Connect to AWS Accounts

Appranix requires a way to be authenticated and authorized to connect to the customer AWS account to provide resilience for their cloud application environment.

Pre-requisites

To onboard an AWS account in Appranix, a few roles and permissions in AWS should be enabled through an AWS CloudFormation stack. The onboarding user should have the permissions listed below in the AWS account to create a Role Stack for Appranix in AWS.

  • AWSCloudFormationFullAccess
  • IAMFullAccess

To add a new AWS Cloud Connection in Appranix, follow the below steps:

  1. Navigate to "Cloud Connections", click "Add Cloud Connection," and choose "AWS Cloud"
  2. Fill in the Name and Description for the Cloud Connection
  3. Select the operational regions where your protection and recovery operations need to be done
  4. Enable the services required and click next
  5. Select the "IAM permission" type for the Cloud Connection
  6. After choosing the IAM permission, launch the CloudFormation template in your AWS console
  7. After the execution, copy the ARN from the output section of the CloudFormation screen
  8. Register the cloud and wait for the progress of the connection to see the discovered resources

If you run into technical problems in the above steps, one or more of the following items may be the cause.

  1. You don't have permission to launch CloudFormation
  2. You don't have permission to create an IAM role
  3. The ARN copied from the output is not valid, possibly because of a copy-paste error
  4. The newly created role is removed or blocked before the discovery process
  5. A network outage or AWS response delay causes the discovery to take longer due to Exponential Backoff
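
Item 3 can be caught before the cloud is registered. The check below is an added example, not Appranix code: it assumes the value shown in the CloudFormation output is an IAM role ARN, and the role name and account IDs in the samples are constructed placeholders.

```python
import re

# Shape of an IAM role ARN: arn:<partition>:iam::<12-digit account id>:role/<path/name>
ROLE_ARN = re.compile(
    r"arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/([\w+=,.@/-]+)", re.ASCII)

def check_role_arn(pasted, expected_account=None):
    """Return (cleaned_arn, problems). An empty problems list means the value is usable."""
    # Drop whitespace and quotes that were picked up while copying.
    arn = pasted.strip().strip("\"'")
    problems = []
    if re.search(r"\s", arn):
        problems.append("whitespace inside the ARN (wrapped line or two values pasted)")
    elif ":cloudformation:" in arn:
        # Assumption: the stack's own ARN was copied instead of the role ARN it outputs.
        problems.append("this is a CloudFormation stack ARN, not the role ARN from the output")
    else:
        match = ROLE_ARN.fullmatch(arn)
        if match is None:
            problems.append("not a well-formed IAM role ARN (truncated or extra characters)")
        elif expected_account and match.group(2) != expected_account:
            # Guards against registering a role from the wrong AWS account.
            problems.append(
                f"role belongs to account {match.group(2)}, expected {expected_account}")
    return arn, problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    samples = [
        "  arn:aws:iam::111122223333:role/ExampleRecoveryRole\n",
        "arn:aws:cloudformation:us-east-1:111122223333:stack/example-stack/0000",
        "arn:aws:iam::11112222333:role/ExampleRecoveryRole",
        "arn:aws:iam::444455556666:role/ExampleRecoveryRole",
    ]
    for sample in samples:
        print(check_role_arn(sample, expected_account="111122223333"))
```

Passing the account ID you intended to onboard as expected_account also confirms that the ARN was copied from the right AWS console session.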

Steps to share a Cross-tenant Cloud Connection

For cross-tenant recovery, Appranix requires two active Cloud Connections. One should point to the primary AWS account, and another should point to the recovery AWS account.

  1. Once the two Active Cloud Connections are created, open the primary AWS Cloud Connection
  2. Click the "ACTIONS" button and select "SHARED CLOUD CONNECTION"
  3. Click on "SHARE TO CLOUD CONNECTION" and select the recovery AWS account Cloud Connection from the drop-down list
  4. Save the shared connection and finish

AWS IAM Permissions

Appranix gets four sets of permissions during Cloud Connection creation.

  • Discovery
  • Protection
  • Recovery
  • Reset

The Appranix AWS permission names for each operation are listed below.

Discovery

  • EC2 Discovery Access
  • Load balancer Discovery Access
  • Load balancer V2 Discovery Access
  • KMS Discovery Access
  • ACM Discovery Access
  • RDS Discovery Access
  • EFS Discovery Access

Protection

  • EC2 Protection Access
  • Backup Service Access For Resource Protection
  • Backup Storage Access For Resource Protection
  • Pass Role For Backup Service Access
  • KMS Access For Encrypted Resource Protection
  • RDS Protection Access
  • RDS Option Group Write Access
  • EFS Protection Access
  • EC2 Retention Access
  • Backup Service Access For Resource Retention
  • RDS Retention Access

Recovery

  • EC2 Recovery Access
  • Loadbalancer Recovery Access
  • Loadbalancer V2 Recovery Access
  • ACM Discovery Access
  • KMS Access For Encrypted Resource Recovery
  • Cloud Formation Stack Create And Update Access
  • RDS Recovery Access
  • EFS Recovery Access
  • Backup Service Access For Resource Recovery
  • Backup Storage Access For Resource Recovery
  • Pass Role For Resource Recovery Access
  • Lambda Function Create And Invoke Access

Reset

  • Cloud Formation Stack Delete Access
  • EC2 Reset Access
  • Loadbalancer Reset Access
  • Loadbalancer V2 Reset Access
  • Lambda Function Delete Access
  • EFS Reset Access

NOTE: When a particular permission is revoked manually in the AWS portal, the set of operations associated with that role will fail.

EC2 Discovery Access
   Action:
   - ec2:DescribeAddresses
   - ec2:DescribeInstances
   - ec2:DescribeInstanceAttribute
   - ec2:DescribeRegions
   - ec2:DescribeDhcpOptions
   - ec2:DescribeClientVpnConnections
   - ec2:DescribeVpcEndpointServices
   - ec2:DescribeSnapshots
   - ec2:DescribeAddressesAttribute
   - ec2:DescribeVpcAttribute
   - ec2:DescribeInternetGateways
   - ec2:DescribeNetworkInterfaces
   - ec2:DescribeAvailabilityZones
   - ec2:DescribeNetworkInterfaceAttribute
   - ec2:DescribeVolumes
   - ec2:DescribeNetworkInterfacePermissions
   - ec2:DescribeVpcEndpointConnections
   - ec2:DescribeNetworkAcls
   - ec2:DescribeRouteTables
   - ec2:DescribeClientVpnEndpoints
   - ec2:DescribeVpnConnections
   - ec2:DescribeSnapshotAttribute
   - ec2:DescribeTags
   - ec2:DescribeVpcPeeringConnections
   - ec2:DescribeNatGateways
   - ec2:DescribeCustomerGateways
   - ec2:DescribeVolumeAttribute
   - ec2:DescribeSecurityGroups
   - ec2:DescribeImages
   - ec2:DescribeSecurityGroupRules
   - ec2:DescribeVpcs
   - ec2:DescribeImageAttribute
   - ec2:DescribeInstanceTypes
   - ec2:DescribeVpcEndpoints
   - ec2:DescribeSubnets
   - ec2:DescribeVpnGateways
Loadbalancer Discovery Access
  permissions:
  - elasticloadbalancing:DescribeSSLPolicies
  - elasticloadbalancing:DescribeTags
  - elasticloadbalancing:DescribeLoadBalancerPolicyTypes
  - elasticloadbalancing:DescribeLoadBalancerAttributes
  - elasticloadbalancing:DescribeLoadBalancers
  - elasticloadbalancing:DescribeTargetGroupAttributes
  - elasticloadbalancing:DescribeListeners
  - elasticloadbalancing:DescribeAccountLimits
  - elasticloadbalancing:DescribeLoadBalancerPolicies
  - elasticloadbalancing:DescribeTargetHealth
  - elasticloadbalancing:DescribeTargetGroups
  - elasticloadbalancing:DescribeListenerCertificates
  - elasticloadbalancing:DescribeRules
  - elasticloadbalancing:DescribeInstanceHealth
Loadbalancer V2 Discovery Access
 permissions:
 - elasticloadbalancing:DescribeSSLPolicies
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:DescribeLoadBalancerPolicyTypes
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeLoadBalancers
 - elasticloadbalancing:DescribeTargetGroupAttributes
 - elasticloadbalancing:DescribeListeners
 - elasticloadbalancing:DescribeAccountLimits
 - elasticloadbalancing:DescribeLoadBalancerPolicies
 - elasticloadbalancing:DescribeTargetHealth
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:DescribeListenerCertificates
 - elasticloadbalancing:DescribeRules
 - elasticloadbalancing:DescribeInstanceHealth
KMS Discovery Access
 permissions:
 - kms:ListKeys
 - kms:ListAliases
 - kms:DescribeKey
ACM Discovery Access
 permissions:
 - acm:DescribeCertificate
 - acm:ListCertificates
 - acm:ListTagsForCertificate
RDS Discovery Access
 permissions:
 - rds:Describe*
 - rds:ListTagsForResource
EFS Discovery Access
 permissions:
 - elasticfilesystem:DescribeBackupPolicy
 - elasticfilesystem:DescribeMountTargets
 - elasticfilesystem:DescribeTags
 - elasticfilesystem:ListTagsForResource
 - elasticfilesystem:DescribeLifecycleConfiguration
 - elasticfilesystem:DescribeFileSystemPolicy
 - elasticfilesystem:DescribeAccessPoints
 - elasticfilesystem:DescribeAccountPreferences
 - elasticfilesystem:DescribeFileSystems
 - elasticfilesystem:DescribeMountTargetSecurityGroup
EC2 Protection Access
 permissions:
 - ec2:DescribeImages
 - ec2:CopySnapshot
 - ec2:CreateTags
 - ec2:CreateSnapshots
 - ec2:DescribeImageAttribute
 - ec2:RegisterImage
 - ec2:CreateSnapshot
 - ec2:ImportSnapshot
 - ec2:DescribeSnapshotAttribute
 - ec2:ModifySnapshotAttribute
 - ec2:CreateImage
 - ec2:CopyImage
 - ec2:ImportImage
 - ec2:DescribeSnapshots
Backup Service Access For Resource Protection
 permissions:
 - backup:TagResource
 - backup:ListCopyJobs
 - backup:PutBackupVaultAccessPolicy
 - backup:ListTags
 - backup:ListBackupJobs
 - backup:StartBackupJob
 - backup:DescribeCopyJob
 - backup:DescribeBackupJob
 - backup:CopyIntoBackupVault
 - backup:GetBackupVaultAccessPolicy
 - backup:CreateBackupVault
 - backup:ListBackupVaults
 - backup:UpdateRecoveryPointLifecycle
 - backup:GetRecoveryPointRestoreMetadata
 - backup:DescribeRecoveryPoint
 - backup:DescribeBackupVault
 - backup:StopBackupJob
 - backup:UntagResource
 - backup:ListRecoveryPointsByBackupVault
 - backup:StartCopyJob
Backup Storage Access For Resource Protection
 permissions:
 - backup-storage:Mount
 - backup-storage:MountCapsule
Pass Role For Backup Service Access
 permissions:
 - iam:PassRole
KMS Access For Encrypted Resource Protection
 permissions:
 - kms:ListKeys
 - kms:Decrypt
 - kms:Encrypt
 - kms:ListAliases
 - kms:ReEncryptTo
 - kms:DescribeKey
 - kms:RetireGrant
 - kms:CreateGrant
 - kms:ReEncryptFrom
 - kms:GenerateDataKey
RDS Protection Access
 permissions:
 - rds:DescribeDBClusterSnapshotAttributes
 - rds:AddTagsToResource
 - rds:DescribeDBSnapshots
 - rds:CopyDBSnapshot
 - rds:CopyDBClusterSnapshot
 - rds:DescribeDBSnapshotAttributes
 - rds:ModifyDBSnapshot
 - rds:ListTagsForResource
 - rds:CreateDBSnapshot
 - rds:DescribeDBClusterSnapshots
 - rds:DescribeOptionGroupOptions
 - rds:CreateDBClusterSnapshot
 - rds:ModifyDBClusterSnapshotAttribute
 - rds:ModifyDBSnapshotAttribute
 - rds:DescribeOptionGroups
RDS Option Group Write Access
 permissions:
 - rds:DeleteOptionGroup
 - rds:ModifyOptionGroup
 - rds:CreateOptionGroup
EFS Protection Access
 permissions:
 - elasticfilesystem:DescribeFileSystems
 - elasticfilesystem:DescribeTags
 - elasticfilesystem:DescribeBackupPolicy
 - elasticfilesystem:Backup
 - elasticfilesystem:TagResource
 - elasticfilesystem:CreateTags
EC2 Retention Access
 permissions:
 - ec2:DeregisterImage
 - ec2:DeleteSnapshot
 - ec2:DeleteTags
 - ec2:DescribeSnapshots
 - ec2:DescribeTags
 - ec2:DescribeSnapshotAttribute
 - ec2:DescribeImages
 - ec2:DescribeImageAttribute
Backup Service Access For Resource Retention
 permissions:
 - backup:UntagResource
 - backup:ListRecoveryPointsByBackupVault
 - backup:ListTags
 - backup:ListBackupJobs
 - backup:DescribeBackupJob
 - backup:DeleteRecoveryPoint
 - backup:ListBackupVaults
 - backup:GetRecoveryPointRestoreMetadata
 - backup:DescribeBackupVault
 - backup:DescribeRecoveryPoint
 - backup:StopBackupJob
 - backup:ListRecoveryPointsByResource
 - backup:DeleteBackupVault
 - backup:DeleteBackupVaultAccessPolicy
RDS Retention Access
 permissions:
 - rds:DescribeDBClusterSnapshotAttributes
 - rds:DescribeDBSnapshots
 - rds:DeleteDBSnapshot
 - rds:DescribeDBSnapshotAttributes
 - rds:DeleteDBClusterSnapshot
 - rds:ListTagsForResource
 - rds:DescribeDBClusterSnapshots
 - rds:RemoveTagsFromResource
 - rds:DeleteOptionGroup
 - rds:ModifyOptionGroup
EC2 Recovery Access
 permissions:
 - ec2:Describe*
 - ec2:CreateDhcpOptions
 - ec2:AuthorizeSecurityGroupIngress
 - ec2:ModifyVolumeAttribute
 - ec2:AttachInternetGateway
 - ec2:StartInstances
 - ec2:CreateNetworkInterfacePermission
 - ec2:RevokeSecurityGroupEgress
 - ec2:CreateRoute
 - ec2:CreateInternetGateway
 - ec2:ModifyAddressAttribute
 - ec2:CreateTags
 - ec2:ModifyNetworkInterfaceAttribute
 - ec2:RunInstances
 - ec2:ModifySecurityGroupRules
 - ec2:StopInstances
 - ec2:AssignPrivateIpAddresses
 - ec2:CreateVolume
 - ec2:ReplaceNetworkAclAssociation
 - ec2:RevokeSecurityGroupIngress
 - ec2:CreateNetworkInterface
 - ec2:CreateDefaultVpc
 - ec2:CreateSubnet
 - ec2:ModifyVpcEndpoint
 - ec2:CreateVpnConnection
 - ec2:AttachVolume
 - ec2:ModifyVpcEndpointServicePermissions
 - ec2:CreateNatGateway
 - ec2:RunScheduledInstances
 - ec2:CreateVpc
 - ec2:ModifyImageAttribute
 - ec2:CreateSubnetCidrReservation
 - ec2:ModifySubnetAttribute
 - ec2:CreateDefaultSubnet
 - ec2:RebootInstances
 - ec2:AssociateDhcpOptions
 - ec2:AssignIpv6Addresses
 - ec2:ImportInstance
 - ec2:AttachVpnGateway
 - ec2:ImportSnapshot
 - ec2:CreateVpnConnectionRoute
 - ec2:AllocateHosts
 - ec2:CreateImage
 - ec2:CopyImage
 - ec2:AssociateVpcCidrBlock
 - ec2:ReplaceRoute
 - ec2:AssociateRouteTable
 - ec2:ReplaceNetworkAclEntry
 - ec2:CreateVpnGateway
 - ec2:ImportImage
 - ec2:CreateVpcPeeringConnection
 - ec2:ModifyVolume
 - ec2:UpdateSecurityGroupRuleDescriptionsEgress
 - ec2:RegisterImage
 - ec2:CreateRouteTable
 - ec2:AssociateSubnetCidrBlock
 - ec2:CreateEgressOnlyInternetGateway
 - ec2:AssociateAddress
 - ec2:DeleteNetworkInterfacePermission
 - ec2:CreateSecurityGroup
 - ec2:CreateNetworkAcl
 - ec2:ModifyVpcAttribute
 - ec2:ModifyInstanceAttribute
 - ec2:AuthorizeSecurityGroupEgress
 - ec2:AllocateAddress
 - ec2:CreateVpcEndpoint
 - ec2:AttachNetworkInterface
 - ec2:CreateNetworkAclEntry
Loadbalancer Recovery Access
 permissions:
 - elasticloadbalancing:Describe*
 - elasticloadbalancing:Set*
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ConfigureHealthCheck
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer
 - elasticloadbalancing:Modify*
 - elasticloadbalancing:Register*
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
 - elasticloadbalancing:AddListenerCertificates
 - elasticloadbalancing:Create*
Loadbalancer V2 Recovery Access
 permissions:
 - elasticloadbalancing:Set*
 - elasticloadbalancing:Modify*
 - elasticloadbalancing:Register*
 - elasticloadbalancing:Add*
 - elasticloadbalancing:Create*
ACM Discovery Access
 permissions:
 - acm:DescribeCertificate
 - acm:ListCertificates
 - acm:ListTagsForCertificate
KMS Access For Encrypted Resource Recovery
 permissions:
 - kms:ListKeys
 - kms:Decrypt
 - kms:Encrypt
 - kms:ListAliases
 - kms:ReEncryptTo
 - kms:DescribeKey*
 - kms:RetireGrant
 - kms:CreateGrant
 - kms:ReEncryptFrom
 - kms:GenerateDataKey*
Cloud Formation Stack Create And Update Access
 permissions:
 - cloudformation:CreateUploadBucket
 - cloudformation:CancelUpdateStack
 - cloudformation:UpdateStackInstances
 - cloudformation:ListTypes
 - cloudformation:UpdateTerminationProtection
 - cloudformation:DescribeStackResource
 - cloudformation:UpdateStackSet
 - cloudformation:CreateChangeSet
 - cloudformation:ContinueUpdateRollback
 - cloudformation:EstimateTemplateCost
 - cloudformation:DescribeStackEvents
 - cloudformation:UpdateStack
 - cloudformation:DescribeChangeSet
 - cloudformation:ListStackResources
 - cloudformation:SetStackPolicy
 - cloudformation:ListStacks
 - cloudformation:DescribeType
 - cloudformation:DescribeStackResources
 - cloudformation:GetTemplateSummary
 - cloudformation:DescribeStacks
 - cloudformation:RollbackStack
 - cloudformation:CreateStack
 - cloudformation:GetTemplate
 - cloudformation:TagResource
 - cloudformation:ValidateTemplate
 - cloudformation:ListChangeSets
 - cloudformation:ListTypeVersions
RDS Recovery Access
  permissions:
  - rds:AuthorizeDBSecurityGroupIngress
  - rds:StartDBCluster
  - rds:ModifyOptionGroup
  - rds:RestoreDBClusterFromSnapshot
  - rds:RemoveRoleFromDBCluster
  - rds:CreateOptionGroup
  - rds:CreateDBSubnetGroup
  - rds:StopDBInstanceAutomatedBackupsReplication
  - rds:ModifyCustomDBEngineVersion
  - rds:ModifyDBParameterGroup
  - rds:Describe*
  - rds:CreateDBInstance
  - rds:ModifyDBInstance
  - rds:ModifyDBClusterParameterGroup
  - rds:AddTagsToResource
  - rds:CreateDBClusterEndpoint
  - rds:StopDBCluster
  - rds:CreateDBParameterGroup
  - rds:StartDBInstanceAutomatedBackupsReplication
  - rds:StopDBInstance
  - rds:PromoteReadReplica
  - rds:StartDBInstance
  - rds:RebootDBCluster
  - rds:ModifyCertificates
  - rds:ListTagsForResource
  - rds:CreateDBSecurityGroup
  - rds:RestoreDBInstanceFromDBSnapshot
  - rds:RebootDBInstance
  - rds:CreateDBCluster
  - rds:ModifyDBClusterEndpoint
  - rds:ModifyDBCluster
  - rds:CreateDBClusterParameterGroup
  - rds:CreateDBInstanceReadReplica
  - rds:PromoteReadReplicaDBCluster
  - rds:RemoveRoleFromDBInstance
  - rds:ModifyDBSubnetGroup
EFS Recovery Access
  permissions:
  - elasticfilesystem:ModifyMountTargetSecurityGroups
  - elasticfilesystem:Describe*
  - elasticfilesystem:Restore
  - elasticfilesystem:CreateFileSystem
  - elasticfilesystem:ListTagsForResource
  - elasticfilesystem:ClientWrite
  - elasticfilesystem:TagResource
  - elasticfilesystem:CreateTags
  - elasticfilesystem:CreateMountTarget
  - elasticfilesystem:ClientMount
  - elasticfilesystem:PutLifecycleConfiguration
  - elasticfilesystem:Backup
  - elasticfilesystem:PutBackupPolicy
  - elasticfilesystem:ClientRootAccess
  - elasticfilesystem:CreateAccessPoint
  - elasticfilesystem:PutFileSystemPolicy
  - elasticfilesystem:UpdateFileSystem
Backup Service Access For Resource Recovery
  permissions:
  - backup:ListTags
  - backup:ListBackupJobs
  - backup:DescribeBackupJob
  - backup:DescribeRestoreJob
  - backup:ListRestoreJobs
  - backup:GetBackupVaultAccessPolicy
  - backup:ListBackupVaults
  - backup:GetRecoveryPointRestoreMetadata
  - backup:DescribeRecoveryPoint
  - backup:DescribeBackupVault
  - backup:ListRecoveryPointsByResource
  - backup:StartRestoreJob
  - backup:ListRecoveryPointsByBackupVault
Backup Storage Access For Resource Recovery
  permissions:
  - backup-storage:Mount
  - backup-storage:MountCapsule
Pass Role For Resource Recovery Access
  permissions:
  - iam:PassRole
Cloud Formation Stack Delete Access
  permissions:
  - cloudformation:ListStacks
  - cloudformation:CancelUpdateStack
  - cloudformation:RollbackStack
  - cloudformation:DescribeStackSet
  - cloudformation:DeleteStack
  - cloudformation:DescribeStackResource
  - cloudformation:UntagResource
  - cloudformation:DeleteChangeSet
  - cloudformation:ListChangeSets
  - cloudformation:ContinueUpdateRollback
  - cloudformation:DescribeStacks
  - cloudformation:ListStackResources
EC2 Reset Access
  permissions:
  - ec2:Describe*
  - ec2:DeleteSubnet
  - ec2:UnmonitorInstances
  - ec2:DeleteClientVpnEndpoint
  - ec2:DeleteVpcPeeringConnection
  - ec2:DeleteVpcEndpoints
  - ec2:UpdateSecurityGroupRuleDescriptionsIngress
  - ec2:DeleteRouteTable
  - ec2:DisassociateVpcCidrBlock
  - ec2:DeleteVolume
  - ec2:DeleteVpnGateway
  - ec2:UnassignIpv6Addresses
  - ec2:DeleteInternetGateway
  - ec2:UnassignPrivateIpAddresses
  - ec2:DeleteVpnConnection
  - ec2:DisableImageDeprecation
  - ec2:DetachVolume
  - ec2:UpdateSecurityGroupRuleDescriptionsEgress
  - ec2:DeleteNetworkInterface
  - ec2:DeletePublicIpv4Pool
  - ec2:DetachInternetGateway
  - ec2:StopInstances
  - ec2:DisassociateRouteTable
  - ec2:DetachVpnGateway
  - ec2:DeleteTransitGatewayRoute
  - ec2:AssociateDhcpOptions
  - ec2:DeleteDhcpOptions
  - ec2:DeleteNatGateway
  - ec2:DeleteVpc
  - ec2:DeleteTransitGateway
  - ec2:DeleteKeyPair
  - ec2:DeleteNetworkAclEntry
  - ec2:DeleteQueuedReservedInstances
  - ec2:DeleteCarrierGateway
  - ec2:DisassociateAddress
  - ec2:DeregisterImage
  - ec2:DeleteSnapshot
  - ec2:DeleteNetworkAcl
  - ec2:ReplaceNetworkAclAssociation
  - ec2:ReleaseAddress
  - ec2:DeleteEgressOnlyInternetGateway
  - ec2:TerminateInstances
  - ec2:DetachNetworkInterface
  - ec2:DeletePlacementGroup
  - ec2:DeleteRoute
  - ec2:DeprovisionPublicIpv4PoolCidr
  - ec2:DisassociateSubnetCidrBlock
  - ec2:DeleteVpnConnectionRoute
  - ec2:DeleteCustomerGateway
  - ec2:DeleteClientVpnRoute
  - ec2:DeleteSecurityGroup
  - ec2:DeleteTransitGatewayConnect
Loadbalancer Reset Access
  permissions:
  - elasticloadbalancing:Describe*
  - elasticloadbalancing:ModifyListener
  - elasticloadbalancing:DetachLoadBalancerFromSubnets
  - elasticloadbalancing:DeregisterTargets
  - elasticloadbalancing:RemoveListenerCertificates
  - elasticloadbalancing:DeleteTargetGroup
  - elasticloadbalancing:DeleteLoadBalancer
  - elasticloadbalancing:DeleteLoadBalancerPolicy
  - elasticloadbalancing:RemoveTags
  - elasticloadbalancing:ModifyRule
  - elasticloadbalancing:DeleteLoadBalancerListeners
  - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
  - elasticloadbalancing:ModifyLoadBalancerAttributes
  - elasticloadbalancing:ModifyTargetGroupAttributes
  - elasticloadbalancing:DeleteRule
  - elasticloadbalancing:ModifyTargetGroup
  - elasticloadbalancing:DeleteListener
  - elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer
Loadbalancer V2 Reset Access
  permissions:
  - elasticloadbalancing:Describe*
  - elasticloadbalancing:ModifyListener
  - elasticloadbalancing:DetachLoadBalancerFromSubnets
  - elasticloadbalancing:DeregisterTargets
  - elasticloadbalancing:RemoveListenerCertificates
  - elasticloadbalancing:DeleteTargetGroup
  - elasticloadbalancing:DeleteLoadBalancer
  - elasticloadbalancing:DeleteLoadBalancerPolicy
  - elasticloadbalancing:RemoveTags
  - elasticloadbalancing:ModifyRule
  - elasticloadbalancing:DeleteLoadBalancerListeners
  - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
  - elasticloadbalancing:ModifyLoadBalancerAttributes
  - elasticloadbalancing:ModifyTargetGroupAttributes
  - elasticloadbalancing:DeleteRule
  - elasticloadbalancing:ModifyTargetGroup
  - elasticloadbalancing:DeleteListener
  - elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer
RDS Reset Access
  permissions:
  - rds:Describe*
  - rds:StopDBCluster
  - rds:RemoveRoleFromDBCluster
  - rds:DeleteDBSnapshot
  - rds:DeleteDBInstanceAutomatedBackup
  - rds:StopDBInstance
  - rds:DeleteDBSubnetGroup
  - rds:DeleteOptionGroup
  - rds:DeleteDBClusterSnapshot
  - rds:DeleteEventSubscription
  - rds:DeleteDBSecurityGroup
  - rds:DeleteDBClusterEndpoint
  - rds:DeleteDBParameterGroup
  - rds:DeleteDBClusterParameterGroup
  - rds:DeleteDBCluster
  - rds:RemoveRoleFromDBInstance
  - rds:DeleteDBInstance
EFS Reset Access
  permissions:
  - elasticfilesystem:Describe*
  - elasticfilesystem:DeleteAccessPoint
  - elasticfilesystem:UntagResource
  - elasticfilesystem:DeleteReplicationConfiguration
  - elasticfilesystem:DeleteMountTarget
  - elasticfilesystem:DeleteFileSystem
  - elasticfilesystem:DeleteFileSystemPolicy
  - elasticfilesystem:DeleteTags

NOTE: This list of permissions may increase as Appranix adds more services for protection.
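
Because the list changes over time, and because revoking one action can affect several permission sets (see the earlier NOTE on manual revocation), it helps to review the list with a script. The following is an added example, not Appranix code: it parses the layout used on this page, tags actions for review, and reports which sets rely on a given action. The tagging rules are the reviewer's own assumptions, and the sample is a constructed excerpt of four sets from this page.

```python
import fnmatch
import re

# Constructed sample: four permission sets copied from this page, in its layout.
PAGE_EXCERPT = """\
RDS Discovery Access
 permissions:
 - rds:Describe*
Pass Role For Backup Service Access
 permissions:
 - iam:PassRole
RDS Protection Access
 permissions:
 - rds:CreateDBSnapshot
 - rds:ModifyDBSnapshotAttribute
 - rds:DescribeDBSnapshots
RDS Retention Access
 permissions:
 - rds:DescribeDBSnapshots
 - rds:DeleteDBSnapshot
"""

# Reviewer's own rules (assumptions, not an Appranix or AWS classification).
DESTRUCTIVE = re.compile(r"^(delete|terminate|deregister)", re.IGNORECASE)
SHARING_OR_DELEGATION = {
    "iam:passrole", "kms:creategrant", "backup:putbackupvaultaccesspolicy",
    "ec2:modifysnapshotattribute", "ec2:modifyimageattribute",
    "rds:modifydbsnapshotattribute", "rds:modifydbclustersnapshotattribute"}

def parse_sets(text):
    """Parse 'Name / permissions: / - service:Action' blocks into {name: [actions]}."""
    sets, current = {}, None
    for line in text.splitlines():
        item = line.strip()
        if not item or item.lower() in ("permissions:", "action:"):
            continue
        if item.startswith("-"):
            if current is None:
                raise ValueError(f"action listed before any set name: {item!r}")
            sets[current].append(item[1:].strip())
        else:
            current = item
            sets.setdefault(current, [])
    return sets

def review(sets):
    """Return (set name, tag, action) for every action that deserves a closer look."""
    findings = []
    for name, actions in sets.items():
        for action in actions:
            verb = action.partition(":")[2]
            if "*" in verb or "?" in verb:
                findings.append((name, "wildcard", action))
            elif action.lower() in SHARING_OR_DELEGATION:
                findings.append((name, "sharing/delegation", action))
            elif DESTRUCTIVE.match(verb):
                findings.append((name, "destructive", action))
    return findings

def sets_granting(sets, action):
    """Names of the sets with an entry matching `action` (case-insensitive, * and ? wildcards)."""
    return [name for name, entries in sets.items()
            if any(fnmatch.fnmatchcase(action.lower(), e.lower()) for e in entries)]
```

For the excerpt, sets_granting(parse_sets(PAGE_EXCERPT), "rds:DescribeDBSnapshots") names three sets, one of them through the rds:Describe* wildcard, so denying that single action touches both Discovery and Protection.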
