How to configure AWS to enable copying encrypted snapshots across accounts using CloudRanger
Overview
You can configure a backup policy in CloudRanger to perform AWS cross-account backups. This may be required for instances with encrypted volumes. In such cases, you must enable the external AWS account to access an encryption key in the primary account. This enables CloudRanger to perform a cross-account copy of the encrypted snapshots from the primary to an external account.
You can allow IAM users or roles in one AWS account to access an encryption key in another account. For example, the users or roles in the External account can use an encryption key in the Primary account.
To enable this access:
- Change the key policy for the encryption key in the Primary account.
- Add an IAM policy for the roles in the External account.
Cross-account backups cannot work with the default key or AWS managed keys. The backup succeed on with the user-generated keys.
Configure AWS to enable copying encrypted snapshots across accounts
The below procedures describe the AWS configurations required on both the Primary and external accounts. This enables CloudRanger to perform the cross-account copy of the backup job, from the primary to the external account.
The primary and external accounts used in this procedure:
- Primary account: 444455556666
- External Account: 111122223333
Change the key policy of the encryption key in the primary account
Cross-account access requires permissions in the key policy of the KMS key and in an IAM policy in the external account. To grant an external account permission to use the KMS key, add a statement to the key policy that specifies the external account.
For more information and detailed instructions, see Allowing users in other accounts to use a KMS key.
Add an IAM policy for the roles in the external account
After adding the external account to the encryption key policy, add an IAM policy to the roles in the external account. Roles in the external account (111122223333) must use an encryption key that is in the Primary account (444455556666). To allow this, create an IAM policy in the external account (111122223333) that allows access to the CMK in the primary account (9444455556666) as described below:
- Sign in to the AWS Management Console external account (111122223333) and open the IAM Service console.
- Select the Policies section on the left.
- Click Create policy and open the JSON tab.
- Copy the below JSON to the tab to create a Policy for Key sharing on external account
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUseOfCMKInAccount444455556666",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-east-1:444455556666:key/c6b52789-0ba8-4ab8-ba03-c777ad4deae7"
},
{
"Sid": "AllowUseofCMKToCreateEncryptedResourcesInAccount444455556666",
"Effect": "Allow",
"Action": "kms:CreateGrant",
"Resource": "arn:aws:kms:us-east-1:444455556666:key/c6b52789-0ba8-4ab8-ba03-c777ad4deae7",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}
]
}
- Select Review policy and save the policy with an appropriate name.
- Return to the policies and search for the newly created policy.
- Click Policies > Policy actions > Attach.
- Select the CloudRanger roles in the external account and select Attach policy.
All the selected roles are displayed on the Policy usage tab.
Cross-account backup to additional AWS accounts
All backup policies automatically generate a backup in the original AWS region. To perform a cross-account backup to an additional AWS account, use the following functionality.
- Select the ADVANCED option from the main backup policy section.
- Select the external AWS account to which the additional backup copy must be saved.
This saves the additional copies in the account specified in the backup policy.