When deploying an AWS-based PowerProtect Data Manager instance, you can use IAM user roles assigned a minimum number of permissions to restrict user access. You can also use an IAM CloudFormation role assigned a minimum number of permissions to restrict CloudFormation access.
The following table lists the minimum permissions that are required for the IAM user roles.
Service | Actions | Resources | Request conditions |
---|---|---|---|
EC2 | All EC2 actions (*) | All resources | None |
SNS | ListTopics GetTopicAttributes | All resources | None |
Marketplace | ViewSubscriptions Subscribe Unsubscribe ListBuilds DescribeBuilds | All resources | None |
IAM | Write PassRole ListRoles | All resources | None |
CloudFormation | All CloudFormation actions (*) | All resources | None |
The following JSON code can be used to set these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe",
        "aws-marketplace:ListBuilds",
        "aws-marketplace:DescribeBuilds",
        "iam:ListRoles",
        "iam:ListInstanceProfiles",
        "sns:GetTopicAttributes",
        "sns:ListTopics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cloudformation:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "ec2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
The following table lists where the PowerProtect Data Manager and DDVE roles are selected from when creating the CloudFormation stack.
Role | CloudFormation template location |
---|---|
PowerProtect Data Manager | |
DDVE | |
The AWS CloudFormation service deploys the PowerProtect Data Manager and DDVE instances. By default, this service uses the same roles and permissions as the logged-in user. These permissions can be changed by selecting an IAM CloudFormation role.
When you create the CloudFormation stack, the IAM CloudFormation role is selected from
The following table lists the minimum permissions that are required for the IAM CloudFormation role.
Service | Actions | Resources | Request conditions |
---|---|---|---|
EC2 | All EC2 actions (*) | All resources | None |
IAM | Write PassRole ListRoles | All resources | IAM:PassedToService (StringLike ecs.amazonaws.com) |
The following JSON code can be used to set these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
```
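Before attaching either policy above, it can be checked offline that every statement granting `iam:PassRole` is limited by `iam:PassedToService` to the service named in the JSON, and which statements pair a wildcard action with all resources. The following Python check is an added example, not part of the product documentation; the function names and the `expected_services` default are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# The IAM CloudFormation role policy from this page, embedded so the check runs offline.
CFN_ROLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
   "Condition": {"StringLike": {"iam:PassedToService": "ec2.amazonaws.com"}}}
]}
""")

def as_list(value):
    """IAM accepts a single string (or object) wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def passrole_services(statement):
    """Services allowed by iam:PassedToService, or None when no such restriction exists."""
    services = None
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            continue  # other operators are not counted as a restriction here
        for key, value in keys.items():
            if key.lower() == "iam:passedtoservice":
                services = (services or []) + as_list(value)
    return services

def audit(policy, expected_services=("ec2.amazonaws.com",)):
    """Return (statement index, finding) pairs for the Allow statements of a policy."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if any(fnmatchcase("iam:passrole", a) for a in actions):  # also catches iam:* and *
            services = passrole_services(stmt)
            if services is None:
                findings.append((index, "PassRole without iam:PassedToService condition"))
            elif set(services) - set(expected_services):
                extra = sorted(set(services) - set(expected_services))
                findings.append((index, "PassRole to unexpected service: " + ", ".join(extra)))
        if "*" in as_list(stmt.get("Resource")):
            for action in actions:
                if action == "*" or action.endswith(":*"):
                    findings.append((index, "wildcard action on all resources: " + action))
    return findings
```

Calling `audit(CFN_ROLE_POLICY)` reports only the `ec2:*` statement; a policy whose condition names any other service principal, or omits the condition, produces a PassRole finding.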