How to configure AWS to enable copying encrypted snapshots across accounts using CloudRanger
This article applies to:
- Product edition: CloudRanger
Overview
You can configure a backup policy in CloudRanger to perform AWS cross-account backups. When an instance has encrypted volumes, the external AWS account must first be allowed to use the encryption key in the primary account; only then can CloudRanger copy the encrypted snapshots from the primary account to the external account.
You can allow IAM users or roles in one AWS account to access an encryption key in another account. For example, the users or roles in the External account can use an encryption key in the Primary account.
To enable this access:
- Change the key policy for the encryption key in the Primary account.
- Add an IAM policy for the roles in the External account.
Cross-account backups do not work with the default EBS key or any AWS managed key (for example aws/ebs), because the key policy of an AWS managed key cannot be edited to trust another account. The backup succeeds only with a customer managed (user-generated) key.
Configure AWS to enable copying encrypted snapshots across accounts
The procedures below describe the AWS configuration required in both the primary and the external account. It enables CloudRanger to copy the snapshots produced by the backup job from the primary account to the external account.
The primary and external accounts used in this procedure:
- Primary account: 444455556666
- External Account: 111122223333
Change the key policy of the encryption key in the primary account
- Log into the AWS Management Console Primary account (444455556666) and open the IAM Service console.
- Select the 'Encryption keys' section on the left (in the current console, customer managed keys are listed in the Key Management Service (KMS) console; the steps are the same).
- Change the Region to that of the EC2 volumes encrypted with the key, using the Region selector in the upper-left corner of the page. KMS keys are regional, so the key must be in the same Region as the volumes it encrypts.
- Click on the key Alias currently used to encrypt the EC2 volumes and open the key properties.
- Note the key ARN; the IAM policy created later in the external account must reference it.
- Scroll down to the Key Users and click Add.
- Tick all the CloudRanger roles associated with the CloudFormation stack and click Attach.
All the roles are displayed under Key Users after addition.
- Scroll down to External Accounts and click Add External Account.
- Enter the external account ID (for example, 111122223333) and click Save Changes. This adds statements to the key policy that allow principals in the external account to use the key; those principals still need an IAM policy in their own account before the access takes effect.
Add an IAM policy for the roles in the external account
After adding the external account to the key policy, add an IAM policy to the roles in the external account. Roles in the external account (111122223333) must use an encryption key that is in the primary account (444455556666). To allow this, create an IAM policy in the external account (111122223333) that allows access to the CMK in the primary account (444455556666), as described below:
- Sign in to the AWS Management Console external account (111122223333) and open the IAM Service console.
- Select the Policies section on the left.
- Click Create policy and open the JSON tab.
- Copy the JSON below into the tab to create the key-sharing policy in the external account. Replace the Region, account ID and key ID in Resource with the key ARN noted earlier; the key ID shown here is a placeholder.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfCMKInAccount444455556666",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:444455556666:key/c6b52789-0ba8-4ab8-ba03-c777ad4deae7"
        },
        {
            "Sid": "AllowUseofCMKToCreateEncryptedResourcesInAccount444455556666",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "arn:aws:kms:us-east-1:444455556666:key/c6b52789-0ba8-4ab8-ba03-c777ad4deae7",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}
- Select Review policy and save the policy with an appropriate name.
- Return to the policies and search for the newly created policy.
- Click Policies > Policy actions > Attach.
- Select the CloudRanger roles in the external account and select Attach policy. The selected roles are then listed on the Policy usage tab.
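The two documents that the procedures above build by hand (the statements the Add External Account step appends to the key policy in the primary account, and the IAM policy attached to the CloudRanger roles in the external account) can be generated and cross-checked offline. The Python below is an added example, not CloudRanger's or AWS's own code. It assumes the article's placeholder account IDs and key ARN, reproduces the external-account key-policy statements in the shape of the AWS default key policy, and checks that an action is allowed only when both halves of the delegation agree. The function names and the policy Sids it introduces (build_key_policy, cloudranger-cross-account, AllowUseOfCMK) are illustrative.

```python
"""Added example (not CloudRanger's or AWS's code): build the key policy for
the CMK in the primary account and the IAM policy for the external account's
roles, then check that together they allow cross-account use of the key.
Runs offline on pure JSON; the IDs below are the article's placeholders."""
import json
import re
from fnmatch import fnmatchcase

PRIMARY_ACCOUNT = "444455556666"   # placeholder from the article
EXTERNAL_ACCOUNT = "111122223333"  # placeholder from the article
KEY_ARN = ("arn:aws:kms:us-east-1:444455556666:key/"
           "c6b52789-0ba8-4ab8-ba03-c777ad4deae7")  # placeholder from the article

USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def build_key_policy(primary_account, external_account):
    """Key policy for the CMK: the root-administration statement every new CMK
    starts with, plus the two statements the console adds for an external
    account (same shape as the AWS default key policy).  Trusting the external
    account's *root* delegates the decision about which roles may use the key
    to that account's own IAM policies."""
    external_root = {"AWS": f"arn:aws:iam::{external_account}:root"}
    return {"Version": "2012-10-17", "Id": "cloudranger-cross-account", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{primary_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": external_root, "Action": USE_ACTIONS, "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": external_root, "Action": GRANT_ACTIONS, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]}


def build_external_iam_policy(key_arn):
    """IAM policy for the CloudRanger roles in the external account (the
    identity half of the delegation).  Resource is the single CMK, never '*'."""
    if not KEY_ARN_RE.match(key_arn):
        raise ValueError(f"expected a full KMS key ARN, got {key_arn!r}")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowUseOfCMK", "Effect": "Allow",
         "Action": USE_ACTIONS, "Resource": key_arn},
        {"Sid": "AllowCreateGrantForAWSResources", "Effect": "Allow",
         "Action": "kms:CreateGrant", "Resource": key_arn,
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS") if isinstance(p, dict) else [])


def _allows(stmt, action, resource):
    """Allow statement whose Action and Resource patterns both match.
    Condition blocks are deliberately not evaluated (simplification)."""
    return (stmt.get("Effect") == "Allow"
            and any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))))


def _names_account(stmt, account):
    return any(p in ("*", account) or p.startswith(f"arn:aws:iam::{account}:")
               for p in _principals(stmt))


def cross_account_allowed(key_policy, iam_policy, external_account, key_arn, action):
    """True only when BOTH halves allow `action` on the key: the key policy
    must name the external account and the external role's IAM policy must
    name the key.  Either document alone yields AccessDenied."""
    key_side = any(_names_account(s, external_account) and _allows(s, action, key_arn)
                   for s in key_policy["Statement"])
    iam_side = any(_allows(s, action, key_arn) for s in iam_policy["Statement"])
    return key_side and iam_side


def audit(key_policy, iam_policy):
    """Findings to resolve before saving either document."""
    findings = []
    for s in key_policy["Statement"]:
        if s.get("Effect") == "Allow" and "*" in _principals(s) and not s.get("Condition"):
            findings.append(f"key policy {s.get('Sid')!r}: unconditional Principal '*' "
                            "lets any AWS account use the key")
    for s in iam_policy["Statement"]:
        if "*" in _as_list(s.get("Resource")):
            findings.append(f"IAM policy {s.get('Sid')!r}: Resource '*' is not scoped "
                            "to the CMK; use the key ARN")
    return findings


if __name__ == "__main__":
    kp = build_key_policy(PRIMARY_ACCOUNT, EXTERNAL_ACCOUNT)
    ip = build_external_iam_policy(KEY_ARN)
    print(json.dumps(kp, indent=2))
    print(json.dumps(ip, indent=2))
    for act in ("kms:Decrypt", "kms:ReEncryptFrom", "kms:CreateGrant", "kms:ScheduleKeyDeletion"):
        print(f"{act:26} {cross_account_allowed(kp, ip, EXTERNAL_ACCOUNT, KEY_ARN, act)}")
    print("findings:", audit(kp, ip))
```

The check models the rule that matters for this article: a cross-account KMS call succeeds only when the key policy in the primary account and an IAM policy in the external account both allow it, so a copy job that fails with AccessDenied after only one of the two procedures was completed is expected. The generated documents can be applied from the CLI with aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json in the primary account and aws iam create-policy followed by aws iam attach-role-policy in the external account; note that put-key-policy replaces the whole key policy, so fetch the current one with aws kms get-key-policy first and merge rather than dropping the existing administration statements.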
Cross-account backup to additional AWS accounts
All backup policies automatically create a backup in the original AWS Region. To also copy the backup to an additional AWS account, use the following option.
- Select the ADVANCED option from the main backup policy section.
- Select the external AWS account to which the additional backup copy must be saved.
This saves the additional copies in the account specified in the backup policy.