In the following step, select the policy we just created:
Select Another AWS account and retrieve the account ID of the Master account to be placed here.
VEEAM BACKUP TO AWS ZIP FILE
In the zip file at the end of the page, you will find a file called aws_policy_permissions_Advanced_Enterprise_BYOL.json, this one already has all the needed permissions to allow external accounts to access the target resources. You can use the json files available here: In AWS IAM of the Target account, create a new policy. So, once we log into the target account, we open the IAM management and we start the creation of a new role. We need to configure a role in the Target account that allows Master to login and complete its tasks against the protected resources. Let’s assume we have two AWS accounts: Master is the one where all the backups are managed, and T arget is the account that we want to protect.
VEEAM BACKUP TO AWS HOW TO
This could be easy, but after a while it may become complicated to manage all those keys: either we change them often to avoid compromisations, or at some point some lazy admin will let them age too much, and expose the target to security issues.įor this reason, it’s way better to use IAM roles, but at the beginning it may be a bit complicated to understand how to properly configure them. The easiest way to do so is by creating simple IAM accounts. How to allow the master account to access target resources How to configure this is the main topic of this article. To do so, it needs some permissions that have to be created into the protected account.
VEEAM BACKUP TO AWS SOFTWARE
N2WS software runs inside this dedicated account, and has the option to access another account. This solution can also be offered “as a service” if the two accounts are a customer and a service providers. In this way, even if the production account is compromised and data are deleted, the backups are stored into another account, that cannot be accessed from the other one. The idea in our software is to completely bypass this problem, by allowing a customer to be protected using another account where backups and replicas are stored. I’ve used extensively IAM and I’m a huge fan of it, but as much as it can protect our AWS resources, there’s like always a point where someone will have enough powers to damage something. Some theoryĪWS has an amazing security platform, thanks to the way they developed over time their IAM (Identity and Access Management) system. One of the things I’ve learned is how to create a dedicated account to protect other accounts. I started a few weeks ago to deep dive into our solutions for Amazon Web Services, using N2WS Backup & Recovery. One of the main focus of this year for me as a cloud architect at Veeam, is to learn as much as possible about public cloud technologies, and how our software solutions can interact with them. 0 Flares Twitter 0 Facebook 0 LinkedIn 0 Email - 0 Flares ×
0 kommentar(er)
