Some limitations I encountered when running Zerto on AWS because of their handling with IAM:
Zertos Preflight Check during Installation and also some Scripts on ZASA and ZSAT can’t deal with paths in IAM. If you are like me running Zerto in a restricted Environment trying to limit IAM permissions by Path than you are out of luck! Zertos implementation try’s to extract the IAM Role Name from the Metadata Service and don’t expect a Path!
Zerto Scripts believe that IAM Role Name and IAM Instance Profile Name are the same! If you’re using AWS Console (UI) to create the IAM Role that happens to be the default, but if you are using IaC or other automation tools you must make sure the Name of those two Resources match!
Security Tip: Don’t follow Minimum Required AWS Permissions (zerto.com) when it comes to Action: iam:PassRole with Resource: “*”. Doing this would allow Zerto to impersonate any available Role in your AWS Account. You likely have some critical Roles, i.e. Administrator, which should never be assumed by apps like Zerto. I usually include a Path in my permission structure to solve this problem… that doesn’t work because of Point 1. Explicitly specify the ARN of your Role instead or at least limit it to “arn:aws:iam::*:role/zerto-*” and Name your Roles accordingly.
This might be helpful for others so they don’t have to learn this the hard way. Of course it would be most appreciated if Zerto Software handles this better.
Stephan R.
