Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products

PowerProtect Data Manager 19.15 Amazon Web Services Deployment Guide

Minimum AWS IAM role permissions for deployment

When deploying an AWS-based PowerProtect Data Manager instance, you can use IAM user roles assigned a minimum number of permissions to restrict user access. You can also use an IAM CloudFormation role assigned a minimum number of permissions to restrict CloudFormation access.

IAM user roles and permissions

The following table lists the minimum permissions that are required for the IAM user roles.

Table 1. Minimum permissions of IAM user roles required to deploy PowerProtect Data ManagerMinimum permissions of IAM user roles required to deploy PowerProtect Data Manager
Service Actions Resources Request conditions
EC2 All EC2 actions (*) All resources None
SNS
ListTopics
GetTopicAttributes
All resources None
Marketplace
ViewSubscriptions
Subscribe
Unsubscribe
ListBuilds
DescribeBuilds
All resources None
IAM
Write PassRole
ListRoles
All resources None
CloudFormation All CloudFormation actions (*) All resources None

The following JSON code can be used set these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ViewSubscriptions",
                "aws-marketplace:Subscribe",
                "aws-marketplace:Unsubscribe",
                "aws-marketplace:ListBuilds",
                "aws-marketplace:DescribeBuilds",
                "iam:ListRoles",
                "iam:ListInstanceProfiles",
                "sns:GetTopicAttributes",
                "sns:ListTopics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudformation:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
           ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        }
]
}

IAM PowerProtect Data Manager role

When creating the CloudFormation stack, select the PowerProtect Data Manager role from CloudFormation > Stacks > Create stack > Configure stack options > PowerProtect Data Manager Instance and Network Configuration > IAM Role (Optional).

IAM CloudFormation role and permissions

The AWS CloudFormation service deploys the PowerProtect Data Managerinstance. By default, this service uses the same roles and permissions as the logged-in user. These permissions can be changed by selecting an IAM CloudFormation role.

When you create the CloudFormation stack, the IAM CloudFormation role is selected from CloudFormation > Stacks > Create stack > Configure stack options > Permissions > IAM role name.

The following table lists the minimum permissions that are required for the IAM CloudFormation role.

Table 2. Minimum permissions of IAM CloudFormation role required to deploy PowerProtect Data ManagerMinimum permissions of IAM CloudFormation role required to deploy PowerProtect Data Manager
Service Actions Resources Request conditions
EC2 All EC2 actions (*) All resources None
IAM
Write PassRole
ListRoles
All resources IAM:PassedToService (StringLike ecs.amazonaws.com)

The following JSON code can be used set these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

Rate this content

Accurate
Useful
Easy to understand
Was this article helpful?
0/3000 characters
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please select whether the article was helpful or not.
  Comments cannot contain these special characters: <>()\