Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide
  3. Section I. NetBackup Snapshot Manager for Cloud installation and configuration
  4. NetBackup Snapshot Manager for cloud providers
  5. AWS plug-in configuration notes
  6. Prerequisites for application consistent snapshots using AWS Systems Service Manager
NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Prerequisites for application consistent snapshots using AWS Systems Service Manager

Ensure that you perform the following before you take filesystem/application consistent snapshots using AWS Systems Service Manager (SSM) of VM workload:

  • SSM agent must be installed on the VM workload and the AWS SSM agent service must be active.

    For more information, see Manually installing SSM Agent.

  • An IAM role attached to the VM workload must be updated with the policy having the following permissions and AmazonSSMManagedInstanceCore policy:

    {
                "Sid": "providerManagedConsistency",
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateSnapshots",
                    "ec2:CreateTags",
                    "ec2:CreateSnapshot"
                ],
                "Resource": [
                    "*"
                ]
         } 
           

    See AWS permissions required by NetBackup Snapshot Manager.

  • For Windows

    For Linux

    • AWSPowerShell version greater than or equal to 4.1.144 (AWS PowerShell)

    • AWS VSS Components version greater than or equal to 2.3.2 (Install the VSS package)

    Note:

    If the above modules are not installed, then NetBackup Snapshot Manager will install them if the VM workload has access to the internet.

    For a complete list of supported Windows OS version and AWS VSS component package, refer to AWS VSS solution version history.

    Install or update the latest version of the AWS CLI.

    Install or update the latest version of the AWS CLI

    By default application consistent snapshot would be be taken.

    A filesystem consistent snapshot will be taken.

    If application consistent snapshots must be taken, then perform the following steps:

    • The directory (/etc/veritas) must be present on Linux VM workload, if not present create it.

    • Create provider_managed_consistency.conf file within the /etc/veritas directory as follows:

      # cat /etc/veritas/provider_managed_consistency.conf
       
      PRE_SCRIPT_LOCATION = "/preScript.sh"
      PRE_SCRIPT_PARAMS = ""
      POST_SCRIPT_LOCATION = "/postScript.sh"
      POST_SCRIPT_PARAMS = ""
    • The user must create pre and post-scripts and add its absolute path in provider_managed_consistency.conf file.

      Pre-scripts invoke native application APIs, which quiesce the IOs, and flush in-memory content to the disk. These actions ensure that the snapshot is application consistent.

      Post-scripts use native application APIs to thaw the IOs, which enable the application to resume normal operations after the VM snapshot.

    • Pre-script parameters must be passed to PRE_SCRIPT_PARAMS and post-script parameters must be passed to POST_SCRIPT_PARAMS key.

    • Modify the permission of the files as follows:

      chmod 700 /preScript.sh /postScript.sh

If the above prerequisites are met, then by default NetBackup Snapshot Manager would take filesystem/application consistent snapshot of the VM workload. When AWS cloud provider plug-in is configured, then a new SSM document with name Veritas-Consistent-Snapshot would be created in the specified AWS account and region. This SSM document is managed by NetBackup Snapshot Manager and must not be modified by the user.

The logs can be located at the following respective location:

  • Snapshot Manager: /cloudpoint/logs/flexsnap.log

  • Host VM: Check the Amazon SSM logs (Viewing SSM Agent logs)

Feedback

Was this page helpful?
Previous

Protecting multiple cross-accounts using single source provider configuration

Next

Prerequisites for configuring AWS plug-in using VPC endpoint

Feedback

Was this page helpful?