Protecting multiple cross-accounts using single source provider configuration
Assets from multiple cross-accounts can be protected using a single provider configuration that is configured with the source account.
To use this feature, ensure that the NetBackup Snapshot Manager and the NetBackup Primary Server are upgraded to 11.1 or later.
Note:
Cross-accounts that are already protected using another existing cross-account configuration cannot be changed.
To configure cross-accounts using the same source plugin configuration
- Create a new IAM role in the other AWS account (that is, the target account).
- Create a new policy for the IAM role and ensure that it has the required permissions to access the assets in that target AWS account.
- Establish a trust relationship between the source and the target AWS accounts.
For example, in the target role's trust policy, allow the Assume Role action for the source account role that will be used to configure the provider. The following is an example of this trust policy configuration:
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<source-account-id>:role/source-role"
  },
  "Action": "sts:AssumeRole"
}
To create and edit the inline policy
- Create the inline policy that will allow the cross-accounts to be protected from the source account.
In the source account, create an inline policy named Implicitly_Protected_Accounts that allows the Assume Role action on the roles in the other accounts. Create one entry for each implicitly protected account.
For example,
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::<cross-account-1-id>:role/cross-role-1",
        "arn:aws:iam::<cross-account-2-id>:role/cross-role-2"
      ]
    }
  ]
}
Note:
Edit the existing role in the source account and add the inline policy with the exact name Implicitly_Protected_Accounts.
- To allow the source account configuration to read the inline policy, provide the following additional IAM permission:
iam:GetRolePolicy
- Edit and save the inline policy to add all the cross-accounts to be protected and assign the same source account configuration. In this inline policy, allow the Assume Role action for each cross-account role. Create one entry for each implicitly protected account.
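The two procedures above only work when both sides agree: every role listed in Implicitly_Protected_Accounts must have a trust policy that names the source role. The following is an added example, not part of the NetBackup documentation or product, that checks exported policy documents offline. The function names, account IDs and role names are assumptions, and the check is stricter than IAM itself: it requires the source role ARN to be named exactly, as in the trust policy example above, and rejects wildcard resources.

```python
import re

# One concrete role ARN per protected account; wildcards are rejected.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows_assume_role(stmt):
    return stmt.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(stmt.get("Action", []))

def protected_roles(inline_policy):
    """Split the source-side inline policy into role ARNs and findings."""
    roles, findings = [], []
    for stmt in as_list(inline_policy.get("Statement", [])):
        if not allows_assume_role(stmt):
            continue
        for res in as_list(stmt.get("Resource", [])):
            if ROLE_ARN.match(res):
                roles.append(res)
            else:
                findings.append(f"not a single role ARN: {res}")
    return roles, findings

def trusts(trust_policy, source_role):
    """True if a statement lets exactly source_role assume the target role."""
    for stmt in as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if allows_assume_role(stmt) and source_role in aws:
            return True
    return False

def check(inline_policy, trust_policies, source_role):
    """Return a list of findings; an empty list means both sides line up."""
    roles, findings = protected_roles(inline_policy)
    for arn in roles:
        if arn not in trust_policies:
            findings.append(f"no trust policy supplied for {arn}")
        elif not trusts(trust_policies[arn], source_role):
            findings.append(f"{arn} does not trust {source_role}")
    return findings

# Constructed sample data: account IDs and role names are placeholders.
SOURCE_ROLE = "arn:aws:iam::111111111111:role/source-role"
CROSS_1 = "arn:aws:iam::222222222222:role/cross-role-1"
CROSS_2 = "arn:aws:iam::333333333333:role/cross-role-2"
INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [CROSS_1, CROSS_2]}]}
def trust_for(principal):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]}
TRUST = {CROSS_1: trust_for(SOURCE_ROLE), CROSS_2: trust_for(SOURCE_ROLE + "-old")}
print(check(INLINE, TRUST, SOURCE_ROLE))
```

With real data, load each exported policy document with json.load and key the trust policies by the target role ARN.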