Configuring Backups for Amazon DynamoDB Instances with STS Assume Role Authentication

You can configure backups for Amazon DynamoDB using STS assume role authentication. First, configure the AWS admin account in Commvault Cloud. Then, configure the AWS tenant accounts.

Configure the AWS Admin Account

Start the Configuration Wizard

From the navigation pane, go to Protect > Databases.

The database overview page appears.
Click Add Instance, and then click Cloud database service.

The Vendor page appears.
Select Amazon Web Services and click NEXT.

The Select a Database Service page appears.
Select DynamoDB and click NEXT.

The Backup Method page appears.
Review the information.
Click NEXT.

The Configure Permissions page of the Configure Amazon database - DynamoDB configuration wizard appears.

Configure Permissions

From the Authentication method list, select STS assume role with IAM policy.
Verify an existing CommvaultAdminRole IAM role or create a new CommvaultAdminRole IAM role in the AWS admin account:
- If the CommvaultAdminRole IAM role was previously created for another AWS workload, do the following:
  1. Verify that the CommvaultAdminRole-STSAssumePolicy IAM policy for the AWS workload is attached to the CommvaultAdminRole IAM role.
  2. At the bottom of the page, select the confirmation check box.
  3. Click NEXT.
    
    The Region page of the configuration wizard appears.
- If the CommvaultAdminRole IAM role does not exist yet, create it in AWS.
  Steps to create CommvaultAdminRole IAM role
  1. Click the Launch the CloudFormation Stack link to open the AWS console for the AWS admin account.
    
    Important
    
    If you do not have permission to create a role in the AWS account, copy the Launch the CloudFormation Stack link and share it with your AWS IAM administrator.
  2. Log on to the AWS console.
    
    The Quick create stack page appears.
  3. Under Capabilities, read the information about the template, and then select the acknowledgment check box.
  4. Click Create stack.
    
    Wait for the CloudFormation Stack to finish creating the CommvaultAdminRole IAM role. The CloudFormation Stack creates an IAM policy called CommvaultAdminRole-STSAssumePolicy for STS Assume Role authentication, and then attaches the policy to CommvaultAdminRole.
  5. Return to the Commvault Cloud configuration wizard.

Region

Select the region that the databases reside in.

MSP admins and MSP tenants must be in the same region.
Click NEXT.

The Backup Gateway page of the configuration wizard appears.

Backup Gateway

Because this is a cross-account environment, if you create a new backup gateway, install it in an AWS admin account.

If AWS EBS encryption is enabled for your region in your AWS account, the user who uses the backup gateway template must be a key user for the default encryption key. To see if EBS encryption is enabled, in your AWS account, go to EC2 > EC2 Dashboard > Settings > EBS encryption. To see a list of key users for the default encryption key, in your AWS account, go to Key Management Service > Customer managed keys. If you do not have the correct level of access to use the template, you can copy the Launch Cloud Formation Stack link and share it with someone who has the correct level of access, such as your security administrator.
Determine the region of your AWS S3 storage. The backup gateway must reside in the same region as the primary storage.
Select an existing backup gateway or create a new backup gateway.
Steps to create a backup gateway
1. Click the add button .
  
  The Add a new backup gateway dialog box appears.
2. For Platform, select the OS for the backup gateway.
3. Click GENERATE LINK.
  
  An AWS CloudFormation template is created based on the region and the operating system that you selected.
4. Click the CloudFormation link to open the AWS console.
  
  Note
  
  If AWS EBS encryption is enabled for your region in your AWS account, to use the template, you must be a key user for the default encryption key. If you are not a key user for the default encryption key, copy the CloudFormation link and share it with someone who is a key user, such as your security administrator.
5. Log on to the AWS console.
  
  The Quick create stack page appears.
6. Under Parameters, enter the following information:
  1. From the EC2 Instance Type list, select the type of EC2 instance to use for the backup gateway.
  2. From the EC2 Key Pair list, select a key pair to use to access the Commvault Cloud backup gateway.
  3. From the VPC ID list, select an Amazon Virtual Private Cloud (VPC).
  4. From the Subnet ID list, select a subnet.
  5. From the VPC CIDR list, select a VPC CIDR.
  Note
  
  Port 8403 opens on backup gateways only when the request comes from the IP ranges that are listed in the VPC CIDR field.
7. Click Create stack.
  
  Wait for the Commvault Cloud backup gateway to be created.
8. Return to the Commvault Cloud configuration wizard.
9. Refresh the list of backup gateways, and then select the backup gateway that you created.
Click NEXT.

The Cloud Storage page of the configuration wizard appears.

Cloud Storage

To review the supported combinations of primary and secondary storage, see Commvault Cloud Storage Options.

Primary Copy

For the primary copy of the backup data, select an existing S3 storage bucket or create a new S3 storage bucket.
Steps to create an S3 storage bucket
1. Click the add button .
  
  The Add cloud storage dialog box appears.
2. From the Type list, select Amazon S3.
3. In Name, enter a descriptive name for the cloud storage.
4. For Storage Class, select the storage class for the type of access that you want to have for the data.
5. In the Service host box, enter the Amazon S3 endpoint in the format s3.region.amazonaws.com.
6. For Authentication, STS assume role with IAM role will be selected by default.
7. From the Credentials list, select or create credentials that have the ARN of CommvaultRole.
  
  To create credentials, do the following:
  1. Click Create new .
    
    The Add credential dialog box appears.
  2. The Account type, Vendor type, Authentication type, and Credential Vault are selected by default.
  3. In the Credential name box, enter a descriptive name for the credentials.
  4. In the Role ARN box, enter the ARN of CommvaultRole in the tenant AWS account.
  5. In the External ID box, enter the external ID if it is set at the IAM role trust policy.
  6. In the Description box, enter a description of the credentials.
  7. Click SAVE.
8. In Bucket, enter the Amazon S3 bucket name, and then click DETECT.
9. Click SAVE.
If you do not want to create a secondary copy, click NEXT.

Secondary Copy

Decide whether to store a secondary copy of the backup data for long-term retention.

To add a secondary copy of the backup data, move the Secondary copy toggle key to the right.
For Storage location, select an existing storage location or create a new storage location.
Steps to create a new storage location for secondary copy
1. Click the add button .
  
  The Add cloud storage dialog box appears.
2. From Type, select a storage type. Based on the storage type selected, specify the following:
  - Amazon S3
    1. In Name, enter a descriptive name for the cloud storage.
    2. For Storage Class, select the storage class for the type of access that you want to have for the data.
    3. From the Region list, select a region of your cloud storage.
    4. In the Service host box, enter the Amazon S3 endpoint in the format s3.region.amazonaws.com.
    5. For Authentication, select the authentication type.
      
      Access keys and secret keys: Enter the access key ID and the secret access key.
      
      STS assume role with IAM role: Enter the ARN of the CommvaultRole.
    6. From the Credentials list, select the required credential or create new credential.
    7. In Bucket, enter the Amazon S3 bucket name, and then click DETECT.
  - Air Gap Protect
    1. From the Cloud storage provider list, select a cloud service provider.
    2. For Storage Class, select the storage class for the type of access that you want to have for the data.
    3. From the Region list, select a region of your cloud storage.
  - Oracle Cloud Infrastructure Object Storage
    1. In the Name box, enter a name for the cloud storage.
    2. For Storage Class, select the storage class for the type of access that you want to have for the data.
    3. From the Region list, select a region of your cloud storage.
    4.In the Service host box, enter the service host details.
    1. From the Credentials list, select the required credential or create new credential.
    2. In the Compartment name box, enter a compartment name.
    3. In the Bucket box, enter a name for the bucket, and then click DETECT.
  - Microsoft Azure Storage
    1. In the Name box, enter a name for the cloud storage.
    2. For Storage Class, select the storage class for the type of access that you want to have for the data.
    3. From the Region list, select a region of your cloud storage.
    4.In the Service host box, enter the service host details.
    1. For Authentication, select the authentication type that you want to use. If you have selected IAM AD application, in the Account name box, enter the account name.
    2. From the Credentials list, select the required credential or create new credential.
    3. In Container, enter the container name, and then click DETECT.
3. Click SAVE.
Click NEXT.

The Plan page of the configuration wizard appears.

Plan

A backup plan specifies the storage to back up the data to and other settings such as recovery point objective (RPO) settings.

Select an existing backup plan or create a new backup plan.
Steps to create a backup plan
1. Click the add button .
  
  The Create server backup plan dialog box appears.
2. In the Plan name box, enter a descriptive name for the backup plan.
3. For the backup plan settings, select pre-defined settings or create custom settings:
  - To select pre-defined settings, under Retention rules, select one of the following:
    - Select Standard retention to retain the incremental backups for 1 month.
    - Select Extended retention for optimized storage where the incremental backups of primary and secondary copies are retained for 1 month, and extended retention for monthly and yearly full backups.
      
      Note
      
      The Extended retention option is available only when the secondary copy backup is selected.
  - To create custom settings, select Custom plan, and then specify the following:
    - For Retention, specify the amount of time to retain the backup jobs.
    - For Retention monthly full (Secondary copy), specify the amount of time to retain the monthly full backup on secondary copy.
    - For Retention yearly full (Secondary copy), specify the amount of time to retain the yearly full backup on secondary copy.
    - For Backups run every, specify how often to run backups.
4. Click DONE.
Click NEXT.

The Cloud Account page of the configuration wizard appears.

Cloud Account

The cloud account is used to access the databases for discovery, backups, and other operations.

Select an existing cloud account or create a new cloud account.
Steps to create a cloud account
1. Click the add button .
  
  The Add cloud account dialog box appears.
2. In the Name box, enter a descriptive name for the account.
3. Select or create credentials that have the ARN of CommvaultRole in the AWS tenant account and click SAVE.
  
  To create credentials, do the following:
  1. Click the add button .
    
    The Add credential dialog box appears.
  2. The Account type, Vendor type, Authentication type, and Credential Vault are selected by default.
  3. In the Credential name box, enter a descriptive name for the credentials.
  4. In the Role ARN box, enter the ARN of CommvaultRole in the tenant AWS account.
  5. In the External ID box, enter the external ID if it is set at the IAM role trust policy.
  6. In the Description box, enter a description of the credentials.
  7. Click SAVE.
Click NEXT.

The Instance Details page of the configuration wizard appears.

Instance Details

In the Instances box, update the instance name as required.
In the Staging bucket path box, enter the path to stage the data temporarily. Alternatively, click Browse to locate the path.

Note

Staging path should be of the same region as the S3 path.
Click NEXT.

The Backup Content page of the configuration wizard appears.

Backup Content

Review the list of tables that will be protected.
Click NEXT.

The Summary page of the configuration wizard appears.

Summary

Review the summary.
Click FINISH.

Configure the AWS Tenant Account

Start the Configuration Wizard

From the navigation pane, go to Protect > Databases.

The database overview page appears.
Click Add Instance, and then click Cloud database service.

The Vendor page appears.
Select Amazon Web Services and click NEXT.

The Select a Database Service page appears.
Select DynamoDB and click NEXT.

The Backup Method page appears.
Review the information.
Click NEXT.

The Configure Permissions page of the configuration wizard appears.

IAM Role

From the Authentication method list, select IAM Role.
Verify an existing CommvaultRole IAM role or create a new CommvaultRole IAM role in the AWS tenant account:
- If the CommvaultRole IAM role was previously created for another AWS workload, do the following:
  1. Verify that the IAM policies for the AWS workload is attached to the CommvaultRole IAM role.
  2. Verify that the trust relationship is set with the CommvaultAdminRole IAM Role in the AWS admin account.
  3. At the bottom of the page, select the confirmation check box.
  4. Click NEXT.
    
    The Region page of the configuration wizard appears.
- If the CommvaultRole IAM role does not exist yet, create it in AWS.
  Steps to create CommvaultRole IAM role
  1. Click the Launch CloudFormation Stack link to open the AWS console for the AWS tenant account.
    
    Important
    
    If you do not have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.
  2. Log on to the AWS console.
    
    The Quick create stack page appears.
  3. Under Capabilities, read the information about the template, and then select the acknowledgment check box.
  4. Click Create stack.
    
    Wait for the CloudFormation Stack to finish creating the CommvaultRole IAM Role. The CloudFormation Stack creates IAM policies for all supported AWS workloads, and then attaches the policies to CommvaultRole.
  5. Go to IAM, select the IAM Role, and then edit the Trust relationship.
  6. Add the ARN of the CommvaultAdminRole in the AWS admin account.
```
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/Commvault/CommvaultAdminRole",
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]}
```
  7. Return to the Commvault Cloud configuration wizard.
  8. From the Authentication method list, select STS assume role with IAM policy.
  9. At the bottom of the page, select the confirmation check box.
  10. Click NEXT.
    
    The Region page of the configuration wizard appears.

Region

Select the region that the databases reside in.

MSP admins and MSP tenants must be in the same region.
Click NEXT.

The Backup Gateway page of the configuration wizard appears.

Backup Gateway

Select the backup gateway that was created when the AWS admin account was configured.
Click NEXT.

The Cloud Storage page of the configuration wizard appears.

Cloud Storage

Select the Amazon S3 storage bucket that was created when the AWS admin account was configured.
Click NEXT.

The Plan page of the configuration wizard appears.

Plan

Select the backup plan that was created when the AWS admin account was configured.
Click NEXT.

The Cloud Account page of the configuration wizard appears.

Cloud Account

Select an existing cloud account or create a new cloud account.
Steps to create a cloud account
1. Click the add button .
  
  The Add cloud account dialog box appears.
2. In the Name box, enter a descriptive name for the account.
3. Select or create credentials that have the ARN of CommvaultRole in the AWS tenant account and click SAVE.
  
  To create credentials, do the following:
  1. Click the add button .
    
    The Add credential dialog box appears.
  2. The Account type, Vendor type, Authentication type, and Credential Vault are selected by default.
  3. In the Credential name box, enter a descriptive name for the credentials.
  4. In the Role ARN box, enter the ARN of CommvaultRole in the tenant AWS account.
  5. In the External ID box, enter the external ID if it is set at the IAM role trust policy.
  6. In the Description box, enter a description of the credentials.
  7. Click SAVE.
Click NEXT.

The Instance Details page of the configuration wizard appears.

Instance Details

In the Instances box, update the instance name as required.
In the Staging bucket path box, enter the path to stage the data temporarily. Alternatively, click Browse to locate the path.

Note

Staging path should be of the same region as the S3 path.
Click NEXT.

The Backup Content page of the configuration wizard appears.

Backup Content

Review the list of instances that will be protected.
Click NEXT.

The Summary page of the configuration wizard appears.

Summary

Review the summary.
Click FINISH.