NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Protecting multiple cross-accounts using single source provider configuration

Assets from multiple cross-accounts can be protected using a single provider configuration that is configured with the source account.

To use this feature, ensure that the NetBackup Snapshot Manager and the NetBackup Primary Server are upgraded to 11.1 or later.

Note:

The cross-accounts which are already being protected using some other existing cross-account configuration cannot be changed.

To configure cross-accounts using the same source plugin configuration

  1. Create a new IAM role in the other AWS account (that is, the target account).
  2. Create a new policy for the IAM role and ensure that it has the required permissions to access the assets in that target AWS account.
  3. Establish a trust relationship between the source and the target AWS accounts.

    For example, in the target role's trust policy, allow the Assume Role action for the source account role that will be used to configure the provider. Following is an example of this trust policy configuration:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<source-account-id>:role/source-role"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

To create and edit the inline policy

  1. Create the inline policy that will allow the cross-accounts to be protected from the source account.

    In the source account, create an inline policy named Implicitly_Protected_Accounts that allows the Assume Role action on the roles in the other accounts. Create one entry for each implicit protected account.

    For example,

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": [
                    "arn:aws:iam::<cross-account-1-id>:role/cross-role-1",
                    "arn:aws:iam::<cross-account-2-id>:role/cross-role-2"
                ]
            }
        ]
    }

    Note:

    Edit the existing role in the source account and add the inline policy with the exact name Implicitly_Protected_Accounts.

  2. To allow the source account configuration to read the inline policy, provide the following additional IAM permission:
    iam:GetRolePolicy
  3. Edit and save the inline policy to add all the cross-accounts to be protected and assign the same source account configuration. In this inline policy, allow the Assume Role action for each cross-account role. Create one entry for each implicit protected account.
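
The following is an added example, not part of the NetBackup documentation: an offline Python check that reviews the two policy documents from the procedures above before they are applied, flagging an Implicitly_Protected_Accounts policy that names anything other than single role ARNs and a target trust policy that trusts more than the source role. The function names, account IDs, and role names are assumptions constructed for illustration.

```python
import json
import re

# Exactly one role in one 12-digit account; wildcards never match.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

def _as_list(value):
    """IAM lets Statement, Action, Resource and Principal be scalar or list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_inline_policy(policy_json):
    """Return (protected_account_ids, findings) for the source-side inline policy."""
    accounts, findings = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":  # IAM actions are case-insensitive
                findings.append(f"unexpected action: {action}")
        for resource in _as_list(stmt.get("Resource")):
            match = ROLE_ARN.match(resource)
            if match:
                accounts.append(match.group(1))
            else:
                findings.append(f"not a single role ARN: {resource}")
    return accounts, findings

def audit_trust_policy(trust_json, source_role_arn):
    """Return findings where a target-side trust policy trusts more than the source role."""
    findings = []
    for stmt in _as_list(json.loads(trust_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        trusted = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        findings += [f"trusts more than the source role: {arn}"
                     for arn in trusted if arn != source_role_arn]
    return findings

# Constructed sample documents (account IDs and role names are placeholders).
SOURCE_ROLE = "arn:aws:iam::111111111111:role/source-role"
INLINE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Resource": ["arn:aws:iam::222222222222:role/cross-role-1",
                 "arn:aws:iam::333333333333:role/*"]}]})
TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]})
```

With the sample input, the wildcard resource and the account-root principal are both reported, while the entry for `cross-role-1` is accepted as a protected account.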
