Druva Documentation

About administrators, IAM roles, backup policies, and backup

Phoenix Editions: ✓ Elite ✗ Enterprise ✓ Business


Two types of administrators are involved in the backup and restore of EC2 instances using Phoenix:

  • Phoenix administrator: The Phoenix administrator registers an AWS account with Phoenix so that Phoenix can run backups and protect AWS workloads. Phoenix administrators with the role of a cloud admin or an org admin can register an AWS account and configure AWS resources for backup.
  • AWS administrator: The AWS administrator provides Phoenix with the IAM role so that Phoenix can run backups in the AWS account.

IAM Role

An Identity and Access Management (IAM) role grants Phoenix special permissions so that Phoenix can register your account and run backups in it. To create an IAM role, Druva provides a CloudFormation template that you use to create a CloudFormation stack. The CloudFormation stack performs the required steps in your account and creates an IAM role. You have to attach the IAM role to Phoenix so that it can run backups in your account. 

Note: When you generate a CloudFormation template URL at the time of registering an AWS account, it is tied to the organization under which it was generated. You cannot use the generated URL to register an AWS account in a different organization.
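
Before launching a vendor-supplied stack, an AWS administrator can list the IAM roles the template would create, who may assume them, and which actions they allow. The following is an added example, not Druva's code or template: it assumes a JSON template, and the sample template, the account ID, and the choice of checks (wildcard actions, a missing `sts:ExternalId` condition) are constructed for illustration.

```python
import json

# Constructed sample, NOT Druva's template: one cross-account role plus a non-IAM resource.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "BackupRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},
        "Policies": [{"PolicyName": "backup", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["ec2:CreateImage", "ec2:Describe*"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}}]}},
    "Topic": {"Type": "AWS::SNS::Topic", "Properties": {}}}})

def as_list(value):
    """IAM accepts a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def review_template(template_json):
    """Map each IAM role in the template to who may assume it, what it allows, and findings."""
    report = {}
    for name, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        entry = {"trusted": [], "actions": [], "findings": []}
        for stmt in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
            principal = stmt.get("Principal", {})
            aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
            entry["trusted"] += aws
            if "*" in aws:
                entry["findings"].append("trust policy allows any AWS principal")
            # sts:ExternalId is the usual guard when a third party assumes the role.
            if aws and "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
                entry["findings"].append("trust statement has no sts:ExternalId condition")
        for policy in props.get("Policies", []):
            for stmt in as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                for action in as_list(stmt.get("Action", [])):
                    entry["actions"].append(action)
                    if isinstance(action, str) and action.split(":")[-1] == "*":
                        entry["findings"].append(f"wildcard action: {action}")
        if props.get("ManagedPolicyArns"):
            entry["findings"].append("managed policies attached: review them separately")
        report[name] = entry
    return report

if __name__ == "__main__":
    print(json.dumps(review_template(SAMPLE_TEMPLATE), indent=2))
```

Templates distributed as YAML, or ones that build principals and actions with intrinsic functions, need to be converted or resolved before a check like this gives a complete picture.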

Backup policy

A backup policy defines properties of a backup, such as:

  • The AWS account in which Phoenix takes backups of the resources
  • The backup schedule and retention
  • Additional copies of the backup to be created
  • Extra tasks to perform, such as rebooting the EC2 instance before backup


After an AWS account is registered with Phoenix, Phoenix can back up AWS resources. At the moment, Phoenix supports backup and recovery of EC2 instances. You can back up an AWS resource using a backup policy or you can run a backup job from the Phoenix Management Console. When a backup job runs, an AMI of the EC2 instance is created and stored in the location where the EC2 instance is running. However, if you want to create additional copies in separate regions, specify the accounts and regions in the backup policy and then apply the backup policy to the resource. When a policy runs a backup for the configured workload, the AMI is also stored in the location specified in the policy.