Required permissions for the Connector in AWS

Contributors netapp-bcammett

Cloud Manager requires permissions to perform actions in your cloud provider. These permissions are included in the policies provided by NetApp. You might want to understand what Cloud Manager does with these permissions.

Cloud Manager uses an AWS account to make API calls to several AWS services, including EC2, S3, CloudFormation, IAM, the Security Token Service (STS), and the Key Management Service (KMS).

Actions Purpose

"ec2:StartInstances",
"ec2:StopInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:ModifyInstanceAttribute",

Launches a Cloud Volumes ONTAP instance and stops, starts, and monitors the instance.

"ec2:DescribeInstanceAttribute",

Verifies that enhanced networking is enabled for supported instance types.

"ec2:DescribeRouteTables",
"ec2:DescribeImages",

Launches a Cloud Volumes ONTAP HA configuration.

"ec2:CreateTags",

Tags every resource that Cloud Manager creates with the "WorkingEnvironment" and "WorkingEnvironmentId" tags. Cloud Manager uses these tags for maintenance and cost allocation.

"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:AttachVolume",
"ec2:DeleteVolume",
"ec2:DetachVolume",

Manages the EBS volumes that Cloud Volumes ONTAP uses as back-end storage.

"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",

Creates predefined security groups for Cloud Volumes ONTAP.

"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",

Creates and manages network interfaces for Cloud Volumes ONTAP in the target subnet.

"ec2:DescribeSubnets",
"ec2:DescribeVpcs",

Gets the list of destination subnets and security groups, which is needed when creating a new working environment for Cloud Volumes ONTAP.

"ec2:DescribeDhcpOptions",

Determines DNS servers and the default domain name when launching Cloud Volumes ONTAP instances.

"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",

Takes snapshots of EBS volumes during initial setup and whenever a Cloud Volumes ONTAP instance is stopped.

"ec2:GetConsoleOutput",

Captures the Cloud Volumes ONTAP console, which is attached to AutoSupport messages.

"ec2:DescribeKeyPairs",

Obtains the list of available key pairs when launching instances.

"ec2:DescribeRegions",

Gets a list of available AWS regions.

"ec2:DeleteTags",
"ec2:DescribeTags",

Manages tags for resources associated with Cloud Volumes ONTAP instances.

"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",

Launches Cloud Volumes ONTAP instances.

"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",

Launches a Cloud Volumes ONTAP HA configuration.

"iam:ListInstanceProfiles",
"sts:DecodeAuthorizationMessage",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",

Manages instance profiles for Cloud Volumes ONTAP instances.

"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket"

Obtains information about AWS S3 buckets so Cloud Manager can integrate with the NetApp Data Fabric Cloud Sync service.

"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"

Manages the S3 bucket that a Cloud Volumes ONTAP system uses as a capacity tier for data tiering.

"kms:List*",
"kms:ReEncrypt*",
"kms:Describe*",
"kms:CreateGrant",

Enables data encryption of Cloud Volumes ONTAP using the AWS Key Management Service (KMS).

"ce:GetReservationUtilization",
"ce:GetDimensionValues",
"ce:GetCostAndUsage",
"ce:GetTags"

Obtains AWS cost data for Cloud Volumes ONTAP.

"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup"

When you deploy an HA configuration in a single AWS Availability Zone, Cloud Manager launches the two HA nodes and the mediator in an AWS spread placement group.

"ec2:DescribeReservedInstancesOfferings"

Cloud Manager uses the permission as part of Cloud Data Sense deployment to choose which instance type to use.

"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeTags",
"tag:getResources",
"tag:getTagKeys",
"tag:getTagValues",
"tag:TagResources",
"tag:UntagResources"

Enables you to manage tags on your AWS resources using the Cloud Manager Tagging service.

"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation"
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"

Cloud Manager uses these permissions when you enable the Backup to S3 service.

"eks:ListClusters",
"eks:DescribeCluster",
"iam:GetInstanceProfile",

Enables discovery of Amazon EKS clusters.

"ec2:DescribePlacementGroups",
"iam:GetRolePolicy",

Creates an AWS spread placement group for an HA pair that’s deployed in a single Availability Zone (AZ).