Use Service Account Resources

You can configure a virtualization client (hypervisor) for Amazon Web Services (AWS) to use a separate Admin account for data protection operations.

This approach provides the following benefits:

  • Reduces the impact of backup operations and restore operations on tenant production accounts.

  • Minimizes the configuration required for tenant accounts.

  • Eliminates the need for tenants to deploy proxies (access nodes) and MediaAgents in Amazon, reducing tenant costs.

  • Hides backup infrastructure from tenants.

Note

This feature was previously called "cross-account operations."

By using this feature, tenants in a managed services environment can access resources that are provided by a managed service provider (MSP) to support data protection operations. Similarly, groups within an organization can access shared resources from an AWS Admin account that provides infrastructure for data protection.

You can configure access to an Admin account in the CommCell Console or in the Command Center. Production accounts can use an Admin account for streaming backup operations, IntelliSnap backup operations, backup copy operations, and restore operations.

After you configure access to an Admin account, you can initiate operations from the tenant account, but the operations use resources such as VSA proxies and MediaAgents that are deployed in the Admin account.

Operations can use Windows and Linux proxies, and can include Windows and Linux instances.

Requirements

  • For backups, the VSA proxy that is used by the Admin account must be in the same region as the guest instances.

    For example, a proxy in Account1 in the us-east-1a availability zone can back up instances in Account2 in any availability zone of the us-east-1 region.

  • For restores, the VSA proxy that is used by the Admin account must be in the availability zone that you specify as the restore destination.

    For example, a proxy in Account1 in the us-east-1a availability zone can restore instances in Account2 to the us-east-1a availability zone, but not to us-east-1b.
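The region and availability-zone rules above decide which Admin account proxies a job can use. The following added example (not Commvault code) encodes those two rules as a selection helper: backups accept any proxy in the guest instance's region, restores require a proxy in the exact target availability zone. It assumes standard AWS zone names of the form region plus one trailing letter (for example us-east-1a); the proxy inventory is constructed sample data.

```python
"""Select eligible Admin-account VSA proxies for backup and restore jobs.

Added example, not Commvault code. Assumes availability-zone names are a
region name plus a single trailing letter (us-east-1a -> us-east-1); AWS
Local Zone names are outside this assumption. Inventory is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Region followed by one zone letter, e.g. "us-east-1a", "ap-northeast-1c".
_AZ_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d+)([a-z])$")


def region_of(az: str) -> str:
    """Return the region part of an availability-zone name; reject odd input."""
    m = _AZ_RE.match(az)
    if not m:
        raise ValueError(f"not an availability zone name: {az!r}")
    return m.group(1)


@dataclass(frozen=True)
class Proxy:
    name: str
    account: str  # AWS account that owns the proxy (the Admin account)
    az: str       # availability zone where the proxy instance runs


def backup_proxies(proxies: list[Proxy], instance_az: str) -> list[str]:
    """Backup rule: the proxy must be in the same region as the guest instance."""
    region = region_of(instance_az)
    return [p.name for p in proxies if region_of(p.az) == region]


def restore_proxies(proxies: list[Proxy], target_az: str) -> list[str]:
    """Restore rule: the proxy must be in the availability zone chosen for the restore."""
    return [p.name for p in proxies if p.az == target_az]


# Constructed sample inventory: proxies deployed in the Admin account "Account1".
ADMIN_PROXIES = [
    Proxy("proxy-a", "Account1", "us-east-1a"),
    Proxy("proxy-b", "Account1", "us-east-1b"),
    Proxy("proxy-c", "Account1", "eu-west-1a"),
]

if __name__ == "__main__":
    # A tenant guest in us-east-1c can be backed up by either us-east-1 proxy,
    # but a restore into us-east-1c finds no proxy in that zone.
    print("backup of us-east-1c guest:", backup_proxies(ADMIN_PROXIES, "us-east-1c"))
    print("restore to us-east-1a:", restore_proxies(ADMIN_PROXIES, "us-east-1a"))
    print("restore to us-east-1c:", restore_proxies(ADMIN_PROXIES, "us-east-1c"))
```

Running the script with the sample inventory shows the asymmetry that catches people out: a proxy that is eligible for backups across the whole region is still unusable for a restore into a neighbouring zone, so restore planning needs a proxy per target zone.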

  • The Admin account can use an access key and secret key for authentication, or an IAM role.

  • The tenant (user) account must use an access key and secret key for authentication.

  • The Admin account IAM user or IAM role and the tenant account IAM user must have the following additional permissions for this feature:

    • "ec2:ModifySnapshotAttribute"

    • "ec2:ModifyImageAttribute"

    • "s3:PutBucketAcl"

    • "s3:GetBucketAcl"

    For more information, see User Permissions.
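The four actions listed above are easy to lose in a large policy, especially when permissions are granted through wildcards or overridden by a Deny. The following added example (not Commvault code and not an AWS API) checks an exported IAM policy document for exactly those four actions. It assumes the policy JSON is what `aws iam get-policy-version` returns for the Admin role or tenant user; the sample documents are constructed, and Resource, Condition and NotAction elements are deliberately not evaluated, so the check is conservative rather than authoritative.

```python
"""Verify that an IAM policy document grants the extra actions this feature needs.

Added example, not Commvault code. Input is a policy document as exported from
IAM (constructed samples below). Evaluates Action patterns and Effect only;
Resource, Condition and NotAction are ignored, so a Deny scoped to one
resource is still reported as blocking the action.
"""
from __future__ import annotations

import fnmatch
import json

# The additional permissions the page lists for Admin and tenant principals.
REQUIRED_ACTIONS = (
    "ec2:ModifySnapshotAttribute",
    "ec2:ModifyImageAttribute",
    "s3:PutBucketAcl",
    "s3:GetBucketAcl",
)


def _as_list(value) -> list:
    """IAM allows Statement and Action to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and patterns may use '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_json: str, required=REQUIRED_ACTIONS) -> list[str]:
    """Return the required actions the policy does not effectively grant.

    An action is granted when at least one Allow statement matches it and no
    Deny statement matches it (an explicit Deny always wins in IAM).
    """
    doc = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        patterns = _as_list(stmt.get("Action"))
        for action in required:
            if any(_matches(p, action) for p in patterns):
                bucket.add(action)
    return [a for a in required if a not in allowed or a in denied]


# Constructed sample 1: EC2 actions granted via a wildcard, s3:PutBucketAcl
# forgotten, and s3:GetBucketAcl allowed but then explicitly denied.
INCOMPLETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Modify*Attribute", "s3:GetBucketAcl"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetBucketAcl", "Resource": "*"},
    ],
})

# Constructed sample 2: all four actions granted explicitly (single-statement form).
COMPLETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"},
})

if __name__ == "__main__":
    print("incomplete policy is missing:", missing_actions(INCOMPLETE_POLICY))
    print("complete policy is missing:", missing_actions(COMPLETE_POLICY))
```

Run the check against both the Admin principal's and the tenant user's policies, because the page requires the actions on both sides; a job that fails only at the snapshot-sharing or image-sharing step is the typical symptom of one side lacking an ec2:Modify*Attribute permission.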

Considerations

  • You cannot restore volume tags from a backup that was performed by an Admin account.

  • Streaming backup operations and backup copy operations skip encrypted volumes that use AWS encryption or custom encryption. If an instance has encrypted volumes, the backup job completes with errors. When you perform IntelliSnap backups, you can back up and restore encrypted volumes.

  • Tenant users can restore guest files and folders only from a streaming backup or backup copy. Only Admin account users can restore guest files and folders from a snap copy.

Configuration Process

To enable cross-account operations, perform the following configuration:

  1. Create a virtualization client for the Admin account (for example, for the MSP).

  2. Create a virtualization client for the tenant account, and refer to the Admin account client using the Use admin account backup resources option.

Creating an Amazon Client
