When deploying an AWS-based PowerProtect Data Manager instance, you can use IAM user roles assigned a minimum number of permissions to restrict user access. You can also use an IAM CloudFormation role assigned a minimum number of permissions to restrict CloudFormation access.
IAM user roles and permissions
The following table lists the minimum permissions that are required for the IAM user roles.
Table 1. Minimum permissions of IAM user roles required to deploy PowerProtect Data Manager
The following table lists where the PowerProtect Data Manager and DDVE roles are selected from when creating the CloudFormation stack.
Table 2. Selection of IAM PowerProtect Data Manager and DDVE roles during stack creation

| Role | CloudFormation template location |
| --- | --- |
| PowerProtect Data Manager | CloudFormation > Stacks > Create stack > Configure stack options > PowerProtect Data Manager Instance and Network Configuration > IAM Role (Optional) |
| DDVE | CloudFormation > Stacks > Create stack > Configure stack options > DDVE Instance Configuration > IAM Role for S3 access |
IAM CloudFormation role and permissions
The AWS CloudFormation service deploys the PowerProtect Data Manager and DDVE instances. By default, this service uses the same roles and permissions as the logged-in user. These permissions can be changed by selecting an IAM CloudFormation role.
When you create the CloudFormation stack, the IAM CloudFormation role is selected from CloudFormation > Stacks > Create stack > Configure stack options > Permissions > IAM role name.
The following table lists the minimum permissions that are required for the IAM CloudFormation role.
Table 3. Minimum permissions of IAM CloudFormation role required to deploy PowerProtect Data Manager
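To check that a deployment followed the IAM CloudFormation role guidance above, the following added example (not part of the original documentation) flags stacks created without an IAM role, roles whose trust policy admits principals other than CloudFormation, and roles that grant wildcard actions. The stack list has the shape of `aws cloudformation describe-stacks` output; the account ID, stack names, role names and policy actions are constructed placeholders, not the vendor's minimum-permission list.

```python
CFN_SERVICE = "cloudformation.amazonaws.com"
ACCT = "arn:aws:iam::111122223333:role/"  # constructed account and role names

# Constructed sample shaped like the Stacks list from `aws cloudformation describe-stacks`.
STACKS = [
    {"StackName": "ppdm-with-role", "RoleARN": ACCT + "example-cfn-deploy"},
    {"StackName": "ppdm-broad-role", "RoleARN": ACCT + "example-cfn-admin"},
    {"StackName": "ppdm-no-role"},  # created without an IAM role
]

# Constructed role documents keyed by ARN: trust policy and permissions policy.
# The actions are placeholders, not the vendor's minimum-permission list.
ROLES = {
    ACCT + "example-cfn-deploy": {
        "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"Service": CFN_SERVICE}}]},
        "permissions": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                       "Action": ["ec2:RunInstances", "ec2:DescribeInstances"]}]},
    },
    ACCT + "example-cfn-admin": {
        "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"Service": CFN_SERVICE, "AWS": "*"}}]},
        "permissions": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    },
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_stack(stack, roles):
    """Return least-privilege findings for one stack (empty list = none)."""
    arn = stack.get("RoleARN")
    if not arn:  # default behaviour: CloudFormation acts with the caller's permissions
        return ["no-service-role"]
    findings = []
    for st in as_list(roles[arn]["trust"]["Statement"]):
        principal = st.get("Principal")
        only_cfn = (isinstance(principal, dict) and set(principal) == {"Service"}
                    and set(as_list(principal["Service"])) == {CFN_SERVICE})
        if st.get("Effect") == "Allow" and not only_cfn:
            findings.append("trust-not-limited-to-cloudformation")
    for st in as_list(roles[arn]["permissions"]["Statement"]):
        actions = as_list(st.get("Action", []))
        if st.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("wildcard-action")
    return findings

def audit_all(stacks=STACKS, roles=ROLES):
    return {s["StackName"]: audit_stack(s, roles) for s in stacks}
```

Against a real account, replace `STACKS` and `ROLES` with exported `describe-stacks` output and the corresponding role policy documents.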