ec2:AuthorizeSecurityGroupIngress
|
Adds the specified inbound (ingress) rules to a security group created by Dell APEX Navigator.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:CreateKeyPair
|
Creates an SSH key pair with the specified name for each APEX Block Storage deployment. The SSH key pair is then stored in AWS Secrets Manager. You can retrieve the SSH key directly from AWS Secrets Manager and use it to SSH into the instance.
Dell APEX Navigator never stores your SSH key pair files in its own inventory.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:CreateNetworkInterface
|
Creates a network interface in the specified subnet.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:CreateSecurityGroup
|
Creates a security group. A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:CreateSubnet
|
Creates a subnet in the specified VPC.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:CreateTags
|
Creates only the Dell APEX Navigator-specific tags for the APEX Block Storage for AWS and SCG resources.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:DescribeAvailabilityZones
|
Describes the Availability Zones (AZs) within a given region. Required for Dell APEX Navigator to select availability zones to deploy APEX Block Storage.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:DescribeImages
|
Describes the Amazon Machine Images (AMIs) within the given region required to launch APEX Block Storage and SCG EC2 instances.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:DescribeInstanceStatus
|
Describes the status of the specified instances or all the instances. This permission is used to wait until the instances are ready as the target group fails if the instances are not in a running state.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:DescribeInstanceTypeOfferings
|
Returns a list of all instance types offered. The results can be filtered by location (Region or availability zone). Required to determine the AZs that support the required APEX Block Storage instance types.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:DescribeInstanceTypes
|
Describes the details of the instance types that are offered in a given region and availability zones.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:DescribeSecurityGroups
|
Required to check whether there are enough security groups left in the user's AWS quota before provisioning.
|
Required
|
Required for deployment prevalidation. If permission is not provided, the deployment job enters a failed state.
|
Deployment
|
ec2:DescribeSubnets
|
Describes the existing subnets in the given VPC. Required to:
- Provide the user with the existing routable subnets in the Dell APEX Navigator Deployment wizard for an existing VPC.
- Check whether there are enough subnets left in the user's AWS quota for any new subnets to be created by Dell APEX Navigator.
|
Required
|
The deployment wizard is unable to continue when an existing VPC is selected. Required for deployment prevalidation. If permission is not provided, the deployment job enters a failed state.
|
Deployment
|
ec2:DescribeVolumes
|
Required to determine if there is sufficient availability of storage in the user's AWS quota.
|
Required
|
Required for deployment prevalidation. If permission is not provided, the deployment job enters a failed state.
|
Deployment
|
ec2:DescribeVpcAttribute
|
Required to determine whether DNS hostname resolution and support are enabled in the given VPC. APEX Block Storage uses private DNS names for internode communication.
|
Required
|
Required for deployment prevalidation. If permission is not provided, the deployment job enters a failed state.
|
Deployment
|
ec2:DescribeVpcs
|
Describes the existing VPCs in the user's AWS account. Required to:
- Provide the user with the existing VPCs in the Dell APEX Navigator Deployment wizard.
- Determine whether there are enough VPCs left in the user's AWS quota for deployment with a new VPC option.
|
Required
|
The deployment wizard is unable to continue if the user wants to select an existing VPC option. The deployment prevalidation fails and the deployment job enters a failed state if the deployment started with a new VPC option.
|
Deployment
|
ec2:GetEbsEncryptionByDefault
|
Required to determine if EBS encryption by default is enabled in a given region for the AWS account.
|
Required
|
Deployments succeed when EBS encryption by default is enabled and the key is managed in one of the following ways:
- AWS-managed key: No impact.
- Customer-managed key in the same AWS account: The key has a key policy allowing the AWS role granted to Dell APEX Navigator the necessary access to the key.
- Customer-managed key in a different AWS account: The key has a key policy allowing the AWS role granted to Dell APEX Navigator the necessary access to the key, and the permission policy is attached to that role.
If EBS encryption by default is disabled, the deployment succeeds.
|
Deployment
|
ec2:ModifyNetworkInterfaceAttribute
|
Modifies the specified network interface attribute. This permission is used, while provisioning the network interface, to disable the source/destination check, which ensures that the instance is either the source or the destination of any traffic that it receives.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:RunInstances
|
Required to create and run EC2 instances for APEX Block Storage and SCG.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
ec2:StartInstances
|
Required to start EC2 instances for APEX Block Storage.
|
Required
|
The deployment job is unable to continue, and enters a failed state.
|
Deployment
|
ec2:StopInstances
|
Required to stop EC2 instances for APEX Block Storage.
|
Required
|
The deployment job is unable to continue, and enters a failed state.
|
Deployment
|
elasticloadbalancing:AddTags
|
Used to add tags to the elastic network load balancer created by Dell APEX Navigator for APEX Block Storage deployment.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
elasticloadbalancing:CreateListener
|
Creates the listener for the elastic network load balancer created by Dell APEX Navigator for APEX Block Storage deployment.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
elasticloadbalancing:CreateLoadBalancer
|
Creates the elastic load balancer resource in AWS. This is used for creating the network load balancer for APEX Block Storage.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
elasticloadbalancing:CreateTargetGroup
|
Creates the target group resource in AWS. This is used for creating the target group of APEX Block Storage nodes for the elastic network load balancer in APEX Block Storage Deployment.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
elasticloadbalancing:DescribeLoadBalancers
|
Describes the current load balancers in the region. This is used to determine whether there are enough network load balancers left in the user's AWS quota.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
elasticloadbalancing:DescribeTargetGroups
|
Describes the current target groups in the region. This is used to determine whether there are enough target groups left in the user's AWS quota.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
elasticloadbalancing:ModifyLoadBalancerAttributes
|
Updates the attributes of the network load balancer created for APEX Block Storage. This is required to enable cross-zone load balancing in multi-availability-zone APEX Block Storage deployments.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
elasticloadbalancing:RegisterTargets
|
Registers the APEX Block Storage instance targets with the specified target group. This is required when Dell APEX Navigator is creating a target group for the APEX Block Storage elastic network load balancer.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
secretsmanager:CreateSecret
|
Creates a new secret in AWS Secrets Manager to store the SSH .pem files. You can then retrieve the SSH key directly from AWS Secrets Manager and use it to SSH into the instance.
Dell APEX Navigator never stores your SSH key pair files in its own inventory.
|
Required
|
The deployment job is unable to continue, and enters a paused state.
|
Deployment
|
secretsmanager:DeleteSecret
|
Deletes a secret used to store the SSH key pair, and all its versions, from AWS Secrets Manager. This is only used to delete a secret created by Dell APEX Navigator when Dell APEX Navigator encounters an unrecoverable error during the deployment and tries to roll back the changes.
|
Required
|
The deployment rollback is unable to continue, and enters a paused state.
|
Deployment (rollback)
|
servicequotas:ListAWSDefaultServiceQuotas
|
Describes the default quotas on your AWS account.
|
Required
|
Required for deployment prevalidation. If permission is not provided, the deployment job enters a failed state.
|
Deployment
|
servicequotas:ListServiceQuotas
|
Describes the user-defined quotas on your account.
|
Required
|
Required for deployment prevalidation. If permission is not provided, the deployment job enters a failed state.
|
Deployment
|
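The following added example, which is not Dell's code, checks an IAM policy document against the actions in the rows above before the role is handed to Dell APEX Navigator. It reports each missing action with the job state the table gives, and lists wildcard grants that are broader than the table requires. It covers only the rows shown in this section. As simplifications it ignores `Resource`, `Condition` and `NotAction`, and treats any matching `Deny` as blocking. The names `audit`, `IMPACT` and `SAMPLE` are illustrative.

```python
import fnmatch

# Actions from the rows above, keyed by service prefix.
REQUIRED = {
    "ec2": "AuthorizeSecurityGroupIngress CreateKeyPair CreateNetworkInterface "
           "CreateSecurityGroup CreateSubnet CreateTags DescribeAvailabilityZones "
           "DescribeImages DescribeInstanceStatus DescribeInstanceTypeOfferings "
           "DescribeInstanceTypes DescribeSecurityGroups DescribeSubnets "
           "DescribeVolumes DescribeVpcAttribute DescribeVpcs "
           "GetEbsEncryptionByDefault ModifyNetworkInterfaceAttribute "
           "RunInstances StartInstances StopInstances",
    "elasticloadbalancing": "AddTags CreateListener CreateLoadBalancer "
           "CreateTargetGroup DescribeLoadBalancers DescribeTargetGroups "
           "ModifyLoadBalancerAttributes RegisterTargets",
    "secretsmanager": "CreateSecret DeleteSecret",
    "servicequotas": "ListAWSDefaultServiceQuotas ListServiceQuotas",
}
# Rows whose impact column says "failed state"; every other row says "paused".
IMPACT = dict.fromkeys([
    "ec2:describesecuritygroups", "ec2:describesubnets", "ec2:describevolumes",
    "ec2:describevpcattribute", "ec2:describevpcs", "ec2:startinstances",
    "ec2:stopinstances", "servicequotas:listawsdefaultservicequotas",
    "servicequotas:listservicequotas"], "failed")
IMPACT["ec2:getebsencryptionbydefault"] = "not stated"  # row names no job state

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (missing, wildcards) for an IAM policy document given as a dict."""
    allow, deny = [], []
    for st in as_list(policy["Statement"]):
        pats = [a.lower() for a in as_list(st.get("Action", []))]
        (allow if st.get("Effect") == "Allow" else deny).extend(pats)
    missing = {}
    for svc, names in REQUIRED.items():
        for name in names.split():
            act = f"{svc}:{name}".lower()  # IAM action names are case-insensitive
            allowed = any(fnmatch.fnmatchcase(act, p) for p in allow)
            denied = any(fnmatch.fnmatchcase(act, p) for p in deny)
            if denied or not allowed:
                missing[f"{svc}:{name}"] = IMPACT.get(act, "paused")
    wildcards = sorted(p for p in allow if "*" in p or "?" in p)
    return missing, wildcards

# Constructed sample: broad grants, no servicequotas, one explicit Deny.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "elasticloadbalancing:*",
                                   "secretsmanager:CreateSecret"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:StopInstances", "Resource": "*"}]}
```

Calling `audit(SAMPLE)` returns the four actions the sample fails to grant, each with its job state, plus the two wildcard patterns to narrow.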