When deploying an AWS-based PowerProtect Data Manager instance, you can use IAM user roles assigned a minimum number of permissions to restrict user access. You can also use an IAM CloudFormation role assigned a minimum number of permissions to restrict CloudFormation access.
The following table lists the minimum permissions that are required for the IAM user roles.
Service | Actions | Resources | Request conditions |
---|---|---|---|
EC2 | All EC2 actions (*) | All resources | None |
SNS | ListTopics, GetTopicAttributes | All resources | None |
Marketplace | ViewSubscriptions, Subscribe, Unsubscribe, ListBuilds, DescribeBuilds | All resources | None |
IAM | Write PassRole ListRoles | All resources | None |
CloudFormation | All CloudFormation actions (*) | All resources | None |
The following JSON code can be used to set these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe",
        "aws-marketplace:ListBuilds",
        "aws-marketplace:DescribeBuilds",
        "iam:ListRoles",
        "iam:ListInstanceProfiles",
        "sns:GetTopicAttributes",
        "sns:ListTopics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cloudformation:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "ec2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
When creating the CloudFormation stack, select the PowerProtect Data Manager role from .
The AWS CloudFormation service deploys the PowerProtect Data Manager instance. By default, this service uses the same roles and permissions as the logged-in user. These permissions can be changed by selecting an IAM CloudFormation role.
When you create the CloudFormation stack, the IAM CloudFormation role is selected from .
The following table lists the minimum permissions that are required for the IAM CloudFormation role.
Service | Actions | Resources | Request conditions |
---|---|---|---|
EC2 | All EC2 actions (*) | All resources | None |
IAM | Write PassRole ListRoles | All resources | IAM:PassedToService (StringLike ecs.amazonaws.com) |
The following JSON code can be used to set these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
```
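Both policies above allow `iam:PassRole` on all resources and rely on the `iam:PassedToService` condition to limit which service can receive a role. The following pre-deployment check is an added example, not part of the product documentation: it parses a policy document, lists its service-wide wildcard grants, and flags any `iam:PassRole` statement that is not limited to a named service. The function names and the embedded copy of the CloudFormation role policy are assumptions made for this example.

```python
import json

# Copy of the IAM CloudFormation role policy shown on this page.
CFN_ROLE_POLICY = """
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": "ec2:*", "Resource": "*" },
  { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
    "Condition": { "StringLike": { "iam:PassedToService": "ec2.amazonaws.com" } } }
] }
"""

def as_list(value):
    """IAM accepts a single string or a list for Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def passed_to_services(statement):
    """Return the services an iam:PassedToService condition restricts PassRole to."""
    services = []
    for operator, keys in statement.get("Condition", {}).items():
        # Only positive string matches narrow the grant.
        if not operator.startswith(("StringEquals", "StringLike")):
            continue
        for key, value in keys.items():
            if key.lower() == "iam:passedtoservice":  # key names are case-insensitive
                services.extend(as_list(value))
    return services

def review_policy(policy_text):
    """Return (wildcard_actions, passrole_findings) for the Allow statements."""
    wildcards, findings = [], []
    statements = as_list(json.loads(policy_text)["Statement"])
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        wildcards += [a for a in actions if a.endswith("*")]
        if any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            services = passed_to_services(stmt)
            if not services or any("*" in s for s in services):
                findings.append((index, "PassRole not limited to a named service"))
    return wildcards, findings

if __name__ == "__main__":
    print(review_policy(CFN_ROLE_POLICY))
```

The wildcard list is an inventory for review rather than a failure: the policies on this page grant `ec2:*` and `cloudformation:*` by design.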