteObjectVersion                Basic functionality                      S3
DeleteObject                       Basic functionality                      S3

Resource: arn:aws:s3:::zerto*  (buckets whose name begins with zerto)

Permission                         Required for                             Service
ListBucketMultipartUploads         Basic functionality; Failover from AWS   S3
PutBucketTagging                   Basic functionality                      S3
PutLifecycleConfiguration          Basic functionality                      S3
ListBucketVersions                 Basic functionality                      S3
CreateBucket                       Basic functionality                      S3
ListBucket                         Basic functionality                      S3
GetBucketLocation                  Basic functionality                      S3
DeleteBucket                       Basic functionality                      S3
GetBucketPolicy                    Collection of environment data           S3

Resource: *, with Condition StringEquals ec2:ResourceTag/ZERTO_TAG: "ZERTO_VPC_RESOURCE"
(these three actions are allowed only on resources that carry the tag ZERTO_TAG with the value ZERTO_VPC_RESOURCE; on an untagged resource the call is denied)

Permission                         Required for                             Service
AuthorizeSecurityGroupIngress      Failover to AWS                          EC2
CreateSecurityGroup                Basic functionality                      EC2
DeleteSecurityGroup                Basic functionality                      EC2

Minimum required AWS permissions - in JSON format

Permissions for an IAM role are granted by attaching a policy written in JSON. The policy below grants the permissions listed in the table above; attach it to the role the ZCA runs under. For further details, see Zerto - Prerequisites & Requirements for Amazon Web Services (AWS).

Two points to check before attaching the policy. First, the table lists ec2:DeregisterImage (Failover from AWS), which the policy below does not include; add it to the first statement if your deployment needs the full set from the table. Second, iam:PassRole is granted on Resource "*", which permits the ZCA to pass any role in the account; where your deployment allows it, restrict that action's Resource to the ARN of the role the ZCA actually has to pass. The S3 statements are already scoped to buckets whose names begin with zerto, and the security-group statement is scoped by the ZERTO_TAG condition.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:CancelConversionTask",
        "ec2:CancelImportTask",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSnapshot",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ec2:DetachNetworkInterface",
        "ec2:DetachVolume",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "s3:HeadBucket",
        "s3:ListAllMyBuckets",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "iam:GetPolicyVersion",
        "iam:ListAttachedRolePolicies",
        "iam:ListPolicyVersions",
        "iam:PassRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::zerto*/*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketTagging",
        "s3:PutLifecycleConfiguration",
        "s3:ListBucketVersions",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:DeleteBucket",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::zerto*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/ZERTO_TAG": "ZERTO_VPC_RESOURCE"
        }
      }
    }
  ]
}
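The following script is an added example for reviewing this policy offline; it is not Zerto's code or tooling. It embeds the policy above, groups the granted actions by Resource scope, lists the state-changing actions that are granted on Resource "*" with no Condition (the lines a reviewer scopes first, iam:PassRole among them), and evaluates a few sample requests so the effect of the ZERTO_TAG condition and the zerto* bucket prefix is visible before the policy is attached to a role. The account ID, VPC ID, bucket names and object keys used in the sample requests are made up for illustration. The evaluator handles only the constructs this policy uses (Allow statements, "*" wildcards in Resource, StringEquals on ec2:ResourceTag keys) and is not a substitute for the IAM policy simulator.

```python
"""Static review of the ZCA IAM policy from this page (added example, not Zerto's code)."""
import fnmatch
import json


def acts(service, names):
    """Expand 'Name Name ...' into ['service:Name', ...]."""
    return [f"{service}:{n}" for n in names.split()]


# The policy from this page, written compactly. Action sets are identical to the JSON above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
         "Action": acts("ec2", """
            AttachNetworkInterface AttachVolume CancelConversionTask CancelImportTask
            CreateNetworkInterface CreateSnapshot CreateTags CreateVolume
            DeleteNetworkInterface DeleteSnapshot DeleteTags DeleteVolume
            DescribeAvailabilityZones DescribeConversionTasks DescribeImages
            DescribeInstanceAttribute DescribeInstances DescribeInstanceStatus
            DescribeNetworkInterfaces DescribeRegions DescribeSecurityGroups
            DescribeSnapshots DescribeSubnets DescribeTags DescribeVolumes
            DescribeVolumeStatus DescribeVpcEndpoints DescribeVpcs
            DetachNetworkInterface DetachVolume ImportInstance ImportVolume
            ModifyInstanceAttribute ModifyNetworkInterfaceAttribute ModifyVolume
            RunInstances StartInstances StopInstances TerminateInstances""")
         + acts("s3", "HeadBucket ListAllMyBuckets")
         + acts("cloudtrail", "DescribeTrails GetTrailStatus LookupEvents")
         + acts("iam", "GetPolicyVersion ListAttachedRolePolicies ListPolicyVersions PassRole")},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Resource": "arn:aws:s3:::zerto*/*",
         "Action": acts("s3", "PutObject GetObject DeleteObjectVersion DeleteObject GetObjectVersion")},
        {"Sid": "VisualEditor2", "Effect": "Allow", "Resource": "arn:aws:s3:::zerto*",
         "Action": acts("s3", """ListBucketMultipartUploads PutBucketTagging
            PutLifecycleConfiguration ListBucketVersions CreateBucket ListBucket
            GetBucketLocation DeleteBucket GetBucketPolicy""")},
        {"Sid": "VisualEditor3", "Effect": "Allow", "Resource": "*",
         "Action": acts("ec2", "AuthorizeSecurityGroupIngress CreateSecurityGroup DeleteSecurityGroup"),
         "Condition": {"StringEquals": {"ec2:ResourceTag/ZERTO_TAG": "ZERTO_VPC_RESOURCE"}}},
    ],
}

# Action-name prefixes treated as read-only for the review below.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Head", "Lookup")


def actions_by_resource(policy):
    """Map each Resource string in the policy to the set of actions granted on it."""
    scoped = {}
    for st in policy["Statement"]:
        scoped.setdefault(st["Resource"], set()).update(st["Action"])
    return scoped


def unscoped_write_actions(policy):
    """State-changing actions granted on Resource "*" with no Condition attached."""
    found = set()
    for st in policy["Statement"]:
        if st["Resource"] != "*" or "Condition" in st:
            continue
        for action in st["Action"]:
            if not action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return found


def allows(policy, action, resource_arn, resource_tags=None):
    """True if some Allow statement matches the request. The policy has no Deny
    statements, so the first matching Allow decides. resource_tags stands in for
    the ec2:ResourceTag/<key> condition keys AWS derives from the target resource;
    a missing tag key fails StringEquals, as it does in IAM."""
    resource_tags = resource_tags or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        if not fnmatch.fnmatchcase(resource_arn, st["Resource"]):
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        if all(resource_tags.get(key.split("/", 1)[1]) == value for key, value in equals.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps({r: sorted(a) for r, a in actions_by_resource(POLICY).items()}, indent=2))
    print("Review first (write actions on Resource * without a Condition):")
    print("\n".join(sorted(unscoped_write_actions(POLICY))))
```

Running the script prints the actions grouped by scope and the list to review first. Because ec2:DeregisterImage is absent from the policy, `allows(POLICY, "ec2:DeregisterImage", ...)` returns False for any AMI, which is the gap between the table and the JSON noted above.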