Overview
Security Controls for Everpure Cloud Dedicated for AWS describe the core safeguards used to secure a deployment in AWS, including private-subnet network design, interface-specific security groups, required IAM roles, encryption options, and optional AWS audit logging. Pure Storage Cloud Dedicated (PSCD) uses four interfaces—system, replication, iSCSI, and management—and each interface has distinct access requirements that are enforced during deployment.
Key Benefits
The high-level win is stronger security without losing operational simplicity. PSCD is designed to run on private subnets, isolate traffic by interface, and use purpose-built security groups so customers can reduce exposure while keeping the deployment model straightforward.
A second benefit is better data protection and governance. PSCD includes encryption as a core data service, supports customer-managed KMS keys for organizations that require tighter key control, and can be paired with AWS CloudTrail for account-level event tracking and longer-term audit retention.
Audience & Use Cases
This topic is for cloud architects, AWS administrators, security engineers, and storage or platform teams deploying PSCD in an Amazon VPC.
Use it when you need to:
- plan secure VPC, subnet, and route-table design for a PSCD deployment,
- define required security groups and IAM permissions,
- choose between AWS-managed and customer-managed encryption keys, or
- enable AWS-side event logging for security monitoring and investigations.
How it Works
- Build the PSCD network in AWS using private subnets for the PSCD interfaces, and provide internet access only where required for the system subnet.
- Create and apply dedicated security groups for replication, iSCSI, and management traffic, while the system security group is created automatically during deployment.
- Create the required IAM policy and deployment role so CloudFormation can deploy, upgrade, and manage the PSCD resources.
- Deploy PSCD through the AWS Marketplace and CloudFormation workflow, selecting the subnets, security groups, key pair, license key, and IAM role as part of the stack configuration.
- Optionally enable CloudTrail to retain AWS event history and support troubleshooting, activity tracking, and security investigations.
Prerequisites
- an AWS VPC with private subnets for PSCD interfaces, plus a public subnet and NAT path for required system-subnet internet access,
- security groups for replication, iSCSI, and management in the same region and VPC,
- an IAM policy and the
PurityServiceRole, plus theAWSServiceRoleForApplicationAutoScaling_DynamoDBTableservice-linked role, - VPC endpoints for Amazon S3 and DynamoDB, with VPC DNS resolution enabled, and
- an EC2 key pair and a PSCD license key.
- replication: TCP 8117,
- iSCSI: TCP 3260, and
- management: TCP 22, 80, 443, and 8084.
- PSCD releases follow Purity//FA releases and use the same code base,
- deploy only in supported AWS regions, and note that some generally supported regions still have Availability Zones that do not offer the required
c5n.9xlargeandc5n.18xlargeinstances, - ActiveCluster with Pure1 Mediator is not supported in Oregon (
us-west-2), - customer-driven controller software upgrades are supported for Purity 6.6.6 and higher, customer-driven capacity upgrades are supported for 6.6.2 and higher, and encrypted DNS is available from 6.8.1 and is disabled by default.
Deployment
To start building, go to the AWS Marketplace listing for Pure Storage Cloud Dedicated, then select Continue to Subscribe > Continue to Configuration > choose the version and region > Continue to Launch > Launch. This opens the CloudFormation stack workflow, where you provide the stack name, array name, license key, key pair, subnets, security groups, and PurityServiceRole.
Additional Information
- Pure Storage Cloud Dedicated for AWS Deployment — deployment overview and architecture context.
- Deploying Pure Storage Cloud Dedicated for GUI — click path for AWS Marketplace and CloudFormation deployment.
- Security Requirements — security groups, IAM policy, and required deployment roles.
- Network Requirements — private subnet design, VPC endpoints, DNS, and internet-access requirements.
- AWS Regions Support — current AWS support matrix and AZ caveats.
- Creating a Pure Storage Cloud Dedicated Customer-managed Encryption Key — KMS CMK setup for EBS volume encryption.
- Supported Capabilities and Features — version-gated feature support, including CMK, encrypted DNS, and upgrade support.
- FlashArray REST API Reference Guides — REST API reference entry point for Purity//FA-based management and automation.