AWS permissions for the Connector
Suggest changes
PDFs
When BlueXP launches the Connector instance in AWS, it attaches a policy to the instance that provides the Connector with permissions to manage resources and processes within that AWS account. The Connector uses the permissions to make API calls to several AWS services, including EC2, S3, CloudFormation, IAM, the Key Management Service (KMS), and more.
IAM policies
The IAM policies available below provide the permissions that a Connector needs to manage resources and processes within your public cloud environment based on your AWS region.
Note the following:
-
If you create a Connector in a standard AWS region directly from BlueXP, BlueXP automatically applies policies to the Connector.
-
You need to set up the policies yourself if you deploy the Connector from the AWS Marketplace, if you manually install the Connector on a Linux host, or if you want to add additional AWS credentials to BlueXP.
-
In either case, you need to ensure that the policies are up to date as new permissions are added in subsequent releases. If new permissions are required, they will be listed in the release notes.
-
If needed, you can restrict the IAM policies by using the IAM
Conditionelement. AWS documentation: Condition element -
To view step-by-step instructions for using these policies, refer to the following pages:
Select your region to view the required policies:
Standard regions
For standard regions, the permissions are spread across two policies. Two policies are required due to a maximum character size limit for managed policies in AWS.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeTags",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:CreatePlacementGroup",
"ec2:DescribeReservedInstancesOfferings",
"ec2:AssignPrivateIpAddresses",
"ec2:CreateRoute",
"ec2:DescribeVpcs",
"ec2:ReplaceRoute",
"ec2:UnassignPrivateIpAddresses",
"ec2:DeleteSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteRoute",
"ec2:DeletePlacementGroup",
"ec2:DescribePlacementGroups",
"ec2:DescribeVolumesModifications",
"ec2:ModifyVolume",
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"cloudformation:DeleteStack",
"iam:PassRole",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:ListInstanceProfiles",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteInstanceProfile",
"iam:GetRolePolicy",
"iam:GetRole",
"sts:DecodeAuthorizationMessage",
"sts:AssumeRole",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicy",
"s3:GetBucketAcl",
"s3:PutObjectTagging",
"s3:GetObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:GetEncryptionConfiguration",
"kms:List*",
"kms:ReEncrypt*",
"kms:Describe*",
"kms:CreateGrant",
"fsx:Describe*",
"fsx:List*",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "cvoServicePolicy"
},
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSecurityGroup",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"kms:List*",
"kms:Describe*",
"ec2:DescribeVpcEndpoints",
"kms:ListAliases",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryExecution",
"glue:GetDatabase",
"glue:GetTable",
"glue:CreateTable",
"glue:CreateDatabase",
"glue:GetPartitions",
"glue:BatchCreatePartition",
"glue:BatchDeletePartition"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "backupPolicy"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketAcl",
"s3:PutBucketPublicAccessBlock",
"s3:GetObject",
"s3:PutEncryptionConfiguration",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
"s3:PutBucketAcl",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteBucket",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:PutObjectVersionTagging",
"s3:PutObjectRetention",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketVersioning",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketVersioning",
"s3:BypassGovernanceRetention",
"s3:PutBucketPolicy",
"s3:PutBucketOwnershipControls"
],
"Resource": [
"arn:aws:s3:::netapp-backup-*"
],
"Effect": "Allow",
"Sid": "backupS3Policy"
},
{
"Action": [
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucket"
],
"Resource": [
"arn:aws:s3:::fabric-pool*"
],
"Effect": "Allow",
"Sid": "fabricPoolS3Policy"
},
{
"Action": [
"ec2:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "fabricPoolPolicy"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/netapp-adc-manager": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:StopInstances",
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Action": [
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeTags",
"tag:getResources",
"tag:getTagKeys",
"tag:getTagValues",
"tag:TagResources",
"tag:UntagResources"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "tagServicePolicy"
}
]
}GovCloud (US) regions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListInstanceProfiles",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"ec2:ModifyVolumeAttribute",
"sts:DecodeAuthorizationMessage",
"ec2:DescribeImages",
"ec2:DescribeRouteTables",
"ec2:DescribeInstances",
"iam:PassRole",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:StopInstances",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:CreateBucket",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"kms:List*",
"kms:ReEncrypt*",
"kms:Describe*",
"kms:CreateGrant",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws-us-gov:s3:::fabric-pool*"
]
},
{
"Sid": "backupPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws-us-gov:s3:::netapp-backup-*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-us-gov:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-us-gov:ec2:*:*:volume/*"
]
}
]
}Secret regions
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"kms:List*",
"kms:Describe*",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"iam:ListinstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-iso-b:s3:::fabric-pool*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-iso-b:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-iso-b:ec2:*:*:volume/*"
]
}
]
}Top Secret regions
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"kms:List*",
"kms:Describe*",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"iam:ListinstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-iso:s3:::fabric-pool*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-iso:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-iso:ec2:*:*:volume/*"
]
}
]
}How the AWS permissions are used
The following sections describe how the permissions are used for each BlueXP service. This information can be helpful if your corporate policies dictate that permissions are only provided as needed.
Amazon FSx for ONTAP
The Connector makes the following API requests to manage an Amazon FSx for ONTAP file system:
-
ec2:DescribeInstances
-
ec2:DescribeInstanceStatus
-
ec2:DescribeInstanceAttribute
-
ec2:DescribeRouteTables
-
ec2:DescribeImages
-
ec2:CreateTags
-
ec2:DescribeVolumes
-
ec2:DescribeSecurityGroups
-
ec2:DescribeNetworkInterfaces
-
ec2:DescribeSubnets
-
ec2:DescribeVpcs
-
ec2:DescribeDhcpOptions
-
ec2:DescribeSnapshots
-
ec2:DescribeKeyPairs
-
ec2:DescribeRegions
-
ec2:DescribeTags
-
ec2:DescribeIamInstanceProfileAssociations
-
ec2:DescribeReservedInstancesOfferings
-
ec2:DescribeVpcEndpoints
-
ec2:DescribeVpcs
-
ec2:DescribeVolumesModifications
-
ec2:DescribePlacementGroups
-
kms:List*
-
kms:Describe*
-
kms:CreateGrant
-
kms:ListAliases
-
fsx:Describe*
-
fsx:List*
Amazon S3 bucket discovery
The Connector makes the following API request to discover Amazon S3 buckets:
s3:GetEncryptionConfiguration
Backup and recovery
The Connector makes the following API requests to manage backups in Amazon S3:
-
s3:GetBucketLocation
-
s3:ListAllMyBuckets
-
s3:ListBucket
-
s3:CreateBucket
-
s3:GetLifecycleConfiguration
-
s3:PutLifecycleConfiguration
-
s3:PutBucketTagging
-
s3:ListBucketVersions
-
s3:GetBucketAcl
-
s3:PutBucketPublicAccessBlock
-
kms:List*
-
kms:Describe*
-
s3:GetObject
-
ec2:DescribeVpcEndpoints
-
kms:ListAliases
-
s3:PutEncryptionConfiguration
The Connector makes the following API requests when you use the Search & Restore method to restore volumes and files:
-
s3:CreateBucket
-
s3:DeleteObject
-
s3:DeleteObjectVersion
-
s3:GetBucketAcl
-
s3:ListBucket
-
s3:ListBucketVersions
-
s3:ListBucketMultipartUploads
-
s3:PutObject
-
s3:PutBucketAcl
-
s3:PutLifecycleConfiguration
-
s3:PutBucketPublicAccessBlock
-
s3:AbortMultipartUpload
-
s3:ListMultipartUploadParts
-
athena:StartQueryExecution
-
athena:GetQueryResults
-
athena:GetQueryExecution
-
athena:StopQueryExecution
-
glue:CreateDatabase
-
glue:CreateTable
-
glue:BatchDeletePartition
The Connector makes the following API requests when you use DataLock and Ransomware protection for your volume backups:
-
s3:GetObjectVersionTagging
-
s3:GetBucketObjectLockConfiguration
-
s3:GetObjectVersionAcl
-
s3:PutObjectTagging
-
s3:DeleteObject
-
s3:DeleteObjectTagging
-
s3:GetObjectRetention
-
s3:DeleteObjectVersionTagging
-
s3:PutObject
-
s3:GetObject
-
s3:PutBucketObjectLockConfiguration
-
s3:GetLifecycleConfiguration
-
s3:ListBucketByTags
-
s3:GetBucketTagging
-
s3:DeleteObjectVersion
-
s3:ListBucketVersions
-
s3:ListBucket
-
s3:PutBucketTagging
-
s3:GetObjectTagging
-
s3:PutBucketVersioning
-
s3:PutObjectVersionTagging
-
s3:GetBucketVersioning
-
s3:GetBucketAcl
-
s3:BypassGovernanceRetention
-
s3:PutObjectRetention
-
s3:GetBucketLocation
-
s3:GetObjectVersion
The Connector makes the following API requests if you use a different AWS account for your Cloud Volumes ONTAP backups than you're using for the source volumes:
-
s3:PutBucketPolicy
-
s3:PutBucketOwnershipControls
Classification
The Connector makes the following API requests to deploy the BlueXP classification instance:
-
ec2:DescribeInstances
-
ec2:DescribeInstanceStatus
-
ec2:RunInstances
-
ec2:TerminateInstances
-
ec2:CreateTags
-
ec2:CreateVolume
-
ec2:AttachVolume
-
ec2:CreateSecurityGroup
-
ec2:DeleteSecurityGroup
-
ec2:DescribeSecurityGroups
-
ec2:CreateNetworkInterface
-
ec2:DescribeNetworkInterfaces
-
ec2:DeleteNetworkInterface
-
ec2:DescribeSubnets
-
ec2:DescribeVpcs
-
ec2:CreateSnapshot
-
ec2:DescribeRegions
-
cloudformation:CreateStack
-
cloudformation:DeleteStack
-
cloudformation:DescribeStacks
-
cloudformation:DescribeStackEvents
-
iam:AddRoleToInstanceProfile
-
ec2:AssociateIamInstanceProfile
-
ec2:DescribeIamInstanceProfileAssociations
The Connector makes the following API requests to scan S3 buckets when you use BlueXP classification:
-
iam:AddRoleToInstanceProfile
-
ec2:AssociateIamInstanceProfile
-
ec2:DescribeIamInstanceProfileAssociations
-
s3:GetBucketTagging
-
s3:GetBucketLocation
-
s3:ListAllMyBuckets
-
s3:ListBucket
-
s3:GetBucketPolicyStatus
-
s3:GetBucketPolicy
-
s3:GetBucketAcl
-
s3:GetObject
-
iam:GetRole
-
s3:DeleteObject
-
s3:DeleteObjectVersion
-
s3:PutObject
-
sts:AssumeRole
Cloud Volumes ONTAP
The Connector makes the following API requests to deploy and manage Cloud Volumes ONTAP in AWS.
| Purpose | Action | Used for deployment? | Used for daily operations? | Used for deletion? |
|---|---|---|---|---|
Create and manage IAM roles and instance profiles for Cloud Volumes ONTAP instances |
iam:ListInstanceProfiles |
Yes |
Yes |
No |
iam:CreateRole |
Yes |
No |
No |
|
iam:DeleteRole |
No |
Yes |
Yes |
|
iam:PutRolePolicy |
Yes |
No |
No |
|
iam:CreateInstanceProfile |
Yes |
No |
No |
|
iam:DeleteRolePolicy |
No |
Yes |
Yes |
|
iam:AddRoleToInstanceProfile |
Yes |
No |
No |
|
iam:RemoveRoleFromInstanceProfile |
No |
Yes |
Yes |
|
iam:DeleteInstanceProfile |
No |
Yes |
Yes |
|
iam:PassRole |
Yes |
No |
No |
|
ec2:AssociateIamInstanceProfile |
Yes |
Yes |
No |
|
ec2:DescribeIamInstanceProfileAssociations |
Yes |
Yes |
No |
|
ec2:DisassociateIamInstanceProfile |
No |
Yes |
No |
|
Decode authorization status messages |
sts:DecodeAuthorizationMessage |
Yes |
Yes |
No |
Describe the specified images (AMIs) available to the account |
ec2:DescribeImages |
Yes |
Yes |
No |
Describe the route tables in a VPC (required for HA pairs only) |
ec2:DescribeRouteTables |
Yes |
No |
No |
Stop, start, and monitor instances |
ec2:StartInstances |
Yes |
Yes |
No |
ec2:StopInstances |
Yes |
Yes |
No |
|
ec2:DescribeInstances |
Yes |
Yes |
No |
|
ec2:DescribeInstanceStatus |
Yes |
Yes |
No |
|
ec2:RunInstances |
Yes |
No |
No |
|
ec2:TerminateInstances |
No |
No |
Yes |
|
ec2:ModifyInstanceAttribute |
No |
Yes |
No |
|
Verify that enhanced networking is enabled for supported instance types |
ec2:DescribeInstanceAttribute |
No |
Yes |
No |
Tag resources with the "WorkingEnvironment" and "WorkingEnvironmentId" tags which are used for maintenance and cost allocation |
ec2:CreateTags |
Yes |
Yes |
No |
Manage EBS volumes that Cloud Volumes ONTAP uses as back-end storage |
ec2:CreateVolume |
Yes |
Yes |
No |
ec2:DescribeVolumes |
Yes |
Yes |
Yes |
|
ec2:ModifyVolumeAttribute |
No |
Yes |
Yes |
|
ec2:AttachVolume |
Yes |
Yes |
No |
|
ec2:DeleteVolume |
No |
Yes |
Yes |
|
ec2:DetachVolume |
No |
Yes |
Yes |
|
Create and manage security groups for Cloud Volumes ONTAP |
ec2:CreateSecurityGroup |
Yes |
No |
No |
ec2:DeleteSecurityGroup |
No |
Yes |
Yes |
|
ec2:DescribeSecurityGroups |
Yes |
Yes |
Yes |
|
ec2:RevokeSecurityGroupEgress |
Yes |
No |
No |
|
ec2:AuthorizeSecurityGroupEgress |
Yes |
No |
No |
|
ec2:AuthorizeSecurityGroupIngress |
Yes |
No |
No |
|
ec2:RevokeSecurityGroupIngress |
Yes |
Yes |
No |
|
Create and manage network interfaces for Cloud Volumes ONTAP in the target subnet |
ec2:CreateNetworkInterface |
Yes |
No |
No |
ec2:DescribeNetworkInterfaces |
Yes |
Yes |
No |
|
ec2:DeleteNetworkInterface |
No |
Yes |
Yes |
|
ec2:ModifyNetworkInterfaceAttribute |
No |
Yes |
No |
|
Get the list of destination subnets and security groups |
ec2:DescribeSubnets |
Yes |
Yes |
No |
ec2:DescribeVpcs |
Yes |
Yes |
No |
|
Get DNS servers and the default domain name for Cloud Volumes ONTAP instances |
ec2:DescribeDhcpOptions |
Yes |
No |
No |
Take snapshots of EBS volumes for Cloud Volumes ONTAP |
ec2:CreateSnapshot |
Yes |
Yes |
No |
ec2:DeleteSnapshot |
No |
Yes |
Yes |
|
ec2:DescribeSnapshots |
No |
Yes |
No |
|
Capture the Cloud Volumes ONTAP console, which is attached to AutoSupport messages |
ec2:GetConsoleOutput |
Yes |
Yes |
No |
Get the list of available key pairs |
ec2:DescribeKeyPairs |
Yes |
No |
No |
Get the list of available AWS regions |
ec2:DescribeRegions |
Yes |
Yes |
No |
Manage tags for resources associated with Cloud Volumes ONTAP instances |
ec2:DeleteTags |
No |
Yes |
Yes |
ec2:DescribeTags |
No |
Yes |
No |
|
Create and manage stacks for AWS CloudFormation templates |
cloudformation:CreateStack |
Yes |
No |
No |
cloudformation:DeleteStack |
Yes |
No |
No |
|
cloudformation:DescribeStacks |
Yes |
Yes |
No |
|
cloudformation:DescribeStackEvents |
Yes |
No |
No |
|
cloudformation:ValidateTemplate |
Yes |
No |
No |
|
Create and manage an S3 bucket that a Cloud Volumes ONTAP system uses as a capacity tier for data tiering |
s3:CreateBucket |
Yes |
Yes |
No |
s3:DeleteBucket |
No |
Yes |
Yes |
|
s3:GetLifecycleConfiguration |
No |
Yes |
No |
|
s3:PutLifecycleConfiguration |
No |
Yes |
No |
|
s3:PutBucketTagging |
No |
Yes |
No |
|
s3:ListBucketVersions |
No |
Yes |
No |
|
s3:GetBucketPolicyStatus |
No |
Yes |
No |
|
s3:GetBucketPublicAccessBlock |
No |
Yes |
No |
|
s3:GetBucketAcl |
No |
Yes |
No |
|
s3:GetBucketPolicy |
No |
Yes |
No |
|
s3:PutBucketPublicAccessBlock |
No |
Yes |
No |
|
s3:GetBucketTagging |
No |
Yes |
No |
|
s3:GetBucketLocation |
No |
Yes |
No |
|
s3:ListAllMyBuckets |
No |
No |
No |
|
s3:ListBucket |
No |
Yes |
No |
|
Enable data encryption of Cloud Volumes ONTAP using the AWS Key Management Service (KMS) |
kms:List* |
Yes |
Yes |
No |
kms:ReEncrypt* |
Yes |
No |
No |
|
kms:Describe* |
Yes |
Yes |
No |
|
kms:CreateGrant |
Yes |
Yes |
No |
|
kms:GenerateDataKeyWithoutPlaintext |
Yes |
Yes |
No |
|
Create and manage an AWS spread placement group for two HA nodes and the mediator in a single AWS Availability Zone |
ec2:CreatePlacementGroup |
Yes |
No |
No |
ec2:DeletePlacementGroup |
No |
Yes |
Yes |
|
Create reports |
fsx:Describe* |
No |
Yes |
No |
fsx:List* |
No |
Yes |
No |
|
Create and manage aggregates that support the Amazon EBS Elastic Volumes feature |
ec2:DescribeVolumesModifications |
No |
Yes |
No |
ec2:ModifyVolume |
No |
Yes |
No |
|
Check whether the Availability Zone is an AWS Local Zone and validates that all deployment parameters are compatible |
ec2:DescribeAvailabilityZones |
Yes |
No |
Yes |
Change log
As permissions are added and removed, we'll note them in the sections below.
9 September 2024
Permissions were removed from policy #2 for standard regions because BlueXP no longer supports BlueXP edge caching and discovery and management of Kubernetes clusters.
View the permissions that were removed from the policy
{
"Action": [
"ec2:DescribeRegions",
"eks:ListClusters",
"eks:DescribeCluster",
"iam:GetInstanceProfile"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "K8sServicePolicy"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudwatch:GetMetricStatistics",
"cloudformation:ListStacks"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "GFCservicePolicy"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/GFCInstance": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},9 May 2024
The following permissions is now required for Cloud Volumes ONTAP:
ec2:DescribeAvailabilityZones
6 June 2023
The following permission is now required for Cloud Volumes ONTAP:
kms:GenerateDataKeyWithoutPlaintext
14 February 2023
The following permission is now required for BlueXP tiering:
ec2:DescribeVpcEndpoints