Configure IAM granular permissions for IAM users with VSB to EC2

This section explains the steps and API permission policy required for the Arcserve UDP agent installed on the VSB Cloud proxy within Amazon EC2 Web Services. The permissions help perform the actions required for data transfer and Virtual Standby to the AWS EC2 Cloud.

Using the procedure, you can help an Amazon IAM user get control and interaction with the AWS API. The permissions policy is not only applied to the user directly, but also to a Role and Group within the IAM Security interface within Amazon Web Services.

Follow these steps:

  1. Log into Amazon Web Services as an administrator.
  1. Select My Security Credentials, click Users on the left side, and then click the Create New Users button.
  1. Enter desired user name.
  2. Note: Verify if the option for Generate an access key for each User is selected.
  3. Click the Create button.
  4. Click Download Credentials.
  5. The credentials contain your Access key and Secret that you need later within the UDP console.
  6. From the Users view, select the user from the list of users and then click the Permissions tab available at the bottom.
  7. From the Custom Policy option, create an inline custom policy for the user.
  1. Enter a name for the policy and paste the following content in Policy Document.
  2. {

    3. "Version": "2012-10-17",

    "Statement": [

    {

    "Sid": "Stmt1477881304097",

    "Action": [

    "ec2:AssignPrivateIpAddresses",

    "ec2:AssociateAddress",

    "ec2:AttachNetworkInterface",

    "ec2:AttachVolume",

    "ec2:AuthorizeSecurityGroupEgress",

    "ec2:AuthorizeSecurityGroupIngress",

    "ec2:CreateNetworkInterface",

    "ec2:CreateSnapshot",

    "ec2:CreateTags",

    "ec2:CreateVolume",

    "ec2:DeleteNetworkInterface",

    "ec2:DeleteSnapshot",

    "ec2:DeleteTags",

    "ec2:DeleteVolume",

    "ec2:DescribeAccountAttributes",

    "ec2:DescribeAddresses",

    "ec2:DescribeAvailabilityZones",

    "ec2:DescribeBundleTasks",

    "ec2:DescribeClassicLinkInstances",

    "ec2:DescribeConversionTasks",

    "ec2:DescribeCustomerGateways",

    "ec2:DescribeDhcpOptions",

    "ec2:DescribeExportTasks",

    "ec2:DescribeFlowLogs",

    "ec2:DescribeHosts",

    "ec2:DescribeHostReservations",

    "ec2:DescribeHostReservationOfferings",

    "ec2:DescribeIdentityIdFormat",

    "ec2:DescribeIdFormat",

    "ec2:DescribeImageAttribute",

    "ec2:DescribeImages",

    "ec2:DescribeImportImageTasks",

    "ec2:DescribeImportSnapshotTasks",

    "ec2:DescribeInstanceAttribute",

    "ec2:DescribeInstanceStatus",

    "ec2:DescribeInstances",

    "ec2:DescribeInternetGateways",

    "ec2:DescribeKeyPairs",

    "ec2:DescribeMovingAddresses",

    "ec2:DescribeNatGateways",

    "ec2:DescribeNetworkAcls",

    "ec2:DescribeNetworkInterfaceAttribute",

    "ec2:DescribeNetworkInterfaces",

    "ec2:DescribePlacementGroups",

    "ec2:DescribePrefixLists",

    "ec2:DescribeRegions",

    "ec2:DescribeReservedInstances",

    "ec2:DescribeReservedInstancesListings",

    "ec2:DescribeReservedInstancesModifications",

    "ec2:DescribeReservedInstancesOfferings",

    "ec2:DescribeRouteTables",

    "ec2:DescribeSecurityGroups",

    "ec2:DescribeSnapshotAttribute",

    "ec2:DescribeSnapshots",

    "ec2:DescribeSpotDatafeedSubscription",

    "ec2:DescribeSpotFleetInstances",

    "ec2:DescribeSpotFleetRequestHistory",

    "ec2:DescribeSpotFleetRequests",

    "ec2:DescribeSpotInstanceRequests",

    "ec2:DescribeSpotPriceHistory",

    "ec2:DescribeStaleSecurityGroups",

    "ec2:DescribeSubnets",

    "ec2:DescribeTags",

    "ec2:DescribeVolumeAttribute",

    "ec2:DescribeVolumeStatus",

    "ec2:DescribeVolumes",

    "ec2:DescribeVpcAttribute",

    "ec2:DescribeVpcClassicLink",

    "ec2:DescribeVpcEndpointServices",

    "ec2:DescribeVpcEndpoints",

    "ec2:DescribeVpcPeeringConnections",

    "ec2:DescribeVpcs",

    "ec2:DescribeVpnConnections",

    "ec2:DescribeVpnGateways",

    "ec2:DetachClassicLinkVpc",

    "ec2:DetachInternetGateway",

    "ec2:DetachNetworkInterface",

    "ec2:DetachVolume",

    "ec2:DetachVpnGateway",

    "ec2:DisableVgwRoutePropagation",

    "ec2:DisableVpcClassicLink",

    "ec2:DisableVpcClassicLinkDnsSupport",

    "ec2:DescribeVpcClassicLinkDnsSupport",

    "ec2:DetachNetworkInterface",

    "ec2:DetachVolume",

    "ec2:DisassociateAddress",

    "ec2:ModifyInstanceAttribute",

    "ec2:ModifyNetworkInterfaceAttribute",

    "ec2:ModifySnapshotAttribute",

    "ec2:ModifySubnetAttribute",

    "ec2:ModifyVolumeAttribute",

    "ec2:RevokeSecurityGroupEgress",

    "ec2:RevokeSecurityGroupIngress",

    "ec2:RunInstances",

    "ec2:StartInstances",

    "ec2:StopInstances",

    "ec2:TerminateInstances"

    ],

    "Effect": "Allow",

    "Resource": [

    "*"

    ]

    },

    {

    "Sid": "Stmt1477880716900",

    "Action": [

    "s3:CreateBucket",

    "s3:DeleteBucket",

    "s3:DeleteObject",

    "s3:GetObject",

    "s3:ListBucket",

    "s3:PutObject"

    ],

    "Effect": "Allow",

    "Resource": [

    "*"

    ]

    },

    {

    "Sid": "Stmt1477883239716",

    "Action": [

    "iam:GetUser"

    ],

    "Effect": "Allow",

    "Resource": [

    "*"

    ]

    }

    ]

}

  1. Click Apply Policy.
  1. In UDP console, use this IAM user’s access key and security access key to create VSB to EC2 plan.