Using K10 with AWS EBS

The following permissions are needed by Kasten to operate on EBS, AWS EC2's underlying block storage solution

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AvailabilityZone",
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeSnapshotAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:Encrypted",
        "ec2:ParentSnapshot",
        "ec2:Region",
        "ec2:ResourceTag/*",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeType",
        "aws:RequestTag/*",
        "aws:TagKeys"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Using K10 with AWS S3

While K10 can use AWS S3 to migrate applications between different clusters or even clouds, the access permissions should not be specified as a part of K10 install but instead later as a part of creating Import or Export profiles. The credentials used for the profile should have the following permissions on the needed buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::${BUCKET_NAME}",
        "arn:aws:s3:::${BUCKET_NAME}/*"
      ]
    }
  ]
}

Using K10 with AWS EFS

Note

AWS EFS support is currently only available for preview. We welcome your feedback on this feature and expect it to become generally available in the near future.

We assume that the user has successfully provisioned an EFS volume and is using the EFS CSI driver to mount the volume within Kubernetes. While K10 will transparently work with this setup, there are a couple of things to be aware of when using K10 to backup EFS that is different than EBS.

  • We create our own vault to backup EKS

  • EKS volumes are created externally and today require manual cleanup when all references to it from Kubernetes are gone. This also means that when a restore happens, a manual cleanup of the old volumes will be needed.

  • Unlike EBS, EFS backups can be slow because of underlying AWS performance constraints with different data sets. Backup policy action frequencies should be set to accommodate this performance difference.

Finally, to operate on AWS EFS, K10 will need the following permissions to perform backup and restores.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "backup:CreateBackupVault",
                "backup:DeleteRecoveryPoint",
                "backup:DescribeBackupJob",
                "backup:DescribeRecoveryPoint",
                "backup:DescribeRestoreJob",
                "backup:GetRecoveryPointRestoreMetadata",
                "backup:ListRecoveryPointsByBackupVault",
                "backup:ListRecoveryPointsByResource",
                "backup:ListTags",
                "backup:StartBackupJob",
                "backup:StartRestoreJob",
                "backup:TagResource",
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:CreateTags",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeTags",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeNetworkInterfaceAttribute",
                "iam:PassRole",
                "sts:GetCallerIdentity"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Optional KMS Permissions

When operating on Encrypted EBS volumes, K10 will ensure snapshots and any new volumes created from those snapshots are encrypted with the same key.

If Customer Managed Keys (CMKs) are used to encrypt the EBS volumes, the following permissions should be granted for all KMS keys.

{
  "Version": "2012-10-17",
  "Statement": [
      {
        "Effect": "Allow",
        "Action": [
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:DescribeKey",
            "kms:ReEncryptTo",
            "kms:ReEncryptFrom"
        ],
        "Resource": "arn:aws:kms:::key/${KMS_KEY_ID}"
      }
  ]
}