Profile Applicability:
- Level 2
Description:
AWS Elastic Disaster Recovery (EDR) integrates with IAM to ensure that users and services have the appropriate permissions to perform disaster recovery tasks. Proper IAM configuration is essential for controlling access to EDR resources and ensuring security compliance. This includes creating roles, policies, and managing permissions for disaster recovery operations such as replication, failover, and recovery.
Rationale:
Proper IAM configuration ensures:
- Secure and controlled access to EDR resources
- Compliance with the principle of least privilege for disaster recovery tasks
- Effective management of roles and policies for users, applications, and services that interact with EDR
- Prevention of unauthorized access to critical recovery resources during a disaster recovery event
Default Value:
By default, IAM roles and policies for EDR are not configured. Manual configuration is required to grant permissions to users and services for interacting with EDR resources.
Impact:
Pros:
• Provides secure, granular access control for users and services interacting with EDR
• Reduces the risk of unauthorized actions during disaster recovery processes
• Supports compliance with security best practices, such as least privilege
Cons:
• Requires careful management of IAM roles and policies to avoid misconfigurations
• Misconfigured policies could lead to access denials or unauthorized access to sensitive resources
• Requires ongoing review and maintenance to ensure compliance with security policies
Pre-requisites:
IAM Permissions Required:
iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy, drs:UpdateSettings
Administrator permissions to configure IAM roles and policies for disaster recovery operations
Remediation:
Test Plan:
Using AWS Console:
- Log in to the AWS Management Console
- Navigate to IAM > Roles
- Ensure that appropriate roles for Elastic Disaster Recovery are created and associated with the required policies
- Verify that the policies attached to these roles allow the necessary actions (e.g., drs:StartRecovery, drs:DescribeRecoveryInstances)
- Navigate to Elastic Disaster Recovery and verify that the correct roles are assigned to the users, services, or EC2 instances interacting with EDR
- Test permissions by performing a recovery operation and confirming that the IAM roles and policies allow the necessary actions
Using AWS CLI:
aws iam list-roles
aws iam list-attached-role-policies \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole
aws iam get-role \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole
Implementation Plan:
Using AWS Console:
- Navigate to IAM > Roles and create a new role for EDR
- Attach the following AWS managed policies to the role:
AWSElasticDisasterRecoveryReplicationServerPolicy
AWSElasticDisasterRecoveryRecoveryInstancePolicy
- Create any custom policies if required to allow specific actions for disaster recovery
- Under Trust relationships, ensure that the service principal is set to drs.amazonaws.com to allow EDR to assume the role
- Assign the roles to the appropriate EC2 instances or IAM users that will interact with EDR resources
Using AWS CLI:
Step 1: Create a trust policy (e.g., trust-policy.json)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "drs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Step 2: Create the role
aws iam create-role \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole \
  --assume-role-policy-document file://trust-policy.json
Step 3: Attach the managed policy
aws iam attach-role-policy \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole \
  --policy-arn arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReplicationServerPolicy
Step 4: Assign the role to the EC2 instance or IAM user
aws iam attach-user-policy \
  --user-name <user-name> \
  --policy-arn arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReplicationServerPolicy
Step 5: Verify the role is correctly configured
aws iam get-role \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole
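As an added example (not part of this benchmark), the following Python evaluates the parsed JSON output of the aws iam get-role and aws iam list-attached-role-policies commands above against the trust relationship (drs.amazonaws.com only) and managed policy this recommendation expects. The sample outputs are constructed, and treating only the ReplicationServer policy as required is an assumption.

```python
# Expectations taken from the implementation steps of this recommendation.
EXPECTED_SERVICE = "drs.amazonaws.com"
REQUIRED_POLICY_ARNS = {  # assumption: only this managed policy is mandatory
    "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReplicationServerPolicy",
}

def audit_edr_role(get_role_output, attached_policies_output):
    """Return a list of findings; an empty list means the role passes.

    get_role_output: parsed JSON from `aws iam get-role`.
    attached_policies_output: parsed JSON from `aws iam list-attached-role-policies`.
    """
    findings = []
    trust = get_role_output["Role"]["AssumeRolePolicyDocument"]
    for stmt in trust.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*"} & set(actions)):
            continue
        # Only the EDR service principal may assume the role: a wildcard, an account
        # principal or another service would let something other than EDR use it.
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if not isinstance(principal, dict) or set(principal) != {"Service"} \
                or set(services) != {EXPECTED_SERVICE}:
            findings.append(f"trust policy allows unexpected principal: {principal!r}")
    attached = {p["PolicyArn"] for p in attached_policies_output.get("AttachedPolicies", [])}
    for arn in sorted(REQUIRED_POLICY_ARNS - attached):
        findings.append(f"required managed policy not attached: {arn}")
    return findings

# Constructed sample output (not captured from a real account): a compliant role...
GOOD_ROLE = {"Role": {"RoleName": "AWS-ElasticDisasterRecovery-ReplicationServerRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "drs.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}}}
GOOD_POLICIES = {"AttachedPolicies": [{"PolicyName": "AWSElasticDisasterRecoveryReplicationServerPolicy",
    "PolicyArn": "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReplicationServerPolicy"}]}
# ...and a misconfigured one: any principal may assume it and the EDR policy is missing.
BAD_ROLE = {"Role": {"RoleName": "EDR-Role-Misconfigured", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}}}
BAD_POLICIES = {"AttachedPolicies": [{"PolicyName": "ReadOnlyAccess",
    "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}

if __name__ == "__main__":
    for name, role, pols in [("good", GOOD_ROLE, GOOD_POLICIES), ("bad", BAD_ROLE, BAD_POLICIES)]:
        print(name, audit_edr_role(role, pols) or "PASS")
```

To run it against a live account, pipe the two CLI commands through json.load and pass the resulting dicts to audit_edr_role.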
Backout Plan:
Using AWS Console:
- If the wrong IAM role is assigned, remove the role and policy from the instance or user
- Modify the role's trust policy or permissions as necessary
- Revert to a known-good role or policy configuration if needed
Using AWS CLI:
To detach the policy from the role:
aws iam detach-role-policy \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole \
  --policy-arn arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReplicationServerPolicy
To delete the role:
aws iam delete-role \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole