Configuring Backups for Amazon EC2 Instances for Multiple AWS Accounts with STS Assume Role Authentication

You can use STS assume role with IAM policy authentication to back up Amazon EC2 instances from multiple AWS organizations that are in the same AWS region. First, configure the AWS shared services account in Commvault Cloud. Then, configure the AWS member accounts.

In this cross-account deployment configuration, the backup gateway resides in one AWS organization (the AWS shared services account) and the AWS data source resides in multiple organizations (AWS member accounts).

Configure the AWS Shared Services Account

Start the Configuration Wizard

  1. From the Command Center navigation pane, go to Protect > Virtualization.

    The Overview page appears.

  2. In the upper-right area of the page, click Add hypervisor.

    The Configure Hypervisor page appears.

  3. Select Amazon Web Services.

  4. Click Next.

    The Amazon EC2 Backup Overview page appears.

  5. Select Back up using gateways.

  6. Click Next.

    The Configure Permissions page of the configuration wizard appears.

Configure Permissions

For the AWS shared services account, complete the following steps:

  1. From the Authentication method list, select IAM role.

  2. Verify an existing CommvaultAdminRole IAM role or create a new CommvaultAdminRole IAM role in the AWS shared services account:

    • If the CommvaultAdminRole IAM role was previously created for another AWS workload, do the following:

      1. Verify that the CommvaultAdminRole-STSAssumePolicy IAM policy for the AWS workload is attached to the CommvaultAdminRole IAM role.

      2. At the bottom of the page, select the confirmation check box.

      3. Click Next.

        The Region page of the configuration wizard appears.

    • If the CommvaultAdminRole IAM role does not exist yet, create it in AWS.

      Steps to create CommvaultAdminRole IAM role
      1. Click the Launch CloudFormation Stack link to open the AWS console for the AWS shared services account.

        Important

        If you do not have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.

      2. Log on to the AWS console.

        The Quick create stack page appears.

      3. Under Capabilities, read the information about the template, and then select the acknowledgment check box.

      4. Click Create stack.

        Wait for the CloudFormation Stack to finish creating the CommvaultAdminRole IAM role. The CloudFormation Stack creates an IAM policy called CommvaultAdminRole-STSAssumePolicy for STS Assume Role authentication, and then attaches the policy to CommvaultAdminRole.

      5. Return to the Commvault Cloud configuration wizard.

For the AWS member account, complete the following steps:

  1. From the Authentication method list, select STS assume role.

  2. Verify an existing CommvaultRole IAM role or create a new CommvaultRole IAM role:

    • If the CommvaultRole IAM role was previously created for another AWS workload, verify that the IAM policies for the AWS workload are still attached to the CommvaultRole IAM role.

    • If the CommvaultRole IAM role does not exist yet, create it in AWS.

      Steps to create CommvaultRole IAM role
      1. Click the Launch CloudFormation Stack link to open the AWS console for the AWS member account.

        Important

        If you do not have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.

      2. Log on to the AWS console.

        The Quick create stack page appears.

      3. Under Capabilities, read the information about the template, and then select the acknowledgment check box.

      4. Click Create stack.

        Wait for the CloudFormation Stack to finish creating the CommvaultRole IAM Role. The CloudFormation Stack creates IAM policies for all supported AWS workloads, and then attaches the policies to CommvaultRole.

      5. Go to IAM, select the IAM Role, and then edit the Trust relationship.

      6. Add the ARN of the CommvaultAdminRole in the AWS shared services account.

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::111111111111:role/Commvault/CommvaultAdminRole",
                        "Service": "ec2.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }

      7. Return to the Commvault Cloud configuration wizard.

      8. From the Authentication method list, select IAM role.

  3. At the bottom of the page, select the confirmation check box.

  4. Click Next.

    The Region page of the configuration wizard appears.

Region

  1. Select the region that the instances reside in.

    MSP admins and MSP tenants must be in the same region.

  2. Click Next.

    The Backup Gateway page of the configuration wizard appears.

Backup Gateway

A backup gateway is required to back up instances without egress charges.

Considerations

  • Because this is a cross-account environment, if you create a new backup gateway, install it in an AWS shared services account.

  • If AWS EBS encryption is enabled for your region in your AWS account, the user who uses the backup gateway template must be a key user for the default encryption key. To see if EBS encryption is enabled, in your AWS account, go to EC2 > EC2 Dashboard > Settings > EBS encryption. To see a list of key users for the default encryption key, in your AWS account, go to Key Management Service > Customer managed keys. If you do not have the correct level of access to use the template, you can copy the Launch CloudFormation Stack link and share it with someone who has the correct level of access, such as your security administrator.

  • Determine the region of your AWS S3 storage. The backup gateway must reside in the same region as the primary storage.

Procedure

  1. Select an existing backup gateway or create a new backup gateway.

    Steps to create a backup gateway
    1. Click the add button.

      The Add a new backup gateway dialog box appears.

    2. For Platform, select the OS for the access node.

    3. Click Generate link.

      An AWS CloudFormation template is created based on the region and the operating system that you selected.

    4. Click the Launch CloudFormation Template link to open the AWS console.

      Note

      If AWS EBS encryption is enabled for your region in your AWS account, to use the template, you must be a key user for the default encryption key. If you are not a key user for the default encryption key, copy the Launch CloudFormation Template link and share it with someone who is a key user, such as your security administrator.

    5. Log on to the AWS console.

      The Quick create stack page appears.

    6. Under Parameters, specify the following information:

      1. For EC2 Instance Type, select the type of EC2 instance to use for the backup gateway.

      2. For EC2 Key Pair, select a key pair to use to access the Commvault Cloud backup gateway.

      3. For VPC ID, select an Amazon Virtual Private Cloud (VPC).

      4. For Subnet ID, select a subnet.

      5. For VPC CIDR, select a VPC CIDR.

      Note

      Port 8403 opens on access nodes only when the request comes from the IP ranges that are listed in the VPC CIDR.

    7. Click Create stack.

      Wait for the Commvault Cloud backup gateway to be created.

    8. Return to the Commvault Cloud configuration wizard.

    9. Refresh the list of backup gateways, and then select the backup gateway that you created.

  2. Click Next.

    The Cloud Storage page of the configuration wizard appears.

Cloud Storage

To review the supported combinations of primary and secondary storage, see Primary (Local) and Secondary (Cloud) Storage Options for Commvault Cloud.

Primary Copy

  1. For the primary copy of the backup data, select an existing S3 storage bucket or create a new S3 storage bucket.

    Steps to create an S3 storage bucket
    1. Click the add button.

      The Add cloud storage dialog box appears.

    2. In Name, enter a descriptive name for the cloud storage.

    3. For Storage Class, select the storage class for the type of access that you want to have for the data.

    4. For Service host, enter the name of the cloud server host.

    5. For Authentication, select the type of authentication to use.

    6. For Credentials, select existing credentials or create new credentials.

      To create new credentials, do the following:

      1. Click the add button.

        The Add credential dialog box appears.

      2. In Credential name, enter a descriptive name for the credentials.

      3. In Role ARN, enter the ARN of CommvaultRole in the AWS shared services account.

      4. In External ID, enter the external ID of the IAM role trust policy.

      5. In Description, enter a description of the credentials.

      6. Click Save.

    7. In Bucket, enter the Amazon S3 bucket name.

    8. Click Save.

  2. Click Next.

Secondary Copy

  1. Decide whether to store a secondary copy of the backup data for long-term retention.

    Steps to create a secondary copy
    1. Move the Secondary copy toggle key to the right.

    2. For Storage location, select an existing storage location or create a new storage location.

      To create a storage location, do the following:

      1. Click the add button.

        The Add cloud storage dialog box appears.

      2. For Type, select Air Gap Protect or Amazon S3.

      3. If you select Amazon S3, do the following:

        1. In Name, enter a descriptive name for the cloud storage.

        2. For Storage Class, select the storage class for the type of access that you want to have for the data.

        3. For Service host, enter the name of the cloud server host.

        4. For Authentication, select the type of authentication to use.

        5. For Credentials, select existing credentials or create new credentials.

          To create new credentials, do the following:

          1. Click the add button.

            The Add credential dialog box appears.

          2. In Credential name, enter a descriptive name for the credentials.

          3. In Role ARN, enter the ARN of CommvaultRole in the AWS shared services account.

          4. In External ID, enter the external ID of the IAM role trust policy.

          5. In Description, enter a description of the credentials.

          6. Click Save.

      4. In Bucket, enter the Amazon S3 bucket name.

      5. Click Save.

  2. Click Next.

    The Plan page of the configuration wizard appears.

Plan

A backup plan specifies the storage to back up the data to and other settings such as recovery point objective (RPO) settings.

  1. Select an existing backup plan or create a new backup plan.

    Steps to create a backup plan
    1. Click the add button.

      The Create backup plan dialog box appears.

    2. In the Plan name box, enter a descriptive name for the backup plan.

    3. For the backup plan settings, select pre-defined settings or create custom settings:

      • To select pre-defined settings, under Retention rules, select one of the following:

        • Select Standard retention to retain the incremental backups for 1 month.

        • Select Extended retention for optimized storage where the incremental backups of primary and secondary copies are retained for 1 month, and extended retention for monthly and yearly full backups.

          Note

          The Extended retention option is available only when the secondary copy backup is selected.

      • To create custom settings, select Custom plan, and then specify the following:

        • For Snapshot retention, specify the number of snapshots to retain.

        • For Retention, specify the amount of time to retain the backup jobs.

        • For Retention monthly full (Secondary copy), specify the amount of time to retain the monthly full backup on secondary copy.

        • For Retention yearly full (Secondary copy), specify the amount of time to retain the yearly full backup on secondary copy.

        • For Backups run every, specify how often to run backups.

    4. Click Done.

  2. Click Next.

    The Cloud Account page of the configuration wizard appears.

Hypervisor

The hypervisor, which represents your AWS account, is used to access the instances for discovery, backups, and other operations.

  1. Select Add a new hypervisor.

  2. In Name, enter a descriptive name for the account.

  3. Select existing credentials or create new credentials that have the ARN of CommvaultRole in the AWS shared services account.

    Steps to create credentials
    1. Click the add button.

      The Add credential dialog box appears.

    2. In Credential name, enter a descriptive name for the credentials.

    3. In Role ARN, enter the ARN of CommvaultRole in the AWS shared services account.

    4. In External ID, enter the external ID of the IAM role trust policy.

    5. In Description, enter a description of the credentials.

    6. Click Save.

  4. Click Next.

    The Add VM Group page of the configuration wizard appears.

Add VM Group

You must create a VM group to proceed with the configuration. However, since you are configuring the AWS shared services account, the content that you add to the VM group does not matter. Select a small instance that is OK to back up.

Summary

  1. Review the summary.

  2. Click Finish.

Configure the AWS Member Account

Start the Configuration Wizard

  1. From the Command Center navigation pane, go to Protect > Virtualization.

    The Virtual machines page appears.

  2. In the upper-right area of the page, click Add hypervisor.

    The Configure Hypervisor page appears.

  3. Select Amazon Web Services.

  4. Click Next.

    The Amazon EC2 Backup Overview page appears.

  5. Review the information.

  6. Click Next.

    The IAM Role page of the configuration wizard appears.

IAM Role

  1. From the Authentication method list, select IAM Role.

  2. Verify an existing CommvaultRole IAM role or create a new CommvaultRole IAM role in the AWS member account:

    • If the CommvaultRole IAM role was previously created for another AWS workload, do the following:

      1. Verify that the IAM policies for the AWS workload are attached to the CommvaultRole IAM role.

      2. Verify that the trust relationship is set with the CommvaultAdminRole IAM Role in the AWS shared services account.

      3. At the bottom of the page, select the confirmation check box.

      4. Click Next.

        The Region page of the configuration wizard appears.

    • If the CommvaultRole IAM role does not exist yet, create it in AWS.

      Steps to create CommvaultRole IAM role
      1. Click the Launch CloudFormation Stack link to open the AWS console for the AWS member account.

        Important

        If you do not have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.

      2. Log on to the AWS console.

        The Quick create stack page appears.

      3. Under Capabilities, read the information about the template, and then select the acknowledgment check box.

      4. Click Create stack.

        Wait for the CloudFormation Stack to finish creating the CommvaultRole IAM Role. The CloudFormation Stack creates IAM policies for all supported AWS workloads, and then attaches the policies to CommvaultRole.

      5. Go to IAM, select the IAM Role, and then edit the Trust relationship.

      6. Add the ARN of the CommvaultAdminRole in the AWS shared services account.

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::111111111111:role/Commvault/CommvaultAdminRole",
                        "Service": "ec2.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }

      7. Return to the Commvault Cloud configuration wizard.

      8. From the Authentication method list, select STS assume role with IAM policy.

      9. At the bottom of the page, select the confirmation check box.

      10. Click Next.

        The Region page of the configuration wizard appears.
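As an added example that is not part of the Commvault documentation, the following Python checks a CommvaultRole trust policy document (for example, as exported from the IAM console) against what steps 5 and 6 above, and the identical steps in the shared services account procedure, require: the shared services CommvaultAdminRole ARN must be a trusted principal for sts:AssumeRole and no wildcard principal may be trusted. Because the credential wizard asks for an External ID, it can also confirm that an sts:ExternalId condition is enforced; the 111111111111 account ID is the page's sample, while the external ID value and the with_external_id helper are constructed for illustration.

```python
import json

# Trust policy exactly as the procedure shows it; 111111111111 is the page's
# sample shared services account ID.
PAGE_TRUST_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/Commvault/CommvaultAdminRole",
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
""")

ADMIN_ROLE_ARN = "arn:aws:iam::111111111111:role/Commvault/CommvaultAdminRole"
EXTERNAL_ID = "replace-with-your-external-id"  # constructed placeholder


def _as_list(value):
    # IAM policy elements may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def with_external_id(policy, external_id):
    """Return a copy of the policy in which every statement that trusts an AWS
    principal also requires the sts:ExternalId that the wizard's External ID
    field refers to (constructed hardening, not shown on the page)."""
    hardened = json.loads(json.dumps(policy))  # deep copy
    for stmt in hardened["Statement"]:
        if "AWS" in stmt.get("Principal", {}):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["sts:ExternalId"] = external_id
    return hardened


def check_trust_policy(policy, admin_role_arn, external_id=None):
    """Return a list of findings; an empty list means the trust policy lets the
    expected CommvaultAdminRole assume the role, trusts no wildcard principal
    and, when external_id is given, enforces it on every AWS principal."""
    findings = []
    admin_allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = [] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if principal == "*" or "*" in aws:
            findings.append("a statement lets any AWS principal assume the role")
        if admin_role_arn in aws:
            admin_allowed = True
        if aws and external_id is not None:
            got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if got != external_id:
                findings.append("AWS principal statement lacks the expected sts:ExternalId condition")
    if not admin_allowed:
        findings.append(f"{admin_role_arn} is not a trusted principal")
    return findings
```

Run check_trust_policy against the policy document of each member account's CommvaultRole after step 6; a non-empty list is the gap to close before returning to the wizard.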

Region

  1. Select the region that the instances reside in.

    MSP admins and MSP tenants must be in the same region.

  2. Click Next.

    The Backup Gateway page of the configuration wizard appears.

Backup Gateway

  1. Select the backup gateway that was created when the AWS shared services account was configured.

  2. Click Next.

    The Cloud Storage page of the configuration wizard appears.

Cloud Storage

Primary Copy

  1. For the primary copy of the backup data, select the Amazon S3 storage bucket that was created when the AWS shared services account was configured.

    The Plan page of the configuration wizard appears.

Plan

  1. Select the backup plan that was created when the AWS shared services account was configured.

  2. Click Next.

    The Cloud Account page of the configuration wizard appears.

Hypervisor

  1. Create a new hypervisor.

    Steps to create a hypervisor
    1. Select Add a new hypervisor.

    2. In Name, enter a descriptive name for the hypervisor.

    3. Select or create credentials that have the ARN of CommvaultRole in the AWS member account.

      To create credentials, do the following:

      1. Click the add button.

        The Add credential dialog box appears.

      2. In Credential name, enter a descriptive name for the credentials.

      3. In Role ARN, enter the ARN of CommvaultRole in the AWS member account.

      4. In Description, enter a description of the credentials.

      5. Click Save.

  2. Click Next.

    The Add VM Group page of the configuration wizard appears.

Add VM Group

A VM group is a set of VMs that you want to back up with the same settings.

You can add content to the VM group by using rules that auto-discover content, by selecting specific instances, and by other ways. When you first create the VM group, you can add a cluster that is relatively small, and then later you can update the VM group by adding more content.

  1. In Name, enter a descriptive name for the VM group.

  2. To create rules that auto-discover and select instances to back up, do the following:

    1. Click Add, and then select Rules.

      The Add rule dialog box appears.

    2. From the list, select the type of rule to create, and then specify the rule:

      • Browse: Select specific instances. (Selecting this option changes the Add rule dialog box to the Add content dialog box.)

      • Guest DNS hostname: Select instances based on a hostname or a domain. For example, to select hosts on the "mycompany.com" domain, enter Guest DNS hostname | Ends with | mycompany.com.

      • Guest OS: Select instances based on operating system. For example, to select instances that are not Windows, enter Guest OS | Does not contain | Windows.

      • Instance name or pattern: Select instances based on their names. For example, to select instances that have a name that includes "east", enter Instance name or pattern | Contains | east.

      • Power state: Select instances based on a power status of Running or Stopped.

      • Region: Select instances based on the region that they reside in.

      • Tag name: Select instances based on the names of tags that are assigned to them. Enter the tag name in the region\tag_name format. For example, to select instances in the eastern US region that are for a department, enter Tag name | Equals | us-east-1\department.

      • Tag value: Select instances based on the values of tags that are assigned to them. Enter the tag value in the region\tag_name\tag_value format. For example, to select instances in the eastern US region for the human resources department, enter Tag value | Equals | us-east-1\department\HR.

      • Zone: Select instances based on the zone that they reside in. For example, to select instances that reside in any eastern US zone, enter Zone | Contains | us-east. You can enter the zone value by typing or browsing to select.

    3. Click Save.

  3. To select instances in other ways, do the following:

    1. Click Add, and then select Content.

      The Add content dialog box appears.

    2. From the Browse and select VMs list, select one of the following:

      • By region: Select instances based on the region that they reside in.

      • By zone: Select instances based on the zone that they reside in.

      • By tags: Select instances based on tags that are assigned to them.

      • By instance type: Select instances based on their type, such as t2.micro or c5.large.

    3. Select the instances to add to the VM group.

    4. Click Save.

  4. To see the instances that are selected for the VM group, click the Preview button.

  5. Click Next.

    The Summary page of the configuration wizard appears.

Summary

  1. Review the summary.

  2. Click Finish.
