AWS Ports and Account Requirements and Considerations
Before you protect your Amazon services using Cohesity DataProtect as a Service, ensure you have met the prerequisites and reviewed the considerations.
For information on the supported cloud regions where you can back up this source, see Supported Workloads and Cloud Regions.
Check Firewall Ports
Ensure that the ports listed in the Amazon Web Services (AWS) section in the Firewall Ports for User-Deployed SaaS Connectors topic are open to allow communication between the Cohesity SaaS Connector(s) and AWS environment.
Supported AWS S3 Storage Class
Cohesity supports the data protection of the following S3 storage class:
-
Amazon S3 Standard
-
Amazon S3 Intelligent-Tiering
-
Amazon S3 Standard-IA
-
Amazon S3 One Zone-IA
Account Requirements
To register your AWS account, run the CloudFormation Template (CFT) and add permissions to the IAM user.
The tables below list the permissions used by Cohesity in your AWS account. You do not need to add these permissions manually (except the IAM User Permissions to Execute CFT), as they are automatically added when you run the CFT provided by Cohesity during your AWS account registration with the Cohesity DataProtect as a Service and SiteContinuity services.
IAM User Permissions to Execute CFT
To register an AWS account with the Cohesity DataProtect as a Service, you need to run the CloudFormation Template on the AWS console. Ensure the IAM user you use has the following permissions to run the CloudFormation Template and to create and view the stack:
Ensure to add these permissions manually.
-
cloudformation:CreateChangeSet
-
cloudformation:CreateStack
-
cloudformation:CreateUploadBucket
-
cloudformation:DeleteStack
-
cloudformation:DescribeStackEvents
-
cloudformation:DescribeStackResources
-
cloudformation:DescribeStacks
-
cloudformation:GetTemplate
-
cloudformation:GetTemplateSummary
-
cloudformation:ListStackResources
-
cloudformation:ListStacks
-
cloudformation:UpdateStack
-
iam:AddRoleToInstanceProfile
-
iam:AttachRolePolicy
-
iam:CreateInstanceProfile
-
iam:CreateRole
-
iam:DeleteInstanceProfile
-
iam:DeleteRole
-
iam:DeleteRolePolicy
-
iam:DetachRolePolicy
-
iam:GetInstanceProfile
-
iam:GetRole
-
iam:GetRolePolicy
-
iam:PassRole
-
iam:PutRolePolicy
-
iam:RemoveRoleFromInstanceProfile
-
iam:TagRole
-
lambda:AddPermission
-
lambda:CreateFunction
-
lambda:DeleteFunction
-
lambda:InvokeFunction
-
lambda:RemovePermission
-
s3:CreateBucket
-
s3:GetObject
-
s3:ListBucket
-
s3:PutObject
-
s3: PutBucketPublicAccessBlock
Permissions for Amazon EC2 Data Protection
You do not need to add these permissions manually, as they are automatically added when you run the CFT.
Resource |
Permissions |
Reason |
---|---|---|
ebs |
ebs:CompleteSnapshot ebs:GetSnapshotBlock ebs:ListChangedBlocks ebs:ListSnapshotBlocks ebs:PutSnapshotBlock ebs:StartSnapshot |
These permissions are required for EBS direct APIs to read & write data from/to EBS snapshots. |
ec2 |
ec2:AssociateIamInstanceProfile ec2:AttachVolume ec2:CopySnapshot ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteSnapshot ec2:DeleteVolume ec2:DeregisterImage ec2:DescribeAccountAttributes ec2:DescribeAddresses ec2:DescribeAvailabilityZones ec2:DescribeInstanceStatus ec2:DescribeInstanceTypes ec2:DescribeInstances ec2:DescribeKeyPairs ec2:DescribeRegions ec2:DescribeReservedInstances ec2:DescribeReservedInstancesOfferings ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumeAttribute ec2:DescribeVolumes ec2:DescribeVpcEndpointServiceConfigurations ec2:DescribeVpcs ec2:DetachVolume ec2:ModifyInstanceAttribute ec2:RegisterImage ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances |
These permissions are required to register the AWS account on Cohesity BaaS with the IAM role which got created by the Cloud Formation template. Once the source is registered on BaaS, describe permissions are needed so Cohesity can identify resources present in the account, which will be used for backups as well as at the time of recovery we use this information to provide a list of options(VPC, subnet, KeyPair, etc) to choose from. For Cohesity snapshots we create SaaS Connector instances for doing backup and recovery of AWS EC2 instances. Cohesity creates snapshots of the EC2 volumes while backing up and storing the different instance attributes and tags. While recovering the AWS EC2 instance, Cohesity creates volumes of original disk size. It also attaches the original tags and corresponding network and security groups as part of the recovery, along with IAM Instance Profile if it exists. Cohesity requires the delete snapshots permissions to delete the expired/old snapshots it creates during the backup. Cohesity requires the delete volume and instance termination permissions to tear down the SaaS Connectors. |
iam |
iam:PassRole iam:SimulatePrincipalPolicy iam:GetInstanceProfile iam:AmazonSSMManagedInstanceCore |
PassRole permission is needed so that we can attach the created role to SaaS Connectors, as well as the original roles on the recovered EC2 instances. SimulatePricipalPolicy is needed so we can ensure required actions are allowed on the IAM role we created as part of the Cloud Formation template. GetInstanceProfile is needed to check if the required Instance profile is present at the time of recovery in the target location. AmazonSSMManagedInstanceCore is needed to access the AWS Systems Manager Agent (SSM) on the target VM. |
kms* |
kms:CreateGrant kms:Decrypt kms:DescribeKey kms:Encrypt kms:GenerateDataKey kms:GenerateDataKeyWithoutPlaintext kms:GetKeyPolicy kms:ListAliases kms:ListKeys kms:ReEncryptFrom kms:ReEncryptTo |
KMS permissions are needed to read data of encrypted volumes at the time of backup, as well as write encrypted data to the recovered EBS volumes. Describe permissions are needed so we can list & identifies keys associated with EBS volumes. |
ssm |
ssm:GetCommandInvocation ssm:SendCommand |
SSM permissions are needed at the time of claiming (adding) SaaS Connections to Cohesity BaaS. |
*If you want to use a KMS key belonging to a different AWS account, then perform the steps described in the AWS documentation.
Permissions for Amazon RDS Data Protection
You do not need to add these permissions manually, as they are automatically added when you run the CFT.
Resource |
Permissions |
Reason |
---|---|---|
ec2 |
ec2:DescribeAvailabilityZones ec2:DescribeInstances ec2:DescribeKeyPairs ec2:DescribeRegions ec2:DescribeReservedInstancesOfferings ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVolumes ec2:DescribeVpcs |
Required for AWS source registration, and discover the resources present in the account, which will be used for backups. Also needed for recovery to provide list of options to choose from. |
ec2:CreateVolume ec2:CreateTags ec2:DescribeTag ec2:DescribeVolumeAttribut ec2:DescribeVolumes ec2:DescribeInstances ec2:AttachVolume ec2:DeleteVolume ec2:DetachVolume ec2:ModifyVolume |
Required for attaching and detaching volumes of RDS database to SaaS Connectors during the RDS ingest backup. | |
iam |
iam:SimulatePrincipalPolicy |
SimulatePricipalPolicy is needed to ensure that the required actions are allowed on the IAM role we created as part of the Cloud Formation template. |
kms* |
kms:CreateGrant kms:DescribeKey kms:ListAliases |
KMS permissions are needed to read data of an encrypted database at the time of backup, as well as write encrypted data to the recovered database. Describe permissions are needed so we can list & identify keys associated with database instances. |
rds |
rds:AddTagsToResource rds:CopyDBClusterSnapshot rds:CopyDBSnapshot rds:CreateDBClusterSnapshot rds:CreateDBInstance rds:CreateDBSnapshot rds:DeleteDBClusterSnapshot rds:DeleteDBSnapshot rds:DescribeDBClusterSnapshots rds:DescribeDBClusters rds:DescribeDBInstances rds:DescribeDBParameterGroups rds:DescribeDBSnapshots rds:DescribeDBSubnetGroups rds:DescribeOptionGroups rds:ModifyDBClusterSnapshotAttribute rds:ModifyDBSnapshotAttribute rds:RestoreDBClusterFromSnapshot rds:RestoreDBClusterToPointInTime rds:RestoreDBInstanceFromDBSnapshot rds:RestoreDBInstanceToPointInTime |
These permissions are required to register the AWS account on Cohesity BaaS with the IAM role which got created by the Cloud Formation template. Once the source is registered on BaaS, describe permissions are needed so Cohesity can identify resources present in the account, which will be used for backups as well as at the time of recovery we use this information to provide a list of options to choose from. Cohesity creates snapshots of the RDS & Aurora instances while backing up and storing the different database instance attributes and tags. While recovering the database instance, Cohesity creates DB instance/cluster, it also attaches the original tags. Cohesity requires the delete snapshots permissions to delete the expired/old snapshots it creates during the backup. We need to modify snapshot attributes permission so that we can share the snapshot across accounts if cross-account recovery is attempted. RestoreDBInstanceToPointInTime and RestoreDBClusterToPointInTime is needed to do the point in time recoveries. |
*If you want to use a KMS key belonging to a different AWS account, then perform the steps described in the AWS documentation.
Permissions for Amazon S3 Data Protection
You do not need to add these permissions manually, as they are automatically added when you run the CFT.
Resource |
Permissions |
Reason |
---|---|---|
S3 |
s3:GetBucketLocation s3:GetBucketNotification s3:GetBucketOwnershipControls s3:GetBucketTagging s3:GetBucketVersioning s3:GetInventoryConfiguration s3:GetObject s3:GetObjectAcl s3:GetObjectTagging s3:GetObjectVersion s3:GetObjectVersionAcl s3:GetObjectVersionTagging s3:ListAllMyBuckets s3:ListBucket s3:PutBucketNotification s3:PutInventoryConfiguration s3:PutObject s3:PutObjectAcl s3:PutObjectTagging s3:PutObjectVersionAcl |
These permissions are required for the backup and recovery of S3 objects. |
iam |
iam:SimulatePrincipalPolicy |
SimulatePricipalPolicy is needed to ensure that the required actions are allowed on the IAM role we created as part of the Cloud Formation template. |
kms* |
kms:CreateGrant kms:DescribeKey kms:ListAliases kms:GenerateDataKey |
KMS permissions are needed to read data of an encrypted database at the time of backup, as well as write encrypted data to the recovered database. Describe permissions are needed so we can list & identify keys associated with database instances. |
Events | events:DeleteRule events:PutTargets events:RemoveTargets | These permissions are required for capturing the incremental changes on the S3 buckets. |
Glue |
glue:DeleteJob
|
These permissions are required for sorting the inventory report. The sorted inventory report is then used to back up the S3 objects to the Cohesity DataProtect as a Service. |
SQS | sqs:CreateQueue
sqs:TagQueue sqs:DeleteMessage sqs:DeleteQueue sqs:GetQueueUrl sqs:PurgeQueue sqs:ReceiveMessage sqs:SetQueueAttributes |
These permissions are required for capturing the incremental changes on the S3 buckets. |
Permission for AWS S3 Inventory Report
To write objects to the Amazon S3 bucket, you must add the S3:PutObject
permission to the S3 bucket policy attached to the AWS S3 bucket where you want to create the inventory report.
The following is an example of an S3 bucket policy that allows s3.amazonaws.com to write (Put) objects in the S3 bucket:
{ "Version": "2012-10-17", "Id": "S3-Console-Auto-Gen-Policy-1698064515475", "Statement": [ { "Sid": "InventoryAndAnalyticsExamplePolicy", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::inventory-report-bucket/*", "Condition": { "StringEquals": { "aws:SourceAccount": "<account id>", "s3:x-amz-acl": "bucket-owner-full-control" }, } } ] }
In the above example, <account id>
is the AWS account ID of the Amazon S3 bucket you want to protect.
Permissions for Cohesity SiteContinuity (Disaster Recovery)
You do not need to add these permissions manually, as they are automatically added when you run the CFT.
Resource |
Permissions |
Reason |
---|---|---|
ebs |
ebs:CompleteSnapshot ebs:GetSnapshotBlock ebs:ListChangedBlocks ebs:ListSnapshotBlocks ebs:PutSnapshotBlock ebs:StartSnapshot |
These permissions are required for EBS direct APIs to read & write data from/to EBS snapshots. Reading EBS data is done during failback preparation, and writing to EBS is done at failover. |
ec2 |
ec2:AssociateIamInstanceProfile ec2:AttachVolume ec2:CancelExportTask ec2:CancelImportTask ec2:CopySnapshot ec2:CreateImage ec2:CreateInstanceExportTask ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteSnapshot ec2:DeleteTags ec2:DeleteVolume ec2:DeregisterImage ec2:DescribeAccountAttributes ec2:DescribeAddresses ec2:DescribeAvailabilityZones ec2:DescribeExportTasks ec2:DescribeImages ec2:DescribeImportImageTasks ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstances ec2:DescribeKeyPairs ec2:DescribeRegions ec2:DescribeReservedInstancesOfferings ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumeAttribute ec2:DescribeVolumes ec2:DescribeVpcs ec2:DetachVolume ec2:ImportImage ec2:ModifyInstanceAttribute ec2:ModifyNetworkInterfaceAttribute ec2:ModifySnapshotAttribute ec2:RegisterImage ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances |
These permissions are required to register the AWS account on Cohesity Helios with the IAM role created by the Cloud Formation template. Once the source is registered, describe permissions are needed so Cohesity can identify resources present in the account like EC2 instance, VPC, subnet, etc. These describe permissions are also used at the time of failover and failback. The import/export permissions are required because we use AWS Import/Export as our fallback mechanism if Cohesity Import/Export does not work. Cohesity requires all the instance-related permissions to run instances and terminate them if some error occurs. Delete permissions are required so that Cohesity can delete the temporary resources like volumes or snapshots it has created in the process of failover or failback so that we do not leave any garbage behind. |
iam |
iam:AddRoleToInstanceProfile iam:AttachRolePolicy iam:CreateInstanceProfile iam:CreateRole iam:GetInstanceProfile iam:GetRole iam:GetRolePolicy iam:PassRole iam:PutRolePolicy iam:SimulatePrincipalPolicy |
These IAM permissions are needed because we have to SSM into the converter instance, and for that to work, an instance profile should be attached to the converter instance. So to create that instance profile for the role, these permissions are needed. |
kms |
kms:ListAliases |
KMS permission is needed to list the aliases attached to an EC2 instance at the time of source register. |
s3 |
s3:CreateBucket s3:DeleteObject s3:GetBucketAcl s3:GetObject s3:HeadObject s3:PutBucketAcl s3:PutBucketPublicAccessBlock |
These S3 permissions are needed in case of the vmimport role we use in case of failover. |
ssm |
ssm:GetCommandInvocation ssm:ListCommandInvocations ssm:SendCommand |
SSM permissions are needed at the time of failover, where we launch the SaaS Connector and temporary converter instance for creating EC2 instances. |
Create a Lifecycle Rule on Amazon S3
To delete the older inventory reports from the Amazon S3 bucket, you must create a lifecycle rule on the Amazon S3 bucket. You can delete all the inventory reports older than 30 days. For information on creating a lifecycle rule, see Amazon documentation.
Permission for AWS Key Management Service (KMS)
If the S3 bucket you want to protect is encrypted with Server-side encryption with AWS Key Management Service keys (SSE-KMS) or Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS), then for Cohesity to access the S3 bucket, you must perform one of the following actions:
-
Add the IAM role created by the Cloud Formation template to the AWS KMS user.
-
Add the following permission to the Key policy attached to the AWS KMS:
-
kms:Encrypt
-
kms:Decrypt
-
kms:ReEncrypt*
-
kms:GenerateDataKey*
-
kms:DescribeKey
For example:
{ "Version": "2012-10-17", "Id": "AccessKeyId", "Statement": [ { "Sid": "Allow use of the key to cohesity role", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<AWS-ACCOUNT>:role/<ROLE-NAME>" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" } ] }
-
Considerations
Considerations for Amazon EC2 Cohesity Snapshots
-
When using Cohesity snapshots to back up & recover EC2 instances within the same AWS region, if your AWS SaaS Connectors are deployed in a:
-
Public subnet, configure the Internet Gateway and S3 Gateway VPC endpoint.
-
Private subnet, configure the EBS VPC Interface Endpoint and S3 Gateway VPC endpoints.
-
-
When using Cohesity snapshots to back up & recover EC2 across different AWS regions, if your SaaS Connectors are deployed in a:
-
Public subnet, configure the Internet Gateway and S3 Gateway VPC endpoint.
-
Private subnet, configure the EBS VPC Interface Endpoint and the S3 Interface VPC endpoints.
Cross-region data transfer charges apply if Cohesity snapshots are ingested to or recovered from a different AWS region. Using a public subnet for your SaaS Connectors provides cost efficiency compared to a private subnet.
-
-
To prepare your AWS account for Cohesity SaaS Connector deployment in a Public or Private subnet, see AWS SaaS Connector Deployment.
-
Backing up NFS mount points mounted on EC2 instance is not supported.
-
Cohesity does not support the backup and recovery of AWS EC2 instances with UEFI Preferred boot mode.
Considerations for Amazon RDS
-
AWS Aurora cluster is recovered with at most one reader.
-
Cohesity does not support the auto-protect of RDS instances with different database types. Auto-protect of an RDS instance is supported only if the databases on the RDS instance are of the same type.
-
Cohesity does not support cross region-cross account recovery of Amazon RDS instance encrypted with default KMS key.
-
Cohesity does not support point-in-time recovery (PITR) of RDS instances or databases.
-
If you are recovering encrypted RDS instance(s) to Same AWS Account-Different AWS Region, you must create a KMS encryption key in the target AWS account & region with the same alias name as the KMS encryption key used to encrypt the source RDS instance(s).
-
If you are performing cross region - cross account recovery of an Amazon RDS instance encrypted with a customer-managed key, then ensure:
-
The source account's KMS key alias is available in both the source and destination regions of the destination account.
For example, if A1 is the source account and R1 is the source region of the RDS instance you want to recover, and A2 is the destination account with R2 as the destination region, make sure that the key alias from A1 is available in both R1 and R2 of A2.
-
The source account’s KMS key alias can be accessed by the destination account. For this, you must grant the necessary permissions to the KMS key alias.
The option group from the source account is available in both the source and destination regions of the destination account.
For example, if A1 is the source account and R1 is the source region of the RDS instance, and A2 is the destination account with R2 as the destination region, ensure the option group from A1 is available in both R1 and R2 of the A2.
-
Considerations for Amazon S3
-
Cohesity does not support:
-
Browse and recover an object in an Amazon S3 bucket. However, you can recover multiple objects by specifying the object prefix in the recovery task under the S3 Prefixes to Recover option.
-
The backup of older versions of the AWS S3 versioned bucket. Only the latest version of the versioned Amazon S3 bucket is backed up.
-
The backup and recovery of Amazon S3 buckets that are not in the same cloud region where your data is backed up (Cohesity-managed SaaS platform).
-
-
The Amazon S3 buckets where you want to create the inventory report and the Amazon S3 bucket you want to protect must be in the same region.
-
If the SQS is deleted between backups, all the changes between these backups will be skipped in the next incremental backups.
-
Cohesity DataProtect as a Service will skip the backup of Amazon S3 objects that are present in the following access tiers of the Amazon S3 Intelligent Tiering during the protection:
-
Archive Access Tier
-
Deep Archive Access Tier
-
-
You do not need to deploy a SaaS connection to protect Amazon S3 buckets.
-
Cohesity does not support restoring only metadata. The metadata of Amazon S3 objects will be restored only if the object itself is also restored.
-
Cohesity does not remove older objects from the S3 bucket where the inventory report is created. Therefore, you must create a lifecycle rule to remove these objects from the S3 bucket to avoid storage issues.