Home > App Management > Manage App Profiles for Amazon Tenants > Create App Profiles for Amazon Tenants
Download this articleCreate App Profiles for Amazon Tenants
In Management > App management, the Tenant Owner and Service Administrators can click Create and follow the steps below to create app profiles.
-
Select services – Select a tenant and select services for which you want to create app profiles. Click Next.
NOTEBefore you create an app profile, you must ensure that the tenant has been connected to AvePoint Online Services. For more details on connecting tenants, refer to Connect Tenants.
-
Choose setup method – Modern mode is the recommended mode for all AvePoint’s default apps. In this mode, the related apps are listed in a service-based view, and you can consent to apps separately for the selected services.
-
Consent to apps – To consent to an app, click Consent next to the app.
For an Amazon tenant, creating an app profile for the Cloud Backup for AWS app requires an IAM user. Enter your Access key ID and Secret access key to specify an IAM user with at least the following required permissions:
-
iam:CreatePolicy
-
iam:GetRole
-
iam:UpdateAssumeRolePolicy
-
iam:ListPolicyVersions
-
iam:ListAccountAliases
-
iam:CreateRole
-
iam:AttachRolePolicy
-
iam:UpdateRole
-
iam:CreatePolicyVersion
-
iam:\DeletePolicyVersion
-
iam:GetAccountSummary
-
iam:SetDefaultPolicyVersion
-
-
When you finish creating app profiles, you can click Finish to exit the Create app profile wizard.
Permissions Required by Cloud Backup for AWS
Once you create an app profile of the Cloud Backup for AWS app type, the IAM role AWSBackupAdminRole and the IAM policy AWSS3BackupAdminPolicy will be created in your AWS environment. Below are the policies which will be added to the IAM role/policy:
The IAM policy AWSS3BackupAdminPolicy is used only for Cloud Backup for IaaS + PaaS > Amazon S3. If you don't use the Amazon S3 service, you can manually remove this policy.
AWSBackupAdminRole
-
ebs:*
-
ec2:AttachVolume
-
ec2:CopySnapshot
-
ec2:\DeleteSnapshot
-
ec2:\DescribeAddresses
-
ec2:\DescribeInstances
-
ec2:\DescribeInstanceAttribute
-
ec2:\DescribeRegions
-
ec2:CreateImage
-
ec2:\DescribeSnapshots
-
ec2:\DeleteVolume
-
ec2:\DescribeNetworkInterfaces
-
ec2:StartInstances
-
ec2:CreateSecurityGroup
-
ec2:\DescribeVolumes
-
ec2:CreateSnapshot
-
ec2:\DescribeKeyPairs
-
ec2:\DescribeInstanceStatus
-
ec2:CreateInstanceExportTask
-
ec2:\DetachVolume
-
ec2:TerminateInstances
-
ec2:CreateTags
-
ec2:RegisterImage
-
ec2:ModifyNetworkInterfaceAttribute
-
ec2:RunInstances
-
ec2:StopInstances
-
ec2:AllocateAddress
-
ec2:\DescribeSecurityGroups
-
ec2:CreateVolume
-
ec2:CreateNetworkInterface
-
ec2:\DescribeImages
-
ec2:CreateSnapshots
-
ec2:AssociateAddress
-
ec2:ModifySnapshotAttribute
-
ec2:\DescribeInstanceTypeOfferings
-
ec2:\DescribeAvailabilityZones
-
ec2:\DescribeVpcs
-
ec2:\DescribeInstanceTypes
-
ec2:\DescribeSubnets
-
iam:\PassRole
-
elasticloadbalancing:\DescribeLoadBalancers
-
elasticloadbalancing:RegisterInstancesWithLoadBalancer
AWSS3BackupAdminPolicy
You can manually remove permissions that are not required.
-
DescribeJob
-
DescribeMultiRegionAccessPointOperation
-
GetAccelerateConfiguration
-
GetAccessGrant
-
GetAccessGrantsInstance
-
GetAccessGrantsInstanceForPrefix
-
GetAccessGrantsInstanceResourcePolicy
-
GetAccessGrantsLocation
-
GetAccessPoint
-
GetAccessPointConfigurationForObjectLambda
-
GetAccessPointForObjectLambda
-
GetAccessPointPolicy
-
GetAccessPointPolicyForObjectLambda
-
GetAccessPointPolicyStatus
-
GetAccessPointPolicyStatusForObjectLambda
-
GetAccountPublicAccessBlock
-
GetAnalyticsConfiguration
-
GetBucketAbac
-
GetBucketAcl
-
GetBucketCORS
-
GetBucketLocation
-
GetBucketLogging
-
GetBucketMetadataTableConfiguration
-
GetBucketNotification
-
GetBucketObjectLockConfiguration
-
GetBucketOwnershipControls
-
GetBucketPolicy
-
GetBucketPolicyStatus
-
GetBucketPublicAccessBlock
-
GetBucketRequestPayment
-
GetBucketTagging
-
GetBucketVersioning
-
GetBucketWebsite
-
GetDataAccess
-
GetEncryptionConfiguration
-
GetIntelligentTieringConfiguration
-
GetInventoryConfiguration
-
GetJobTagging
-
GetLifecycleConfiguration
-
GetMetricsConfiguration
-
GetMultiRegionAccessPoint
-
GetMultiRegionAccessPointPolicy
-
GetMultiRegionAccessPointPolicyStatus
-
GetMultiRegionAccessPointRoutes
-
GetObject
-
GetObjectAcl
-
GetObjectAttributes
-
GetObjectLegalHold
-
GetObjectRetention
-
GetObjectTagging
-
GetObjectTorrent
-
GetObjectVersion
-
GetObjectVersionAcl
-
GetObjectVersionAttributes
-
GetObjectVersionForReplication
-
GetObjectVersionTagging
-
GetObjectVersionTorrent
-
GetReplicationConfiguration
-
GetStorageLensConfiguration
-
GetStorageLensConfigurationTagging
-
GetStorageLensDashboard
-
GetStorageLensGroup
-
AbortMultipartUpload
-
CreateAccessPoint
-
CreateAccessPointForObjectLambda
-
CreateBucket
-
CreateBucketMetadataTableConfiguration
-
CreateJob
-
CreateMultiRegionAccessPoint
-
CreateStorageLensGroup
-
DeleteAccessPoint
-
DeleteAccessPointForObjectLambda
-
DeleteBucket
-
DeleteBucketMetadataTableConfiguration
-
DeleteBucketWebsite
-
DeleteMultiRegionAccessPoint
-
DeleteObject
-
DeleteObjectVersion
-
DeleteStorageLensConfiguration
-
DeleteStorageLensGroup
-
InitiateReplication
-
PauseReplication
-
PutAccelerateConfiguration
-
PutAccessPointConfigurationForObjectLambda
-
PutAnalyticsConfiguration
-
PutBucketAbac
-
PutBucketCORS
-
PutBucketLogging
-
PutBucketNotification
-
PutBucketObjectLockConfiguration
-
PutBucketRequestPayment
-
PutBucketVersioning
-
PutBucketWebsite
-
PutEncryptionConfiguration
-
PutIntelligentTieringConfiguration
-
PutInventoryConfiguration
-
PutLifecycleConfiguration
-
PutMetricsConfiguration
-
PutObject
-
PutObjectLegalHold
-
PutObjectRetention
-
PutReplicationConfiguration
-
PutStorageLensConfiguration
-
ReplicateDelete
-
ReplicateObject
-
RestoreObject
-
SubmitMultiRegionAccessPointRoutes
-
UpdateBucketMetadataInventoryTableConfiguration
-
UpdateBucketMetadataJournalTableConfiguration
-
UpdateJobPriority
-
UpdateJobStatus
-
UpdateObjectEncryption
-
UpdateStorageLensGroup
-
ListAccessGrants
-
ListAccessGrantsInstances
-
ListAccessGrantsLocations
-
ListAccessPoints
-
ListAccessPointsForObjectLambda
-
ListAllMyBuckets
-
ListBucket
-
ListBucketMultipartUploads
-
ListBucketVersions
-
ListCallerAccessGrants
-
ListJobs
-
ListMultipartUploadParts
-
ListMultiRegionAccessPoints
-
ListStorageLensConfigurations
-
ListStorageLensGroups
-
ListTagsForResource
-
DeleteJobTagging
-
DeleteObjectTagging
-
DeleteObjectVersionTagging
-
DeleteStorageLensConfigurationTagging
-
PutBucketTagging
-
PutJobTagging
-
PutObjectTagging
-
PutObjectVersionTagging
-
PutStorageLensConfigurationTagging
-
ReplicateTags
-
TagResource
-
UntagResource
-
AssociateAccessGrantsIdentityCenter
-
BypassGovernanceRetention
-
CreateAccessGrant
-
CreateAccessGrantsInstance
-
CreateAccessGrantsLocation
-
DeleteAccessGrant
-
DeleteAccessGrantsInstance
-
DeleteAccessGrantsInstanceResourcePolicy
-
DeleteAccessGrantsLocation
-
DeleteAccessPointPolicy
-
DeleteAccessPointPolicyForObjectLambda
-
DeleteBucketPolicy
-
DissociateAccessGrantsIdentityCenter
-
ObjectOwnerOverrideToBucketOwner
-
PutAccessGrantsInstanceResourcePolicy
-
PutAccessPointPolicy
-
PutAccessPointPolicyForObjectLambda
-
PutAccessPointPublicAccessBlock
-
PutAccountPublicAccessBlock
-
PutBucketAcl
-
PutBucketOwnershipControls
-
PutBucketPolicy
-
PutBucketPublicAccessBlock
-
PutMultiRegionAccessPointPolicy
-
PutObjectAcl
-
PutObjectVersionAcl
-
UpdateAccessGrantsLocation