Dell APEX Navigator for Multicloud Storage Using Your Service

Dell APEX Block Storage for AWS

The following tables list the Dell APEX Block Storage for AWS permissions.

Access permissions

These permissions allow APEX Navigator to assume a dedicated AWS role in your AWS account. The permissions in this statement block also make Dell's access auditable: session tags record which APEX job performed an action, and the source identity records who triggered it. This policy statement is required for all Dell APEX Navigator functionality.

Table 1. APEX Navigator Access: Dell APEX Navigator access-related permissions.

| AWS Permission | Description | Required | Impact if not permitted | Job Type |
|---|---|---|---|---|
| iam:ListAccountAliases | Shows the account alias in Dell APEX Navigator. | Optional | The AWS account alias is not visible in APEX Navigator; the AWS account ID is displayed instead when viewing the AWS account. | AWS_ACCOUNTS |
| sts:SetSourceIdentity | Records, for audit, the APEX user (user's email) or Dell APEX Navigator service account that triggered the action in the AWS account. | Required | Access to the AWS account fails without permission to set the source identity. | All jobs that require access to AWS, including AWS_ACCOUNTS (CREATE, MODIFY) |
| sts:TagSession | (1) Attributes AWS actions to a specific APEX job; (2) records, for audit, the AWS actions taken by Dell. | Required | Access to the AWS account fails without permission to set session tags. | All jobs that require access to AWS, including AWS_ACCOUNTS (CREATE, MODIFY) |

Deployment permissions

Table 2. APEX Block Storage Deploy: permissions related to deployment.

| AWS Permission | Description | Required | Impact if not permitted | Job Type |
|---|---|---|---|---|
| ec2:AuthorizeSecurityGroupIngress | Adds the specified inbound (ingress) rules to a security group created by Dell APEX Navigator. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:CreateKeyPair | Creates an SSH key pair with the specified name for each APEX Block Storage deployment. The key pair is then stored in AWS Secrets Manager; you can retrieve the SSH key from your Secrets Manager directly and use it to SSH into the instance. Dell APEX Navigator never stores your SSH key pair files in its own inventory. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:CreateNetworkInterface | Creates a network interface in the specified subnet. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:CreateSecurityGroup | Creates a security group. A security group acts as a virtual firewall for your instance, controlling inbound and outbound traffic. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:CreateSubnet | Creates a subnet in the specified VPC. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:CreateTags | Creates only the Dell APEX Navigator-specific tags on the APEX Block Storage for AWS and SCG resources. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:DescribeAvailabilityZones | Describes the Availability Zones (AZs) within a given region. Required for Dell APEX Navigator to select the Availability Zones in which to deploy APEX Block Storage. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:DescribeImages | Describes the Amazon Machine Images (AMIs) within the given region that are required to launch the APEX Block Storage and SCG EC2 instances. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:DescribeInstanceStatus | Describes the status of the specified instances, or of all instances. Used to wait until the instances are ready, because target group registration fails if the instances are not in a running state. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:DescribeInstanceTypeOfferings | Returns a list of all instance types offered; the results can be filtered by location (region or Availability Zone). Required to determine the AZs that support the required APEX Block Storage instance types. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:DescribeInstanceTypes | Describes the details of the instance types offered in a given region and its Availability Zones. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:DescribeSecurityGroups | Required to check that enough security groups remain in the user's AWS quota before provisioning. | Required | Required for deployment pre-validation. If the permission is not granted, the deployment job enters a failed state. | Deployment |
| ec2:DescribeSubnets | Describes the existing subnets in the given VPC. Required to (1) present the existing routable subnets in the Dell APEX Navigator deployment wizard when deploying to an existing VPC, and (2) check that enough subnets remain in the user's AWS quota for any new subnets Dell APEX Navigator creates. | Required | The deployment wizard is unable to continue when an existing VPC is selected. Also required for deployment pre-validation: if the permission is not granted, the deployment job enters a failed state. | Deployment |
| ec2:DescribeVolumes | Required to determine whether sufficient storage is available in the user's AWS quota. | Required | Required for deployment pre-validation. If the permission is not granted, the deployment job enters a failed state. | Deployment |
| ec2:DescribeVpcAttribute | Required to determine whether DNS hostname resolution and DNS support are enabled in the given VPC. APEX Block Storage uses private DNS names for internode communication. | Required | Required for deployment pre-validation. If the permission is not granted, the deployment job enters a failed state. | Deployment |
| ec2:DescribeVpcs | Describes the existing VPCs in the user's AWS account. Required to (1) present the existing VPCs in the Dell APEX Navigator deployment wizard, and (2) determine whether enough VPCs remain in the user's AWS quota for a deployment with the new VPC option. | Required | The deployment wizard is unable to continue if the user wants to select an existing VPC. If the deployment was started with the new VPC option, pre-validation fails and the deployment job enters a failed state. | Deployment |
| ec2:GetEbsEncryptionByDefault | Required to determine whether EBS encryption by default is enabled in the given region for the AWS account. | Required | Deployments succeed when EBS encryption by default is enabled and the key is managed in one of the following ways: an AWS-managed key (no impact); a customer-managed key in the same AWS account, whose key policy grants the AWS role used by Dell APEX Navigator the necessary access; or a customer-managed key in a different AWS account, whose key policy grants that role the necessary access and where the permission policy is attached to that role. If EBS encryption by default is disabled, deployment succeeds. | Deployment |
| ec2:ModifyNetworkInterfaceAttribute | Modifies the specified network interface attribute. Used while provisioning the network interface to disable the source/destination check, which otherwise requires that the instance is either the source or the destination of any traffic it receives. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:RunInstances | Required to create and run the EC2 instances for APEX Block Storage and SCG. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:StartInstances | Required to start EC2 instances for APEX Block Storage. | Required | The deployment job is unable to continue and enters a failed state. | Deployment |
| ec2:StopInstances | Required to stop EC2 instances for APEX Block Storage. | Required | The deployment job is unable to continue and enters a failed state. | Deployment |
| elasticloadbalancing:AddTags | Adds tags to the elastic network load balancer created by Dell APEX Navigator for the APEX Block Storage deployment. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| elasticloadbalancing:CreateListener | Creates the listener for the elastic network load balancer created by Dell APEX Navigator for the APEX Block Storage deployment. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| elasticloadbalancing:CreateLoadBalancer | Creates the elastic load balancer resource in AWS. Used to create the network load balancer for APEX Block Storage. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| elasticloadbalancing:CreateTargetGroup | Creates the target group resource in AWS. Used to create the target group of APEX Block Storage nodes for the elastic network load balancer in the APEX Block Storage deployment. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| elasticloadbalancing:DescribeLoadBalancers | Describes the current load balancers in the region. Used to determine whether enough network load balancers remain in the user's AWS quota. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| elasticloadbalancing:DescribeTargetGroups | Describes the current target groups in the region. Used to determine whether enough target groups remain in the user's AWS quota. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| elasticloadbalancing:ModifyLoadBalancerAttributes | Updates the attributes of the network load balancer created for APEX Block Storage. Required to enable cross-zone load balancing in multi-Availability-Zone APEX Block Storage deployments. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| elasticloadbalancing:RegisterTargets | Registers the APEX Block Storage instance targets with the specified target group. Required when Dell APEX Navigator creates a target group for the APEX Block Storage elastic network load balancer. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| secretsmanager:CreateSecret | Creates a new secret in AWS Secrets Manager to store the SSH .pem files. You can then retrieve the SSH key from your Secrets Manager directly and use it to SSH into the instance. Dell APEX Navigator never stores your SSH key pair files in its own inventory. | Required | The deployment job is unable to continue and enters a paused state. | Deployment |
| secretsmanager:DeleteSecret | Deletes a secret used to store an SSH key pair, and all its versions, from AWS Secrets Manager. Only used to delete a secret created by Dell APEX Navigator when it encounters an unrecoverable error during deployment and rolls back the changes. | Required | The deployment rollback is unable to continue and enters a paused state. | Deployment (Rollback) |
| servicequotas:ListAWSDefaultServiceQuotas | Describes the default quotas on your AWS account. | Required | Required for deployment pre-validation. If the permission is not granted, the deployment job enters a failed state. | Deployment |
| servicequotas:ListServiceQuotas | Describes the user-defined quotas on your account. | Required | Required for deployment pre-validation. If the permission is not granted, the deployment job enters a failed state. | Deployment |

Permissions related to new VPC

These permissions are used by the Dell APEX Navigator policy only when deploying with the new VPC option; they are not exercised when deploying to an existing VPC.

These permissions are required for decommissioning when the VPC was created by Dell APEX Navigator.

Table 3. APEX Block Storage New VPC: APEX Block Storage permissions related to a new VPC.

| AWS Permission | Description | Required | Impact if not permitted | Job Type |
|---|---|---|---|---|
| ec2:AssociateVpcCidrBlock | Associates a CIDR block with the given VPC. Only required if you use Dell APEX Navigator to deploy a new VPC during deployment. | Optional; only required when deploying with the new VPC option selected. | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:AttachInternetGateway | Attaches an Internet gateway to a VPC, enabling SCG connectivity to the Dell Secure Connectivity access servers through the Internet gateway. Triggered only when an APEX Block Storage deployment using the new VPC option is started. | Optional; only required when deploying with the new VPC option selected. | The deployment job is unable to continue and enters a paused state. | Deployment (SCG) |
| ec2:CreateInternetGateway | Creates a new Internet gateway to enable Internet connectivity from the new VPC to the Dell Secure Connectivity Enterprise and Global access servers. | Optional; only required when deploying with the new VPC option selected. | The deployment job is unable to continue, enters a failed state, and triggers a rollback. | Deployment |
| ec2:CreateVpc | Creates a new VPC using the CIDR blocks provided when the new VPC option is selected for the APEX Block Storage deployment. | Optional; only required when deploying with the new VPC option selected. | The deployment job is unable to continue and enters a paused state. | Deployment |
| ec2:DeleteInternetGateway | Deletes an Internet gateway created for SCG in a new VPC. Dell APEX Navigator never deletes an Internet gateway unless it was provisioned by Dell APEX Navigator. | Optional; only required when deploying with the new VPC option selected. | The decommission job, or a deployment entering rollback, is unable to continue and enters a paused state. | Deployment (Rollback), Decommission |
| ec2:DeleteVpc | Deletes the new VPC created by Dell APEX Navigator when an APEX Block Storage deployment using the new VPC option fails and Dell APEX Navigator rolls back the changes. In all other cases, Dell APEX Navigator never deletes a VPC. | Optional; only required when deploying with the new VPC option selected. | The deployment job is unable to roll back when it encounters an unrecoverable error, and enters a paused state. | Deployment (Rollback) |
| ec2:DisassociateVpcCidrBlock | Disassociates the subnet CIDR block only from a new VPC created by Dell APEX Navigator. Triggered only when an APEX Block Storage deployment using the new VPC option fails and Dell APEX Navigator rolls back the changes. | Optional; only required when deploying with the new VPC option selected. | The deployment rollback is unable to continue and enters a paused state. | Deployment (Rollback) |
| ec2:ModifyVpcAttribute | Updates the new VPC to enable DNS hostname resolution and DNS support, which are required for internode communication between APEX Block Storage cluster nodes using private DNS names. | Optional; only required when deploying with the new VPC option selected. | The deployment job is unable to continue and enters a paused state. | Deployment |

Decommission permissions

Table 4. APEX Block Storage Decommission: permissions related to decommission.

| AWS Permission | Description | Required | Impact if not permitted | Job Type |
|---|---|---|---|---|
| ec2:DeleteKeyPair | Deletes the AWS SSH key pair created by Dell APEX Navigator for the APEX Block Storage and Secure Connect Gateway EC2 instances. Only used to delete a key pair created by Dell APEX Navigator when it encounters an unrecoverable error during deployment and rolls back the changes. | Required | The deployment rollback is unable to continue and enters a paused state. | Deployment (Rollback) |
| ec2:DeleteNetworkInterface | Deletes only the network interfaces created by Dell APEX Navigator for the APEX Block Storage and Secure Connect Gateway EC2 instances. | Required | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| ec2:DeleteSecurityGroup | Deletes only the security groups created by Dell APEX Navigator for APEX Block Storage and Secure Connect Gateway. Triggered only during an APEX Block Storage deployment when Dell APEX Navigator encounters an unrecoverable error and rolls back the changes, or during a decommission operation. | Required | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| ec2:DeleteSubnet | Deletes only the subnets created by Dell APEX Navigator for APEX Block Storage and SCG. Triggered only during an APEX Block Storage deployment when Dell APEX Navigator encounters an unrecoverable error and rolls back the changes, or during a decommission operation. | Required | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| ec2:DescribeNetworkInterfaces | (1) Checks that enough network interfaces remain in the user's AWS quota before provisioning; (2) describes the status of network interfaces during deployment rollback or decommission, to confirm that a network interface is no longer in use. | Required | Deployment pre-validation fails and the deployment enters a failed state. Decommission is unable to continue and enters a paused state. | Deployment, Decommission |
| ec2:TerminateInstances | Terminates the EC2 instances created by Dell APEX Navigator for APEX Block Storage and SCG. Triggered only during an APEX Block Storage deployment when Dell APEX Navigator encounters an unrecoverable error and rolls back the changes, or during a decommission operation. | Required | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| elasticloadbalancing:DeleteLoadBalancer | Deletes the specified network load balancer. Deleting a load balancer also deletes its listeners. | Required | The delete permission is used in the rollback and decommission workflows. | PowerFlex decommission workflow |
| elasticloadbalancing:DeleteTargetGroup | Deletes the target group provisioned during the PowerFlex deployment. | Required | The target group cannot be deleted, and the subsequent workflow fails with a dependent-resource error. | PowerFlex resource decommission workflow |

Load balancer permissions

This permission allows creation of the AWS-managed service-linked role that the elastic load balancer assumes to perform actions. The service-linked role does not exist by default in AWS accounts; if it has already been created manually in the account, this statement block can be removed. See "Elastic Load Balancing service-linked role" in the Elastic Load Balancing User Guide in the Amazon documentation.

Table 5. APEX Block Storage Load Balancer: permissions required for the Dell APEX Block Storage load balancer.

| AWS Permission | Description | Required | Impact if not permitted | Job Type |
|---|---|---|---|---|
| iam:CreateServiceLinkedRole | Creates the AWS-managed role that the elastic load balancer assumes to perform actions. | Optional | The deployment job is unable to continue and enters a paused state. | AWS_ACCOUNTS |

Monitor permissions

These associated permissions enable collection of AWS infrastructure telemetry to correlate with APEX Block Storage telemetry for viewing in APEX AIOps Observability.

Table 6. APEX Navigator Monitor: APEX Navigator monitoring-related permissions.

| AWS Permission | Description | Required | Impact if not permitted | Job Type |
|---|---|---|---|---|
| ec2:DescribeInstances | Collects EC2 details for the APEX Block Storage deployment. The EC2 instances used by APEX Block Storage for AWS are displayed in the APEX AIOps Observability UI for monitoring. The following properties are stored in APEX AIOps Observability: instanceId, instanceType, privateIpAddress, publicIpAddress, state, availabilityZone, vpcId. | Optional | Impacts cloud infrastructure monitoring: cloud infrastructure details for Dell APEX Navigator-deployed storage systems in the given AWS account are not available in APEX AIOps Observability. | N/A |
| ec2:DescribeVolumes | Collects EBS volume details for Dell APEX Navigator-deployed APEX Block Storage systems. These details are currently not displayed in either the Dell Premier or the APEX AIOps Observability portal. | Optional | Impacts cloud infrastructure monitoring: cloud infrastructure details for Dell APEX Navigator-deployed storage systems in the given AWS account are not available in APEX AIOps Observability. | N/A |
| ec2:DescribeVpcs | Collects VPC details for APEX Block Storage deployments made with Dell APEX Navigator. | Optional | Impacts cloud infrastructure monitoring: cloud infrastructure details for Dell APEX Navigator-deployed storage systems in the given AWS account are not available in APEX AIOps Observability. | N/A |

SCG networking permissions

These permissions support deploying SCG into a VPC, which is required for Dell APEX Block Storage.

Table 7. SCG Networking: permissions related to SCG networking.

| AWS Permission | Description | Required | Impact if not permitted | Job Type |
|---|---|---|---|---|
| ec2:AllocateAddress | Allocates an Elastic IP address for SCG. Triggered only when the first APEX Block Storage deployment in that VPC automatically installs SCG. | Optional; only required when you install the first APEX Block Storage system in the given VPC. | The deployment job is unable to continue and enters a paused state. | Deployment (SCG) |
| ec2:AssociateAddress | Associates an Elastic IP with an instance or network interface created by Dell APEX Navigator for SCG. Triggered only when the first APEX Block Storage deployment in that VPC automatically installs SCG. | Optional; only required when you install the first APEX Block Storage system in the given VPC. | The deployment job is unable to continue and enters a paused state. | Deployment (SCG) |
| ec2:AssociateRouteTable | Associates a subnet with a route table created by Dell APEX Navigator for SCG in the given VPC. Triggered only when the first APEX Block Storage deployment in that VPC automatically installs SCG. | Optional; only required when you install the first APEX Block Storage system in the given VPC. | The deployment job is unable to continue and enters a paused state. | Deployment (SCG) |
| ec2:AuthorizeSecurityGroupEgress | Adds the specified outbound rules to an SCG security group created by Dell APEX Navigator for egress traffic. Triggered only when the first APEX Block Storage deployment in that VPC automatically installs SCG. | Optional; only required when you install the first APEX Block Storage system in the given VPC. | The deployment job is unable to continue and enters a paused state. | Deployment (SCG) |
| ec2:CreateRoute | Creates a route in a route table within a VPC. Used to add a route to the Internet gateway provisioned for SCG connectivity. Triggered only when the first APEX Block Storage deployment in that VPC automatically installs SCG. | Optional; only required when you install the first APEX Block Storage system in the given VPC. | The deployment job is unable to continue and enters a paused state. | Deployment (SCG) |
| ec2:CreateRouteTable | Creates a route table for the specified VPC. Used to add routes for Internet gateways and to associate the table with a subnet. Triggered only when the first APEX Block Storage deployment in that VPC automatically installs SCG. | Optional; only required when you install the first APEX Block Storage system in the given VPC. | The deployment job is unable to continue and enters a paused state. | Deployment (SCG) |
| ec2:DescribeRouteTables | Checks (1) that a route table exists in the VPC where SCG is provisioned, and (2) that a network route exists from the SCG subnet to the Internet gateway. | Required | Required for deployment pre-validation. If the permission is not granted, the deployment job enters a failed state. | Deployment (SCG) |
| ec2:DeleteRoute | Deletes only the network routes created by Dell APEX Navigator for Secure Connect Gateway. Triggered only when the first APEX Block Storage deployment in that VPC installs SCG, encounters an unrecoverable error, and rolls back the changes, or during SCG decommissioning. | Optional; only required when you install the first APEX Block Storage system or decommission the last APEX Block Storage system in the given VPC. | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| ec2:DeleteRouteTable | Deletes only the route table created by Dell APEX Navigator for SCG. Triggered only when the first APEX Block Storage deployment in that VPC installs SCG, encounters an unrecoverable error, and rolls back the changes, or during SCG decommissioning. | Optional; only required when you install the first APEX Block Storage system or decommission the last APEX Block Storage system in the given VPC. | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| ec2:DescribeInternetGateways | Describes the Internet gateways that exist in the region. Required to (1) check for existing Internet gateways while provisioning SCG, and (2) check the quota for regional Internet gateways in the user's AWS account before provisioning (quota validation for SCG). | Optional; only required when you install the first APEX Block Storage system in the given VPC. | The deployment job is unable to continue and enters a paused state. | Deployment (SCG) |
| ec2:DetachInternetGateway | Detaches only the Internet gateway created by Dell APEX Navigator, either when an APEX Block Storage deployment using the new VPC option fails and Dell APEX Navigator rolls back the changes, or during SCG decommissioning. | Optional; only required when deploying with the new VPC option selected. | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| ec2:DisassociateRouteTable | Disassociates only the route table created by Dell APEX Navigator from an SCG subnet in the given VPC. | Optional; only required when you decommission the last APEX Block Storage system in the given VPC. | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| ec2:ModifyInstanceAttribute | Disables termination protection on the SCG EC2 instance. Triggered only when the first APEX Block Storage deployment in that VPC installs SCG, encounters an unrecoverable error, and rolls back the changes, or during SCG decommissioning. | Optional; only required when you install the first APEX Block Storage system or decommission the last APEX Block Storage system in the given VPC. | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
| ec2:ReleaseAddress | Releases only the Elastic IP address allocated by Dell APEX Navigator for SCG. Triggered when the first APEX Block Storage deployment in that VPC installs SCG, encounters an unrecoverable error, and rolls back the changes, or during SCG decommissioning. | Optional; only required when you install the first APEX Block Storage system or decommission the last APEX Block Storage system in the given VPC. | The deployment rollback and decommission are unable to continue and enter a paused state. | Deployment (Rollback), Decommission |
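The tables above give the "Impact if not permitted" for each action, which makes them usable as a checklist against the role you actually granted. The following added example (not Dell's code) audits an IAM permission policy and a role trust policy against a subset of the "Required" rows and the access permissions of Table 1. It assumes the sts actions from Table 1 are granted in the role's trust policy, that the action lists are transcribed from the tables, and that both policy documents are constructed samples (the principal ARN is a placeholder, not Dell's account).

```python
import fnmatch
import json

PREVAL = "pre-validation fails; the deployment job enters a failed state"
PAUSE = "the deployment job pauses"

# Actions the tables mark "Required" -> (impact if missing, job type).
# A subset transcribed from Tables 2, 4 and 7; extend it from the tables as needed.
REQUIRED_ACTIONS = {
    "ec2:DescribeSecurityGroups": (PREVAL, "Deployment"),
    "ec2:DescribeSubnets": (PREVAL, "Deployment"),
    "ec2:DescribeVolumes": (PREVAL, "Deployment"),
    "ec2:DescribeNetworkInterfaces": (PREVAL, "Deployment, Decommission"),
    "ec2:DescribeRouteTables": (PREVAL, "Deployment (SCG)"),
    "servicequotas:ListAWSDefaultServiceQuotas": (PREVAL, "Deployment"),
    "servicequotas:ListServiceQuotas": (PREVAL, "Deployment"),
    "ec2:RunInstances": (PAUSE, "Deployment"),
}

# Table 1: the trust policy must let the Dell principal assume the role with
# session tags and a source identity, or access to the account fails.
TRUST_ACTIONS = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action matching is case-insensitive and '*' is a wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def action_allowed(policy, action):
    """True if an Allow statement grants `action` and no Deny statement matches it.
    Conditions/NotAction/Resource are ignored, so only a "missing" verdict is reliable."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(action, _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def missing_permissions(policy, required=REQUIRED_ACTIONS):
    """Map each required action the policy does not grant to its (impact, job type)."""
    return {a: info for a, info in required.items() if not action_allowed(policy, a)}


def missing_trust_actions(trust_policy):
    """Return the sts actions from Table 1 that the trust policy fails to grant."""
    return [a for a in TRUST_ACTIONS if not action_allowed(trust_policy, a)]


# Constructed sample permission policy: a broad ec2:Describe* grant, no Service
# Quotas actions, and a Deny on ec2:DescribeVolumes that shadows the wildcard.
SAMPLE_PERMISSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:RunInstances"]},
    {"Effect": "Deny", "Action": "ec2:describevolumes", "Resource": "*"}
  ]
}""")

# Constructed sample trust policy that omits sts:SetSourceIdentity; the principal
# ARN is a placeholder, not Dell's real account.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
                 "Principal": {"AWS": "arn:aws:iam::<DELL_ACCOUNT_ID_PLACEHOLDER>:root"}}]
}""")

if __name__ == "__main__":
    for action, (impact, job) in sorted(missing_permissions(SAMPLE_PERMISSION_POLICY).items()):
        print(f"MISSING {action:42} {job:24} -> {impact}")
    for action in missing_trust_actions(SAMPLE_TRUST_POLICY):
        print(f"TRUST POLICY MISSING {action}: access to the AWS account fails")
```

On the sample input the checker reports the two Service Quotas actions and ec2:DescribeVolumes (shadowed by the Deny) as missing, and flags the trust policy for lacking sts:SetSourceIdentity.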
