What Cloud Manager does with AWS permissions

Cloud Manager uses an AWS account to make API calls to several AWS services, including EC2, S3, CloudFormation, IAM, the Security Token Service (STS), and the Key Management Service (KMS). The following table lists each permission that Cloud Manager requires and what it does with that permission.

| Permissions | Purpose |
|---|---|
| `ec2:StartInstances`, `ec2:StopInstances`, `ec2:DescribeInstances`, `ec2:DescribeInstanceStatus`, `ec2:RunInstances`, `ec2:TerminateInstances`, `ec2:ModifyInstanceAttribute` | Launches an ONTAP Cloud instance and stops, starts, and monitors the instance. |
| `ec2:DescribeRouteTables`, `ec2:DescribeImages` | Launches an ONTAP Cloud HA configuration. |
| `ec2:CreateTags` | Tags every resource that Cloud Manager creates with the "WorkingEnvironment" and "WorkingEnvironmentId" tags. Cloud Manager uses these tags for maintenance and cost allocation. |
| `ec2:CreateVolume`, `ec2:DescribeVolumes`, `ec2:ModifyVolumeAttribute`, `ec2:AttachVolume`, `ec2:DeleteVolume`, `ec2:DetachVolume` | Manages the EBS volumes that ONTAP Cloud uses as back-end storage. |
| `ec2:CreateSecurityGroup`, `ec2:DeleteSecurityGroup`, `ec2:DescribeSecurityGroups`, `ec2:RevokeSecurityGroupEgress`, `ec2:AuthorizeSecurityGroupEgress`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:RevokeSecurityGroupIngress` | Creates predefined security groups for ONTAP Cloud. |
| `ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces`, `ec2:DeleteNetworkInterface`, `ec2:ModifyNetworkInterfaceAttribute` | Creates and manages network interfaces for ONTAP Cloud in the target subnet. |
| `ec2:DescribeSubnets`, `ec2:DescribeVpcs` | Gets the list of destination subnets and security groups, which is needed when creating a new working environment for ONTAP Cloud. |
| `ec2:DescribeDhcpOptions` | Determines DNS servers and the default domain name when launching ONTAP Cloud instances. |
| `ec2:CreateSnapshot`, `ec2:DeleteSnapshot`, `ec2:DescribeSnapshots` | Takes snapshots of EBS volumes during initial setup and whenever an ONTAP Cloud instance is stopped. |
| `ec2:GetConsoleOutput` | Captures the ONTAP Cloud console, which is attached to AutoSupport messages. |
| `ec2:DescribeKeyPairs` | Obtains the list of available key pairs when launching instances. |
| `ec2:DescribeRegions` | Gets a list of available AWS regions. |
| `ec2:DeleteTags`, `ec2:DescribeTags` | Manages tags for resources associated with ONTAP Cloud instances. |
| `cloudformation:CreateStack`, `cloudformation:DeleteStack`, `cloudformation:DescribeStacks`, `cloudformation:DescribeStackEvents`, `cloudformation:ValidateTemplate` | Launches ONTAP Cloud instances. |
| `iam:PassRole`, `iam:CreateRole`, `iam:DeleteRole`, `iam:PutRolePolicy`, `iam:CreateInstanceProfile`, `iam:DeleteRolePolicy`, `iam:AddRoleToInstanceProfile`, `iam:RemoveRoleFromInstanceProfile`, `iam:DeleteInstanceProfile` | Launches an ONTAP Cloud HA configuration. |
| `iam:ListInstanceProfiles`, `sts:DecodeAuthorizationMessage`, `ec2:AssociateIamInstanceProfile`, `ec2:DescribeIamInstanceProfileAssociations`, `ec2:DisassociateIamInstanceProfile` | Manages instance profiles for ONTAP Cloud instances. |
| `s3:GetObject`, `s3:ListBucket` | Obtains AWS cost data for ONTAP Cloud. |
| `s3:GetBucketTagging`, `s3:GetBucketLocation`, `s3:ListAllMyBuckets` | Obtains information about AWS S3 buckets so Cloud Manager can integrate with the NetApp Data Fabric Cloud Sync service. |
| `s3:CreateBucket`, `s3:DeleteBucket`, `s3:GetLifecycleConfiguration`, `s3:PutLifecycleConfiguration`, `s3:PutBucketTagging`, `s3:ListBucketVersions` | Manages the S3 bucket that an ONTAP Cloud system uses as a capacity tier. |
| `kms:List*`, `kms:Describe*` | Obtains information about keys from the AWS Key Management Service. |
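A practical use of this table is to check that the policy actually attached to the Cloud Manager account grants no more (and no less) than what is documented. The script below is an added example, not NetApp's code: it transcribes the actions from the table into a set, then compares an IAM policy document against it, reporting granted actions that the table does not cover (including wildcards such as `iam:*` that are broader than any documented entry) and documented actions the policy does not grant. It goes slightly beyond the table by handling IAM's `*` wildcard on both sides and by ignoring `Deny` statements, which grant nothing. The `SAMPLE_POLICY` is constructed for illustration; a real review would also examine each statement's `Resource` and `Condition`.

```python
"""Audit an IAM policy document against the Cloud Manager permissions documented above."""
import fnmatch
import json

# Actions transcribed from the table on this page (exact strings, wildcards included).
DOCUMENTED_ACTIONS = frozenset({
    "ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus", "ec2:RunInstances", "ec2:TerminateInstances",
    "ec2:ModifyInstanceAttribute", "ec2:DescribeRouteTables", "ec2:DescribeImages",
    "ec2:CreateTags", "ec2:CreateVolume", "ec2:DescribeVolumes",
    "ec2:ModifyVolumeAttribute", "ec2:AttachVolume", "ec2:DeleteVolume",
    "ec2:DetachVolume", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
    "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupIngress", "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
    "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
    "ec2:DescribeDhcpOptions", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
    "ec2:DescribeSnapshots", "ec2:GetConsoleOutput", "ec2:DescribeKeyPairs",
    "ec2:DescribeRegions", "ec2:DeleteTags", "ec2:DescribeTags",
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
    "cloudformation:ValidateTemplate", "iam:PassRole", "iam:CreateRole",
    "iam:DeleteRole", "iam:PutRolePolicy", "iam:CreateInstanceProfile",
    "iam:DeleteRolePolicy", "iam:AddRoleToInstanceProfile",
    "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile",
    "iam:ListInstanceProfiles", "sts:DecodeAuthorizationMessage",
    "ec2:AssociateIamInstanceProfile", "ec2:DescribeIamInstanceProfileAssociations",
    "ec2:DisassociateIamInstanceProfile", "s3:GetObject", "s3:ListBucket",
    "s3:GetBucketTagging", "s3:GetBucketLocation", "s3:ListAllMyBuckets",
    "s3:CreateBucket", "s3:DeleteBucket", "s3:GetLifecycleConfiguration",
    "s3:PutLifecycleConfiguration", "s3:PutBucketTagging", "s3:ListBucketVersions",
    "kms:List*", "kms:Describe*",
})

# Constructed sample policy: a narrow EC2 statement, a KMS statement with one
# extra action, an over-broad IAM statement, and a Deny that grants nothing.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Compute", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeInstances",
                    "ec2:RunInstances", "ec2:TerminateInstances"]},
        {"Sid": "Keys", "Effect": "Allow", "Resource": "*",
         "Action": ["kms:ListKeys", "kms:DescribeKey", "kms:Decrypt"]},
        {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*", "Action": "iam:*"},
        {"Sid": "NoBucketDelete", "Effect": "Deny", "Resource": "*",
         "Action": "s3:DeleteBucket"},
    ],
}


def _allowed_actions(policy):
    """Collect Action entries from Allow statements only; Deny and NotAction grant nothing."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        found.extend([actions] if isinstance(actions, str) else actions)
    return found


def _matches(pattern, action):
    """IAM action names are case-insensitive and use '*' as a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return granted actions outside the documented set and documented actions not granted.

    A granted action (possibly a wildcard) is covered only if some documented entry
    matches it; so 'iam:*' is undocumented even though every documented iam: action
    falls under it. A documented entry is granted if some granted action matches it.
    """
    granted = _allowed_actions(policy)
    undocumented = sorted({a for a in granted
                           if not any(_matches(d, a) for d in DOCUMENTED_ACTIONS)})
    not_granted = sorted(d for d in DOCUMENTED_ACTIONS
                         if not any(_matches(g, d) for g in granted))
    return {"undocumented": undocumented, "not_granted": not_granted}


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Running it against the sample reports `iam:*` and `kms:Decrypt` as undocumented, and lists `kms:List*` and `s3:DeleteBucket` among the actions not granted: `kms:ListKeys` is narrower than the documented `kms:List*`, and the `Deny` statement does not count as a grant. To audit a live policy, replace `SAMPLE_POLICY` with the output of `aws iam get-policy-version` or `aws iam get-role-policy`.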