Deploying a controller node (Cloud(M))

Virtual Storage Platform One SDS Block Cloud Setup and Configuration Guide

Version
1.17.x
Part Number
MK-24VSP1SDS008-04

This section describes how to configure a controller node (the host from which a storage cluster set up from AWS Marketplace is deployed and maintained) using the EC2 console.

CAUTION:
  • To use EBS encryption, you must also grant the IAM role created in this procedure permission to use AWS Key Management Service (KMS). For details, see the AWS user guide.

  • The controller node on which the prerequisite packages are installed (see Installing the prerequisite packages later) must also meet the following requirement.

    Item: OS

    Requirement (one of the following):
      • Windows 10 (64 bit)(x64)*
      • Windows 11 (64 bit)(x64)*
      • Windows Server 2022 (64 bit)(x64)
      • SUSE Linux Enterprise Server 15 SP6 (64 bit)(x64)
      • Red Hat Enterprise Linux 9.2 (64 bit)(x64)
      • Red Hat Enterprise Linux 9.4 (64 bit)(x64)
      • Debian 12 (64 bit)(x64)

    * If the client OS is Windows, the controller node is assumed to be configured and operated in an on-premises environment.

Create an EC2 instance for the controller node that meets the requirements in Controller node requirements, and deploy it in the control network subnet you created in Configuring a storage cluster. If you deploy the controller node's EC2 instance in a subnet other than the control network subnet, allow communication between that subnet and the control network subnet.

For example security group settings that allow this communication, see Example security group settings for controller nodes. For supplementary information about the OS image and settings for a controller node, see Additional information for controller node deployment (OS image and settings).

When all of the following conditions are met, you must also attach the security group for the control network (created in Configuring a storage cluster) to the controller node's EC2 instance, in addition to the preceding security group. You can identify the control network security group by opening the stack window of NetworkResources and referring to ControlSecurityGroup in the Resources tab, as in step 14 of Configuring a storage cluster.

  • The storage cluster uses a single-AZ configuration.
  • The IPv4 CIDR of the control network subnet was specified for ControlNetworkCidrBlock during Configuring a storage cluster.
  • The controller node's EC2 instance is placed in a subnet other than the control network subnet.

Create an IAM role with the following permissions policy and attach it to the controller node you created (EC2 attaches a role to an instance through an instance profile, and the role's trust policy must allow ec2.amazonaws.com to assume it). Note that the policy grants every listed action on Resource "*", including iam:PassRole, iam:AttachRolePolicy and iam:CreatePolicy, so the controller node is a highly privileged host: restrict who can log in to it and keep its security groups as tight as the examples referenced above.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:UpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:ListStackResources",
                "cloudformation:CreateChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ListChangeSets",
                "cloudformation:CreateUploadBucket",
                "cloudformation:GetTemplate",
                "cloudformation:GetTemplateSummary",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInternetGateways",
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteVpc",
                "ec2:DescribeVpcs",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateVpcEndpointServiceConfiguration",
                "ec2:ModifyVpcEndpointServiceConfiguration",
                "ec2:DeleteVpcEndpoints",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeAvailabilityZones",
                "ec2:CreateSubnet",
                "ec2:DeleteSubnet",
                "ec2:DescribeSubnets",
                "ec2:ModifySubnetAttribute",
                "ec2:DescribeRouteTables",
                "ec2:CreateNetworkAcl",
                "ec2:DeleteNetworkAcl",
                "ec2:DescribeNetworkAcls",
                "ec2:ReplaceNetworkAclAssociation",
                "ec2:CreateNetworkAclEntry",
                "ec2:DeleteNetworkAclEntry",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeImages",
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:DescribeKeyPairs",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:ModifyVolumeAttribute",
                "ec2:DescribeVolumesModifications",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "ec2:DescribePlacementGroups",
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:GetSerialConsoleAccessStatus",
                "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
                "autoscaling:DescribeAutoScalingInstances",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetIpAddressType",
                "elasticloadbalancing:SetSubnets",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:SetRulePriorities",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:RemoveTags",
                "elasticloadbalancing:DescribeTags",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "aws-portal:ViewBilling",
                "iam:PassRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:GetRolePolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:TagInstanceProfile",
                "iam:UntagInstanceProfile",
                "iam:ListInstanceProfileTags",
                "iam:CreateServiceLinkedRole",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:DeleteServiceLinkedRole",
                "sts:AssumeRole",
                "ssm:GetParameter",
                "ssm:PutParameter",
                "ssm:DeleteParameter"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
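As an added example (not code from this guide or from Hitachi), the following Python script checks a candidate policy document offline against the required action list above, flags the Allow statements that combine Resource "*" with privilege-escalation-capable actions such as iam:PassRole, and builds a tighter iam:PassRole statement for organisations that want to split the policy up. The REQUIRED_ACTIONS set holds only a constructed subset of the page's actions; paste the full "Action" list from the policy above before relying on it. The example role ARN, the iam:PassedToService condition value and the ESCALATION_ACTIONS selection are this example's assumptions, not requirements stated in the guide.

```python
"""Offline checks for the controller-node IAM role policy.

Added example: not code from the VSP One SDS Block documentation or from
Hitachi. It works on policy documents as plain dicts, so it needs no AWS
credentials or network access.
"""
import fnmatch
import json

# Constructed subset of the required actions from the page's policy; paste the
# full "Action" list from the page here before using this for real.
REQUIRED_ACTIONS = frozenset("""
cloudformation:CreateStack cloudformation:DeleteStack cloudformation:DescribeStacks
ec2:RunInstances ec2:TerminateInstances ec2:DescribeInstances ec2:CreateSecurityGroup
ec2:AuthorizeSecurityGroupIngress ec2:CreateVolume ec2:AttachVolume
iam:PassRole iam:CreateInstanceProfile iam:AddRoleToInstanceProfile
iam:AttachRolePolicy iam:CreatePolicy sts:AssumeRole ssm:GetParameter ssm:PutParameter
""".split())

# Actions that, combined with Resource "*", let the holder give itself or an
# instance it launches more privilege than the policy names. This selection is
# the reviewer's judgement (an assumption), not a claim made by the guide.
ESCALATION_ACTIONS = frozenset({
    "iam:PassRole", "iam:AttachRolePolicy", "iam:CreatePolicy",
    "iam:AddRoleToInstanceProfile", "sts:AssumeRole",
})

# Standard trust policy that lets EC2 assume the role through an instance profile.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_allow(policy, action):
    """True if an Allow statement matches the action and no Deny statement does.
    NotAction statements are rejected rather than silently misread."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if "NotAction" in stmt:
            raise ValueError("NotAction statements are not supported by this check")
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_required(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant, sorted for stable output."""
    return sorted(a for a in required if not effective_allow(policy, a))


def escalation_findings(policy):
    """(statement index, pattern, action) for Allow statements on Resource '*'
    whose action patterns cover an escalation-capable action."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            hits = sorted(a for a in ESCALATION_ACTIONS if action_matches(pattern, a))
            findings.extend((i, pattern, a) for a in hits)
    return findings


def scoped_pass_role_statement(role_arns):
    """A tighter iam:PassRole statement: named roles only, and only when the role
    is passed to EC2 (instance profiles). The guide does not say which services
    the controller node passes roles to, so this is an assumption; widen the
    condition if a CloudFormation service role is also passed."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": list(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
    }


# Constructed policy with the same shape as the page's: one Allow on Resource "*".
PAGE_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": sorted(REQUIRED_ACTIONS), "Resource": "*", "Effect": "Allow"}],
}


if __name__ == "__main__":
    print("missing:", missing_required(PAGE_STYLE_POLICY))
    for idx, pattern, action in escalation_findings(PAGE_STYLE_POLICY):
        print(f"statement {idx}: {pattern!r} grants {action} on Resource '*'")
    # Example role ARN below is a placeholder, not a name from the guide.
    print(json.dumps(scoped_pass_role_statement(
        ["arn:aws:iam::123456789012:role/example-storage-node-role"]), indent=2))
```

Run it as a script to see the findings for the page-shaped policy, or import it and call missing_required on the policy document you intend to attach; an empty list means every required action is still granted after your tightening, and a Deny anywhere in the document that overlaps a required action shows up as missing.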