AWS sql-server-ec2 documentation change
Summary
Updated prerequisites for VSS restore automation: Added VolumeMapping.json metadata file requirement, clarified IAM permission requirements, and added granular invoker role permissions for automation execution control.
Security assessment
The changes add detailed IAM policy requirements (including ssm:StartAutomationExecution, iam:PassRole, and execution management permissions) to restrict automation access. This enforces least privilege but does not indicate a resolved security vulnerability. The documentation improves security posture by guiding users to limit permissions.
Diff
diff --git a/sql-server-ec2/latest/userguide/ms-ssdb-ec2-vss-restore-prereq.md b/sql-server-ec2/latest/userguide/ms-ssdb-ec2-vss-restore-prereq.md index 4086c33c8..9d5569972 100644 --- a//sql-server-ec2/latest/userguide/ms-ssdb-ec2-vss-restore-prereq.md +++ b//sql-server-ec2/latest/userguide/ms-ssdb-ec2-vss-restore-prereq.md @@ -19 +19 @@ The `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook only supports re - * **Configure settings to save VSS metadata files** – To successfully initiate a restore operation, the following two VSS metadata files are required. These files are generated for each snapshot set taken during the snapshotting process. + * **Configure settings to save VSS metadata files** – To successfully initiate a restore operation, VSS metadata files are required. The following files are generated for each snapshot set taken during the snapshotting process. @@ -21 +21 @@ The `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook only supports re - * `{Snapshot set id}-{timestamp}-BackupComponentDocument.xml` + * `{Snapshot set id}-{timestamp}-BCD.xml` @@ -24,0 +25,6 @@ The `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook only supports re + * `{Snapshot set id}-{timestamp}-VolumeMapping.json` + +###### Note + +The volume mapping metadata file (`{Snapshot set id}-{timestamp}-VolumeMapping.json`) maps Windows drives to their corresponding snapshots and is used in VSS restore operations to create EBS volumes from snapshots that contains database files to be restored. + @@ -34 +40 @@ To ensure that these files are generated, set the `SaveVssMetadata` parameter to -The `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook needs permission to perform the Amazon EC2 and Systems Manager operations that the runbook uses to restore the database. Follow these steps to grant the appropriate permissions. +Executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook to restore databases needs permissions to perform necessary Amazon EC2 and Systems Manager operations. Follow these steps to grant the appropriate permissions. @@ -38 +44,3 @@ The `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook needs permission - 2. Attach the IAM policy to the role that's used for the automation runbook. + 2. Attach the IAM policy to the role that's used for the automation execution. + + 3. Grant IAM permissions to the invoker role for starting and managing automation executions. @@ -174 +182 @@ JSON -### Attach the IAM policy to the role that's used for the automation runbook +### Attach the IAM policy to the role that's used for the automation execution @@ -176 +184 @@ JSON -You can choose from the following options to attach your policy to the role that Systems Manager uses for the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook. +You can choose from the following options to attach your policy to the role that Systems Manager uses for interacting with the Amazon EC2 and Systems Manager when executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook. @@ -178 +186 @@ You can choose from the following options to attach your policy to the role that - * Create a role, attach your policy, and add a PassRole policy to restrict access. The automation assumes the role that's specified in the `AutomationAssumeRole` parameter. Expand the `Invoke automation with an assumed role (recommended)` section to see detailed steps. + * Create a role, attach your policy, and add a PassRole policy to restrict access. Use the ARN of this role for the `AutomationAssumeRole` parameter when invoking the automation, and the automation execution will assume this role. Expand the `Invoke automation with an assumed role (recommended)` section to see detailed steps. @@ -180 +188 @@ You can choose from the following options to attach your policy to the role that - * Attach the policy to your console role. The automation uses the console role that's defined for your current session. Expand the `Invoke automation with current session’s console role` section to see detailed steps. + * Attach the policy to the invoker role that initiates the automation execution, without specifying the `AutomationAssumeRole` parameter. For example, if you start the automation execution from the AWS console, the console role acts as the invoker role. Expand the `Invoke automation without an assumed role` section to see detailed steps. @@ -235 +243 @@ Copy the **Role ARN** from the **Summary** panel to use in the next steps, then - 2. In the navigation pane, choose **Roles** , and then select the role that your current console session is using. The current role appears in the upper right corner of the console, where you'll see the following pattern: + 2. In the navigation pane, choose **Roles** , and then select the role that will be used to start the automation execution. For example, if you will start the automation execution from console, you should choose the current console role, which appears in the upper right corner of the console: @@ -245,0 +254,71 @@ Copy the **Role ARN** from the **Summary** panel to use in the next steps, then +### Grant IAM permissions to the invoker role for starting and managing automation executions + +To attach necessary permissions to the role that starts and manages the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation executions, follow these steps. + + 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). + + 2. In the navigation pane, choose **Roles** , and then select the role that will be used to start the automation execution. + + 3. Choose **Add inline policy** from the **Add permissions** menu. This opens the **Specify permissions** page. + + 4. Select the **JSON** policy editor and copy the following JSON policy content into the editor. The policy allows the role to: + + * Execute the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook. + + * Stop and send signals to an automation execution. + + * View details about the automation execution after it has been started. + +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "StartVssRestoreAutomationExecution", + "Effect": "Allow", + "Action": "ssm:StartAutomationExecution", + "Resource": [ + "arn:aws:ssm:*:*:document/AWSEC2-RestoreSqlServerDatabaseWithVss", + "arn:aws:ssm:*:*:automation-execution/*" + ] + }, + { + "Sid": "ManageVssRestoreAutomationExecution", + "Effect": "Allow", + "Action": [ + "ssm:StopAutomationExecution", + "ssm:GetAutomationExecution", + "ssm:DescribeAutomationExecutions", + "ssm:DescribeAutomationStepExecutions", + "ssm:SendAutomationSignal" + ], + "Resource": [ + "arn:aws:ssm:*:*:automation-execution/*" + ] + } + ] + } + + + 5. If you are to start the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation with an assume role by providing a role arn to the `AutomationAssumeRole` parameter, you will need to add the following permission to the above policy statements, and replace the `[AutomationAssumeRole's ARN]` placeholder with the ARN of the role created in step `Invoke runbook automation with an assumed role (recommended)`. The permission allows the invoker role to pass the automation assume role to Systems Manager. + + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": [ + "[AutomationAssumeRole's ARN]" + ] + } + + 6. Choose **Next** to review your policy. This opens the review and create page. + + 7. On the **Review Policy** page, enter a name (for example, `VssRestoreRunSSMAutomationPolicy`) and then choose **Next** to create and add the inline policy to your role. + + + +