How to setup cross account/cross region recovery in CPM 2.x

How to setup cross account/cross region recovery in CPM 2.x


This document assumes that the main server running Cloud Protection Manager (CPM) is setup according to the minimum-Security requirements document at this link.

You will need the json policy file to help create the role on the other AWS Account and you need the file attachment entitled “
which can also be downloaded and extracted then copy the file contents entitled “cpm_minimal_All_permissions” which you will utilize in step 10 of this document.

This process is as follows:

    1.  Locate the AWS Account ID number for the user you want to restore the instance from.

This is done by logging into the AWS console and selecting Account and
selecting “My Account “

Note: An AWS Account number is a 12-digit number.

2. Save this AWS Account ID and proceed to the AWS Account that you want

to recover instances to .

3. Open the AWS Console and select “Services” at the top of the console under
Security, Identity & Compliance, choose  IAM.

4.  In the left-hand pane select “Roles”, Then Create Role

5.  This open the select Trusted Entity Screen and you will select “Another AWS Account”
This is where you will add the AWS Account number you located in step 1

6.   After you enter the Account Id Number select “Permissions “which opens the permissions page.

7. Click on “Create Policy”

8. Please select json tab

9. Remove all entries on json tab  

10. Copy and paste the contents of the “cpm_minimal_All_permissions” json file
into this section.

11.  Click Review policy in lower right-hand corner of screen.

12.  Add a Name for the Policy and a description should you need it.

13.  Repeat steps 8-12 to create a second policy, you need to copy and paste the
following into the json tab.


    "Version": "2012-10-17",

    "Statement": [


            "Sid": "VisualEditor0",

            "Effect": "Allow",

            "Action": [




            "Resource": "*"




14.    You must now Attach the second policy as follows, Select Roles and then locate
the role we created. Now Click on “Attach policy” button.

15.      Locate the second policy we created and select

16. Click on attach policy

17. Verify that you now have two policies attached to this role by clicking on it

18.   You should see both policies attached to the role.

19.   You are now ready to test an instance recovery using Cloud Protection Manager.
Login into CPM Manager select the Backup Monitor Tab

20. Locate your Backup Image you want to recover to the other account and click on “Recover”

21.   This opens the recovery Panel

22.   You will need to edit the following fields
 Restore to Account          Restore to Region

23.   Click on Instance button
Under the Basic Options select Launch from: and choose “Image”.

24.   Expand the advanced options

25.   The following fields should be edited

Placement: Change from “By Availability Zone” to “By VPC”

Security Groups:      Select Default

Instance Profile: ARN:  REMOVE the ARN number so its blank

26.   Select “recover Instance” button on right hand side of the recovery Panel.

27. Confirm you want to perform the Recovery Operation by clicking OK
You will see a message that Recovery Operation was Successful

You may also open the Recovery Monitor screen and click on the Open Button under the log
column heading to see what transpired during recovery operation.

Additional Resources: 

Setting up Cross Account Roles:

CPM Documentation: