AWS account management
An AWS cloud account can be created in Cloud Snapshot Manager with one of the following authentication types:
- Role based (preferred) - Cloud Snapshot Manager assumes an IAM role in the AWS account to authenticate. No long-term keys for the account are stored.
- Credential based - Each account has its own long-term API access keys (an access key ID and secret access key) that you supply to Cloud Snapshot Manager.
AWS security best practice recommends role based access over credential based access. A role lets you grant a third party such as Cloud Snapshot Manager access to your AWS resources without sharing your AWS security credentials, and you can revoke that access at any time by changing or deleting the role's trust policy instead of rotating keys.
NOTE: To copy AWS snapshots to PowerProtect DD Virtual Edition, you require an AWS role based cloud account.
Secure AWS DR account
Cloud Snapshot Manager supports copying snapshots from one AWS account to another AWS account (cross-account copying of snapshots) for disaster recovery. The target AWS account must be configured as a secure DR account in Cloud Snapshot Manager. A DR account is an AWS account to which Cloud Snapshot Manager has only a limited set of permissions. For added security, you can choose whether or not Cloud Snapshot Manager is allowed to delete snapshots from the DR account, so that a compromise of the primary account or of Cloud Snapshot Manager itself cannot be used to destroy the DR copies. Snapshots created in this account are full backups.
If Cloud Snapshot Manager does not have permission to delete a snapshot that has reached the end of its retention, it deletes the snapshot's metadata from the Cloud Snapshot Manager database and removes the Cloud Snapshot Manager tags from the snapshot. It then assigns the tag CSMExpired: true to indicate that the snapshot is a Cloud Snapshot Manager snapshot that has expired. The snapshot itself remains in the DR account and continues to incur storage cost until you remove it. You can search for these snapshots by the tag and delete them either with the Lambda script provided under Additional Scripts on the Help page of the PowerProtect Cloud Snapshot Manager portal, or with a deletion method of your own.
The Lambda script can be triggered and scheduled with any AWS supported mechanism, for example an EventBridge (CloudWatch Events) schedule rule. You can modify the script to suit your requirements. The permissions required to run the Lambda script successfully are listed in AWS cross-account permissions. Use Node.js 12.x to run this script, and set a timeout appropriate to the region and the number of snapshots, because the script has to enumerate and delete snapshots one API call at a time. After a run, the execution status and any error messages are available in CloudWatch Logs.
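The following is an added example written for this page; it is not the Node.js Lambda script that Cloud Snapshot Manager ships under Additional Scripts. It shows the two steps the paragraphs above describe: find the snapshots in the DR account that carry the CSMExpired: true tag, then delete them, skipping snapshots shared in from other accounts and continuing past per-snapshot failures such as a snapshot still referenced by an AMI. It runs with a DryRun flag by default, so the first invocation only confirms that the role has permission to delete. The function names, the sample snapshot data and the DryRun event key are assumptions made here; the role the function runs under needs at least ec2:DescribeSnapshots, ec2:DeleteSnapshot and sts:GetCallerIdentity.

```python
"""Clean up snapshots that Cloud Snapshot Manager has tagged CSMExpired: true.

Added example written for this page; it is not the Node.js Lambda script that
ships under Additional Scripts. Function names, the sample data and the
DryRun event key are assumptions made here.
"""
from __future__ import annotations

from typing import Iterable

# Tag Cloud Snapshot Manager assigns when it lacks permission to delete a snapshot.
EXPIRED_TAG_KEY = "CSMExpired"
EXPIRED_TAG_VALUE = "true"


def expired_snapshot_ids(snapshots: Iterable[dict], owner_id: str) -> list[str]:
    """Return the IDs of snapshots owned by owner_id that carry CSMExpired: true.

    `snapshots` has the shape of describe_snapshots()["Snapshots"]. Snapshots
    shared in from other accounts are skipped: only the owner can delete them.
    """
    ids = []
    for snap in snapshots:
        if snap.get("OwnerId") != owner_id:
            continue
        tags = {t["Key"]: t["Value"] for t in snap.get("Tags", [])}
        if tags.get(EXPIRED_TAG_KEY, "").strip().lower() == EXPIRED_TAG_VALUE:
            ids.append(snap["SnapshotId"])
    return sorted(ids)


def _aws_error_code(exc: Exception) -> str:
    """Pull the AWS error code out of a botocore ClientError (or name the exception type)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)


def delete_snapshots(ec2, snapshot_ids: Iterable[str], dry_run: bool = True):
    """Delete each snapshot, continuing past failures.

    Returns (deleted, failed). With dry_run=True EC2 raises DryRunOperation when the
    caller is permitted to delete, so that code counts as success; anything else
    (UnauthorizedOperation, InvalidSnapshot.InUse when an AMI still references the
    snapshot, ...) is recorded and the loop moves on to the next snapshot.
    """
    deleted, failed = [], []
    for sid in snapshot_ids:
        try:
            ec2.delete_snapshot(SnapshotId=sid, DryRun=dry_run)
            deleted.append(sid)
        except Exception as exc:  # botocore.exceptions.ClientError in practice
            code = _aws_error_code(exc)
            if code == "DryRunOperation":
                deleted.append(sid)
            else:
                failed.append((sid, code))
    return deleted, failed


def find_expired(ec2, owner_id: str) -> list[str]:
    """List expired snapshots server-side by tag filter, then re-check client-side."""
    snapshots = []
    for page in ec2.get_paginator("describe_snapshots").paginate(
        OwnerIds=[owner_id],
        Filters=[{"Name": f"tag:{EXPIRED_TAG_KEY}", "Values": [EXPIRED_TAG_VALUE]}],
    ):
        snapshots.extend(page["Snapshots"])
    return expired_snapshot_ids(snapshots, owner_id)


def lambda_handler(event, context):
    """Lambda entry point. Pass {"DryRun": false} in the event to really delete."""
    import boto3  # imported here so the pure helpers above need no AWS SDK

    owner_id = boto3.client("sts").get_caller_identity()["Account"]
    ec2 = boto3.client("ec2")
    deleted, failed = delete_snapshots(ec2, find_expired(ec2, owner_id),
                                       dry_run=bool(event.get("DryRun", True)))
    print(f"deleted={deleted} failed={failed}")  # lands in CloudWatch Logs
    return {"deleted": deleted, "failed": failed}


# Constructed sample in the shape of describe_snapshots()["Snapshots"]; not real data.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0a1", "OwnerId": "111111111111",
     "Tags": [{"Key": "CSMExpired", "Value": "true"}]},
    {"SnapshotId": "snap-0b2", "OwnerId": "111111111111",
     "Tags": [{"Key": "Name", "Value": "still-managed"}]},
    {"SnapshotId": "snap-0c3", "OwnerId": "222222222222",  # shared from another account
     "Tags": [{"Key": "CSMExpired", "Value": "true"}]},
    {"SnapshotId": "snap-0d4", "OwnerId": "111111111111"},  # no tags at all
]

if __name__ == "__main__":
    print(expired_snapshot_ids(SAMPLE_SNAPSHOTS, "111111111111"))  # ['snap-0a1']
```

Run it once with the default DryRun before scheduling it: a result of all snapshots in `deleted` and none in `failed` means the role's permissions are sufficient, while `UnauthorizedOperation` entries mean the DR account policy still needs ec2:DeleteSnapshot. Keep the snapshot IDs in the returned value rather than only in the log so the scheduled invocations can be audited from the Lambda response as well as from CloudWatch Logs.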
If your primary account is compromised or its resources are damaged, you can use the copies of the snapshots in the DR account to recover the resources. Once an account is created as a DR account, it cannot be changed to a regular account, and a regular account cannot be changed to a DR account. You can delete a DR account only when no snapshot metadata for it is stored in Cloud Snapshot Manager. For the permissions that Cloud Snapshot Manager requires for cross-account copying of snapshots, see AWS cross-account permissions.