When adding an additional AWS account to CPM for backup or DR, there are two ways to grant CPM access to the account.
Authentication: Assume Role or IAM User
"CPM Instance IAM role" can only access the account the CPM server is running in and cannot be used for adding an additional AWS account.
This article will explain how to configure each:
To use Assume Role, you must create a role in the additional account that allows access from the account running CPM.
Log into AWS using the account to be added. Then in IAM, create a new IAM role.
Select "Another AWS account" when creating the role, as shown in the screenshot below:
Create the role within the AWS account being added to CPM. Enter the Account ID of the first account.
Then enter the "Account ID" of the account the CPM server is using.
Adding an "External ID" can help with security.
Do not select "Require MFA".
You will then need to add an IAM policy with the minimum required permissions to this new role; create a new policy if needed.
Then add any desired tags and choose the role name.
Once the role has been created, go to the CPM console and select "Add Account."
On the "Add New Account" dialog, add the new AWS Account Number and the name of the role just created:
Only the "Account Number" and "Role to Assume" are required. An "External ID" is only required if the role has been configured with one.
If the permissions on both the created role and the "Assuming Account" meet the CPM minimum required permissions, the additional AWS account should be added successfully.
The new account can now be used.
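As an added example (not from the original article or from the CPM product), this Python code builds the trust policy that the "Another AWS account" option produces and audits a role's trust policy against the steps above. The account IDs, the External ID and the function names are constructed placeholders.

```python
import json

def build_trust_policy(cpm_account_id, external_id=None):
    """Trust policy the console writes for "Another AWS account" (MFA unchecked)."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cpm_account_id}:root"},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, cpm_account_id):
    """Return findings for a role trust policy; an empty list means nothing to fix."""
    expected = {cpm_account_id, f"arn:aws:iam::{cpm_account_id}:root"}
    findings, trusted = [], False
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or \
           "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            if p in expected:
                trusted = True
            else:
                findings.append(f"unexpected principal trusted: {p}")
        # Condition key names are case-insensitive in IAM.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "sts:externalid" not in keys:
            findings.append("no sts:ExternalId condition")
        if "aws:multifactorauthpresent" in keys:
            findings.append("MFA condition present; the article says not to require MFA")
    if not trusted:
        findings.append("CPM account is not a trusted principal")
    return findings

if __name__ == "__main__":
    # Constructed placeholder values, not real accounts.
    policy = build_trust_policy("111111111111", "constructed-external-id")
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, "111111111111"))
```

The audit function accepts the JSON trust policy document of an existing role, so it can be run over roles already created for CPM in each added account.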
Note: when this option is selected, a pop-up advising use of "IAM Roles" will appear.
This is because IAM Role assumption is more secure than using the Secret Key for an IAM user.
Use an existing, or create a new IAM User in the additional AWS account. Make sure the IAM user has proper CPM minimum required permissions assigned.
Then take the Access Key ID and Secret Access Key of the IAM user in the second account and copy those credentials into the "Add New Account" dialog.
CPM will now access the added account as that IAM user.
If any issues are experienced while adding an account, check that all Users and Roles on both the source account and the new account have the CPM minimum required permissions.
If this is verified and issues adding an account persist, please contact support.