Using a role template for AWS

Prerequisite

You must have the HYCU account ID of your subscription. To get the HYCU account ID, click <EmailAddress> in the toolbar, and then click Subscription Information to open the Subscription Information dialog box. The account ID is listed under the HYCU Account section.

Considerations

  • Make sure that the AWS account for which you are creating the role is not already added as a source or as compute to R‑Cloud; otherwise, the creation of the least-permissions role will fail. If you already added the AWS account as a source or as compute, delete its role or the AWS CloudFormation stack with which you created the original role, or use a different account.

  • By default, the IAM role created by R‑Cloud allows performing data protection actions on all resources in your AWS account. In addition to creating a custom role with the least-privilege permissions as described in this topic, you can also limit R‑Cloud to have access only to the resources that are relevant for data protection by specifying them in the AWS Management Console. You should do this each time you add new resources that should be accessible to R‑Cloud.

    Note   To make sure that the targets that are automatically created by R‑Cloud will be accessible, keep the default resource accessibility settings for the automatically created targets. For details on how to identify the automatically created targets, see Resources created by R‑Cloud.

    For details on how Amazon S3 works with IAM and how to specify the resources that should be accessible to R‑Cloud, see AWS documentation.

  • To ensure the highest level of security when using the least-permissions role, consider limiting R‑Cloud access only to the buckets that are protected or used as targets. In the AWS Management Console, do the following:

    • Update the required S3 bucket permissions to be applicable only to the protected buckets and to those that are used as targets.

    • Update the required S3 object permissions to be applicable only for the contents that are stored within the relevant buckets.

    To achieve this, instead of using a wildcard character for the Resource element in the IAM policy statement, define the buckets to which you want to allow access. For instructions, see AWS documentation about defining the Resource IAM JSON policy element.
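The following is an added example (not HYCU's code or the contents of its role template) that shows the narrowing described above in working form: a constructed policy with wildcard S3 resources, a check that flags such statements, and a rewrite that scopes bucket-level actions to the named bucket ARNs and object-level actions to `arn:aws:s3:::<bucket>/*`. The S3 action lists and bucket names are assumptions for illustration; the actions R‑Cloud actually requires are not listed on this page.

```python
"""Scope S3 statements in an IAM policy document to named buckets.

Added example. The action sets below follow standard IAM semantics (bucket-level
vs. object-level S3 actions) but are illustrative: the exact permission set that
R-Cloud needs is not shown on this page.
"""
import copy
import json

# Assumed classification of S3 actions by the resource type they apply to.
BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation",
    "s3:GetBucketVersioning", "s3:ListBucketMultipartUploads",
}
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
    "s3:DeleteObject", "s3:AbortMultipartUpload",
}

# Constructed sample: the broad form the page advises against.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BucketAccess", "Effect": "Allow",
         "Action": sorted(BUCKET_ACTIONS), "Resource": "*"},
        {"Sid": "ObjectAccess", "Effect": "Allow",
         "Action": sorted(OBJECT_ACTIONS), "Resource": "arn:aws:s3:::*"},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_s3_wildcard(resource):
    """True for a Resource value that matches every bucket and/or object."""
    return resource in ("*", "arn:aws:s3:::*", "arn:aws:s3:::*/*")


def find_unscoped_s3_statements(policy):
    """Return the Sids of Allow statements granting S3 actions on a wildcard."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a.startswith("s3:") for a in actions):
            continue
        if any(is_s3_wildcard(r) for r in _as_list(stmt.get("Resource", []))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def scope_s3_policy(policy, buckets):
    """Return a copy of `policy` with S3 wildcard resources replaced by ARNs.

    Bucket-level actions get arn:aws:s3:::<bucket>; object-level actions get
    arn:aws:s3:::<bucket>/*. Statements containing actions outside the two
    known sets (e.g. "s3:*") are refused so they are scoped by hand.
    """
    scoped = copy.deepcopy(policy)
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    object_arns = [f"arn:aws:s3:::{b}/*" for b in buckets]
    for stmt in scoped["Statement"]:
        if not any(is_s3_wildcard(r) for r in _as_list(stmt.get("Resource", []))):
            continue
        actions = _as_list(stmt.get("Action", []))
        if not all(a in BUCKET_ACTIONS | OBJECT_ACTIONS for a in actions):
            raise ValueError(
                f"statement {stmt.get('Sid')!r} has actions this helper cannot "
                "classify; narrow its Resource manually")
        resources = []
        if any(a in BUCKET_ACTIONS for a in actions):
            resources += bucket_arns
        if any(a in OBJECT_ACTIONS for a in actions):
            resources += object_arns
        stmt["Resource"] = resources
    return scoped


if __name__ == "__main__":
    # Constructed bucket names: one protected bucket and one R-Cloud target.
    print("unscoped:", find_unscoped_s3_statements(WILDCARD_POLICY))
    narrowed = scope_s3_policy(WILDCARD_POLICY, ["backup-source", "hycu-target"])
    print(json.dumps(narrowed, indent=2))
    print("unscoped after:", find_unscoped_s3_statements(narrowed))
```

Run the checker against the policy attached to the role after each change to the set of protected buckets or targets; a non-empty result means a statement still grants S3 access beyond the buckets you intended.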

Procedure

To add the role template to your AWS account, perform the following:

  1. Open the following URL in your browser:

    https://us-east-2.console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/quickcreate?templateUrl=https%3A%2F%2Fhycu-resources.s3.amazonaws.com%2Fcloudformation%2F08082022-HycuRoleTemplate-AWSLeastPermissions.json&stackName=HycuStack&param_ExternalId=<HYCUAccountId>

    Replace <HYCUAccountId> at the end of this URL with the HYCU account ID of your subscription.

    Important  You must be signed in to the AWS Management Console with the AWS account for which you are creating the roles. If you are signed in to the AWS Management Console with a different account when you create the IAM roles, the creation fails.

  2. In the AWS Management Console, on the Quick create stack page, confirm the capabilities required by R‑Cloud by clicking I acknowledge that AWS CloudFormation might create IAM resources, and then click Create stack.
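As an added example (not part of HYCU's documentation or template), the helper below turns the quick-create URL from step 1 into the arguments for a CloudFormation create-stack call, so the same stack can be created from the AWS CLI or an SDK instead of the console, and it refuses to proceed while the <HYCUAccountId> placeholder is still unfilled. It assumes that the ExternalId parameter is used in the role's trust policy in the standard AWS cross-account way (the template itself is not shown on this page) and that `CAPABILITY_IAM` is the capability the "I acknowledge" step in step 2 corresponds to; if the template creates roles with fixed names, `CAPABILITY_NAMED_IAM` is required instead.

```python
"""Convert the quick-create URL from step 1 into create-stack arguments.

Added example; the URL below is the one given on the page, placeholder included.
"""
from urllib.parse import parse_qs, urlparse

PLACEHOLDER = "<HYCUAccountId>"

QUICK_CREATE_URL = (
    "https://us-east-2.console.aws.amazon.com/cloudformation/home?region=us-east-2"
    "#/stacks/quickcreate?templateUrl=https%3A%2F%2Fhycu-resources.s3.amazonaws.com"
    "%2Fcloudformation%2F08082022-HycuRoleTemplate-AWSLeastPermissions.json"
    "&stackName=HycuStack&param_ExternalId=<HYCUAccountId>"
)


def parse_quick_create(url, hycu_account_id=None):
    """Return keyword arguments for CloudFormation create_stack / create-stack.

    The console encodes the stack parameters in the URL fragment (after '#'),
    so they are parsed separately from the ordinary query string. If the
    ExternalId is still the placeholder and no account ID was supplied, raise,
    because a role created with a bogus ExternalId cannot be assumed by the
    intended subscription.
    """
    parsed = urlparse(url)
    region = parse_qs(parsed.query)["region"][0]
    fragment_query = parsed.fragment.split("?", 1)[1]
    params = parse_qs(fragment_query)  # percent-decodes templateUrl for us
    external_id = params["param_ExternalId"][0]
    if external_id == PLACEHOLDER:
        if not hycu_account_id:
            raise ValueError("replace <HYCUAccountId> with your HYCU account ID first")
        external_id = hycu_account_id
    return {
        "region": region,
        "StackName": params["stackName"][0],
        "TemplateURL": params["templateUrl"][0],
        "Parameters": [{"ParameterKey": "ExternalId", "ParameterValue": external_id}],
        # Assumed: matches the "might create IAM resources" acknowledgement.
        "Capabilities": ["CAPABILITY_IAM"],
    }


if __name__ == "__main__":
    import sys
    # Usage: python this_file.py <your HYCU account ID>
    args = parse_quick_create(QUICK_CREATE_URL, hycu_account_id=sys.argv[1])
    region = args.pop("region")
    print(f"aws cloudformation create-stack --region {region} "
          f"--stack-name {args['StackName']} --template-url {args['TemplateURL']} "
          f"--parameters ParameterKey=ExternalId,ParameterValue={sys.argv[1]} "
          f"--capabilities {args['Capabilities'][0]}")
    # With boto3 installed, the same dict can be passed straight through:
    #   boto3.client("cloudformation", region_name=region).create_stack(**args)
```

The sign-in requirement from the Important note still applies here: the credentials the CLI or SDK uses must belong to the AWS account you are adding to R‑Cloud, which you can confirm beforehand with `aws sts get-caller-identity`.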

AWS permissions required by R‑Cloud

Depending on your data protection environment needs, you can add an AWS account to R‑Cloud as a source or as compute. Each option requires a different set of AWS permissions.