How to backup EC2 instance located in another account
Background:
You can backup ec2 instances that are located in a different account then the N2WS server,
This Guide shows the needed configuration for this
AWS Configuration
You need to create a role in the target account IAM that has the following:
1. Same minimal json policies as the N2WS server, for example:
1. Trust relation with the source account, for example:
This will create a trust between the source account and this roles, which will allow CPM to assume this role
CPM Configuration
1. login to server with root user and create a new account,
Fill the target account number, the target role to assume and the Assuming account (Root in this example, which has authntication type: "CPM Instance IAM Role" )
you can now create a policy using this new account and select EC2 instances from the other account.
Troubleshooting
1. getting this error when creating the account
Error: User: arn:aws:sts::12345678:assumed-role/N2WSRoleName/i-xxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::87654321:role/Rolename.
Possible resolutions:
Aws is notifying you that the CPM role does not have permission/trust to assume the target role.
This might happen because of how the trust relationship is configured,
You need to validate that the trust relationship is properly configured and that the arn mentioned in the error message can assume the role
Thanks for reading this guide,
N2WS Support Team.
Related Articles
How to setup cross account/cross region recovery in CPM 2.x
Background This document assumes that the main server running Cloud Protection Manager (CPM) is setup according to the minimum-Security requirements document at this link. ...EFS - cross account tag scan may fail with Error: Invalid IAM role ARN
When adding EFS to a policy via a tag, it may fail with one of the following errors: (tag for example: efstesting+vault=n2ws+exp_opt=D+exp_opt_val=30+role_arn=arn:aws:iam::12345678:role/CPM) Critical Error - Can't update EFS to backup targets. Error: ...Message "Warning - Cross Account AMI backup is not supported" may appear in Backup Logs
The following message may appear in Backup Logs when policy has cross-account DR enabled, usually when Windows instances are protected in this policy: Warning - Cross Account AMI backup is not supported This is a result of an AWS limitation: "You ...A wrong account may be listed in the Snapshot View Report for cross account replicated snapshots
If CPM prints the backup account's name for all the snapshots in the snapshot view report, although some snapshots were replicated to another account, please upgrade to the latest 2.x.x version. Reference defect number – N2WS-3659, fixed in v2.4.0 ...How to add an additional AWS account to CPM for Backup or DR
When adding an additional AWS account to CPM for Backup or DR, there are two ways to grant CPM access to the account: Authentication: Assume Role or IAM User "CPM Instance IAM role" can only access the account the CPM server is running in and cannot ...