Run CloudFormation Template
To register AWS sources, first run Cohesity's CloudFormation Template (CFT).
Before you can register an AWS source, you'll need to configure your account's IAM role permissions for Cohesity DataProtect as a Service. To do so, you can execute Cohesity's CloudFormation Template (CFT), a JSON file you can download from
When you execute the CFT, it creates an AWS IAM role and the policies based on the AWS services (EC2 instances and/or RDS databases) you select during AWS source registration. By default, the CFT-created role will be able to access all IAM roles and KMS keys in your account, but you can optionally restrict the permissions to specific IAM roles and KMS resources in the Parameters section when executing the CFT.
Configure CFT Parameters
These CFT parameters allow you to restrict the permissions:
- Restrict IAM Permissions: Use this field to restrict Cohesity’s access to just the EC2 instances that you intend to protect and recover.
- Restrict KMS Permissions (Optional): Use this field to limit the backup of encrypted EC2 instances to just those that are encrypted using an AWS KMS key with the tag specified.
- Restrict SSM Permissions: Use this field to limit the available targets for file and folder recovery to only those EC2 instances with the specified tag.
The table below lists some of the permissions that Cohesity would use in your AWS account. The default scope is all resources, but you can use the parameters above to limit the scope of these permissions to specific resources.
Restricted IAM Permissions | Restricted KMS Permissions | Restricted SSM Permissions
---|---|---
iam:AddRoleToInstanceProfile, iam:AttachRolePolicy, iam:CreateInstanceProfile, iam:CreateRole, iam:GetInstanceProfile, iam:GetRole, iam:GetRolePolicy, iam:PassRole, iam:PutRolePolicy | kms:CreateGrant, kms:Decrypt, kms:Encrypt, kms:GenerateDataKey, kms:GenerateDataKeyWithoutPlaintext, kms:GetKeyPolicy, kms:ReEncryptFrom, kms:ReEncryptTo | ssm:SendCommand
Cohesity also uses the EC2, RDS, SSM, S3, and IAM permissions listed in the table below; by default, their scope is limited to just the resources created by Cohesity.
Restricted EC2 Permissions | Restricted RDS Permissions | Restricted SSM Permissions | Restricted S3 Permissions | Restricted IAM Permissions
---|---|---|---|---
ec2:AssociateIamInstanceProfile, ec2:AttachVolume, ec2:DeleteSnapshot, ec2:DeleteVolume, ec2:DetachVolume, ec2:ModifyInstanceAttribute, ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances | rds:DeleteDBClusterSnapshot, rds:DeleteDBSnapshot, rds:ModifyDBClusterSnapshotAttribute, rds:ModifyDBSnapshotAttribute | ssm:SendCommand | s3:CreateBucket, s3:DeleteObject, s3:GetBucketAcl, s3:GetObject, s3:HeadObject, s3:PutBucketAcl, s3:PutBucketPublicAccessBlock | iam:PassRole
Run the CFT
To run the Cohesity CloudFormation Template:
1. Log in to your AWS Management Console.
2. Navigate to All services and select CloudFormation.
3. Click Create stack > With new resources (standard) to create a stack using the downloaded CloudFormation Template.
4. In the Prerequisite - Prepare template page, select Upload a template file.
5. Click Choose File to browse and upload the downloaded JSON CloudFormation Template.
   You can download the CFT when you register your AWS account as a source with Cohesity DataProtect as a Service.
6. Click Next.
7. Provide a Stack name. The stack name can include letters (A-Z and a-z), numbers (0-9), and dashes (-).
8. (Optional) If you want to restrict the cross-account IAM role’s permissions to a set of resources, use the following parameters to restrict the required permissions.
   - Restrict IAM permissions: In the List of allowed IAM Role ARNs, enter the IAM Role ARNs that are attached to the EC2 instances you intend to protect. The Role ARNs of the EC2 instances are required for EC2 recovery. You can enter more than one ARN in a comma-separated list. Each Role ARN you enter must be in the following format:
     arn:partition:iam::account-id:role/role-name
     If your IAM role ARNs share a known prefix, you can use a pattern instead of providing each ARN, as below:
     arn:partition:iam::account-id:role/prefix-*
   - Restrict KMS permissions (Optional): Use this field to limit the backup of encrypted EC2 instances to just those that are encrypted using an AWS KMS key with a specified tag. In the Allowed KMS Tag field, enter the tag key-value pair attached to the KMS aliases for which you want to grant access. The key-value pair should be in the key$value format. For example, team$research, where team is the key and research is the value attached to the KMS alias. You can provide only one key-value pair. Leaving this field blank will grant access to all the KMS aliases in your account.
   - Restrict SSM permissions: Use this field to limit the available targets for file and folder recovery to only those EC2 instances with the specified tag. In the Allowed SSM Tag field, enter the tag key-value pair attached to the targets (EC2 instances) for which you want to grant access. The key-value pair should be in the key$value format. For example, team$research, where team is the key and research is the value attached to the EC2 instances. You can provide only one key-value pair.
9. Click Next.
10. Retain all the default stack configuration options and click Next.
11. On the Review page, select the checkboxes that need to be acknowledged and click Create stack.
    In addition to the primary stack, the CFT execution creates two additional nested stacks with the following naming format:
    <stack_name>-Macro-<random_aws_suffix>: This stack is responsible for creating the Lambda function for the CFT.
    <stack_name>-CrossAccountRole-<random_aws_suffix>: This stack is responsible for creating the Cohesity cross-account roles.
    For example, if you executed a CFT with stack name Test, this will create three stacks:
    1. Test
    2. Test-Macro-<suffix>
    3. Test-CrossAccountRole-<suffix>
Once the CFT has executed, you are ready to register your AWS sources with Cohesity DataProtect as a Service.
Update CohesityPolicy
Once the stack is created, you can optionally update the CohesityPolicy attached to the CrossAccountRole for the following purposes:
- Add IAM Role ARNs for EC2 Instances: If you did not specify the IAM Role ARNs attached to the EC2 instances you intend to protect during stack creation, you can add them later as a statement to the CohesityPolicy attached to the CrossAccountRole. For example:
  {
    "Action": [ "iam:PassRole" ],
    "Resource": [
      "arn:aws:iam::498211347717:role/role-1",
      "arn:aws:iam::498211347717:role/role-2"
    ],
    "Effect": "Allow"
  }
  If your IAM role ARNs share a common prefix, you can simplify the policy statement by using a pattern instead of specifying each ARN individually. For example:
  "arn:aws:iam::498211347717:role/*"
- Grant SendCommand Permission for File and Folder Recovery: To perform file and folder recovery on the targets (EC2 instances), add a statement to the CohesityPolicy attached to the CrossAccountRole, granting the SendCommand permission for the target. For example:
  {
    "Action": [ "ssm:SendCommand" ],
    "Resource": "arn:aws:ec2:*:<account-id>:instance/*",
    "Effect": "Allow"
  }
- Specify Tags to Limit Available EC2 Targets: During stack creation, if you did not specify the tags to limit the available EC2 targets for file and folder recovery, you can add them later as a statement to the CohesityPolicy attached to the CrossAccountRole. For example:
  {
    "Condition": { "StringLike": { "aws:ResourceTag/<Key>": "<value>" } },
    "Action": [ "ssm:SendCommand" ],
    "Resource": "arn:aws:ec2:*:<account-id>:instance/*",
    "Effect": "Allow"
  }
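As an added check (example code, not Cohesity's), the following Python audits a CohesityPolicy document for the three scopes that the parameter tables and this section describe: iam:PassRole limited to role ARNs or a role prefix pattern, ssm:SendCommand gated by an aws:ResourceTag condition, and KMS actions not left on "*". The sample policy and its account ID are constructed, not taken from a real account.

```python
import re

# arn:partition:iam::account-id:role/role-name, or a role/prefix-* pattern (role/* allowed, as on the page).
ROLE_ARN = re.compile(r"^arn:[^:]+:iam::\d{12}:role/(?:[A-Za-z0-9+=,.@_-]+\*?|\*)$")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _has_resource_tag_condition(stmt):
    """True if any condition operator keys on aws:ResourceTag/<Key>."""
    return any(key.startswith("aws:ResourceTag/")
               for operator in stmt.get("Condition", {}).values()
               for key in operator)


def audit_policy(policy):
    """Return findings as strings; an empty list means every sensitive action is scoped."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        tagged = _has_resource_tag_condition(stmt)
        for resource in _as_list(stmt.get("Resource")):
            if "iam:PassRole" in actions and not ROLE_ARN.match(resource):
                findings.append(f"statement {index}: iam:PassRole on {resource!r} is not a role ARN or role prefix pattern")
            if "ssm:SendCommand" in actions and resource.endswith(":instance/*") and not tagged:
                findings.append(f"statement {index}: ssm:SendCommand on every instance with no aws:ResourceTag condition")
            if any(a.startswith("kms:") for a in actions) and resource == "*" and not tagged:
                findings.append(f"statement {index}: KMS actions on '*' with no key tag condition")
    return findings


# Constructed sample policy; account ID 111122223333 is a placeholder, not a real account.
SAMPLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::111122223333:role/backup-role-1",
                      "arn:aws:iam::111122223333:role/backup-*"]},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:SendCommand"],
         "Resource": "arn:aws:ec2:*:111122223333:instance/*",
         "Condition": {"StringLike": {"aws:ResourceTag/team": "research"}}},
        {"Effect": "Allow", "Action": ["ssm:SendCommand"],
         "Resource": "arn:aws:ec2:*:111122223333:instance/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:CreateGrant"], "Resource": "*"},
    ],
}
```

Run `audit_policy` against the policy document you export from the CrossAccountRole; statements 1, 3 and 4 of the sample are reported, the tagged and explicitly scoped ones are not.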
Update the Existing CloudFormation Template
In some situations, you might need to change the cross-account IAM role’s permissions, for example to restrict them to a set of resources, or because you changed the use cases of a registered AWS source (such as adding RDS or S3 backups). In either case, you’ll need to update the Cohesity permissions in your AWS account by updating and running a new CFT.
To update and run the new CFT template:
1. In DataProtect as a Service, update the CFT by editing the AWS source, changing your settings as necessary, clicking Next, and downloading the updated CFT.
2. Go to your AWS account, and from the Stack page (CloudFormation > Stacks), select the primary stack you created.
3. Select the Update tab.
4. On the Update stack page, select Replace existing template and Upload a template file.
5. Click Choose File to browse and upload the downloaded JSON CloudFormation Template.
6. Click Next.
7. (Optional) If you need to restrict the cross-account IAM role’s permissions to a set of resources, follow the guidelines in Step 8 in Run the CFT above.
8. Click Next, select the checkboxes that need to be acknowledged, and then click Next.
9. Review the stack details and then click Submit.
Your updated IAM role permissions are now associated with your AWS registration with Cohesity DataProtect as a Service.
View the Created IAM Role
To view the IAM role created by the CFT:
1. From the Stack page (CloudFormation > Stacks), select the primary stack created.
2. Click the Outputs tab.
   The Value column displays the ARN in the following format, from which you can get the name of the role created:
   arn:partition:iam::account-id:role/role-name
Next > Return to registering your AWS account or, if you've already done so, start protecting the Amazon EC2 instances or RDS databases in your AWS account!