Small fixes for the AWS Backup EC2/EBS RP scan permission boundary (#107)

Veetaha · web-flow · commit 5f0702d5d7c2 · 2025-03-25T21:55:14.000+02:00
diff --git a/codegen/src/policies/ElastioAwsBackupEc2Scan.ts b/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
@@ -1,7 +1,7 @@
 import * as iam from "../iam";
 
 export default {
-  description: "Allows Elastio to scan AWS Backup recovery points.",
+  description: "Allows Elastio to scan AWS Backup EC2 and EBS recovery points.",
 
   statements: [
     {
@@ -41,7 +41,7 @@ export default {
         // Common for all resources
         "ec2:DescribeTags",
 
-        // Used for cost estimation
+        // Used for cost estimation and scanning itself
         "ebs:ListSnapshotBlocks",
         "ebs:ListChangedBlocks",
       ],
@@ -70,14 +70,15 @@ export default {
       Action: ["ec2:ModifySnapshotAttribute"],
       Resource: "*",
       Condition: {
-        // Needed to add createVolumePermission for the sharing the snapshot
+        // Needed to add createVolumePermission for sharing the snapshot
         // with the connector account.
         StringLike: {
           "ec2:Add/userId": "*",
         },
       },
     },
 
+    // Required for encrypted backups
     {
       Sid: "KmsAccess",
 
diff --git a/iam-policies/terraform/.module.toml b/iam-policies/terraform/.module.toml
@@ -2,4 +2,4 @@
 name = "aws-elastio-iam-policies"
 description = "A collection of AWS IAM policies for use with Elastio"
 type = "terraform"
-version = "0.33.0"
+version = "0.33.1"
diff --git a/iam-policies/terraform/README.md b/iam-policies/terraform/README.md
@@ -9,7 +9,7 @@ This Terraform module deploys additional Elastio IAM managed policies that you c
 ```tf
 module "elastio_policies" {
   source  = "terraform.cloudsmith.io/public/elastio-iam-policies/aws"
-  version = "0.33.0"
+  version = "0.33.1"
 
   // Provide input parameters
 }
@@ -30,7 +30,7 @@ See the basic [usage example](./examples/basic/main.tf).
 | Policy                                                       | Description                                                    |
 | ------------------------------------------------------------ | -------------------------------------------------------------- |
 | [`ElastioAssetAccountDeployer`][ElastioAssetAccountDeployer] | Permissions required to deploy the Elastio Asset Account stack |
-| [`ElastioAwsBackupEc2Scan`][ElastioAwsBackupEc2Scan]         | Allows Elastio to scan AWS Backup recovery points.             |
+| [`ElastioAwsBackupEc2Scan`][ElastioAwsBackupEc2Scan]         | Allows Elastio to scan AWS Backup EC2 and EBS recovery points. |
 
 [ElastioAssetAccountDeployer]: ../../codegen/src/policies/ElastioAssetAccountDeployer.ts
 [ElastioAwsBackupEc2Scan]: ../../codegen/src/policies/ElastioAwsBackupEc2Scan.ts
diff --git a/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json b/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
@@ -1,5 +1,5 @@
 {
-  "Description": "Allows Elastio to scan AWS Backup recovery points.",
+  "Description": "Allows Elastio to scan AWS Backup EC2 and EBS recovery points.",
   "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "Description": "Allows Elastio to scan AWS Backup recovery points.",`
	`2`	`+ "Description": "Allows Elastio to scan AWS Backup EC2 and EBS recovery points.",`
`3`	`3`	`"PolicyDocument": {`
`4`	`4`	`"Version": "2012-10-17",`
`5`	`5`	`"Statement": [`