Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. Veritas NetBackup™ CloudPoint Install and Upgrade Guide
  5. Section I. CloudPoint installation and configuration
  7. CloudPoint cloud plug-ins
  9. AWS plug-in configuration notes
  11. Before you create a cross account configuration
Veritas NetBackup™ CloudPoint Install and Upgrade Guide

Before you create a cross account configuration

For CloudPoint cross account configuration, you need to perform the following additional tasks before you can create the configuration:

  • Create a new IAM role in the other AWS account (target account)

  • Create a new policy for the IAM role and ensure that it has required permissions to access the assets in that target AWS account

  • Establish a trust relationship between the source and the target AWS accounts

  • In the source AWS account, create a policy that allows the IAM role in the source AWS account to assume the IAM role in the target AWS account

  • In the target AWS account, set the maximum CLI/API session duration to 1 hour, at a minimum

Perform the following steps:

  1. Using the AWS Management Console, create an IAM role in the additional AWS account (the target account) whose assets you want to protect using CloudPoint.

    While creating the IAM role, select the role type as Another AWS account.

  2. Define a policy for the IAM role that you created in the earlier step.

    Ensure that the policy has the required permissions that allow the IAM role to access all the assets (EC2, RDS, and so on) in the target AWS account.

  3. Set up a trust relationship between the source and target AWS accounts.

    In the target AWS account, edit the trust relationship and specify source account number and source account role.

    This action allows only the CloudPoint instance hosted in source AWS account to assume the target role using the credentials associated with source account's IAM role. No other entities can assume this role.

  4. Grant the source AWS account access to the target role.

    In the source AWS account, from the account Summary page, create an inline policy and allow the source AWS account to assume the target role ("sts:AssumeRole").

  5. From the target account's Summary page, edit the Maximum CLI/API session duration field and set the duration to 1 hour, at a minimum.

    This setting determines the amount of time for which the temporary security credentials that the source account IAM role gets when it assumes target account IAM role remain valid.

Feedback

Was this page helpful?
Previous

AWS permissions required by CloudPoint

Next

Google Cloud Platform plug-in configuration notes

Feedback

Was this page helpful?