Leveraging AWS Marketplace Storage Solutions for Microsoft SharePoint
AWS Whitepaper


SoftNAS IAM Policy and Role

Prior to deploying the SoftNAS Cloud NAS instances you need to create a custom IAM role that allows the setup and configuration of SoftNAS Snap high availability (HA). You must use the name SoftNAS_HA_IAM for the role because the IAM role is hard coded in the SoftNAS Snap HA application.

Create the SoftNAS_HA_IAM role with the following policy:

{   "Version": "2012-10-17",   "Statement": [     {       "Sid": "Stmt1444200186000",       "Effect": "Allow",       "Action": [         "ec2:ModifyInstanceAttribute",         "ec2:DescribeInstances",         "ec2:CreateVolume",         "ec2:DeleteVolume",         "ec2:CreateSnapshot",         "ec2:DeleteSnapshot",         "ec2:CreateTags",         "ec2:DeleteTags",         "ec2:AttachVolume",         "ec2:DetachVolume",         "ec2:DescribeInstances",         "ec2:DescribeVolumes",         "ec2:DescribeSnapshots",         "aws-marketplace:MeterUsage",         "ec2:DescribeRouteTables",         "ec2:DescribeAddresses",         "ec2:DescribeTags",         "ec2:DescribeInstances",         "ec2:ModifyNetworkInterfaceAttribute",         "ec2:ReplaceRoute",         "ec2:CreateRoute",         "ec2:DeleteRoute",         "ec2:AssociateAddress",         "ec2:DisassociateAddress",         "s3:CreateBucket",         "s3:Delete*",         "s3:Get*",         "s3:List*",         "s3:Put*"       ],       "Resource": [         "*"       ]     }   ] }

The IAM policy grants users permissions to access APIs for Amazon EC2, Amazon S3, and AWS Marketplace.

  • Amazon EC2 permissions allow for management of instance attributes, volumes, tags, snapshots, route tables, routes, network attributes, and IP addresses.

  • Amazon S3 permissions allow for the setup of SoftNAS Snap Replication and SnapHA.

  • AWS Marketplace permissions allow for metered billing.

Marketplace AMI Deployment with EC2 Console

You can deploy the SoftNAS Cloud NAS using the Amazon EC2 console. To do this, open the console, select Launch Instance, choose AWS Marketplace, type SoftNAS in the search box, and then select the appropriate SoftNAS storage configuration from the results list.

After you choose a SoftNAS Cloud NAS configuration you can complete the rest of the process to deploy and configure the SoftNAS Cloud NAS instance. You need to deploy two SoftNAS Cloud NAS instances to configure fault tolerance and high-availability, but you need to deploy each instance independently so that you can select separate Availability Zones.

For this implementation you add instance storage to accommodate the WSFC quorum majority disk, SharePoint databases (for example, tempdb, content, usage, search, transaction logs), a Microsoft WSFC witness file share, and SharePoint RBS Storage using separate Amazon EBS volumes for each database as recommended by Microsoft for optimal performance. You can also add initial or additional storage from the SoftNAS GUI after deployment. For more information, see Storage and SQL Server capacity planning and configuration (SharePoint Server 2013) at

To complete the instance deployment, follow the Amazon EC2 launch wizard, providing the appropriate input for instance type, instance configuration details, addition of storage, tags, and security group configuration. After you review the launch configuration, you need to select a key pair to use for post-deployment administration prior to launching the SoftNAS Cloud NAS instance. Select the appropriate key pair and then launch the instance.

Limited Access Security Group

SoftNAS Cloud NAS instances require access for administration on ports TCP 22 and TCP 443, and access for iSCSI connectivity on port TCP 3260. SoftNAS Snap Replicate and Snap HA require SSH between instances as well as the additional ICMP Echo Request and Echo Reply configuration. Configure inbound security group rules to accommodate this connectivity and to limit inbound traffic from authorized sources.

You can limit access to the SoftNAS storage to accept only traffic from authorized sources by adding the appropriate sources in the configuration. Management access on ports 22 and 443 is required only from the jump server instances, iSCSI and CIFS access is required only from the Microsoft SQL Server database instances and WSFC file share witness. ICMP and SSH connectivity are required between the subnets used by the SoftNAS Cloud NAS instances.

Security Group Inbound Source Type Ports
SoftnasAdmin Jump Servers and RDGW Servers



TCP 22

TCP 443

SoftnasISCSI Microsoft SQL Servers ISCSI TCP 3260
SoftnasCIFS WSFC Witness Server




UDP 137 & 138

TCP 139 & 445

TCP 389

SoftnasCluster SoftNAS Replication and HA members




TCP 22

Echo Request

Echo Reply