Amazon Elastic Compute Cloud Requirements and Considerations

Before you protect your Amazon services using Cohesity DataProtect as a Service, ensure you have met the prerequisites and reviewed the considerations.

For information on the supported cloud regions where you can back up this source, see Supported Workloads and Cloud Regions.

Check Firewall Ports

Ensure that the ports listed in the Amazon Web Services (AWS) section of the Firewall Ports topic are open, so that the Cohesity SaaS Connector(s) can communicate with your AWS environment.

Account Requirements

To register your AWS account, grant the IAM user the permissions listed under IAM User Permissions to Execute CFT and then run the CloudFormation Template (CFT) as that user.

The table below lists the permissions Cohesity uses in your AWS account. You do not need to add these permissions manually (except the IAM User Permissions to Execute CFT); the CFT that Cohesity provides grants them automatically when you run it during AWS account registration with the Cohesity DataProtect as a Service and SiteContinuity services.

IAM User Permissions to Execute CFT

To register an AWS account with Cohesity DataProtect as a Service, you run the CloudFormation Template from the AWS console. The IAM user that runs it needs the following permissions to execute the template and to create and view the stack. You must add these permissions manually; the CFT grants permissions to the role it creates, not to the user that runs it.

Note that this set includes iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy and iam:PassRole, which together let the holder create roles and grant them arbitrary policies. Grant it to a dedicated deployment principal rather than a shared day-to-day user, and limit its use to deploying and updating this stack.

  • cloudformation:CreateChangeSet

  • cloudformation:CreateStack

  • cloudformation:CreateUploadBucket

  • cloudformation:DeleteStack

  • cloudformation:DescribeStackEvents

  • cloudformation:DescribeStackResources

  • cloudformation:DescribeStacks

  • cloudformation:GetTemplate

  • cloudformation:GetTemplateSummary

  • cloudformation:ListStackResources

  • cloudformation:ListStacks

  • cloudformation:UpdateStack

  • iam:AddRoleToInstanceProfile

  • iam:AttachRolePolicy

  • iam:CreateInstanceProfile

  • iam:CreateRole

  • iam:DeleteInstanceProfile

  • iam:DeleteRole

  • iam:DeleteRolePolicy

  • iam:DetachRolePolicy

  • iam:GetInstanceProfile

  • iam:GetRole

  • iam:GetRolePolicy

  • iam:PassRole

  • iam:PutRolePolicy

  • iam:RemoveRoleFromInstanceProfile

  • iam:TagRole

  • lambda:AddPermission

  • lambda:CreateFunction

  • lambda:DeleteFunction

  • lambda:InvokeFunction

  • lambda:RemovePermission

  • s3:CreateBucket

  • s3:GetObject

  • s3:ListBucket

  • s3:PutObject

  • s3:PutBucketPublicAccessBlock

Permissions for Elastic Compute Cloud (EC2) Data Protection

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Each entry below gives the resource, the permissions Cohesity uses on it, and the reason they are needed.

Resource: ebs

Permissions:

  • ebs:CompleteSnapshot

  • ebs:GetSnapshotBlock

  • ebs:ListChangedBlocks

  • ebs:ListSnapshotBlocks

  • ebs:PutSnapshotBlock

  • ebs:StartSnapshot

Reason: These permissions are required for the EBS direct APIs, which Cohesity uses to read data from EBS snapshots and to write data to them. ListChangedBlocks returns the blocks that differ between two snapshots, which is what makes reading only the changed data, rather than a full copy each time, possible.

Resource: ec2

Permissions:

  • ec2:AssociateIamInstanceProfile

  • ec2:AttachVolume

  • ec2:CopySnapshot

  • ec2:CreateSnapshot

  • ec2:CreateTags

  • ec2:CreateVolume

  • ec2:DeleteSnapshot

  • ec2:DeleteVolume

  • ec2:DeregisterImage

  • ec2:DescribeAccountAttributes

  • ec2:DescribeAddresses

  • ec2:DescribeAvailabilityZones

  • ec2:DescribeInstanceStatus

  • ec2:DescribeInstanceTypes

  • ec2:DescribeInstances

  • ec2:DescribeKeyPairs

  • ec2:DescribeRegions

  • ec2:DescribeReservedInstances

  • ec2:DescribeReservedInstancesOfferings

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSnapshots

  • ec2:DescribeSubnets

  • ec2:DescribeTags

  • ec2:DescribeVolumeAttribute

  • ec2:DescribeVolumes

  • ec2:DescribeVpcEndpointServiceConfigurations

  • ec2:DescribeVpcs

  • ec2:DetachVolume

  • ec2:ModifyInstanceAttribute

  • ec2:RegisterImage

  • ec2:RunInstances

  • ec2:StartInstances

  • ec2:StopInstances

  • ec2:TerminateInstances

Reason: These permissions are required to register the AWS account with Cohesity BaaS using the IAM role that the CloudFormation template created. After the source is registered, the Describe permissions let Cohesity enumerate the resources in the account that are used for backups, and at recovery time they supply the lists of options (VPC, subnet, key pair, and so on) that you choose from.

For Cohesity snapshots, Cohesity launches SaaS Connector instances to back up and recover Amazon EC2 instances. During backup it creates snapshots of the EC2 volumes and stores the instance attributes and tags. During recovery it creates volumes of the original disk size and reattaches the original tags, network settings and security groups, along with the IAM instance profile if one existed. The delete snapshot permission is used to remove the expired snapshots that Cohesity created during backup; the delete volume and terminate instance permissions are used to tear down the SaaS Connectors.

Resource: iam

Permissions:

  • iam:PassRole

  • iam:SimulatePrincipalPolicy

  • iam:GetInstanceProfile

  • AmazonSSMManagedInstanceCore (the name of an AWS managed policy, not an IAM action)

Reason: PassRole is needed so that Cohesity can attach the created role to the SaaS Connectors and restore the original roles on recovered EC2 instances. Because the same role also holds ec2:RunInstances, the Resource scope of the PassRole statement in the deployed stack determines which roles it can hand to the instances it launches, so review that scope. SimulatePrincipalPolicy lets Cohesity verify that the required actions are allowed on the IAM role created by the CloudFormation template. GetInstanceProfile checks that the required instance profile exists in the target location at recovery time. AmazonSSMManagedInstanceCore is needed so that the AWS Systems Manager Agent (SSM Agent) on the target instance can be reached.

Resource: kms*

Permissions:

  • kms:CreateGrant

  • kms:Decrypt

  • kms:DescribeKey

  • kms:Encrypt

  • kms:GenerateDataKey

  • kms:GenerateDataKeyWithoutPlaintext

  • kms:GetKeyPolicy

  • kms:ListAliases

  • kms:ListKeys

  • kms:ReEncryptFrom

  • kms:ReEncryptTo

Reason: KMS permissions are needed to read encrypted volumes during backup and to write encrypted data to recovered EBS volumes. DescribeKey, GetKeyPolicy, ListAliases and ListKeys let Cohesity list and identify the keys associated with EBS volumes. CreateGrant is required because EC2 creates a grant on the key on the caller's behalf when it creates or attaches an encrypted volume.

Resource: ssm

Permissions:

  • ssm:GetCommandInvocation

  • ssm:SendCommand

Reason: SSM permissions are needed when claiming (adding) SaaS Connectors to Cohesity BaaS.

*To use a KMS key that belongs to a different AWS account, follow the steps in the AWS documentation. For cross-account use, the key policy in the account that owns the key must also grant the Cohesity role the KMS actions listed above; the IAM permissions in your own account are not sufficient on their own.
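Both permission sets on this page, the one a deploying IAM user needs to run the CFT and the one the table grants to the role the CFT creates, are worth verifying before you open a support case over a failed stack. The script below is an added example written for this page; it is not Cohesity code and it does not call AWS. It checks a set of IAM policy documents against the CFT deployer list offline, using a simplified model of IAM evaluation: case-insensitive action matching with the * and ? wildcards, Action and NotAction, explicit Deny overriding Allow, and Resource and Condition ignored (an Allow with a Condition is conservatively not counted). The two policy documents in it are constructed for the example; the first imitates a PowerUser-style policy that excludes IAM actions, which is the common reason the CFT fails for a non-administrator. The authoritative check is the iam:SimulatePrincipalPolicy API that the table itself lists; this script only finds gaps quickly.

```python
"""Offline pre-flight check of an IAM principal's policies against a required
action list.  Added example for this page, not Cohesity code.  It models IAM
action matching only (case-insensitive, '*' and '?' wildcards, Action/NotAction,
explicit Deny wins) and ignores Resource and Condition, so it can find gaps but
cannot prove access; iam:SimulatePrincipalPolicy is the authoritative check."""
import re
from typing import Iterable

# The "IAM User Permissions to Execute CFT" list from this page.
CFT_DEPLOYER_ACTIONS = """
cloudformation:CreateChangeSet cloudformation:CreateStack cloudformation:CreateUploadBucket
cloudformation:DeleteStack cloudformation:DescribeStackEvents cloudformation:DescribeStackResources
cloudformation:DescribeStacks cloudformation:GetTemplate cloudformation:GetTemplateSummary
cloudformation:ListStackResources cloudformation:ListStacks cloudformation:UpdateStack
iam:AddRoleToInstanceProfile iam:AttachRolePolicy iam:CreateInstanceProfile iam:CreateRole
iam:DeleteInstanceProfile iam:DeleteRole iam:DeleteRolePolicy iam:DetachRolePolicy
iam:GetInstanceProfile iam:GetRole iam:GetRolePolicy iam:PassRole iam:PutRolePolicy
iam:RemoveRoleFromInstanceProfile iam:TagRole
lambda:AddPermission lambda:CreateFunction lambda:DeleteFunction lambda:InvokeFunction
lambda:RemovePermission
s3:CreateBucket s3:GetObject s3:ListBucket s3:PutObject s3:PutBucketPublicAccessBlock
""".split()


def action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive; '*' matches any run, '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(value) -> list:
    """Policy fields such as Action and Statement may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers(stmt: dict, action: str) -> bool:
    """Action: covered if any pattern matches.  NotAction: covered if none matches."""
    if "Action" in stmt:
        return any(action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def check_actions(policies: Iterable[dict], required: Iterable[str]) -> dict:
    """Return {"missing": [...], "denied": [...]} for the required actions.

    Conservative choices because Condition is not evaluated offline: an Allow that
    carries a Condition does not count as granting, a Deny always counts as denying.
    """
    statements = [s for p in policies for s in _as_list(p.get("Statement"))]
    missing, denied = [], []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and "Condition" not in s
                      and _statement_covers(s, action) for s in statements)
        is_denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action)
                        for s in statements)
        if is_denied:
            denied.append(action)
        elif not allowed:
            missing.append(action)
    return {"missing": sorted(missing), "denied": sorted(denied)}


# Constructed sample 1: a PowerUser-style policy (everything except IAM). This is
# the usual reason the CFT fails for a non-administrator.
POWER_USER_STYLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:CreateServiceLinkedRole"], "Resource": "*"},
]}

# Constructed sample 2: an IAM add-on that forgot iam:PassRole, plus a Deny on role
# deletion of the kind a permissions boundary or SCP might impose.
IAM_DEPLOY_ADDON = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": [a for a in CFT_DEPLOYER_ACTIONS if a.startswith("iam:") and a != "iam:PassRole"]},
    {"Effect": "Deny", "Action": "iam:DeleteRole", "Resource": "*"},
]}

if __name__ == "__main__":
    for label, docs in (("PowerUser-style only", [POWER_USER_STYLE]),
                        ("PowerUser-style + IAM add-on", [POWER_USER_STYLE, IAM_DEPLOY_ADDON])):
        result = check_actions(docs, CFT_DEPLOYER_ACTIONS)
        print(f"{label}: missing={result['missing']} denied={result['denied']}")
```

To use it on a real principal, feed check_actions the policy documents you retrieve with the AWS CLI (for example the output of aws iam get-user-policy and aws iam get-policy-version) and, to audit the role the CFT created, replace the required list with the actions from the table above. Remember that permissions boundaries and service control policies can deny actions that none of these documents show, which is why the script reports only gaps and the final confirmation belongs to iam:SimulatePrincipalPolicy.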

Considerations

  • Cohesity DataProtect as a Service supports the protection of Amazon EC2 instances with the following EBS volume types:

    • General Purpose SSD (gp2, gp3)

    • Provisioned IOPS SSD (io1)

  • Backing up NFS mount points that are mounted on an Amazon EC2 instance is not supported.

  • When recovering an Amazon EC2 instance that runs Microsoft Windows with the UEFI Preferred boot mode, the recovery selects a base AMI according to the 'Current Instance Boot Mode' of the source instance. For example, if the source instance was configured as UEFI Preferred, the recovery automatically uses an AMI that supports UEFI boot mode.

  • Considerations Specific to Amazon EC2 Cohesity Snapshots: