AWS Ports and Account Requirements and Considerations

Before you protect your Amazon services using Cohesity DataProtect as a Service, ensure you have met the prerequisites and reviewed the considerations.

For information on the supported cloud regions where you can back up this source, see Supported Workloads and Cloud Regions.

Check Firewall Ports

Ensure that the ports listed in the Amazon Web Services (AWS) section in the Firewall Ports for User-Deployed SaaS Connectors topic are open to allow communication between the Cohesity SaaS Connector(s) and AWS environment.

Supported AWS S3 Storage Class

Cohesity supports the data protection of the following S3 storage class:

  • Amazon S3 Standard

  • Amazon S3 Intelligent-Tiering

  • Amazon S3 Standard-IA

  • Amazon S3 One Zone-IA

Account Requirements

To register your AWS account, run the CloudFormation Template (CFT) and add permissions to the IAM user.

The tables below list the permissions used by Cohesity in your AWS account. You do not need to add these permissions manually (except the IAM User Permissions to Execute CFT), as they are automatically added when you run the CFT provided by Cohesity during your AWS account registration with the Cohesity DataProtect as a Service and SiteContinuity services.

IAM User Permissions to Execute CFT

To register an AWS account with the Cohesity DataProtect as a Service, you need to run the CloudFormation Template on the AWS console. Ensure the IAM user you use has the following permissions to run the CloudFormation Template and to create and view the stack:

Ensure to add these permissions manually.

  • cloudformation:CreateChangeSet

  • cloudformation:CreateStack

  • cloudformation:CreateUploadBucket

  • cloudformation:DeleteStack

  • cloudformation:DescribeStackEvents

  • cloudformation:DescribeStackResources

  • cloudformation:DescribeStacks

  • cloudformation:GetTemplate

  • cloudformation:GetTemplateSummary

  • cloudformation:ListStackResources

  • cloudformation:ListStacks

  • cloudformation:UpdateStack

  • iam:AddRoleToInstanceProfile

  • iam:AttachRolePolicy

  • iam:CreateInstanceProfile

  • iam:CreateRole

  • iam:DeleteInstanceProfile

  • iam:DeleteRole

  • iam:DeleteRolePolicy

  • iam:DetachRolePolicy

  • iam:GetInstanceProfile

  • iam:GetRole

  • iam:GetRolePolicy

  • iam:PassRole

  • iam:PutRolePolicy

  • iam:RemoveRoleFromInstanceProfile

  • iam:TagRole

  • lambda:AddPermission

  • lambda:CreateFunction

  • lambda:DeleteFunction

  • lambda:InvokeFunction

  • lambda:RemovePermission

  • s3:CreateBucket

  • s3:GetObject

  • s3:ListBucket

  • s3:PutObject

  • s3: PutBucketPublicAccessBlock

Permissions for Amazon EC2 Data Protection

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource

Permissions

Reason

ebs

ebs:CompleteSnapshot

ebs:GetSnapshotBlock

ebs:ListChangedBlocks

ebs:ListSnapshotBlocks

ebs:PutSnapshotBlock

ebs:StartSnapshot

These permissions are required for EBS direct APIs to read & write data from/to EBS snapshots.

ec2

ec2:AssociateIamInstanceProfile

ec2:AttachVolume

ec2:CopySnapshot

ec2:CreateSnapshot

ec2:CreateTags

ec2:CreateVolume

ec2:DeleteSnapshot

ec2:DeleteVolume

ec2:DeregisterImage

ec2:DescribeAccountAttributes

ec2:DescribeAddresses

ec2:DescribeAvailabilityZones

ec2:DescribeInstanceStatus

ec2:DescribeInstanceTypes

ec2:DescribeInstances

ec2:DescribeKeyPairs

ec2:DescribeRegions

ec2:DescribeReservedInstances

ec2:DescribeReservedInstancesOfferings

ec2:DescribeSecurityGroups

ec2:DescribeSnapshots

ec2:DescribeSubnets

ec2:DescribeTags

ec2:DescribeVolumeAttribute

ec2:DescribeVolumes

ec2:DescribeVpcEndpointServiceConfigurations

ec2:DescribeVpcs

ec2:DetachVolume

ec2:ModifyInstanceAttribute

ec2:RegisterImage

ec2:RunInstances

ec2:StartInstances

ec2:StopInstances

ec2:TerminateInstances

These permissions are required to register the AWS account on Cohesity BaaS with the IAM role which got created by the Cloud Formation template. Once the source is registered on BaaS, describe permissions are needed so Cohesity can identify resources present in the account, which will be used for backups as well as at the time of recovery we use this information to provide a list of options(VPC, subnet, KeyPair, etc) to choose from.

For Cohesity snapshots we create SaaS Connector instances for doing backup and recovery of AWS EC2 instances. Cohesity creates snapshots of the EC2 volumes while backing up and storing the different instance attributes and tags. While recovering the AWS EC2 instance, Cohesity creates volumes of original disk size. It also attaches the original tags and corresponding network and security groups as part of the recovery, along with IAM Instance Profile if it exists. Cohesity requires the delete snapshots permissions to delete the expired/old snapshots it creates during the backup. Cohesity requires the delete volume and instance termination permissions to tear down the SaaS Connectors.

iam

iam:PassRole

iam:SimulatePrincipalPolicy

iam:GetInstanceProfile

iam:AmazonSSMManagedInstanceCore

PassRole permission is needed so that we can attach the created role to SaaS Connectors, as well as the original roles on the recovered EC2 instances. SimulatePricipalPolicy is needed so we can ensure required actions are allowed on the IAM role we created as part of the Cloud Formation template. GetInstanceProfile is needed to check if the required Instance profile is present at the time of recovery in the target location. AmazonSSMManagedInstanceCore is needed to access the AWS Systems Manager Agent (SSM) on the target VM.

kms*

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:Encrypt

kms:GenerateDataKey

kms:GenerateDataKeyWithoutPlaintext

kms:GetKeyPolicy

kms:ListAliases

kms:ListKeys

kms:ReEncryptFrom

kms:ReEncryptTo

KMS permissions are needed to read data of encrypted volumes at the time of backup, as well as write encrypted data to the recovered EBS volumes. Describe permissions are needed so we can list & identifies keys associated with EBS volumes.

ssm

ssm:GetCommandInvocation

ssm:SendCommand

SSM permissions are needed at the time of claiming (adding) SaaS Connections to Cohesity BaaS.

*If you want to use a KMS key belonging to a different AWS account, then perform the steps described in the AWS documentation.

Permissions for Amazon RDS Data Protection

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource

Permissions

Reason

ec2

ec2:DescribeAvailabilityZones

ec2:DescribeInstances

ec2:DescribeKeyPairs

ec2:DescribeRegions

ec2:DescribeReservedInstancesOfferings

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVolumes

ec2:DescribeVpcs

Required for AWS source registration, and discover the resources present in the account, which will be used for backups. Also needed for recovery to provide list of options to choose from.

ec2:CreateVolume

ec2:CreateTags

ec2:DescribeTag

ec2:DescribeVolumeAttribut

ec2:DescribeVolumes

ec2:DescribeInstances

ec2:AttachVolume

ec2:DeleteVolume

ec2:DetachVolume

ec2:ModifyVolume

Required for attaching and detaching volumes of RDS database to SaaS Connectors during the RDS ingest backup.

iam

iam:SimulatePrincipalPolicy

SimulatePricipalPolicy is needed to ensure that the required actions are allowed on the IAM role we created as part of the Cloud Formation template.

kms*

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

KMS permissions are needed to read data of an encrypted database at the time of backup, as well as write encrypted data to the recovered database. Describe permissions are needed so we can list & identify keys associated with database instances.

rds

rds:AddTagsToResource

rds:CopyDBClusterSnapshot

rds:CopyDBSnapshot

rds:CreateDBClusterSnapshot

rds:CreateDBInstance

rds:CreateDBSnapshot

rds:DeleteDBClusterSnapshot

rds:DeleteDBSnapshot

rds:DescribeDBClusterSnapshots

rds:DescribeDBClusters

rds:DescribeDBInstances

rds:DescribeDBParameterGroups

rds:DescribeDBSnapshots

rds:DescribeDBSubnetGroups

rds:DescribeOptionGroups

rds:ModifyDBClusterSnapshotAttribute

rds:ModifyDBSnapshotAttribute

rds:RestoreDBClusterFromSnapshot

rds:RestoreDBClusterToPointInTime

rds:RestoreDBInstanceFromDBSnapshot

rds:RestoreDBInstanceToPointInTime

These permissions are required to register the AWS account on Cohesity BaaS with the IAM role which got created by the Cloud Formation template. Once the source is registered on BaaS, describe permissions are needed so Cohesity can identify resources present in the account, which will be used for backups as well as at the time of recovery we use this information to provide a list of options to choose from.

Cohesity creates snapshots of the RDS & Aurora instances while backing up and storing the different database instance attributes and tags. While recovering the database instance, Cohesity creates DB instance/cluster, it also attaches the original tags. Cohesity requires the delete snapshots permissions to delete the expired/old snapshots it creates during the backup. We need to modify snapshot attributes permission so that we can share the snapshot across accounts if cross-account recovery is attempted.

RestoreDBInstanceToPointInTime and RestoreDBClusterToPointInTime is needed to do the point in time recoveries.

*If you want to use a KMS key belonging to a different AWS account, then perform the steps described in the AWS documentation.

Permissions for Amazon S3 Data Protection

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource

Permissions

Reason

S3

s3:GetBucketLocation

s3:GetBucketNotification

s3:GetBucketOwnershipControls

s3:GetBucketTagging

s3:GetBucketVersioning

s3:GetInventoryConfiguration

s3:GetObject

s3:GetObjectAcl

s3:GetObjectTagging

s3:GetObjectVersion

s3:GetObjectVersionAcl

s3:GetObjectVersionTagging

s3:ListAllMyBuckets

s3:ListBucket

s3:PutBucketNotification

s3:PutInventoryConfiguration

s3:PutObject

s3:PutObjectAcl

s3:PutObjectTagging

s3:PutObjectVersionAcl

These permissions are required for the backup and recovery of S3 objects.

iam

iam:SimulatePrincipalPolicy

SimulatePricipalPolicy is needed to ensure that the required actions are allowed on the IAM role we created as part of the Cloud Formation template.

kms*

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

kms:GenerateDataKey

KMS permissions are needed to read data of an encrypted database at the time of backup, as well as write encrypted data to the recovered database. Describe permissions are needed so we can list & identify keys associated with database instances.
Events events:DeleteRule events:PutTargets events:RemoveTargets These permissions are required for capturing the incremental changes on the S3 buckets.
Glue

glue:DeleteJob
glue:GetJobRun
glue:StartJobRun
glue:UpdateJob

These permissions are required for sorting the inventory report. The sorted inventory report is then used to back up the S3 objects to the Cohesity DataProtect as a Service.
SQS sqs:CreateQueue
sqs:TagQueue
sqs:DeleteMessage sqs:DeleteQueue
sqs:GetQueueUrl
sqs:PurgeQueue sqs:ReceiveMessage sqs:SetQueueAttributes
These permissions are required for capturing the incremental changes on the S3 buckets.

Permission for AWS S3 Inventory Report

To write objects to the Amazon S3 bucket, you must add the S3:PutObject permission to the S3 bucket policy attached to the AWS S3 bucket where you want to create the inventory report.

The following is an example of an S3 bucket policy that allows s3.amazonaws.com to write (Put) objects in the S3 bucket:

{
	"Version": "2012-10-17",
	"Id": "S3-Console-Auto-Gen-Policy-1698064515475",
	"Statement": [
    	    {
        	"Sid": "InventoryAndAnalyticsExamplePolicy",
        	"Effect": "Allow",
        	"Principal": {
            	"Service": "s3.amazonaws.com"
        	},
        	"Action": [
            	"s3:PutObject"
        	],
        	"Resource": "arn:aws:s3:::inventory-report-bucket/*",
        	"Condition": {
            	"StringEquals": {
                	"aws:SourceAccount": "<account id>",
                	"s3:x-amz-acl": "bucket-owner-full-control"
            	},
                   	}
    	    }
	]
}

In the above example, <account id> is the AWS account ID of the Amazon S3 bucket you want to protect.

Permissions for Cohesity SiteContinuity (Disaster Recovery)

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource

Permissions

Reason

ebs

ebs:CompleteSnapshot

ebs:GetSnapshotBlock

ebs:ListChangedBlocks

ebs:ListSnapshotBlocks

ebs:PutSnapshotBlock

ebs:StartSnapshot

These permissions are required for EBS direct APIs to read & write data from/to EBS snapshots. Reading EBS data is done during failback preparation, and writing to EBS is done at failover.

ec2

ec2:AssociateIamInstanceProfile

ec2:AttachVolume

ec2:CancelExportTask

ec2:CancelImportTask

ec2:CopySnapshot

ec2:CreateImage

ec2:CreateInstanceExportTask

ec2:CreateSnapshot

ec2:CreateTags

ec2:CreateVolume

ec2:DeleteSnapshot

ec2:DeleteTags

ec2:DeleteVolume

ec2:DeregisterImage

ec2:DescribeAccountAttributes

ec2:DescribeAddresses

ec2:DescribeAvailabilityZones

ec2:DescribeExportTasks

ec2:DescribeImages

ec2:DescribeImportImageTasks

ec2:DescribeInstanceAttribute

ec2:DescribeInstanceStatus

ec2:DescribeInstances

ec2:DescribeKeyPairs

ec2:DescribeRegions

ec2:DescribeReservedInstancesOfferings

ec2:DescribeSecurityGroups

ec2:DescribeSnapshots

ec2:DescribeSubnets

ec2:DescribeTags

ec2:DescribeVolumeAttribute

ec2:DescribeVolumes

ec2:DescribeVpcs

ec2:DetachVolume

ec2:ImportImage

ec2:ModifyInstanceAttribute

ec2:ModifyNetworkInterfaceAttribute

ec2:ModifySnapshotAttribute

ec2:RegisterImage

ec2:RunInstances

ec2:StartInstances

ec2:StopInstances

ec2:TerminateInstances

These permissions are required to register the AWS account on Cohesity Helios with the IAM role created by the Cloud Formation template. Once the source is registered, describe permissions are needed so Cohesity can identify resources present in the account like EC2 instance, VPC, subnet, etc. These describe permissions are also used at the time of failover and failback.

The import/export permissions are required because we use AWS Import/Export as our fallback mechanism if Cohesity Import/Export does not work. Cohesity requires all the instance-related permissions to run instances and terminate them if some error occurs.

Delete permissions are required so that Cohesity can delete the temporary resources like volumes or snapshots it has created in the process of failover or failback so that we do not leave any garbage behind.

iam

iam:AddRoleToInstanceProfile

iam:AttachRolePolicy

iam:CreateInstanceProfile

iam:CreateRole

iam:GetInstanceProfile

iam:GetRole

iam:GetRolePolicy

iam:PassRole

iam:PutRolePolicy

iam:SimulatePrincipalPolicy

These IAM permissions are needed because we have to SSM into the converter instance, and for that to work, an instance profile should be attached to the converter instance. So to create that instance profile for the role, these permissions are needed.

kms

kms:ListAliases

KMS permission is needed to list the aliases attached to an EC2 instance at the time of source register.

s3

s3:CreateBucket

s3:DeleteObject

s3:GetBucketAcl

s3:GetObject

s3:HeadObject

s3:PutBucketAcl

s3:PutBucketPublicAccessBlock

These S3 permissions are needed in case of the vmimport role we use in case of failover.

ssm

ssm:GetCommandInvocation

ssm:ListCommandInvocations

ssm:SendCommand

SSM permissions are needed at the time of failover, where we launch the SaaS Connector and temporary converter instance for creating EC2 instances.

Create a Lifecycle Rule on Amazon S3

To delete the older inventory reports from the Amazon S3 bucket, you must create a lifecycle rule on the Amazon S3 bucket. You can delete all the inventory reports older than 30 days. For information on creating a lifecycle rule, see Amazon documentation.

Permission for AWS Key Management Service (KMS)

If the S3 bucket you want to protect is encrypted with Server-side encryption with AWS Key Management Service keys (SSE-KMS) or Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS), then for Cohesity to access the S3 bucket, you must perform one of the following actions:

  • Add the IAM role created by the Cloud Formation template to the AWS KMS user.

  • Add the following permission to the Key policy attached to the AWS KMS:

    • kms:Encrypt

    • kms:Decrypt

    • kms:ReEncrypt*

    • kms:GenerateDataKey*

    • kms:DescribeKey

    For example:

    {
        "Version": "2012-10-17",
        "Id": "AccessKeyId",
        "Statement": [
            {
                "Sid": "Allow use of the key to cohesity role",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<AWS-ACCOUNT>:role/<ROLE-NAME>"
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            }
        ]
    }
    

Considerations

Considerations for Amazon EC2 Cohesity Snapshots

Considerations for Amazon RDS

  • AWS Aurora cluster is recovered with at most one reader.

  • Cohesity does not support the auto-protect of RDS instances with different database types. Auto-protect of an RDS instance is supported only if the databases on the RDS instance are of the same type.

  • Cohesity does not support cross region-cross account recovery of Amazon RDS instance encrypted with default KMS key.

  • Cohesity does not support point-in-time recovery (PITR) of RDS instances or databases.

  • If you are recovering encrypted RDS instance(s) to Same AWS Account-Different AWS Region, you must create a KMS encryption key in the target AWS account & region with the same alias name as the KMS encryption key used to encrypt the source RDS instance(s).

  • If you are performing cross region - cross account recovery of an Amazon RDS instance encrypted with a customer-managed key, then ensure:

    • The source account's KMS key alias is available in both the source and destination regions of the destination account.

      For example, if A1 is the source account and R1 is the source region of the RDS instance you want to recover, and A2 is the destination account with R2 as the destination region, make sure that the key alias from A1 is available in both R1 and R2 of A2.

    • The source account’s KMS key alias can be accessed by the destination account. For this, you must grant the necessary permissions to the KMS key alias.

      The option group from the source account is available in both the source and destination regions of the destination account.

      For example, if A1 is the source account and R1 is the source region of the RDS instance, and A2 is the destination account with R2 as the destination region, ensure the option group from A1 is available in both R1 and R2 of the A2.

Considerations for Amazon S3

  • Cohesity does not support:

    • Browse and recover an object in an Amazon S3 bucket. However, you can recover multiple objects by specifying the object prefix in the recovery task under the S3 Prefixes to Recover option.

    • The backup of older versions of the AWS S3 versioned bucket. Only the latest version of the versioned Amazon S3 bucket is backed up.

    • The backup and recovery of Amazon S3 buckets that are not in the same cloud region where your data is backed up (Cohesity-managed SaaS platform).

  • The Amazon S3 buckets where you want to create the inventory report and the Amazon S3 bucket you want to protect must be in the same region.

  • If the SQS is deleted between backups, all the changes between these backups will be skipped in the next incremental backups.

  • Cohesity DataProtect as a Service will skip the backup of Amazon S3 objects that are present in the following access tiers of the Amazon S3 Intelligent Tiering during the protection:

    • Archive Access Tier

    • Deep Archive Access Tier

  • You do not need to deploy a SaaS connection to protect Amazon S3 buckets.

  • Cohesity does not support restoring only metadata. The metadata of Amazon S3 objects will be restored only if the object itself is also restored.

  • Cohesity does not remove older objects from the S3 bucket where the inventory report is created. Therefore, you must create a lifecycle rule to remove these objects from the S3 bucket to avoid storage issues.