Configure a role-based IAM user for AWS

The following steps have been provided as an example to help you create a role-based cloud account:

Steps

  1. Log in to the AWS Management Console.
  2. Complete the following steps to create a role:
    1. In the navigation pane of the IAM console, select Roles, and then click Create role.
    2. Select the type of trusted entity as Another AWS Account.
    3. Copy the Trusted Account number from Cloud Snapshot Manager and paste it in the Account ID field of the console.
    4. In Options, select Require external ID.
      Do not select Require MFA: the role is assumed programmatically by Cloud Snapshot Manager, which cannot present an MFA code, so an MFA condition would make every AssumeRole call fail.
    5. Copy the External ID value from Cloud Snapshot Manager to the External ID field of the console, and then click Next: Permissions.
    6. Click Next: Tags.
    7. Click Next: Review.
    8. Enter a unique role name, review the role, and click Create role.
    9. Search for the new role and copy the role ARN value.
  3. Complete the following to create a policy:
    1. Copy content from AWS minimum permission policy.
      For details about each AWS permission and how it is used by Cloud Snapshot Manager, see AWS permission usage.
    2. In the navigation pane of the IAM console, select Policies, and then click Create policy.
    3. Select the JSON tab, and paste the copied content from the portal.
    4. Click Review policy.
    5. Enter a policy name and click Create policy.
  4. Associate the policy with the role using the following steps:
    1. Search for the role in the Roles page and click on it.
    2. Under the Permissions tab, click Attach Policies and search for the newly created policy.
    3. Select the policy and click Next: Review.
    4. Click Attach Policy.
  5. (Optional) Establish a trust relationship using the following steps:
    This step is required only if you want to copy data from a cloud account to PowerProtect DD Virtual Edition (DDVE) or restore data from DDVE. You can perform it later, whenever you first need to copy to DDVE.
    1. Search for the role in the Roles page and click on it.
    2. Under the Trust Relationships tab, click Edit Trust Relationship. The following generated JSON content is displayed:
            {
                "Version": "<POLICY_VERSION_DATE>",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "<CLOUD_ACCOUNT_NUMBER>"
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "<EXTERNALID>"
                            }
                        }
                    }
                ]
            }
      NOTE: If the trust policy still shows the old trusted account number 069562425525, replace <CLOUD_ACCOUNT_NUMBER> with the new trusted account number 903193600893 to migrate the role from the old trusted account to the new one.
    3. Append the following statement to the existing Statement array. Separate it from the first statement with a comma, and make sure the array does not end with a trailing comma, because IAM rejects the document as invalid JSON:
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    4. Click Update Trust Policy.
  6. Paste the role ARN value for the newly created role in the corresponding field in Cloud Snapshot Manager.
  7. Click Save.