Veritas NetBackup™ CloudPoint Install and Upgrade Guide

Configuring AWS KMS in CloudPoint

This section applies only if the CloudPoint instance is deployed in the AWS cloud.

Perform the following steps if you wish to configure CloudPoint to use AWS Key Management Service (KMS) for encrypting and decrypting your CloudPoint configuration information. CloudPoint provides REST APIs that you can use to configure AWS KMS in your CloudPoint environment.

CloudPoint AWS KMS configuration prerequisites
  • Ensure that you have successfully installed and configured CloudPoint on the EC2 instance in the AWS cloud.

    See Installing CloudPoint.

  • Ensure that you have created an AWS IAM role and attached it to the CloudPoint EC2 instance.

    The IAM role must have the following permissions at a minimum:

    kms:DescribeKey
    kms:GenerateDataKey
    kms:Decrypt

    Refer to the following AWS documentation for detailed instructions:

    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#working-with-iam-roles

  • Ensure that you have created a customer managed Customer Master Key (CMK). The Key ID of the CMK is required for configuring AWS KMS in CloudPoint.

    Refer to the following AWS KMS documentation for detailed instructions:

    https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

To configure AWS KMS in CloudPoint

  1. Generate an authentication token for the CloudPoint administrator user account by using the following CloudPoint Identity Management API:

    POST /v4/idm/login

    On any system that can connect to the CloudPoint instance, type the following cURL command:

    # curl -k https://<cloudpointhostFQDN>/cloudpoint/api/v4/idm/login -X 'POST' -H "Content-Type: application/json" -d '{"email":"<username>", "password":"<password>"}'

    Replace the following parameters as per your environment:

    Parameter               Description
    <cloudpointhostFQDN>    Represents the Fully Qualified Domain Name (FQDN) that was specified while performing the initial CloudPoint configuration on the host.
    <username>              Represents the user name that was specified as the CloudPoint administrator user during initial configuration.
    <password>              Represents the password of the CloudPoint administrator user account.

  2. Observe the API output on the command prompt. The output resembles the following:
    {
        "accessToken": "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJWZXJpdGFzIiwidXN",
        "applicationId": "",
        "applicationPath": "",
        "errorCode": ""
    }

    The alphanumeric value of accessToken is the token that authorizes all CloudPoint API requests on the host. Copy the token; it is required in the subsequent steps.

    Note:

    The authentication token displayed here is for illustration only. Use the actual token that is generated when you run this command in your environment.

  3. Create a new AWS KMS configuration using the CloudPoint Key Management Service API POST /v4/kms.

    Enter the following cURL command on the same command prompt:

    # curl -k "https://<cloudpointhostFQDN>/cloudpoint/api/v4/kms" \
      -X 'POST' -H "Content-Type: application/json" \
      -H "Authorization: Bearer <authtoken>" \
      -d '{"platform":"aws", "masterKeyId":"<cmk_keyid>", "credentials":{"type":"iamrole", "regionname":"<cmk_regionname>"}}'

    Replace the following parameters as per your environment:

    Parameter               Description
    <cloudpointhostFQDN>    Represents the Fully Qualified Domain Name (FQDN) that was specified while performing the initial CloudPoint configuration on the host.
    <authtoken>             Represents the alphanumeric authentication token that you generated in the earlier step.
    <cmk_keyid>             Represents the key ID of the AWS customer managed Customer Master Key (CMK) that you created for CloudPoint.
    <cmk_regionname>        Represents the CMK region where the CloudPoint instance is deployed.

  4. Observe the API output on the command prompt and wait for the task to complete.
  5. Verify that AWS KMS is configured successfully by using the CloudPoint API GET /v4/kms.

    Run the following cURL command:

    # curl -k -X GET "https://<cloudpointhostFQDN>/cloudpoint/api/v4/kms" \
      -H "accept: application/json" \
      -H "Authorization: Bearer <authtoken>"

    Replace the following parameters as per your environment:

    Parameter               Description
    <cloudpointhostFQDN>    Represents the Fully Qualified Domain Name (FQDN) that was specified while performing the initial CloudPoint configuration on the host.
    <authtoken>             Represents the alphanumeric authentication token that you generated in step 2 earlier.

    An HTTP 200 status indicates that the configuration was performed successfully.
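
The following script is an added example, not part of the Veritas documentation. It chains steps 1 to 5 and sends the password and the token to curl over standard input, so neither appears in the command line, shell history or process list. The variables CP_HOST, CP_USER, CMK_ID and CMK_REGION and all function names are assumptions of this example; -k is kept only because the page's commands use it.

```shell
#!/bin/sh
# Added example: steps 1-5 as one script. Endpoints and JSON fields are the
# ones on this page; CP_HOST, CP_USER, CMK_ID, CMK_REGION and all function
# names are assumptions of this example.

# Escape backslashes and double quotes so a value is safe inside JSON.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Extract accessToken from the login response shown in step 2.
extract_token() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Body for POST /v4/kms (step 3), IAM-role credentials.
kms_payload() {
    printf '{"platform":"aws", "masterKeyId":"%s", "credentials":{"type":"iamrole", "regionname":"%s"}}' \
        "$(json_escape "$1")" "$(json_escape "$2")"
}

# Secrets travel over stdin (-d @-, -H @-), never in argv or shell history.
# -H @- needs curl 7.55.0 or later.
auth_header() { printf 'Authorization: Bearer %s\n' "$1"; }

configure_kms() {
    base="https://${CP_HOST}/cloudpoint/api/v4"
    printf 'Password for %s: ' "$CP_USER" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    resp=$(printf '{"email":"%s", "password":"%s"}' \
            "$(json_escape "$CP_USER")" "$(json_escape "$pw")" |
        curl -sk "$base/idm/login" -X POST \
            -H "Content-Type: application/json" -d @-)
    unset pw
    token=$(extract_token "$resp")
    [ -n "$token" ] || { echo "login failed: no accessToken" >&2; return 1; }
    # Steps 3-4: the response is printed so the operator can watch the task.
    auth_header "$token" | curl -sk "$base/kms" -X POST \
        -H "Content-Type: application/json" -H @- \
        -d "$(kms_payload "$CMK_ID" "$CMK_REGION")" || return 1
    echo
    # Step 5: HTTP 200 from GET /v4/kms means the configuration succeeded.
    code=$(auth_header "$token" | curl -sk -o /dev/null -w '%{http_code}' \
        -X GET "$base/kms" -H "accept: application/json" -H @-)
    [ "$code" = "200" ]
}

if [ "${1:-}" = "--run" ]; then configure_kms; fi
```

Run it with the four variables exported and the argument --run; the exit status is 0 only when the final GET returns HTTP 200.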
