Permissions for BlueXP workload factory
Suggest changes
PDFs
To use BlueXP workload factory features and services, you'll need to provide permissions so that workload factory can perform operations in your cloud environment.
Why use permissions
When you provide read-only or read/write mode permissions, workload factory attaches a policy to the instance with permissions to manage resources and processes within that AWS account. This allows workload factory to execute various operations starting from discovery of your storage environments to deploying AWS resources such as file systems in storage management or knowledge bases for GenAI workloads.
For database workloads for example, when workload factory is granted with the required permissions, it scans all EC2 instances in a given account and region, and filters all Windows-based machines. If AWS Systems Manager (SSM) Agent is installed and running on the host and System Manager networking is configured properly, workload factory can access the Windows machine and verify whether SQL Server software is installed or not.
Permissions by workload
Each workload uses permissions to perform certain tasks in workload factory. Scroll to the workload you use to view the list of permissions, their purpose, where they are used, and which modes support them.
Permissions for Storage
The IAM policies available for Storage provide the permissions that workload factory needs to manage resources and processes within your public cloud environment based on the operational mode you operate in.
Select your operational mode to view the required IAM policies:
IAM policies for Storage
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"fsx:Describe*",
"fsx:ListTagsForResource",
"ec2:Describe*",
"kms:Describe*",
"elasticfilesystem:Describe*",
"kms:List*",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"fsx:*",
"ec2:Describe*",
"ec2:CreateTags",
"ec2:CreateSecurityGroup",
"iam:CreateServiceLinkedRole",
"kms:Describe*",
"elasticfilesystem:Describe*",
"kms:List*",
"kms:CreateGrant",
"cloudwatch:PutMetricData",
"cloudwatch:GetMetricData",
"iam:SimulatePrincipalPolicy",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/AppCreator": "NetappFSxWF"
}
}
}
]
}The following table displays the permissions for Storage.
Table of permissions for Storage
| Purpose | Action | Where used | Mode |
|---|---|---|---|
Create an FSx for ONTAP file system |
fsx:CreateFileSystem* |
Deployment |
Read/Write |
Create a security group for an FSx for ONTAP file system |
ec2:CreateSecurityGroup |
Deployment |
Read/Write |
Add tags to a security group for an FSx for ONTAP file system |
ec2:CreateTags |
Deployment |
Read/Write |
Authorize security group egress and ingress for an FSx for ONTAP file system |
ec2:AuthorizeSecurityGroupEgress |
Deployment |
Read/Write |
ec2:AuthorizeSecurityGroupIngress |
Deployment |
Read/Write |
|
Granted role provides communication between FSx for ONTAP and other AWS services |
iam:CreateServiceLinkedRole |
Deployment |
Read/Write |
Get details to fill in the FSx for ONTAP file system deployment form |
ec2:DescribeVpcs |
|
|
ec2:DescribeSubnets |
|
|
|
ec2:DescribeRegions |
|
|
|
ec2:DescribeSecurityGroups |
|
|
|
ec2:DescribeRouteTables |
|
|
|
ec2:DescribeNetworkInterfaces |
|
|
|
ec2:DescribeVolumeStatus |
|
|
|
Get KMS key details and use for FSx for ONTAP encryption |
kms:CreateGrant |
Deployment |
Read/Write |
kms:Describe* |
Deployment |
|
|
kms:List* |
Deployment |
|
|
Get volume details for EC2 instances |
ec2:DescribeVolumes |
|
|
Get details for EC2 instances |
ec2:DescribeInstances |
Explore savings |
|
Describe Elastic File System in the savings calculator |
elasticfilesystem:Describe* |
Explore savings |
Read-only |
List tags for FSx for ONTAP resources |
fsx:ListTagsForResource |
Inventory |
|
Manage security group egress and ingress for an FSx for ONTAP file system |
ec2:RevokeSecurityGroupIngress |
Management operations |
Read/Write |
ec2:DeleteSecurityGroup |
Management operations |
Read/Write |
|
Create, view, and manage FSx for ONTAP file system resources |
fsx:CreateVolume* |
Management operations |
Read/Write |
fsx:TagResource* |
Management operations |
Read/Write |
|
fsx:CreateStorageVirtualMachine* |
Management operations |
Read/Write |
|
fsx:DeleteFileSystem* |
Management operations |
Read/Write |
|
fsx:DeleteStorageVirtualMachine* |
Management operations |
Read/Write |
|
fsx:DescribeFileSystems* |
Inventory |
|
|
fsx:DescribeStorageVirtualMachines* |
Inventory |
|
|
fsx:UpdateFileSystem* |
Management operations |
Read/Write |
|
fsx:UpdateStorageVirtualMachine* |
Management operations |
Read/Write |
|
fsx:DescribeVolumes* |
Inventory |
|
|
fsx:UpdateVolume* |
Management operations |
Read/Write |
|
fsx:DeleteVolume* |
Management operations |
Read/Write |
|
fsx:UntagResource* |
Management operations |
Read/Write |
|
fsx:DescribeBackups* |
Management operations |
|
|
fsx:CreateBackup* |
Management operations |
Read/Write |
|
fsx:CreateVolumeFromBackup* |
Management operations |
Read/Write |
|
Report CloudWatch metrics |
cloudwatch:PutMetricData |
Management operations |
Read/Write |
Get file system and volume metrics |
cloudwatch:GetMetricData |
Management operations |
|
cloudwatch:GetMetricStatistics |
Management operations |
|
Permissions for Database workloads
The IAM policies available for Database workloads provide the permissions that workload factory needs to manage resources and processes within your public cloud environment based on the operational mode you operate in.
Select your operational mode to view the required IAM policies:
IAM policies for Database workloads
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CommonGroup",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"sns:ListTopics",
"ec2:DescribeInstances",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeKeyPairs",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstanceTypes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeAddresses",
"kms:ListAliases",
"kms:ListKeys",
"kms:DescribeKey",
"cloudformation:ListStacks",
"cloudformation:DescribeAccountLimits",
"ds:DescribeDirectories",
"fsx:DescribeVolumes",
"fsx:DescribeBackups",
"fsx:DescribeStorageVirtualMachines",
"fsx:DescribeFileSystems",
"servicequotas:ListServiceQuotas",
"ssm:GetParametersByPath",
"ssm:GetCommandInvocation",
"ssm:SendCommand",
"ssm:GetConnectionStatus",
"ssm:DescribePatchBaselines",
"ssm:DescribeInstancePatchStates",
"ssm:ListCommands",
"ssm:DescribeInstanceInformation",
"fsx:ListTagsForResource"
"logs:DescribeLogGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "SSMParameterStore",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter",
"ssm:DeleteParameters"
],
"Resource": "arn:aws:ssm:*:*:parameter/netapp/wlmdb/*"
},
{
"Sid": "SSMResponseCloudWatch",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:PutRetentionPolicy"
],
"Resource": "arn:aws:logs:*:*:log-group:netapp/wlmdb/*"
},
{
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2Group",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AllocateHosts",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
"ec2:AssociateSubnetCidrBlock",
"ec2:AssociateVpcCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateVolume",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DetachNetworkInterface",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:DisassociateIamInstanceProfile",
"ec2:DisassociateRouteTable",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DisassociateVpcCidrBlock",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyInstancePlacement",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVolume",
"ec2:ModifyVolumeAttribute",
"ec2:ReleaseAddress",
"ec2:ReplaceRoute",
"ec2:ReplaceRouteTableAssociation",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/aws:cloudformation:stack-name": "WLMDB*"
}
}
},
{
"Sid": "FSxNGroup",
"Effect": "Allow",
"Action": [
"fsx:TagResource"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/aws:cloudformation:stack-name": "WLMDB*"
}
}
},
{
"Sid": "CommonGroup",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks",
"cloudformation:ValidateTemplate",
"cloudformation:DescribeAccountLimits",
"cloudwatch:GetMetricStatistics",
"ds:DescribeDirectories",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVpcEndpoint",
"ec2:Describe*",
"ec2:Get*",
"ec2:RunInstances",
"ec2:ModifyVpcAttribute",
"ec2messages:*",
"fsx:CreateFileSystem",
"fsx:UpdateFileSystem",
"fsx:CreateStorageVirtualMachine",
"fsx:CreateVolume",
"fsx:UpdateVolume",
"fsx:Describe*",
"fsx:List*",
"kms:CreateGrant",
"kms:Describe*",
"kms:List*",
"kms:GenerateDataKey",
"kms:Decrypt",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLog*",
"logs:GetLog*",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:TagResource",
"logs:PutRetentionPolicy",
"servicequotas:ListServiceQuotas",
"sns:ListTopics",
"sns:Publish",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:PutInventory",
"ssm:SendCommand",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation",
"ssmmessages:*",
"compute-optimizer:GetEnrollmentStatus",
"compute-optimizer:PutRecommendationPreferences",
"compute-optimizer:GetEffectiveRecommendationPreferences",
"compute-optimizer:GetEC2InstanceRecommendations",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances"
],
"Resource": "*"
},
{
"Sid": "ArnGroup",
"Effect": "Allow",
"Action": [
"cloudformation:SignalResource"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/WLMDB*",
"arn:aws:logs:*:*:log-group:WLMDB*"
]
},
{
"Sid": "IAMGroup",
"Effect": "Allow",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IAMGroup1",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "ec2.amazonaws.com"
}
}
},
{
"Sid": "IAMGroup2",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
},
{
"Sid": "SSMParameterStore",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter",
"ssm:DeleteParameters"
],
"Resource": "arn:aws:ssm:*:*:parameter/netapp/wlmdb/*"
},
{
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
}
]
}The following table displays the permissions for database workloads.
Table of permissions for database workloads
| Purpose | Action | Where used | Mode |
|---|---|---|---|
Get metric statistics for FSx for ONTAP, EBS, and FSx for Windows File Server and for compute optimization recommendation |
cloudwatch:GetMetricStatistics |
|
|
Gather performance metrics saved to Amazon CloudWatch from registered SQL nodes. Data generates in performance trend charts on the manage instance screen for registered SQL instances. |
cloudwatch:GetMetricData |
Inventory |
Read-only |
List and set triggers for events |
sns:ListTopics |
Deployment |
|
Get details for EC2 instances |
ec2:DescribeInstances |
|
|
ec2:DescribeKeyPairs |
Deployment |
|
|
ec2:DescribeNetworkInterfaces |
Deployment |
|
|
ec2:DescribeInstanceTypes |
|
|
|
Get details to fill in the FSx for ONTAP deployment form |
ec2:DescribeVpcs |
|
|
ec2:DescribeSubnets |
|
|
|
ec2:DescribeSecurityGroups |
Deployment |
|
|
ec2:DescribeImages |
Deployment |
|
|
ec2:DescribeRegions |
Deployment |
|
|
ec2:DescribeRouteTables |
|
|
|
Get any existing VPC endpoints to determine if new endpoints need to be created before deployments |
ec2:DescribeVpcEndpoints |
|
|
Create VPC endpoints if they don't exist for required services irrespective of public network connectivity on EC2 instances |
ec2:CreateVpcEndpoint |
Deployment |
Read/Write |
Get instance types available in region for validation nodes (t2.micro/t3.micro) |
ec2:DescribeInstanceTypeOfferings |
Deployment |
|
Get snapshot details of each attached EBS volumes for pricing and savings estimate |
ec2:DescribeSnapshots |
Explore savings |
|
Get details of each attached EBS volumes for pricing and savings estimate |
ec2:DescribeVolumes |
|
|
Get KMS key details for FSx for ONTAP file system encryption |
kms:ListAliases |
Deployment |
|
kms:ListKeys |
Deployment |
|
|
kms:DescribeKey |
Deployment |
|
|
Get list of CloudFormation stacks running in the environment to check quota limit |
cloudformation:ListStacks |
Deployment |
|
Check account limits for resources before triggering deployment |
cloudformation:DescribeAccountLimits |
Deployment |
|
Get list of AWS-managed Active Directories in the region |
ds:DescribeDirectories |
Deployment |
|
Get lists and details of volumes, backups, SVMs, file systems in AZs, and tags for FSx for ONTAP file system |
fsx:DescribeVolumes |
|
|
fsx:DescribeBackups |
|
|
|
fsx:DescribeStorageVirtualMachines |
|
|
|
fsx:DescribeFileSystems |
|
|
|
fsx:ListTagsForResource |
Manage operations |
|
|
Get service quota limits for CloudFormation and VPC |
servicequotas:ListServiceQuotas |
Deployment |
|
Use SSM-based query to get the updated list of FSx for ONTAP supported regions |
ssm:GetParametersByPath |
Deployment |
|
Poll for SSM response after sending command for manage operations post deployment |
ssm:GetCommandInvocation |
|
|
Send commands over SSM to EC2 instances |
ssm:SendCommand |
|
|
Get the SSM connectivity status on instances post deployment |
ssm:GetConnectionStatus |
|
|
Fetch SSM association status for a group of managed EC2 instances (SQL nodes) |
ssm:DescribeInstanceInformation |
Inventory |
Read |
Get the list of available patch baselines for operating system patch assessment |
ssm:DescribePatchBaselines |
Optimization |
|
Get the patching state on Windows EC2 instances for operating system patch assessment |
ssm:DescribeInstancePatchStates |
Optimization |
|
List commands executed by AWS Patch Manager on EC2 instances for operating system patch management |
ssm:ListCommands |
Optimization |
|
Check if account is enrolled in AWS Compute Optimizer |
compute-optimizer:GetEnrollmentStatus |
|
Read/Write |
Update an existing recommendation preference in AWS Compute Optimizer to tailor suggestions for SQL server workloads |
compute-optimizer:PutRecommendationPreferences |
|
Read/Write |
Get recommendation preferences that are in effect for a given resource from AWS Compute Optimizer |
compute-optimizer:GetEffectiveRecommendationPreferences |
|
Read/Write |
Fetch recommendations that AWS Compute Optimizer generates for Amazon Elastic Compute Cloud (Amazon EC2) instances |
compute-optimizer:GetEC2InstanceRecommendations |
|
Read/Write |
Check for instance association to auto-scaling groups |
autoscaling:DescribeAutoScalingGroups |
|
Read/Write |
autoscaling:DescribeAutoScalingInstances |
|
Read/Write |
|
Get, list, create, and delete SSM parameters for AD, FSx for ONTAP, and SQL user credentials used during deployment or managed in your AWS account |
ssm:GetParameter 1 |
|
|
ssm:GetParameters 1 |
Manage operations |
|
|
ssm:PutParameter 1 |
|
|
|
ssm:DeleteParameters 1 |
Manage operations |
|
|
Associate network resources to SQL nodes and validation nodes, and add additional secondary IPs to SQL nodes |
ec2:AllocateAddress 1 |
Deployment |
Read/Write |
ec2:AllocateHosts 1 |
Deployment |
Read/Write |
|
ec2:AssignPrivateIpAddresses 1 |
Deployment |
Read/Write |
|
ec2:AssociateAddress 1 |
Deployment |
Read/Write |
|
ec2:AssociateRouteTable 1 |
Deployment |
Read/Write |
|
ec2:AssociateSubnetCidrBlock 1 |
Deployment |
Read/Write |
|
ec2:AssociateVpcCidrBlock 1 |
Deployment |
Read/Write |
|
ec2:AttachInternetGateway 1 |
Deployment |
Read/Write |
|
ec2:AttachNetworkInterface 1 |
Deployment |
Read/Write |
|
Attach EBS volumes required to the SQL nodes for deployment |
ec2:AttachVolume |
Deployment |
Read/Write |
Attach security groups and modify rules for the provisioned nodes |
ec2:AuthorizeSecurityGroupEgress |
Deployment |
Read/Write |
ec2:AuthorizeSecurityGroupIngress |
Deployment |
Read/Write |
|
Create EBS volumes required to the SQL nodes for deployment |
ec2:CreateVolume |
Deployment |
Read/Write |
Remove the temporary validation nodes created of type t2.micro and for rollback or retry of failed EC2 SQL nodes |
ec2:DeleteNetworkInterface |
Deployment |
Read/Write |
ec2:DeleteSecurityGroup |
Deployment |
Read/Write |
|
ec2:DeleteTags |
Deployment |
Read/Write |
|
ec2:DeleteVolume |
Deployment |
Read/Write |
|
ec2:DetachNetworkInterface |
Deployment |
Read/Write |
|
ec2:DetachVolume |
Deployment |
Read/Write |
|
ec2:DisassociateAddress |
Deployment |
Read/Write |
|
ec2:DisassociateIamInstanceProfile |
Deployment |
Read/Write |
|
ec2:DisassociateRouteTable |
Deployment |
Read/Write |
|
ec2:DisassociateSubnetCidrBlock |
Deployment |
Read/Write |
|
ec2:DisassociateVpcCidrBlock |
Deployment |
Read/Write |
|
Modify attributes for created SQL instances. Only applicable to names that start with WLMDB. |
ec2:ModifyInstanceAttribute |
Deployment |
Read/Write |
ec2:ModifyInstancePlacement |
Deployment |
Read/Write |
|
ec2:ModifyNetworkInterfaceAttribute |
Deployment |
Read/Write |
|
ec2:ModifySubnetAttribute |
Deployment |
Read/Write |
|
ec2:ModifyVolume |
Deployment |
Read/Write |
|
ec2:ModifyVolumeAttribute |
Deployment |
Read/Write |
|
ec2:ModifyVpcAttribute |
Deployment |
Read/Write |
|
Disassociate and destroy validation instances |
ec2:ReleaseAddress |
Deployment |
Read/Write |
ec2:ReplaceRoute |
Deployment |
Read/Write |
|
ec2:ReplaceRouteTableAssociation |
Deployment |
Read/Write |
|
ec2:RevokeSecurityGroupEgress |
Deployment |
Read/Write |
|
ec2:RevokeSecurityGroupIngress |
Deployment |
Read/Write |
|
Start the deployed instances |
ec2:StartInstances |
Deployment |
Read/Write |
Stop the deployed instances |
ec2:StopInstances |
Deployment |
Read/Write |
Tag custom values for Amazon FSx for NetApp ONTAP resources created by WLMDB to get billing details during resource management |
fsx:TagResource 1 |
|
Read/Write |
Create and validate CloudFormation template for deployment |
cloudformation:CreateStack |
Deployment |
Read/Write |
cloudformation:DescribeStackEvents |
Deployment |
Read/Write |
|
cloudformation:DescribeStacks |
Deployment |
Read/Write |
|
cloudformation:ListStacks |
Deployment |
Read/Write |
|
cloudformation:ValidateTemplate |
Deployment |
Read/Write |
|
Fetch directories available in the region |
ds:DescribeDirectories |
Deployment |
Read/Write |
Add rules for the Security Group attached to provisioned EC2 instances |
ec2:AuthorizeSecurityGroupEgress |
Deployment |
Read/Write |
ec2:AuthorizeSecurityGroupIngress |
Deployment |
Read/Write |
|
Create nested stack templates for retry and rollback |
ec2:CreateLaunchTemplate |
Deployment |
Read/Write |
ec2:CreateLaunchTemplateVersion |
Deployment |
Read/Write |
|
Manage tags and network security on created instances |
ec2:CreateNetworkInterface |
Deployment |
Read/Write |
ec2:CreateSecurityGroup |
Deployment |
Read/Write |
|
ec2:CreateTags |
Deployment |
Read/Write |
|
Delete the Security Group created temporarily for validation nodes |
ec2:DeleteSecurityGroup |
Deployment |
Read/Write |
Get instance details for provisioning |
ec2:Describe* |
|
Read/Write |
ec2:Get* |
|
Read/Write |
|
Start the created instances |
ec2:RunInstances |
Deployment |
Read/Write |
Systems Manager uses AWS message delivery service endpoint for API operations |
ec2messages:* |
|
Read/Write |
Create FSx for ONTAP resources required for provisioning. For existing FSx for ONTAP systems, a new SVM is created to host SQL volumes. |
fsx:CreateFileSystem |
Deployment |
Read/Write |
fsx:CreateStorageVirtualMachine |
Deployment |
Read/Write |
|
fsx:CreateVolume |
|
Read/Write |
|
Get FSx for ONTAP details |
fsx:Describe* |
|
Read/Write |
fsx:List* |
|
Read/Write |
|
Resize FSx for ONTAP file system to remediate file system headroom |
fsx:UpdateFilesystem |
Optimization |
Read/Write |
Resize volumes to remediate log and TempDB drive sizes |
fsx:UpdateVolume |
Optimization |
Read/Write |
Get KMS key details and use for FSx for ONTAP encryption |
kms:CreateGrant |
Deployment |
Read/Write |
kms:Describe* |
Deployment |
Read/Write |
|
kms:List* |
Deployment |
Read/Write |
|
kms:GenerateDataKey |
Deployment |
Read/Write |
|
Create CloudWatch logs for validation and provisioning scripts running on EC2 instances |
logs:CreateLogGroup |
Deployment |
Read/Write |
logs:CreateLogStream |
Deployment |
Read/Write |
|
logs:DescribeLog* |
Deployment |
Read/Write |
|
logs:GetLog* |
Deployment |
Read/Write |
|
logs:ListLogDeliveries |
Deployment |
Read/Write |
|
logs:PutLogEvents |
|
Read/Write |
|
logs:TagResource |
Deployment |
Read/Write |
|
Workload factory switches to Amazon CloudWatch logs for the SQL instance upon encountering SSM output truncation |
logs:GetLogEvents |
|
|
Allow workload factory to get current log groups and check that retention is set for log groups created by workload factory |
logs:DescribeLogGroups |
|
Read-only |
Allow workload factory to set a one-day retention policy for log groups created by workload factory to avoid unnecessary accumulation of log streams for SSM command outputs |
logs:PutRetentionPolicy |
|
|
Create secrets in a user account for the credentials provided for SQL, domain, and FSx for ONTAP |
servicequotas:ListServiceQuotas |
Deployment |
Read/Write |
List customer SNS topics and publish to WLMDB backend SNS as well as customer SNS if selected |
sns:ListTopics |
Deployment |
Read/Write |
sns:Publish |
Deployment |
Read/Write |
|
Required SSM permissions to run the discovery script on provisioned SQL instances and to fetch latest list of FSx for ONTAP supported AWS regions. |
ssm:Describe* |
Deployment |
Read/Write |
ssm:Get* |
|
Read/Write |
|
ssm:List* |
Deployment |
Read/Write |
|
ssm:PutComplianceItems |
Deployment |
Read/Write |
|
ssm:PutConfigurePackageResult |
Deployment |
Read/Write |
|
ssm:PutInventory |
Deployment |
Read/Write |
|
ssm:SendCommand |
|
Read/Write |
|
ssm:UpdateAssociationStatus |
Deployment |
Read/Write |
|
ssm:UpdateInstanceAssociationStatus |
Deployment |
Read/Write |
|
ssm:UpdateInstanceInformation |
Deployment |
Read/Write |
|
ssmmessages:* |
|
Read/Write |
|
Save credentials for FSx for ONTAP, Active Directory, and SQL user (only for SQL user authentication) |
ssm:GetParameter 1 |
|
Read/Write |
ssm:GetParameters 1 |
|
Read/Write |
|
ssm:PutParameter 1 |
|
Read/Write |
|
ssm:DeleteParameters 1 |
|
Read/Write |
|
Signal CloudFormation stack on success or failure. |
cloudformation:SignalResource 1 |
Deployment |
Read/Write |
Add EC2 role created by template to the instance profile of EC2 to allow scripts on EC2 to access the required resources for deployment. |
iam:AddRoleToInstanceProfile |
Deployment |
Read/Write |
Create instance profile for EC2 and attach the created EC2 role. |
iam:CreateInstanceProfile |
Deployment |
Read/Write |
Create EC2 role through template with permissions listed below |
iam:CreateRole |
Deployment |
Read/Write |
Create role linked to EC2 service |
iam:CreateServiceLinkedRole 2 |
Deployment |
Read/Write |
Delete instance profile created during deployment specifically for the validation nodes |
iam:DeleteInstanceProfile |
Deployment |
Read/Write |
Get the role and policy details to determine any gaps in permission and validate for deployment |
iam:GetPolicy |
Deployment |
Read/Write |
iam:GetPolicyVersion |
Deployment |
Read/Write |
|
iam:GetRole |
Deployment |
Read/Write |
|
iam:GetRolePolicy |
Deployment |
Read/Write |
|
iam:GetUser |
Deployment |
Read/Write |
|
Pass the role created to EC2 instance |
iam:PassRole 3 |
Deployment |
Read/Write |
Add policy with required permissions to the EC2 role created |
iam:PutRolePolicy |
Deployment |
Read/Write |
Detach role from the provisioned EC2 instance profile |
iam:RemoveRoleFromInstanceProfile |
Deployment |
Read/Write |
Simulate workload operations to validate available permissions and compare with required AWS account permissions |
iam:SimulatePrincipalPolicy |
Deployment |
|
-
Permission is restricted to resources starting with WLMDB.
-
"iam:CreateServiceLinkedRole" limited by "iam:AWSServiceName": "ec2.amazonaws.com"*
-
"iam:PassRole" limited by "iam:PassedToService": "ec2.amazonaws.com"*
Permissions for GenAI workloads
The IAM policies for VMware workloads provide the permissions that workload factory for VMware needs to manage resources and processes within your public cloud environment based on the operational mode you operate in.
GenAI IAM policies are only available in read/write mode:
IAM policies for GenAI workloads
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudformationGroup",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DescribeStacks"
],
"Resource": "arn:aws:cloudformation:*:*:stack/wlmai*/*"
},
{
"Sid": "EC2Group",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/aws:cloudformation:stack-name": "wlmai*"
}
}
},
{
"Sid": "EC2DescribeGroup",
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions",
"ec2:DescribeTags",
"ec2:CreateVpcEndpoint",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances"
],
"Resource": "*"
},
{
"Sid": "IAMGroup",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:PutRolePolicy",
"iam:GetRolePolicy",
"iam:GetRole",
"iam:TagRole"
],
"Resource": "*"
},
{
"Sid": "IAMGroup2",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
},
{
"Sid": "FSXNGroup",
"Effect": "Allow",
"Action": [
"fsx:DescribeVolumes",
"fsx:DescribeFileSystems",
"fsx:DescribeStorageVirtualMachines",
"fsx:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "FSXNGroup2",
"Effect": "Allow",
"Action": [
"fsx:UntagResource",
"fsx:TagResource"
],
"Resource": [
"arn:aws:fsx:*:*:volume/*/*",
"arn:aws:fsx:*:*:storage-virtual-machine/*/*"
]
},
{
"Sid": "SSMParameterStore",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:PutParameter"
],
"Resource": "arn:aws:ssm:*:*:parameter/netapp/wlmai/*"
},
{
"Sid": "SSM",
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:*:*:parameter/aws/service/*"
},
{
"Sid": "SSMMessages",
"Effect": "Allow",
"Action": [
"ssm:GetCommandInvocation"
],
"Resource": "*"
},
{
"Sid": "SSMCommandDocument",
"Effect": "Allow",
"Action": [
"ssm:SendCommand"
],
"Resource": [
"arn:aws:ssm:*:*:document/AWS-RunShellScript"
]
},
{
"Sid": "SSMCommandInstance",
"Effect": "Allow",
"Action": [
"ssm:SendCommand",
"ssm:GetConnectionStatus"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringLike": {
"ssm:resourceTag/aws:cloudformation:stack-name": "wlmai-*"
}
}
},
{
"Sid": "KMS",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "*"
},
{
"Sid": "SNS",
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": "*"
},
{
"Sid": "CloudWatch",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Sid": "CloudWatchAiEngine",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"logs:TagResource",
"logs:DescribeLogStreams"
],
"Resource": "arn:aws:logs:*:*:log-group:/netapp/wlmai*"
},
{
"Sid": "CloudWatchAiEngineLogStream",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/netapp/wlmai*:*"
},
{
"Sid": "BedrockGroup",
"Effect": "Allow",
"Action": [
"bedrock:InvokeModelWithResponseStream",
"bedrock:InvokeModel",
"bedrock:ListFoundationModels",
"bedrock:GetFoundationModelAvailability",
"bedrock:GetModelInvocationLoggingConfiguration",
"bedrock:PutModelInvocationLoggingConfiguration",
"bedrock:ListInferenceProfiles"
],
"Resource": "*"
},
{
"Sid": "CloudWatchBedrock",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"logs:TagResource"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/bedrock*"
},
{
"Sid": "BedrockLoggingAttachRole",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/NetApp_AI_Bedrock*"
},
{
"Sid": "BedrockLoggingIamOperations",
"Effect": "Allow",
"Action": [
"iam:CreatePolicy"
],
"Resource": "*"
},
{
"Sid": "QBusiness",
"Effect": "Allow",
"Action": [
"qbusiness:ListApplications"
],
"Resource": "*"
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
}
]
}The following table provides details about the permissions for GenAI workloads.
Table of permissions for GenAI workloads
| Purpose | Action | Where used | Mode |
|---|---|---|---|
Create AI engine cloudformation stack during deploy and rebuild operations |
cloudformation:CreateStack |
Deployment |
Read/Write |
Create the AI engine cloudformation stack |
cloudformation:DescribeStacks |
Deployment |
Read/Write |
List regions for the AI engine deployment wizard |
ec2:DescribeRegions |
Deployment |
Read/Write |
Display AI engine tags |
ec2:DescribeTags |
Deployment |
Read/Write |
List S3 buckets |
s3:ListAllMyBuckets |
Deployment |
Read/Write |
List VPC endpoints before AI engine stack creation |
ec2:CreateVpcEndpoint |
Deployment |
Read/Write |
Create an AI engine security group during the AI engine stack creation during deploy and rebuild operations |
ec2:CreateSecurityGroup |
Deployment |
Read/Write |
Tag resources created by AI engine stack creation during deploy and rebuild operations |
ec2:CreateTags |
Deployment |
Read/Write |
Publish encrypted events to the WLMAI backend from the AI engine stack |
kms:GenerateDataKey |
Deployment |
Read/Write |
kms:Decrypt |
Deployment |
Read/Write |
|
Publish events and custom resources to the WLMAI backend from the ai-engine stack |
sns:Publish |
Deployment |
Read/Write |
List VPCs during AI engine deployment wizard |
ec2:DescribeVpcs |
Deployment |
Read/Write |
List subnets on the ai-engine deployment wizard |
ec2:DescribeSubnets |
Deployment |
Read/Write |
Get route tables during AI engine deployment and rebuild |
ec2:DescribeRouteTables |
Deployment |
Read/Write |
List key-pairs during AI engine deployment wizard |
ec2:DescribeKeyPairs |
Deployment |
Read/Write |
List security groups during AI engine stack creation (to find security groups on the private endpoints) |
ec2:DescribeSecurityGroups |
Deployment |
Read/Write |
Get VPC endpoints to determine if any should be created during the AI engine deployment |
ec2:DescribeVpcEndpoints |
Deployment |
Read/Write |
List the Amazon Q Business applications |
qbusiness:ListApplications |
Deployment |
Read/Write |
List instances to find out the AI engine state |
ec2:DescribeInstances |
Troubleshooting |
Read/Write |
List images during the AI engine stack creation during deploy and rebuild operations |
ec2:DescribeImages |
Deployment |
Read/Write |
Create and update AI instance and private endpoint security group during the AI instance stack creation during deploy and rebuild operations |
ec2:RevokeSecurityGroupEgress |
Deployment |
Read/Write |
ec2:RevokeSecurityGroupIngress |
Deployment |
Read/Write |
|
Run AI engine during cloudformation stack creation during deploy and rebuild operations |
ec2:RunInstances |
Deployment |
Read/Write |
Attach security group and modify rules for the AI engine during stack creation during deploy and rebuild operations |
ec2:AuthorizeSecurityGroupEgress |
Deployment |
Read/Write |
ec2:AuthorizeSecurityGroupIngress |
Deployment |
Read/Write |
|
Query Amazon Bedrock / Amazon CloudWatch logging status during AI engine deployment |
bedrock:GetModelInvocationLoggingConfiguration |
Deployment |
Read/Write |
Initiate chat request to one of the foundation models |
bedrock:InvokeModelWithResponseStream |
Deployment |
Read/Write |
Begin chat/embedding request for foundation models |
bedrock:InvokeModel |
Deployment |
Read/Write |
Show the available foundation models in a region |
bedrock:ListFoundationModels |
Deployment |
Read/Write |
Get information about a foundation model |
bedrock:GetFoundationModel |
Deployment |
Read/Write |
Verify access to the foundation model |
bedrock:GetFoundationModelAvailability |
Deployment |
Read/Write |
Verify need to create Amazon CloudWatch log group during deploy and rebuild operations |
logs:DescribeLogGroups |
Deployment |
Read/Write |
Get regions that support FSx and Amazon Bedrock during the AI engine wizard |
ssm:GetParametersByPath |
Deployment |
Read/Write |
Get the latest Amazon Linux image for the AI engine deployment during deploy and rebuild operations |
ssm:GetParameters |
Deployment |
Read/Write |
Get the SSM response from the command sent to the AI engine |
ssm:GetCommandInvocation |
Deployment |
Read/Write |
Check the SSM connection to the AI engine |
ssm:SendCommand |
Deployment |
Read/Write |
ssm:GetConnectionStatus |
Deployment |
Read/Write |
|
Create AI engine instance profile during stack creation during deploy and rebuild operations |
iam:CreateRole |
Deployment |
Read/Write |
iam:CreateInstanceProfile |
Deployment |
Read/Write |
|
iam:AddRoleToInstanceProfile |
Deployment |
Read/Write |
|
iam:PutRolePolicy |
Deployment |
Read/Write |
|
iam:GetRolePolicy |
Deployment |
Read/Write |
|
iam:GetRole |
Deployment |
Read/Write |
|
iam:TagRole |
Deployment |
Read/Write |
|
iam:PassRole |
Deployment |
Read/Write |
|
Simulate workload operations to validate available permissions and compare with required AWS account permissions |
iam:SimulatePrincipalPolicy |
Deployment |
Read/Write |
List FSx for ONTAP file systems during the "Create knowledgebase" wizard |
fsx:DescribeVolumes |
Knowledge base creation |
Read/Write |
List FSx for ONTAP file system volumes during the "Create knowledgebase" wizard |
fsx:DescribeFileSystems |
Knowledge base creation |
Read/Write |
Manage knowledge bases on the AI engine during rebuild operations |
fsx:ListTagsForResource |
Troubleshooting |
Read/Write |
List FSx for ONTAP file system storage virtual machines during the "Create knowledgebase" wizard |
fsx:DescribeStorageVirtualMachines |
Deployment |
Read/Write |
Move the knowledgebase to a new instance |
fsx:UntagResource |
Troubleshooting |
Read/Write |
Manage knowledgebase on the AI engine during rebuild |
fsx:TagResource |
Troubleshooting |
Read/Write |
Save SSM secrets (ECR token, CIFS credentials, tenancy service accounts keys) in a secure way |
ssm:GetParameter |
Deployment |
Read/Write |
ssm:PutParameter |
Deployment |
Read/Write |
|
Send the AI engine logs to Amazon CloudWatch log group during deploy and rebuild operations |
logs:CreateLogGroup |
Deployment |
Read/Write |
logs:PutRetentionPolicy |
Deployment |
Read/Write |
|
Send the AI engine logs to Amazon CloudWatch log group |
logs:TagResource |
Troubleshooting |
Read/Write |
Get SSM response from Amazon CloudWatch (when the response is too long) |
logs:DescribeLogStreams |
Troubleshooting |
Read/Write |
Get the SSM response from Amazon CloudWatch |
logs:GetLogEvents |
Troubleshooting |
Read/Write |
Create an Amazon CloudWatch log group for Amazon Bedrock logs during the stack creation during deploy and rebuild operations |
logs:CreateLogGroup |
Deployment |
Read/Write |
logs:PutRetentionPolicy |
Deployment |
Read/Write |
|
logs:TagResource |
Deployment |
Read/Write |
|
Send bedrock logs to Amazon CloudWatch |
bedrock:PutModelInvocationLoggingConfiguration |
Troubleshooting |
Read/Write |
Create the role that enables sending Amazon Bedrock logs to Amazon CloudWatch |
iam:AttachRolePolicy |
Troubleshooting |
Read/Write |
Create the role that enables sending Amazon Bedrock logs to Amazon CloudWatch |
iam:PassRole |
Troubleshooting |
Read/Write |
Create the role that enables sending Amazon Bedrock logs to Amazon CloudWatch |
iam:createPolicy |
Troubleshooting |
Read/Write |
List inference profiles for the model |
bedrock:ListInferenceProfiles |
Troubleshooting |
Read/Write |
Permissions for VMware workloads
The IAM policies for VMware workloads provide the permissions that workload factory for VMware needs to manage resources and processes within your public cloud environment based on the operational mode you operate in.
Select your operational mode to view the required IAM policies:
IAM policies for VMware workloads
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ssm:GetParametersByPath",
"kms:DescribeKey",
"kms:ListKeys",
"kms:ListAliases"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"fsx:CreateFileSystem",
"fsx:DescribeFileSystems",
"fsx:CreateStorageVirtualMachine",
"fsx:DescribeStorageVirtualMachines",
"fsx:CreateVolume",
"fsx:DescribeVolumes",
"fsx:TagResource",
"sns:Publish",
"kms:DescribeKey",
"kms:ListKeys",
"kms:ListAliases",
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVpcs",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeImages"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParametersByPath",
"ssm:GetParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
}
]
}The following table provides details about the permissions for VMware workloads.
Table of permissions for VMware workloads
| Purpose | Action | Where used | Mode |
|---|---|---|---|
Attach security groups and modify rules for the provisioned nodes |
ec2:AuthorizeSecurityGroupIngress |
Deployment |
Read/Write |
Create EBS volumes |
ec2:CreateVolume |
Deployment |
Read/Write |
Tag custom values for FSx for NetApp ONTAP resources created by VMware workloads |
fsx:TagResource |
Deployment |
Read/Write |
Create and validate the CloudFormation template |
cloudformation:CreateStack |
Deployment |
Read/Write |
Manage tags and network security on created instances |
ec2:CreateSecurityGroup |
Deployment |
Read/Write |
Start the created instances |
ec2:RunInstances |
Deployment |
Read/Write |
Get EC2 instance details |
ec2:DescribeInstances |
Deployment |
Read/Write |
List images during the stack creation during deploy and rebuild operations |
ec2:DescribeImages |
Deployment |
Read/Write |
Get the VPCs in the selected environment to complete deployment form |
ec2:DescribeVpcs |
|
|
Get the subnets in selected environment to complete deployment form |
ec2:DescribeSubnets |
|
|
Get the security groups in selected environment to complete deployment form |
ec2:DescribeSecurityGroups |
Deployment |
|
Get the availability zones in selected environment |
ec2:DescribeAvailabilityZones |
|
|
Get the regions with Amazon FSx for NetApp ONTAP support |
ec2:DescribeRegions |
Deployment |
|
Get KMS keys' aliases to be used for Amazon FSx for NetApp ONTAP encryption |
kms:ListAliases |
Deployment |
|
Get KMS keys to be used for Amazon FSx for NetApp ONTAP encryption |
kms:ListKeys |
Deployment |
|
Get KMS keys expiry details to be used for Amazon FSx for NetApp ONTAP encryption |
kms:DescribeKey |
Deployment |
|
SSM based query is used to get the updated list of Amazon FSx for NetApp ONTAP supported regions |
ssm:GetParametersByPath |
Deployment |
|
Create Amazon FSx for NetApp ONTAP resources required for provisioning |
fsx:CreateFileSystem |
Deployment |
Read/Write |
fsx:CreateStorageVirtualMachine |
Deployment |
Read/Write |
|
fsx:CreateVolume |
|
Read/Write |
|
Get Amazon FSx for NetApp ONTAP details |
fsx:Describe* |
|
Read/Write |
fsx:List* |
|
Read/Write |
|
Get KMS key details and use for Amazon FSx for NetApp ONTAP encryption |
kms:CreateGrant |
Deployment |
Read/Write |
kms:Describe* |
Deployment |
Read/Write |
|
kms:List* |
Deployment |
Read/Write |
|
kms:Decrypt |
Deployment |
Read/Write |
|
kms:GenerateDataKey |
Deployment |
Read/Write |
|
List customer SNS topics and publish to WLMVMC backend SNS as well as customer SNS if selected |
sns:Publish |
Deployment |
Read/Write |
Used to fetch latest list of Amazon FSx for NetApp ONTAP supported AWS regions |
ssm:Get* |
|
Read/Write |
Simulate workload operations to validate available permissions and compare with required AWS account permissions |
iam:SimulatePrincipalPolicy |
Deployment |
Read/Write |
SSM Parameter store is used to save credentials of Amazon FSx for NetApp ONTAP |
ssm:GetParameter |
|
Read/Write |
ssm:PutParameters |
|
Read/Write |
|
ssm:PutParameter |
|
Read/Write |
|
ssm:DeleteParameters |
|
Read/Write |
Change log
As permissions are added and removed, we'll note them in the sections below.
29 June 2025
The following permission is now available in read-only mode for Databases: cloudwatch:GetMetricData.
3 June 2025
The following permission is now available in read/write mode for GenAI: s3:ListAllMyBuckets.
4 May 2025
The following permission is now available in read/write mode for GenAI: qbusiness:ListApplications.
The following permissions are now available in read-only mode for Databases:
-
logs:GetLogEvents -
logs:DescribeLogGroups
The following permission is now available in read/write mode for Databases:
logs:PutRetentionPolicy.
2 April 2025
The following permission is now available in read-only mode for Databases: ssm:DescribeInstanceInformation.
30 March 2025
GenAI workload permissions update
The following permissions are now available in read/write mode for GenAI:
-
bedrock:PutModelInvocationLoggingConfiguration -
iam:AttachRolePolicy -
iam:PassRole -
iam:createPolicy -
bedrock:ListInferenceProfiles
The following permission has been removed from read/write mode for GenAI: Bedrock:GetFoundationModel.
iam:SimulatePrincipalPolicy permission update
The iam:SimulatePrincipalPolicy permission is part of all workload permission policies if you enable the automatic permissions check when adding additional AWS account credentials or adding a new workload capability from the workload factory console. The permission simulates workload operations and checks if you have the required AWS account permissions before deploying resources from workload factory. Enabling this check reduces the time and effort that you might need to clean up resources from failed operations and to add in missing permissions.
2 March 2025
The following permission is now available in read/write mode for GenAI: bedrock:GetFoundationModel.
3 February 2025
The following permission is now available in read-only mode for Databases: iam:SimulatePrincipalPolicy.