Profile Applicability:
- Level 2
Description:
AWS Elastic Disaster Recovery (EDR) requires specific IAM roles and policies to securely perform replication, recovery, and failback operations. Proper IAM configuration ensures that the service can access required AWS resources, and that access is limited to only what is necessary, following the principle of least privilege.
Rationale:
Proper IAM configuration ensures:
- AWS EDR can perform replication and launch recovery instances
- Security best practices are followed by applying least-privilege principles
- Auditing and compliance controls are maintained
- Failovers, drills, and failbacks function without permission errors
Default Value:
By default, some roles may be auto-created during setup, but they may not meet organizational security policies. Manual validation and fine-tuning are recommended.
Impact:
Pros:
• Enables smooth functioning of EDR operations
• Prevents unauthorized access to recovery infrastructure
• Supports compliance with IAM governance standards
Cons:
• Requires understanding of IAM policy structure
• Misconfiguration may cause replication or failover failures
• Needs periodic review to align with changing security requirements
Pre-requisites:
IAM Permissions Required:
iam:CreateRole, iam:PutRolePolicy, iam:AttachRolePolicy, iam:PassRole
drs:*
Administrator access or delegated security management role
Remediation:
Test Plan:
Using AWS Console:
- Log in to the AWS Management Console
- Navigate to IAM > Roles
- Search for roles starting with AWS-ElasticDisasterRecovery-*
- Open each role and review attached policies
- Confirm the presence of AWSElasticDisasterRecoveryRecoveryInstancePolicy, AWSElasticDisasterRecoveryReplicationServerPolicy, and trusted relationships
- Ensure no excessive permissions are included
Using AWS CLI:
aws iam list-roles
aws iam list-attached-role-policies \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole
aws iam get-role \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole
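An added example (not from the benchmark or from AWS) that applies the Test Plan checks above to the JSON that `aws iam get-role` and `aws iam list-attached-role-policies` return, so the per-role review can be scripted. The sample responses embedded below are constructed, and the set of managed policies expected on a given role is an assumption you supply per role.

```python
import json

# Service principal that EDR roles should trust (from the trust policy in the Implementation Plan).
EXPECTED_SERVICE_PRINCIPAL = "drs.amazonaws.com"


def trust_policy_findings(get_role_output):
    """Audit the trust policy in `aws iam get-role --output json` output."""
    findings = []
    doc = get_role_output["Role"]["AssumeRolePolicyDocument"]
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be emitted without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any principal to assume the role")
            continue
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        findings += [f"unexpected trusted service principal: {s}"
                     for s in services if s != EXPECTED_SERVICE_PRINCIPAL]
    return findings


def attached_policy_findings(list_attached_output, expected):
    """Audit `aws iam list-attached-role-policies` output: report expected policies that are
    missing and any extra attachment, which exceeds least privilege for that role."""
    names = {p["PolicyName"] for p in list_attached_output["AttachedPolicies"]}
    findings = [f"required policy missing: {p}" for p in sorted(expected - names)]
    findings += [f"policy attached beyond least privilege: {p}" for p in sorted(names - expected)]
    return findings


# Constructed sample responses, shaped like the real CLI output (role name as used on this page).
SAMPLE_GET_ROLE = json.loads('''{"Role": {"RoleName": "AWS-ElasticDisasterRecovery-ReplicationServerRole",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "drs.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}}}''')
SAMPLE_ATTACHED = json.loads('''{"AttachedPolicies": [
  {"PolicyName": "AWSElasticDisasterRecoveryReplicationServerPolicy",
   "PolicyArn": "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReplicationServerPolicy"},
  {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}''')

if __name__ == "__main__":
    expected = {"AWSElasticDisasterRecoveryReplicationServerPolicy"}  # assumption for this role
    for f in trust_policy_findings(SAMPLE_GET_ROLE) + attached_policy_findings(SAMPLE_ATTACHED, expected):
        print("FINDING:", f)
```

Feed it the real responses by piping `aws iam get-role --output json` and `aws iam list-attached-role-policies --output json` through `json.load` instead of the constructed samples.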
Implementation Plan:
Using AWS Console:
- Navigate to IAM > Policies, click Create policy
- Define a custom least-privilege policy for specific access needs
- Navigate to IAM > Roles, create or edit EDR roles
- Attach managed policies like AWSElasticDisasterRecoveryReplicationServerPolicy
- Define trusted entities (e.g., drs.amazonaws.com) in the trust relationship
- Save and verify that the role is used in EDR settings
Using AWS CLI:
Step 1: Create a trust policy JSON (trust-policy.json):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "drs.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Step 2: Create the role:
aws iam create-role \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole \
  --assume-role-policy-document file://trust-policy.json
Step 3: Attach the managed policy:
aws iam attach-role-policy \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole \
  --policy-arn arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReplicationServerPolicy
Backout Plan:
Using AWS Console:
- Revert trust relationships or remove permissions from IAM roles
- Detach or delete custom policies that exceed least privilege
Using AWS CLI:
aws iam detach-role-policy \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole \
  --policy-arn arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReplicationServerPolicy
aws iam delete-role \
  --role-name AWS-ElasticDisasterRecovery-ReplicationServerRole