Manual setup for AWS account integration
This article describes how to manually add your AWS account and configure the permissions required to deploy the Clumio service to perform backup and restore operations. For details about the permissions for each of the entities created below, refer to the Permissions file article. For step-by-step information about how to use the Terraform provider to manually onboard your AWS accounts, see this article.
- Log on to the Clumio platform and navigate to the AWS > Accounts page. Click Add AWS account to launch the wizard.
Note that the wizard only guides you through the Clumio configuration steps. You will need to log on to your AWS account console and manually configure the permissions that Clumio requires to protect your assets. - Type in the ID of the AWS account to connect to Clumio and select an account region.
- Click Customize Assets to select specific assets from the list. All listed asset types are selected by default. Click Next.
- Clumio generates an external ID displayed on this page. Make a note of this external ID as it is required when you create the roles and permissions on your AWS console. In addition to the external ID, Clumio also generates a permissions file based on the asset types you selected on the first page of the wizard. This file contains the IAM roles, topics, and rules definitions that gives Clumio permission to backup and restore your assets. Download the file and have it ready to access when you are working in your AWS console.
Log on to your AWS console. The following steps describe how to create the topic, rules, and role in AWS using the information from the permissions file. We recommend that you create these items in the following order: Topics, Rules, and then Roles so that you can keep track of the ARN dependencies while creating these objects.
Create an SNS topic
This topic notifies Clumio services about any new events in your resource inventory.
- Navigate to your Amazon SNS console and select Topics from the left navigation panel.
- Click Create topic and select Standard as the topic type, type a name for the topic or use the Clumio provided name (“ClumioEventPub”) from the “topics” section in the Clumio permissions file.
- Create the topic and make a note of the ARN.
- Next, edit the topic you just created. Copy the policy_document string from the “topics” section in the permissions file, convert it to JSON format and paste in the JSON editor of the Access policy section of the topic. Replace the CLUMIOEVENTPUB placeholder in the JSON object with the ARN of the topic that you made a note of in the previous step. Save your changes.
Your topic file is now ready.
Create a rule
There are two rules in the Clumio permission file. Make sure you copy the content from the same rule in the permissions file to the corresponding rule in your AWS account.
- Open your Amazon EventBridge console and select Rules from the left navigation panel.
- Click Create rule and type a name for the rule or use a Clumio provided name (
ClumioCloudtrailEventRule
orClumioCloudwatchEventRule
) from the Clumio permissions file. Select Rule with an event pattern as the Rule type. - Click next and scroll down to the Creation method section and select Custom pattern (JSON editor).
- Copy the “event_pattern” string from the rule in the Clumio permissions file, convert it to JSON format, and paste it into the editor. Click Next
- On the Select targets page, select the AWS Service target type, then select SNS topic from the Select a target drop down list, and select the name of the topic you created in the Create SNS topic section. Click Next.
- The Configure tags step is optional as Clumio does not require you to create any tags. You can move to the final step to review the rule configuration information and create the rule.
- Make a note of the rule ARN.
Repeat these steps to create the other rules.
Create a role
There may be several roles (this may change if more asset types are supported in the future) in the permissions file depending on the asset types selected in the Clumio Add AWS account wizard. Be sure to copy the correct information for the role from the permission file to the corresponding role in AWS, do not mix them up as this will cause errors.
When you create roles, you must create asset specific roles first (if the assets you selected require a role, the permissions file will contain those roles) and then the base ClumioIAMRole
and ClumioSupportRole
roles after that.
- Open your IAM console and select Roles from the left navigation panel.
- Click Create role and select the Custom trust policy as the Trusted entity type. Copy the relevant “trust_policy” string from the Clumio permissions file for the role that you are creating, convert it to JSON format and paste it into the Custom trust policy editor. Replace the ROLEEXTERNALID placeholder text with the Clumio generated External ID that you made a note of in step 4 above. Click Next.
- On the Role details page, type a name for the role or use the Clumio provided name for the role from the permissions file.
- You can add permissions at this step by clicking Edit in the Add permission step, this will open the policy editor. When you add permissions while creating a role, you are adding a managed policy.
Each of the roles in the Clumio permissions files has one or more Inline policies and some Managed policies (refer to AWS documentation for more information about these types of policies). Create the role, then later edit that role to add policies that contain the necessary permissions for Clumio to protect your assets. - To create a managed policy select Policies from the left navigation pane and click Create policy.
- Select JSON to open a JSON editor. Copy a managed policy string from the Clumio permissions file for the role you are creating, convert it to JSON format and paste it into the editor. Replace any placeholder text with the ARN for that entity.
- Click Review, type a name for the policy or use the Clumio provided name from the permissions file. Click Create policy.
- Repeat this step to create all the managed policies required by that role.
IMPORTANT:Make a note of each managed policy ARN you create for a role. These ARNs will be required by some of the inline policies you need to create for the same role in the following steps.
- Select Roles from the left navigation pane and find the role you just created the policies for and click to select it. On the role details page in the Permissions policies section, click the Add permissions drop down menu and select Attach policies.
- Use the filter to find the relevant policies, select them and click Add permissions. Repeat as necessary to add the rest of the policies to the role.
- To create inline policies, navigate to the Roles page and find the role you created. Click the role to view a details page. In the Permissions policies section, click the Add permissions drop down menu and select Create inline policy.
- Select JSON to open a JSON editor. Copy the inline policy string from the Clumio permission file, convert it to JSON format, and paste it into the editor.
Replace any placeholders for managed policy ARNs with the appropriate ARN. - Click Review, type a name for the policy or use the Clumio provided name from the permissions file. Click Create policy.
- Select JSON to open a JSON editor. Copy the inline policy string from the Clumio permission file, convert it to JSON format, and paste it into the editor.
Repeat these steps to create all the roles listed in the permissions file that are needed to deploy the Clumio service in your account.
IMPORTANT: If you select SQL Server as one of the data sources to be protected by Clumio, you will need to create 2 roles one of which is
ClumioEC2MSSQLSSMInstanceRoleV2
. When you create this role, you must make a note of the Instance profile ARN. You can find this in the details section of the role under IAM > Roles.
Create SSM documents
If you have selected SQL on EC2 as one of the data sources to manually onboard, you will also need to create AWS Systems Manager documents (SSM documents) to define the actions the Systems Manager performs on your managed instances. The permissions file will contain a section called ssm_documents, which are a series of key-value pairs, the name of the document is the key and the contents is the value.
- Access the Systems Manager console and on the left navigation bar, scroll to the bottom where you find the Documents menu item.
- Click Documents to launch the Systems Manager explorer.
- Click Create document.
- From the permissions file, expand the
ssm_documents
section to view a list of key-value pairs of the documents you need to create. - Copy the name of the first SSM key-value pair and paste it in the name field on the Systems Manager > Create document page. Replace the CLUMIOTOKEN string with the token that was generated when you connected your account.
- Expand the contents of the SSM document in the permissions file and copy this into the JSON content field.
Repeat these steps to create the remaining documents.
After you create all of the required objects, make a note of their ARNs.
On the Clumio platform
Return to the Clumio platform and resume the set up from the Add AWS account wizard.
- Enter the ARNs of each AWS entity in the relevant fields. Click Next.
- The Validate permissions page has a progress bar at the top of the page that indicates Clumio is checking if the required permissions have been granted. Once the validation is complete, the table displays the access granted to Clumio to perform inventory, backup, and restore operations on the selected assets. If a connection cannot be established, you may have to revisit the Clumio objects you created in your AWS account and verify that you have enabled the required permissions.
Contact [email protected] in case of any clarifications or questions.
Updated 9 months ago