N2W Software

            Adding an additional AWS account to CPM for backup or DR

            When adding an additional AWS account to CPM for backup or DR, there are two ways to grant CPM access to the account.

            Authentication: Assume Role or IAM User


            "CPM Instance IAM role" can only access the account the CPM server is running in and cannot be used for adding an additional AWS account.


            This article will explain how to configure each:



            Assume Role:

            To use Assume Role you must create a role in the additional account allowing access from account running CPM.

            Log into AWS using the account to be added. Then in IAM, create a new IAM role.

            Select "Another AWS account" when creating the role as show in the below screenshot:


            Create the role within the AWS account being added to CPM. Enter the Account ID of the first account.

            Then enter the "Account ID" of the account the CPM server is using.
                  Adding an "External ID" can help with security
                  Do not select "Require MFA"

            You will then need to add an IAM policy with the minimum required permissions to this new role, create a new policy if needed.


            Then add any desired tags and choose the role name.

            Once the role has been created, go to the CPM console and select "Add Account."

            On the "Add New Account" dialog, add the new AWS Account Number and the name of the role just created:


            Only the "Account Number" and "Role to Assume" are required. An "External ID" is only required if the role has been configured with one.

            If the permissions on both the created role and the "Assuming Account" meet the CPM minimum required permissions, the additional AWS account should be added successfully.

            The new account can now be used.



            IAM User

            Note, when this option is selected a pop-up advising use of "IAM Roles" will appear.
            This is because IAM Role assumption is more secure than using the Secret Key for an IAM user.

            Use an existing, or create a new IAM User in the additional AWS account. Make sure the IAM user has proper CPM minimum required permissions assigned.

            Then take the Access Key ID and Secret Access Key of the IAM user in the second account and copy those credentials into the "Add New Account" dialog.

            CPM will now access the added account by user.



            If any issues are experienced while adding an account, check that all Users and Roles on both the source account and new account have the CPM minimum required permissions.

            If this is verified and issues adding an account persists, please contact support.
            Helpful?  
            Help us to make this article better
            0 0