Veritas NetBackup™ CloudPoint Install and Upgrade Guide

Prerequisites for configuring the AWS plug-in

If the CloudPoint instance is deployed in the AWS cloud, do the following before you configure the plug-in:

  • Create an AWS IAM role and assign permissions that are required by CloudPoint.

    See Configuring AWS permissions for CloudPoint.

    Refer to the AWS documentation for instructions on how to create an IAM role:

    https://docs.aws.amazon.com/IAM/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role

  • Attach the IAM role to the CloudPoint instance.

    Refer to the AWS documentation for instructions on how to attach an IAM role:

    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role

    Note:

    If you have deployed CloudPoint using the CloudFormation Template (CFT), then the IAM role is automatically assigned to the instance when the CloudPoint stack is launched.

  • For cross account configuration, from the AWS IAM console (IAM Console > Roles), edit the IAM roles such that:

    • A new IAM role is created and assigned to the other AWS account (target account). Also, assign that role a policy that has the required permissions to access the assets in the target AWS account.

    • The IAM role of the other AWS account should trust the Source Account IAM role (Roles > Trust relationships tab).

    • The Source Account IAM role is assigned an inline policy (Roles > Permissions tab) that allows the source role to assume the role ("sts:AssumeRole") of the other AWS account.

    • The validity of the temporary security credentials that the Source Account IAM role gets when it assumes the Cross Account IAM role is set to 1 hour, at a minimum (Maximum CLI/API session duration field).

    See Before you create a cross account configuration.

  • If the assets in the AWS cloud are encrypted using AWS KMS Customer Managed Keys (CMK), then you must ensure the following:

    • If using an IAM user for CloudPoint plug-in configuration, ensure that the IAM user is added as a key user of the CMK.

    • For source account configuration, ensure that the IAM role that is attached to the CloudPoint instance is added as a key user of the CMK.

    • For cross account configuration, ensure that the IAM role that is assigned to the other AWS account (cross account) is added as a key user of the CMK.

    Adding these IAM roles and users as key users of the CMK allows them to use the AWS KMS CMK directly for cryptographic operations on the assets. Refer to the AWS documentation for more details:

    https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-users
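
The cross account prerequisites listed above (trust relationship, inline `sts:AssumeRole` policy, and a session duration of at least 1 hour) can be checked offline against exported policy documents. The following Python check is an added example, not part of the Veritas guide or CloudPoint: the account IDs, role names and policy documents are constructed placeholders, it matches the literal `sts:AssumeRole` action only, and the wildcard and account-root findings are an extra least-privilege check that goes beyond what the guide requires.

```python
# Added example: offline check of the cross-account prerequisites listed above.
# Account IDs and role names are constructed placeholders, not values from the guide.
SOURCE_ROLE = "arn:aws:iam::111111111111:role/cloudpoint-source"
TARGET_ROLE = "arn:aws:iam::222222222222:role/cloudpoint-target"

# Constructed trust policy for the target-account role (Trust relationships tab).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SOURCE_ROLE}, "Action": "sts:AssumeRole"}]}
# Constructed inline policy for the source-account role (Permissions tab).
INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}]}

def _as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def _assume_role_values(policy, field):
    """Collect `field` values from Allow statements that name sts:AssumeRole literally."""
    values = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        value = stmt.get(field, [])
        if isinstance(value, dict):          # Principal: {"AWS": ...}
            value = value.get("AWS", [])
        values += _as_list(value)
    return values

def check_cross_account(trust_policy, inline_policy, max_session_seconds):
    """Return a list of findings; an empty list means all three prerequisites hold."""
    findings = []
    principals = _assume_role_values(trust_policy, "Principal")
    if SOURCE_ROLE not in principals:
        findings.append("trust policy does not name the source role")
    if any(p == "*" or p.endswith(":root") for p in principals):
        findings.append("trust is wider than the source role")
    resources = _assume_role_values(inline_policy, "Resource")
    if TARGET_ROLE not in resources and "*" not in resources:
        findings.append("source role is not allowed to assume the target role")
    if "*" in resources:
        findings.append("source role may assume any role")
    if max_session_seconds < 3600:           # guide requires at least 1 hour
        findings.append("maximum session duration is under 1 hour")
    return findings

if __name__ == "__main__":
    print(check_cross_account(TRUST_POLICY, INLINE_POLICY, 3600))
```

The `max_session_seconds` argument corresponds to the role's Maximum CLI/API session duration field, expressed in seconds.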
