Create a role with the permissions to deploy and manage XProtect VMS

You must use either a new AWS account or an existing AWS account created by the administrator in your organization, together with a CloudFormation service role that has the necessary permissions.

If you are an AWS Identity and Access Management (IAM) administrator, your own permissions are broader than XProtect needs. To limit the permissions used for deployment, create a custom policy and attach it to a dedicated role.

Create a policy with the necessary permissions

For improved security of your XProtect production environment, you should create a CloudFormation role with only the necessary permissions for XProtect.

  1. Go to https://console.aws.amazon.com/iam/.
  2. Select the Policies node and select the Create Policy button.
  3. Select the JSON tab and copy and paste the content from the Identity and Access Management (IAM) policy.
  4. On the Review and create page, enter a policy name and a description for the policy and select the Create policy button.

Create a role

All users should use this role when deploying the XProtect stack:

  1. Return to the Identity and Access Management (IAM) page and select the Roles node and then the Create role button.

  2. On the Select trusted entity page select:

    • AWS service as the trusted entity type.

    • CloudFormation as the use case.

    Then, select Next.

  3. In the Filter policies field, enter the first letters of the name of the policy that you created earlier.

  4. Select the policy and select Next.

  5. Enter a name and description for the role and select the Create role button.
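The two procedures above in AWS CLI form, as an added example that is not part of the original page or of XProtect: it creates the permissions policy from the linked policy document, creates a role trusted only by CloudFormation, attaches the policy, and deploys a stack with that role so the deployment runs with the role's permissions rather than the caller's. The account ID, policy and role names, the policy file name and the aws:SourceAccount condition are assumptions, not values from the page.

```shell
# Placeholders (assumptions, not values from the page): replace before use.
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
POLICY_NAME="${POLICY_NAME:-XProtectDeployPolicy}"
ROLE_NAME="${ROLE_NAME:-XProtectCloudFormationRole}"
# Local copy of the IAM policy JSON the page links to (assumed file name).
POLICY_FILE="${POLICY_FILE:-xprotect-iam-policy.json}"

# Trust policy: only the CloudFormation service may assume the role, and only
# when acting for this account (limits cross-account confused-deputy use).
cfn_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "cloudformation.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "aws:SourceAccount": "$1" } }
  }]
}
EOF
}

# The console steps as CLI calls. Needs AWS credentials; not run offline.
create_xprotect_cfn_role() {
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "file://$POLICY_FILE" \
      --query 'Policy.Arn' --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(cfn_trust_policy "$ACCOUNT_ID")"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  echo "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
}

# Deploy the XProtect stack with the role: CloudFormation then acts with the
# role's permissions, not those of the (possibly administrator) caller.
deploy_with_role() {
  aws cloudformation create-stack --stack-name "$1" --template-url "$2" \
      --role-arn "$3"
}

# Offline sanity check: the trust policy names CloudFormation as the only
# principal and pins the expected source account.
trust_policy_ok() {
  doc=$(cfn_trust_policy "$1")
  printf '%s' "$doc" | grep -q '"Service": "cloudformation.amazonaws.com"' &&
  printf '%s' "$doc" | grep -q '"aws:SourceAccount": "'"$1"'"'
}
```

Run `create_xprotect_cfn_role` once per account, then pass the printed role ARN to `deploy_with_role` for every stack deployment.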