AWS Ports and Account Requirements and Considerations

Before you protect your Amazon services using Cohesity DataProtect as a Service, ensure you have met the prerequisites and reviewed the considerations.

For information on the supported cloud regions where you can back up this source, see Supported Workloads and Cloud Regions.

Check Firewall Ports

Ensure that the ports listed in the Amazon Web Services (AWS) section in the Firewall Ports for User-Deployed SaaS Connectors topic are open to allow communication between the Cohesity SaaS Connector(s) and AWS environment.

Supported AWS S3 Storage Class

Cohesity supports the data protection of the following S3 storage class:

Amazon S3 Standard
Amazon S3 Intelligent-Tiering
Amazon S3 Standard-IA
Amazon S3 One Zone-IA

Account Requirements

To register your AWS account, run the CloudFormation Template (CFT) and add permissions to the IAM user.

The tables below list the permissions used by Cohesity in your AWS account. You do not need to add these permissions manually (except the IAM User Permissions to Execute CFT), as they are automatically added when you run the CFT provided by Cohesity during your AWS account registration with the Cohesity DataProtect as a Service and SiteContinuity services.

IAM User Permissions to Execute CFT

To register an AWS account with the Cohesity DataProtect as a Service, you need to run the CloudFormation Template on the AWS console. Ensure the IAM user you use has the following permissions to run the CloudFormation Template and to create and view the stack:

Ensure to add these permissions manually.

cloudformation:CreateChangeSet
cloudformation:CreateStack
cloudformation:CreateUploadBucket
cloudformation:DeleteStack
cloudformation:DescribeStackEvents
cloudformation:DescribeStackResources
cloudformation:DescribeStacks
cloudformation:GetTemplate
cloudformation:GetTemplateSummary
cloudformation:ListStackResources
cloudformation:ListStacks
cloudformation:UpdateStack
iam:AddRoleToInstanceProfile
iam:AttachRolePolicy
iam:CreateInstanceProfile
iam:CreateRole
iam:DeleteInstanceProfile
iam:DeleteRole
iam:DeleteRolePolicy
iam:DetachRolePolicy
iam:GetInstanceProfile
iam:GetRole
iam:GetRolePolicy
iam:PassRole
iam:PutRolePolicy
iam:RemoveRoleFromInstanceProfile
iam:TagRole
lambda:AddPermission
lambda:CreateFunction
lambda:DeleteFunction
lambda:InvokeFunction
lambda:RemovePermission
s3:CreateBucket
s3:GetObject
s3:ListBucket
s3:PutObject
s3: PutBucketPublicAccessBlock

Permissions for Amazon EC2 Data Protection

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource	Permissions	Reason
ebs	ebs:CompleteSnapshot ebs:GetSnapshotBlock ebs:ListChangedBlocks ebs:ListSnapshotBlocks ebs:PutSnapshotBlock ebs:StartSnapshot	These permissions are required for EBS direct APIs to read & write data from/to EBS snapshots.
ec2	ec2:AssociateIamInstanceProfile ec2:AttachVolume ec2:CopySnapshot ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteSnapshot ec2:DeleteVolume ec2:DeregisterImage ec2:DescribeAccountAttributes ec2:DescribeAddresses ec2:DescribeAvailabilityZones ec2:DescribeInstanceStatus ec2:DescribeInstanceTypes ec2:DescribeInstances ec2:DescribeKeyPairs ec2:DescribeRegions ec2:DescribeReservedInstances ec2:DescribeReservedInstancesOfferings ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumeAttribute ec2:DescribeVolumes ec2:DescribeVpcEndpointServiceConfigurations ec2:DescribeVpcs ec2:DetachVolume ec2:ModifyInstanceAttribute ec2:RegisterImage ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances	These permissions are required to register the AWS account on Cohesity BaaS with the IAM role which got created by the Cloud Formation template. Once the source is registered on BaaS, describe permissions are needed so Cohesity can identify resources present in the account, which will be used for backups as well as at the time of recovery we use this information to provide a list of options(VPC, subnet, KeyPair, etc) to choose from. For Cohesity snapshots we create SaaS Connector instances for doing backup and recovery of AWS EC2 instances. Cohesity creates snapshots of the EC2 volumes while backing up and storing the different instance attributes and tags. While recovering the AWS EC2 instance, Cohesity creates volumes of original disk size. It also attaches the original tags and corresponding network and security groups as part of the recovery, along with IAM Instance Profile if it exists. Cohesity requires the delete snapshots permissions to delete the expired/old snapshots it creates during the backup. Cohesity requires the delete volume and instance termination permissions to tear down the SaaS Connectors.
iam	iam:PassRole iam:SimulatePrincipalPolicy iam:GetInstanceProfile iam:AmazonSSMManagedInstanceCore	PassRole permission is needed so that we can attach the created role to SaaS Connectors, as well as the original roles on the recovered EC2 instances. SimulatePricipalPolicy is needed so we can ensure required actions are allowed on the IAM role we created as part of the Cloud Formation template. GetInstanceProfile is needed to check if the required Instance profile is present at the time of recovery in the target location. AmazonSSMManagedInstanceCore is needed to access the AWS Systems Manager Agent (SSM) on the target VM.
kms*	kms:CreateGrant kms:Decrypt kms:DescribeKey kms:Encrypt kms:GenerateDataKey kms:GenerateDataKeyWithoutPlaintext kms:GetKeyPolicy kms:ListAliases kms:ListKeys kms:ReEncryptFrom kms:ReEncryptTo	KMS permissions are needed to read data of encrypted volumes at the time of backup, as well as write encrypted data to the recovered EBS volumes. Describe permissions are needed so we can list & identifies keys associated with EBS volumes.
ssm	ssm:GetCommandInvocation ssm:SendCommand	SSM permissions are needed at the time of claiming (adding) SaaS Connections to Cohesity BaaS.

*If you want to use a KMS key belonging to a different AWS account, then perform the steps described in the AWS documentation.

Permissions for Amazon RDS Data Protection

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource	Permissions	Reason
ec2	ec2:DescribeAvailabilityZones ec2:DescribeInstances ec2:DescribeKeyPairs ec2:DescribeRegions ec2:DescribeReservedInstancesOfferings ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVolumes ec2:DescribeVpcs	Required for AWS source registration, and discover the resources present in the account, which will be used for backups. Also needed for recovery to provide list of options to choose from.
ec2	ec2:CreateVolume ec2:CreateTags ec2:DescribeTag ec2:DescribeVolumeAttribut ec2:DescribeVolumes ec2:DescribeInstances ec2:AttachVolume ec2:DeleteVolume ec2:DetachVolume ec2:ModifyVolume	Required for attaching and detaching volumes of RDS database to SaaS Connectors during the RDS ingest backup.
iam	iam:SimulatePrincipalPolicy	SimulatePricipalPolicy is needed to ensure that the required actions are allowed on the IAM role we created as part of the Cloud Formation template.
kms*	kms:CreateGrant kms:DescribeKey kms:ListAliases	KMS permissions are needed to read data of an encrypted database at the time of backup, as well as write encrypted data to the recovered database. Describe permissions are needed so we can list & identify keys associated with database instances.
rds	rds:AddTagsToResource rds:CopyDBClusterSnapshot rds:CopyDBSnapshot rds:CreateDBClusterSnapshot rds:CreateDBInstance rds:CreateDBSnapshot rds:DeleteDBClusterSnapshot rds:DeleteDBSnapshot rds:DescribeDBClusterSnapshots rds:DescribeDBClusters rds:DescribeDBInstances rds:DescribeDBParameterGroups rds:DescribeDBSnapshots rds:DescribeDBSubnetGroups rds:DescribeOptionGroups rds:ModifyDBClusterSnapshotAttribute rds:ModifyDBSnapshotAttribute rds:RestoreDBClusterFromSnapshot rds:RestoreDBClusterToPointInTime rds:RestoreDBInstanceFromDBSnapshot rds:RestoreDBInstanceToPointInTime	These permissions are required to register the AWS account on Cohesity BaaS with the IAM role which got created by the Cloud Formation template. Once the source is registered on BaaS, describe permissions are needed so Cohesity can identify resources present in the account, which will be used for backups as well as at the time of recovery we use this information to provide a list of options to choose from. Cohesity creates snapshots of the RDS & Aurora instances while backing up and storing the different database instance attributes and tags. While recovering the database instance, Cohesity creates DB instance/cluster, it also attaches the original tags. Cohesity requires the delete snapshots permissions to delete the expired/old snapshots it creates during the backup. We need to modify snapshot attributes permission so that we can share the snapshot across accounts if cross-account recovery is attempted. RestoreDBInstanceToPointInTime and RestoreDBClusterToPointInTime is needed to do the point in time recoveries.

*If you want to use a KMS key belonging to a different AWS account, then perform the steps described in the AWS documentation.

Permissions for Amazon S3 Data Protection

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource	Permissions	Reason
S3	s3:GetBucketLocation s3:GetBucketNotification s3:GetBucketOwnershipControls s3:GetBucketTagging s3:GetBucketVersioning s3:GetInventoryConfiguration s3:GetObject s3:GetObjectAcl s3:GetObjectTagging s3:GetObjectVersion s3:GetObjectVersionAcl s3:GetObjectVersionTagging s3:ListAllMyBuckets s3:ListBucket s3:PutBucketNotification s3:PutInventoryConfiguration s3:PutObject s3:PutObjectAcl s3:PutObjectTagging s3:PutObjectVersionAcl	These permissions are required for the backup and recovery of S3 objects.
iam	iam:SimulatePrincipalPolicy	SimulatePricipalPolicy is needed to ensure that the required actions are allowed on the IAM role we created as part of the Cloud Formation template.
kms*	kms:CreateGrant kms:DescribeKey kms:ListAliases kms:GenerateDataKey	KMS permissions are needed to read data of an encrypted database at the time of backup, as well as write encrypted data to the recovered database. Describe permissions are needed so we can list & identify keys associated with database instances.
Events	events:DeleteRule events:PutTargets events:RemoveTargets	These permissions are required for capturing the incremental changes on the S3 buckets.
Glue	glue:DeleteJob glue:GetJobRun glue:StartJobRun glue:UpdateJob	These permissions are required for sorting the inventory report. The sorted inventory report is then used to back up the S3 objects to the Cohesity DataProtect as a Service.
SQS	sqs:CreateQueue sqs:TagQueue sqs:DeleteMessage sqs:DeleteQueue sqs:GetQueueUrl sqs:PurgeQueue sqs:ReceiveMessage sqs:SetQueueAttributes	These permissions are required for capturing the incremental changes on the S3 buckets.

Permission for AWS S3 Inventory Report

To write objects to the Amazon S3 bucket, you must add the S3:PutObject permission to the S3 bucket policy attached to the AWS S3 bucket where you want to create the inventory report.

The following is an example of an S3 bucket policy that allows s3.amazonaws.com to write (Put) objects in the S3 bucket:

{
	"Version": "2012-10-17",
	"Id": "S3-Console-Auto-Gen-Policy-1698064515475",
	"Statement": [
    	    {
        	"Sid": "InventoryAndAnalyticsExamplePolicy",
        	"Effect": "Allow",
        	"Principal": {
            	"Service": "s3.amazonaws.com"
        	},
        	"Action": [
            	"s3:PutObject"
        	],
        	"Resource": "arn:aws:s3:::inventory-report-bucket/*",
        	"Condition": {
            	"StringEquals": {
                	"aws:SourceAccount": "<account id>",
                	"s3:x-amz-acl": "bucket-owner-full-control"
            	},
                   	}
    	    }
	]
}

In the above example, <account id> is the AWS account ID of the Amazon S3 bucket you want to protect.

Permissions for Cohesity SiteContinuity (Disaster Recovery)

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource	Permissions	Reason
ebs	ebs:CompleteSnapshot ebs:GetSnapshotBlock ebs:ListChangedBlocks ebs:ListSnapshotBlocks ebs:PutSnapshotBlock ebs:StartSnapshot	These permissions are required for EBS direct APIs to read & write data from/to EBS snapshots. Reading EBS data is done during failback preparation, and writing to EBS is done at failover.
ec2	ec2:AssociateIamInstanceProfile ec2:AttachVolume ec2:CancelExportTask ec2:CancelImportTask ec2:CopySnapshot ec2:CreateImage ec2:CreateInstanceExportTask ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteSnapshot ec2:DeleteTags ec2:DeleteVolume ec2:DeregisterImage ec2:DescribeAccountAttributes ec2:DescribeAddresses ec2:DescribeAvailabilityZones ec2:DescribeExportTasks ec2:DescribeImages ec2:DescribeImportImageTasks ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstances ec2:DescribeKeyPairs ec2:DescribeRegions ec2:DescribeReservedInstancesOfferings ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumeAttribute ec2:DescribeVolumes ec2:DescribeVpcs ec2:DetachVolume ec2:ImportImage ec2:ModifyInstanceAttribute ec2:ModifyNetworkInterfaceAttribute ec2:ModifySnapshotAttribute ec2:RegisterImage ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances	These permissions are required to register the AWS account on Cohesity Helios with the IAM role created by the Cloud Formation template. Once the source is registered, describe permissions are needed so Cohesity can identify resources present in the account like EC2 instance, VPC, subnet, etc. These describe permissions are also used at the time of failover and failback. The import/export permissions are required because we use AWS Import/Export as our fallback mechanism if Cohesity Import/Export does not work. Cohesity requires all the instance-related permissions to run instances and terminate them if some error occurs. Delete permissions are required so that Cohesity can delete the temporary resources like volumes or snapshots it has created in the process of failover or failback so that we do not leave any garbage behind.
iam	iam:AddRoleToInstanceProfile iam:AttachRolePolicy iam:CreateInstanceProfile iam:CreateRole iam:GetInstanceProfile iam:GetRole iam:GetRolePolicy iam:PassRole iam:PutRolePolicy iam:SimulatePrincipalPolicy	These IAM permissions are needed because we have to SSM into the converter instance, and for that to work, an instance profile should be attached to the converter instance. So to create that instance profile for the role, these permissions are needed.
kms	kms:ListAliases	KMS permission is needed to list the aliases attached to an EC2 instance at the time of source register.
s3	s3:CreateBucket s3:DeleteObject s3:GetBucketAcl s3:GetObject s3:HeadObject s3:PutBucketAcl s3:PutBucketPublicAccessBlock	These S3 permissions are needed in case of the vmimport role we use in case of failover.
ssm	ssm:GetCommandInvocation ssm:ListCommandInvocations ssm:SendCommand	SSM permissions are needed at the time of failover, where we launch the SaaS Connector and temporary converter instance for creating EC2 instances.

Create a Lifecycle Rule on Amazon S3

To delete the older inventory reports from the Amazon S3 bucket, you must create a lifecycle rule on the Amazon S3 bucket. You can delete all the inventory reports older than 30 days. For information on creating a lifecycle rule, see Amazon documentation.

Permission for AWS Key Management Service (KMS)

If the S3 bucket you want to protect is encrypted with Server-side encryption with AWS Key Management Service keys (SSE-KMS) or Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS), then for Cohesity to access the S3 bucket, you must perform one of the following actions:

Add the IAM role created by the Cloud Formation template to the AWS KMS user.

Add the following permission to the Key policy attached to the AWS KMS:

kms:Encrypt
kms:Decrypt
kms:ReEncrypt*
kms:GenerateDataKey*
kms:DescribeKey

For example:

{
    "Version": "2012-10-17",
    "Id": "AccessKeyId",
    "Statement": [
        {
            "Sid": "Allow use of the key to cohesity role",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS-ACCOUNT>:role/<ROLE-NAME>"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

Considerations

Considerations for Amazon EC2 Cohesity Snapshots

When using Cohesity snapshots to back up & recover EC2 instances within the same AWS region, if your AWS SaaS Connectors are deployed in a:
- Public subnet, configure the Internet Gateway and S3 Gateway VPC endpoint.
- Private subnet, configure the EBS VPC Interface Endpoint and S3 Gateway VPC endpoints.
When using Cohesity snapshots to back up & recover EC2 across different AWS regions, if your SaaS Connectors are deployed in a:
- Public subnet, configure the Internet Gateway and S3 Gateway VPC endpoint.
- Private subnet, configure the EBS VPC Interface Endpoint and the S3 Interface VPC endpoints.
Cross-region data transfer charges apply if Cohesity snapshots are ingested to or recovered from a different AWS region. Using a public subnet for your SaaS Connectors provides cost efficiency compared to a private subnet.
To prepare your AWS account for Cohesity SaaS Connector deployment in a Public or Private subnet, see AWS SaaS Connector Deployment.
Backing up NFS mount points mounted on EC2 instance is not supported.
Cohesity does not support the backup and recovery of AWS EC2 instances with UEFI Preferred boot mode.

Considerations for Amazon RDS

AWS Aurora cluster is recovered with at most one reader.
Cohesity does not support the auto-protect of RDS instances with different database types. Auto-protect of an RDS instance is supported only if the databases on the RDS instance are of the same type.
Cohesity does not support cross region-cross account recovery of Amazon RDS instance encrypted with default KMS key.
Cohesity does not support point-in-time recovery (PITR) of RDS instances or databases.
If you are recovering encrypted RDS instance(s) to Same AWS Account-Different AWS Region, you must create a KMS encryption key in the target AWS account & region with the same alias name as the KMS encryption key used to encrypt the source RDS instance(s).
If you are performing cross region - cross account recovery of an Amazon RDS instance encrypted with a customer-managed key, then ensure:
- The source account's KMS key alias is available in both the source and destination regions of the destination account.
  
  For example, if A1 is the source account and R1 is the source region of the RDS instance you want to recover, and A2 is the destination account with R2 as the destination region, make sure that the key alias from A1 is available in both R1 and R2 of A2.
- The source account’s KMS key alias can be accessed by the destination account. For this, you must grant the necessary permissions to the KMS key alias.
  
  The option group from the source account is available in both the source and destination regions of the destination account.
  
  For example, if A1 is the source account and R1 is the source region of the RDS instance, and A2 is the destination account with R2 as the destination region, ensure the option group from A1 is available in both R1 and R2 of the A2.

Considerations for Amazon S3

Cohesity does not support:
- Browse and recover an object in an Amazon S3 bucket. However, you can recover multiple objects by specifying the object prefix in the recovery task under the S3 Prefixes to Recover option.
- The backup of older versions of the AWS S3 versioned bucket. Only the latest version of the versioned Amazon S3 bucket is backed up.
- The backup and recovery of Amazon S3 buckets that are not in the same cloud region where your data is backed up (Cohesity-managed SaaS platform).
The Amazon S3 buckets where you want to create the inventory report and the Amazon S3 bucket you want to protect must be in the same region.
If the SQS is deleted between backups, all the changes between these backups will be skipped in the next incremental backups.
Cohesity DataProtect as a Service will skip the backup of Amazon S3 objects that are present in the following access tiers of the Amazon S3 Intelligent Tiering during the protection:
- Archive Access Tier
- Deep Archive Access Tier
You do not need to deploy a SaaS connection to protect Amazon S3 buckets.
Cohesity does not support restoring only metadata. The metadata of Amazon S3 objects will be restored only if the object itself is also restored.
Cohesity does not remove older objects from the S3 bucket where the inventory report is created. Therefore, you must create a lifecycle rule to remove these objects from the S3 bucket to avoid storage issues.

AWS Ports and Account Requirements and Considerations

Check Firewall Ports

Supported AWS S3 Storage Class

Account Requirements

IAM User Permissions to Execute CFT

Permissions for Amazon EC2 Data Protection

Permissions for Amazon RDS Data Protection

Permissions for Amazon S3 Data Protection

Permission for AWS S3 Inventory Report

Permissions for Cohesity SiteContinuity (Disaster Recovery)

Create a Lifecycle Rule on Amazon S3

Permission for AWS Key Management Service (KMS)

Considerations

Considerations for Amazon EC2 Cohesity Snapshots

Considerations for Amazon RDS

Considerations for Amazon S3

Are you satisfied with the Cohesity documentation?

Thank you for helping us improve our documentation!

Great!

Company

Resources

Community