Run CloudFormation Template

To register AWS sources, first run Cohesity's CloudFormation Template (CFT).

Before you can register an AWS source, you'll need to configure your account's IAM role permissions for Cohesity DataProtect as a Service. To do so, you can execute Cohesity's CloudFormation Template (CFT), a JSON file you can download from Cohesity DataProtect as a Service as you register.

When you execute the CFT, it creates an AWS IAM role and the policies based on the AWS services (EC2 instances and/or RDS databases) you select during AWS source registration. By default, the CFT-created role will be able to access all IAM roles and KMS keys in your account, but you can optionally restrict the permissions to specific IAM roles and KMS resources in the Parameters section when executing the CFT.

Configure CFT Parameters

These CFT parameters allow you to restrict the permissions:

  • Restrict IAM Permissions: Use this field to restrict Cohesity’s access to just the EC2 instances that you intend to protect and recover.

  • Restrict KMS Permissions (Optional): Use this field to limit the backup of encrypted EC2 instances to just those that are encrypted using an AWS KMS key with the tag specified.

  • Restrict SSM permissions: Use this field to limit the available targets for file and folder recovery to only those EC2 instances with the specified tag.

The table below lists some of the permissions that Cohesity would use in your AWS account. The default scope is all resources, but you can use the parameters above to limit the scope of these permissions to specific resources.

Restricted IAM Permissions:

  • iam:AddRoleToInstanceProfile
  • iam:AttachRolePolicy
  • iam:CreateInstanceProfile
  • iam:CreateRole
  • iam:GetInstanceProfile
  • iam:GetRole
  • iam:GetRolePolicy
  • iam:PassRole
  • iam:PutRolePolicy

Restricted KMS Permissions:

  • kms:CreateGrant
  • kms:Decrypt
  • kms:Encrypt
  • kms:GenerateDataKey
  • kms:GenerateDataKeyWithoutPlaintext
  • kms:GetKeyPolicy
  • kms:ReEncryptFrom
  • kms:ReEncryptTo

Restricted SSM Permissions:

  • ssm:SendCommand

Cohesity also uses the EC2, RDS, SSM, S3, and IAM permissions listed below. By default, the scope of these permissions is limited to just the resources created by Cohesity.

Restricted EC2 Permissions:

  • ec2:AssociateIamInstanceProfile
  • ec2:AttachVolume
  • ec2:DeleteSnapshot
  • ec2:DeleteVolume
  • ec2:DetachVolume
  • ec2:ModifyInstanceAttribute
  • ec2:StartInstances
  • ec2:StopInstances
  • ec2:TerminateInstances

Restricted RDS Permissions:

  • rds:DeleteDBClusterSnapshot
  • rds:DeleteDBSnapshot
  • rds:ModifyDBClusterSnapshotAttribute
  • rds:ModifyDBSnapshotAttribute

Restricted SSM Permissions:

  • ssm:SendCommand

Restricted S3 Permissions:

  • s3:CreateBucket
  • s3:DeleteObject
  • s3:GetBucketAcl
  • s3:GetObject
  • s3:HeadObject
  • s3:PutBucketAcl
  • s3:PutBucketPublicAccessBlock

Restricted IAM Permissions:

  • iam:PassRole

Run the CFT

To run the Cohesity CloudFormation Template:

  1. Log in to your AWS Management Console.

  2. Navigate to All services and select CloudFormation.

  3. Click Create stack > With new resources (standard) to create a stack using the downloaded CloudFormation Template.

  4. In the Prerequisite - Prepare template page, select Upload a template file.

  5. Click Choose File to browse and upload the downloaded JSON CloudFormation Template.

    You can download the CFT when you register your AWS account as a source with Cohesity DataProtect as a Service.

  6. Click Next.

  7. Provide a Stack name. The stack name can include letters (A-Z and a-z), numbers (0-9), and dashes (-).

  8. (Optional) If you want to restrict the cross-account IAM role’s permissions to a set of resources, then use the following parameters to restrict the required permissions.

    • Restrict IAM permissions:

      In the List of allowed IAM Role ARNs, enter the IAM Role ARNs that are attached to the EC2 instances you intend to protect. The Role ARNs of the EC2 instances are required for EC2 recovery.

      You can enter more than one ARN in a comma-separated list. The Role ARN you enter must be in the following format:

      arn:partition:iam::account-id:role/role-name

      If your IAM role ARNs share a known prefix, you can use a pattern instead of providing each ARN individually:

      arn:partition:iam::account-id:role/prefix-*

    • Restrict KMS permissions (Optional):

      Use this field to limit the backup of encrypted EC2 instances to just those that are encrypted using an AWS KMS key with a specified tag.

      In the Allowed KMS Tag field, enter the tag key-value pair attached to the KMS aliases for which you want to grant the access. The key-value pair should be in the key$value format. For example, team$research, where team is the key and research is the value attached to the KMS alias.

      You can provide only one key-value pair. Leaving this field blank will grant access to all the KMS aliases in your account.

    • Restrict SSM permissions: Use this field to limit the available targets for file and folder recovery to only those EC2 instances with the specified tag.

      In the Allowed SSM Tag field, enter the tag key-value pair attached to the targets (EC2 instances) for which you want to grant the access. The key-value pair should be in the key$value format. For example, team$research, where team is the key and research is the value attached to the EC2 instances. You can provide only one key-value pair.

  9. Click Next.

  10. Retain all the default stack configuration options and click Next.

  11. On the Review page, select the checkboxes that need to be acknowledged and click Create stack.

    In addition to the primary stack, the CFT execution will create two additional nested stacks with the following naming format:

    1. <stack_name>-Macro-<random_aws_suffix>

      This stack is responsible for creating the lambda function for the CFT.

    2. <stack_name>-CrossAccountRole-<random_aws_suffix>

      This stack is responsible for creating the Cohesity cross-account roles.

    For example, if you executed a CFT with stack name Test, this will create three stacks:

    1. Test

    2. Test-Macro-<suffix>

    3. Test-CrossAccountRole-<suffix>

Once the CFT has executed, you are ready to register your AWS sources with Cohesity DataProtect as a Service.

Update CohesityPolicy

Once the stack is created, you can optionally update the CohesityPolicy attached to the CrossAccountRole for the following purposes:

  • Add IAM Role ARNs for EC2 Instances:

    If you did not specify the IAM Role ARNs attached to the EC2 instances you intend to protect during stack creation, you can add them later as a statement to the CohesityPolicy attached to the CrossAccountRole.

    For example:

      {
        "Action": [
          "iam:PassRole"
        ],
        "Resource": [
          "arn:aws:iam::498211347717:role/role-1",
          "arn:aws:iam::498211347717:role/role-2"
        ],
        "Effect": "Allow"
      }

    If your IAM role ARNs share a common prefix, you can simplify the policy statement by using a pattern instead of specifying each ARN individually.

    For example:

    "arn:aws:iam::498211347717:role/*"

  • Grant SendCommand Permission for File and Folder Recovery:

    To perform file and folder recovery on the targets (EC2 instances), add a statement to the CohesityPolicy attached to the CrossAccountRole that grants the SendCommand permission for the target.

    For example:

    {
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "arn:aws:ec2:*:<account-id>:instance/*",
      "Effect": "Allow"
    }
    
  • Specify Tags to Limit Available EC2 Targets:

    During stack creation, if you did not specify the tags to limit the available EC2 targets for file and folder recovery, you can add them later as a statement to the CohesityPolicy attached to the CrossAccountRole.

    For example:

    {
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/<Key>": "<value>"
        }
      },
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "arn:aws:ec2:*:<account-id>:instance/*",
      "Effect": "Allow"
    }
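
The following Python is an added check, not Cohesity's code or part of the CFT: it builds the tag-scoped SendCommand statement from the key$value format used above and audits a CohesityPolicy document for PassRole or SendCommand grants that are wider than the restrictions described in this section. The account id and the sample policy are constructed placeholders.

```python
import json

# Constructed sample CohesityPolicy fragment (placeholder account id): the two kinds
# of statement this page shows being added, one of them wider than intended.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::123456789012:role/role-1",
                      "arn:aws:iam::123456789012:role/*"]},
        {"Effect": "Allow", "Action": ["ssm:SendCommand"],
         "Resource": "arn:aws:ec2:*:123456789012:instance/*"},
    ],
}


def tag_condition(tag):
    """Convert the CFT's key$value tag format (e.g. team$research) into an
    aws:ResourceTag StringLike condition block."""
    key, sep, value = tag.partition("$")
    if not sep or not key or not value:
        raise ValueError("tag must be in key$value format, e.g. team$research")
    return {"StringLike": {f"aws:ResourceTag/{key}": value}}


def scoped_sendcommand(account_id, tag):
    """Build the tag-scoped ssm:SendCommand statement described above."""
    return {"Effect": "Allow", "Action": ["ssm:SendCommand"],
            "Resource": f"arn:aws:ec2:*:{account_id}:instance/*",
            "Condition": tag_condition(tag)}


def audit_policy(policy):
    """Return findings for PassRole / SendCommand grants wider than the
    restrictions this page describes. Accepts a dict or a JSON string."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, st in enumerate(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st.get("Action"), list) else [st.get("Action")]
        resources = st["Resource"] if isinstance(st.get("Resource"), list) else [st.get("Resource")]
        if "iam:PassRole" in actions:
            for r in resources:  # role/* matches every role in the account
                if r == "*" or r.endswith(":role/*"):
                    findings.append(f"statement {i}: iam:PassRole allows any role ({r})")
        if "ssm:SendCommand" in actions:
            cond = st.get("Condition", {})
            if not any(k.startswith("aws:ResourceTag/") for b in cond.values() for k in b):
                findings.append(f"statement {i}: ssm:SendCommand has no aws:ResourceTag condition")
    return findings
```

Run audit_policy against the policy document you download from the IAM console after editing CohesityPolicy; an empty list means both grants are scoped as this section intends.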
    

Update the Existing CloudFormation Template

In some situations, you might need to restrict the cross-account IAM role’s permissions to a set of resources. For example, if you need to change the use cases in a registered AWS source (such as adding RDS or S3 backups), you’ll need to update the Cohesity permissions in your AWS account. To do so, you’ll need to update and run a new CFT.

To update and run the new CFT template:

  1. In DataProtect as a Service, update the CFT by editing the AWS source, changing your settings as necessary, clicking Next, and downloading the updated CFT.

  2. Go to your AWS account, and from the Stack page (CloudFormation > Stacks), select the primary stack created.

  3. Select the Update tab.

  4. On the Update stack page, select Replace existing template and Upload a template file.

  5. Click Choose File to browse and upload the downloaded JSON CloudFormation Template.

  6. Click Next.

  7. (Optional) If you need to restrict the cross-account IAM role’s permissions to a set of resources, follow the guidelines in Step 8 in Run the CFT above.

  8. Click Next and select the checkboxes that need to be acknowledged, and then click Next.

  9. Review the stack details and then click Submit.

Your updated IAM role permissions are now associated with your AWS registration with Cohesity DataProtect as a Service.

View the Created IAM Role

To view the IAM role created by the CFT:

  1. From the Stack page (CloudFormation > Stacks), select the primary stack created.

  2. Click the Outputs tab.

    The Value column displays the role ARN in the following format, from which you can read the name of the created role:

    arn:partition:iam::account-id:role/role-name

Next > Return to registering your AWS account or, if you've already done so, start protecting the Amazon EC2 instances or RDS databases in your AWS account!