Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. Veritas NetBackup™ CloudPoint Install and Upgrade Guide
  5. Section I. CloudPoint installation and configuration
  7. CloudPoint cloud plug-ins
  9. AWS plug-in configuration notes
Veritas NetBackup™ CloudPoint Install and Upgrade Guide

AWS plug-in configuration notes

The Amazon Web Services (AWS) plug-in lets you create, restore, and delete snapshots of the following assets in an Amazon cloud:

  • Elastic Compute Cloud (EC2) instances

  • Elastic Block Store (EBS) volumes

  • Amazon Relational Database Service (RDS) instances

  • Aurora clusters

Note:

Before you configure the AWS plug-in, make sure that you have configured the proper permissions so CloudPoint can work with your AWS assets.

CloudPoint supports the following AWS regions:

Table: AWS regions supported by CloudPoint

AWS commercial regions

AWS GovCloud (US) regions

  • us-east-1, us-east-2, us-west-1, us-west-2

  • ap-east-1, ap-south-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2

  • eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, eu-south-1 Milan, eu-south-1 Cape Town

  • cn-north-1, cn-northwest-1

  • ca-central-1

  • me-south-1

  • sa-east-1

  • us-gov-east-1

  • us-gov-west-1

The following information is required for configuring the CloudPoint plug-in for AWS:

If CloudPoint is deployed on a on-premise host or a virtual machine:

Table: AWS plug-in configuration parameters

CloudPoint configuration parameter

AWS equivalent term and description

Access key

The access key ID, when specified with the secret access key, authorizes CloudPoint to interact with the AWS APIs.

Secret key

The secret access key.

Regions

One or more AWS regions in which to discover cloud assets.

Note:

CloudPoint encrypts credentials using AES-256 encryption.

If CloudPoint is deployed in the AWS cloud:

Table: AWS plug-in configuration parameters: cloud deployment

CloudPoint configuration parameter

Description

For Source Account configuration

Regions

One or more AWS regions associated with the AWS source account in which to discover cloud assets.

Note:

If you deploy CloudPoint using the CloudFormation template (CFT), then the source account is automatically configured as part of the template-based deployment workflow.

For Cross Account configuration

Account ID

The account ID of the other AWS account (cross account) whose assets you wish to protect using the CloudPoint instance configured in the Source Account.

Role Name

The IAM role that is attached to the other AWS account (cross account).

Regions

One or more AWS regions associated with the AWS cross account in which to discover cloud assets.

When CloudPoint connects to AWS, it uses the following endpoints. You can use this information to create a whitelist on your firewall.

  • ec2.*.amazonaws.com

  • sts.amazonaws.com

  • rds.*.amazonaws.com

  • kms. *.amazonaws.com

In addition, you must specify the following resources and actions:

  • ec2.SecurityGroup.*

  • ec2.Subnet.*

  • ec2.Vpc.*

  • ec2.createInstance

  • ec2.runInstances

AWS plug-in considerations and limitations

Before you configure the plug-in, consider the following:

  • You cannot delete automated snapshots of RDS instances and Aurora clusters through CloudPoint.

  • You cannot take application-consistent snapshots of AWS RDS instances. Even though CloudPoint allows you to create an application-consistent snapshot for such an instance, the actual snapshot that gets created is not application-consistent.

    This is a limitation from AWS and is currently outside the scope of CloudPoint.

  • All automated snapshot names start with the pattern rds:.

  • If you are configuring the plug-in to discover and protect AWS Nitro-based Windows instances that use NVMe EBS volumes, you must ensure that the AWS NVMe tool executable file, ebsnvme-id.exe, is present in any of the following locations on the AWS instance:

    • %PROGRAMDATA%\Amazon\Tools

      This is the default location for most AWS instances.

    • %PROGRAMFILES%\Veritas\Cloudpoint

      Manually download and copy the executable file to this location.

    • System PATH environment variable

      Add or update the executable file path in the system's PATH environment variable.

    If the NVMe tool is not present in one of the mentioned locations, CloudPoint may fail to discover the file systems on such instances. You may see the following error in the logs:

    "ebsnvme-id.exe" not found in expected paths!"

    This is required for AWS Nitro-based Windows instances only. Also, if the instance is launched using the community AMI or custom AMI, you might need to install the tool manually.

  • CloudPoint does not support cross-account replication for AWS RDS instances or clusters, if the snapshots are encrypted using the default RDS encryption key (aws/rds). You cannot share such encrypted snapshots between AWS accounts.

    If you try to replicate such snapshots between AWS accounts, the operation fails with the following error:

    Replication failed The source snapshot KMS key [<key>] does not exist, 
is not enabled or you do not have permissions to access it.

    This is a limitation from AWS and is currently outside the scope of CloudPoint.

  • If a region is removed from the AWS plug-in configuration, then all the discovered assets from that region are also removed from the CloudPoint assets database. If there are any active snapshots that are associated with the assets that get removed, then you may not be able perform any operations on those snapshots.

    Once you add that region back into the plug-in configuration, CloudPoint discovers all the assets again and you can resume operations on the associated snapshots. However, you cannot perform restore operations on the associated snapshots.

  • If you are creating multiple configurations for the same plug-in, ensure that they manage different regions. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.

    CloudPoint currently does not block you from creating such a configuration. If there is an overlap of cloud assets between plug-in configurations, you may have to resolve the configuration issue by deleting the plug-in configurations and adding them again, ensuring that there are no overlapping assets.

    However, CloudPoint does not allow you to delete a plug-in configuration if there are any snapshots associated with the assets in that configuration.

  • CloudPoint supports commercial as well as GovCloud (US) regions. During AWS plug-in configuration, even though you can select a combination of AWS commercial and GovCloud (US) regions, the configuration will eventually fail.

  • CloudPoint does not support IPv6 addresses for AWS RDS instances. This is a limitation of Amazon RDS itself and is not related to CloudPoint.

    Refer to the AWS documentation for more information:

    https://aws.amazon.com/premiumsupport/knowledge-center/rds-ipv6/

  • CloudPoint does not support application consistent snapshots and granular file restores for Windows systems with virtual disks or storage spaces that are created from a storage pool. If a Microsoft SQL server snapshot job uses disks from a storage pool, the job fails with an error. But if a snapshot job for virtual machine which is in a connected state is triggered, the job might be successful. In this case, the file system quiescing and indexing is skipped. The restore job for such an individual disk to original location also fails. In this condition, the host might move to an unrecoverable state and requires a manual recovery.

Feedback

Was this page helpful?
Previous

How to configure the CloudPoint cloud plug-ins?

Next

Prerequisites for configuring the AWS plug-in

Feedback

Was this page helpful?