Configuring a controller node with the EC2 console

Virtual Storage Platform One SDS Cloud for Amazon Web Services Setup and Configuration

Version
1.18.x
Audience
anonymous
Part Number
MK-24VSP1SDS008-06

This section describes the procedure for configuring a controller node (to maintain a storage cluster configured from AWS Marketplace) with the EC2 console.

CAUTION:

To use EBS encryption, you must also grant the IAM role created in this procedure permission to access AWS Key Management Service (KMS). For details, see the AWS user guide.

Create an EC2 instance for a controller node that meets the requirements described in Controller node requirements, and deploy it in the control network subnet you created in Configuring a storage cluster. If you deploy the EC2 instance for a controller node in a subnet other than the control network subnet, allow communication between that subnet and the control network subnet.

For example security group settings to allow communication, see Example security group settings for controller nodes. For supplementary information for OS image and settings for a controller node, see Additional information for controller node deployment (OS image and settings).

When all of the following conditions are met, you must also attach the security group for the control network created in Configuring a storage cluster to the EC2 instance for the controller node, in addition to the preceding security group. In this case, you can identify the control network security group by opening the NetworkResources stack window and checking ControlSecurityGroup in the Resources tab, as described in step 12 of Configuring a storage cluster.

  • Single-AZ configuration
  • The IPv4 CIDR of the control network subnet was specified for ControlNetworkCidrBlock during the procedure in Configuring a storage cluster.
  • The EC2 instance for the controller node is placed in a subnet other than the control network subnet.

Attach an IAM role that has the following permissions to the controller node you created. Note that the policy below applies to all resources ("Resource": "*"), so the listed actions are allowed account-wide; confirm that this scope is acceptable under your organization's access policies before attaching the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:UpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:ListStackResources",
                "cloudformation:CreateChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ListChangeSets",
                "cloudformation:CreateUploadBucket",
                "cloudformation:GetTemplate",
                "cloudformation:GetTemplateSummary",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInternetGateways",
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteVpc",
                "ec2:DescribeVpcs",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateVpcEndpointServiceConfiguration",
                "ec2:ModifyVpcEndpointServiceConfiguration",
                "ec2:DeleteVpcEndpoints",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeAvailabilityZones",
                "ec2:CreateSubnet",
                "ec2:DeleteSubnet",
                "ec2:DescribeSubnets",
                "ec2:ModifySubnetAttribute",
                "ec2:DescribeRouteTables",
                "ec2:CreateNetworkAcl",
                "ec2:DeleteNetworkAcl",
                "ec2:DescribeNetworkAcls",
                "ec2:ReplaceNetworkAclAssociation",
                "ec2:CreateNetworkAclEntry",
                "ec2:DeleteNetworkAclEntry",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeImages",
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:DescribeKeyPairs",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:ModifyVolumeAttribute",
                "ec2:DescribeVolumesModifications",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "ec2:DescribePlacementGroups",
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:GetSerialConsoleAccessStatus",
                "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
                "autoscaling:DescribeAutoScalingInstances",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetIpAddressType",
                "elasticloadbalancing:SetSubnets",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:SetRulePriorities",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:RemoveTags",
                "elasticloadbalancing:DescribeTags",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "aws-portal:ViewBilling",
                "iam:PassRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:GetRolePolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:TagInstanceProfile",
                "iam:UntagInstanceProfile",
                "iam:ListInstanceProfileTags",
                "iam:CreateServiceLinkedRole",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:DeleteServiceLinkedRole",
                "sts:AssumeRole",
                "ssm:GetParameter",
                "ssm:PutParameter",
                "ssm:DeleteParameter"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}