Processing for Using Resources from an AWS Service Account

When you configure a hypervisor to use service account resources, most processes that are initiated from the member account hypervisor use resources from the service account. Most of the processing is performed in the service account, with minimal effect on the member account. When using resources from a service account, you must add JSON permissions to both the service account and the member accounts.

AWS account terms are defined as follows:

  • Service account: A hypervisor that is added to Commvault and that contains shared backup resources such as access nodes and cloud libraries.

  • Member account (also called workload account): An organizational account with workloads to protect. Member accounts are accessed by service accounts for the purposes of backup and recovery.

Encrypted Amazon EBS volumes

For Amazon EC2 instances with Amazon EBS volumes that use AWS default encryption, the snapshots that Commvault takes during backups also use AWS default encryption.

To enable snapshots to be shared from the member account to the service account, Commvault creates a copy of each volume snapshot. The snapshot copies use custom encryption keys that have the alias 'cvlt-ec2'. Commvault shares the snapshots and the custom encryption key with the service account. The service account can then access the custom-encrypted snapshots as needed when performing backups and restores for the member account.

Streaming Backup Processes

Streaming backup processes use the following steps:

  1. On the member account:

    1. Create an Amazon Machine Image (AMI) from the source Amazon EC2 instance.

    2. Share the AMI to the service account.

  2. On the service account:

    1. Create Amazon EBS volumes from the AMI.

    2. Attach Amazon EBS volumes to the proxy, create an Amazon EC2 instance, and back up the Amazon EC2 instance and Amazon EBS volumes.

    3. Detach the Amazon EBS volumes, and then delete them.

    4. Delete the AMI.

IntelliSnap Backup Processes

IntelliSnap backup processes are unchanged for processes that use resources from a service account.

IntelliSnap backup processes use the following steps:

  1. For each Amazon EC2 instance, create an AMI.

    This operation creates crash-consistent snapshots of Amazon EBS volumes.

  2. Write the Amazon EC2 instance configuration file and the Amazon EC2 instance metadata to the backup index.

Backup Copy Processes

Backup copy processes use the following steps:

  1. On the member account, share snapshots with the service account.

  2. On the service account:

    1. Create Amazon EBS volumes.

    2. Attach the Amazon EBS volumes to the proxy.

    3. Back up the Amazon EBS volumes.

    4. Detach the Amazon EBS volumes.

    5. Unshare the snapshots.
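
The share and unshare steps above leave a state in the member account that can be audited. The following is an added example, not Commvault code: it checks that shared snapshots go only to the service account, use the 'cvlt-ec2' key, and are no longer shared once no backup is running. The account IDs, snapshot IDs, key IDs and the rule that a share outside a backup window is a finding are assumptions made for the example.

```python
# Added example: inputs mirror the EC2 DescribeSnapshots, EC2
# DescribeSnapshotAttribute (createVolumePermission) and KMS ListAliases
# response shapes. Every account ID, snapshot ID and key ID is constructed.
SERVICE_ACCOUNT_ID = "111111111111"  # assumption: the service account's ID
EXPECTED_ALIAS = "alias/cvlt-ec2"    # key alias named on this page

SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/key-cvlt"},
    {"SnapshotId": "snap-0bbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/key-other"},
    {"SnapshotId": "snap-0ccc", "Encrypted": False},
    {"SnapshotId": "snap-0ddd", "Encrypted": False},
]
PERMISSIONS = {  # snapshot ID -> CreateVolumePermissions list
    "snap-0aaa": [{"UserId": "111111111111"}],
    "snap-0bbb": [{"UserId": "333333333333"}],
    "snap-0ccc": [{"Group": "all"}],
}
ALIASES = [
    {"AliasName": "alias/cvlt-ec2", "TargetKeyId": "key-cvlt"},
    {"AliasName": "alias/other-cmk", "TargetKeyId": "key-other"},
]


def audit_snapshot_shares(snapshots, permissions, aliases, backup_running):
    """Return sorted (snapshot_id, finding) pairs for shared snapshots."""
    alias_by_key = {a["TargetKeyId"]: a["AliasName"]
                    for a in aliases if "TargetKeyId" in a}
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        perms = permissions.get(sid, [])
        if not perms:
            continue  # not shared, nothing to check
        for perm in perms:
            if perm.get("Group") == "all":
                findings.append((sid, "public"))
            elif perm.get("UserId") != SERVICE_ACCOUNT_ID:
                findings.append((sid, f"unexpected account {perm.get('UserId')}"))
            elif not backup_running:
                findings.append((sid, "share left after backup"))
        # KmsKeyId is a key ARN; its last path element is the key ID.
        key_id = snap.get("KmsKeyId", "").rsplit("/", 1)[-1]
        if not snap.get("Encrypted") or alias_by_key.get(key_id) != EXPECTED_ALIAS:
            findings.append((sid, "not encrypted with cvlt-ec2 key"))
    return sorted(findings)
```

Against a live account, the same dictionaries can be filled from the responses of the three API calls named in the comments.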

HotAdd Restore Processes

HotAdd restore processes use the following steps:

  1. On the service account:

    1. Create empty Amazon EBS volumes.

    2. Attach the Amazon EBS volumes to the proxy and create an Amazon EC2 instance.

    3. Restore data.

    4. Detach the Amazon EBS volumes.

    5. Create a snapshot of the Amazon EBS volumes, and then delete the Amazon EBS volumes.

    6. Share snapshots to the member account.

  2. On the member account:

    1. Create Amazon EBS volumes from snapshots.

    2. Create the Amazon EC2 instance and attach the Amazon EBS volumes.

Import Restore Processes

Verify that the VM Import Service role (vmimport) is enabled on the AWS service account, and associate that role with the user account that is used to perform restore processes. For more information, see Creating a vmimport Role.

Import restore processes use the following steps:

  1. On the service account:

    1. Initialize the cloud file system.

    2. Attach the Amazon S3 prefix to the proxy.

    3. Share the Amazon S3 bucket to the member account.

    4. Restore data as Virtual Hard Disk (VHD) pages in Amazon S3.

    5. Merge the VHDs.

    6. Launch the AWS VM Import task to create an AMI.

    7. Share the AMI to the member account.

  2. On the member account, restore the Amazon EC2 instance from the AMI.

Live Browse and File Recovery Processes

Live browse and file recovery processes are unchanged for processes that use resources from a service account.

Agentless File Recovery Processes

Agentless file recovery processes use the following steps:

  1. Restore files to the local proxy.

  2. Share the Amazon S3 bucket to the member account.

  3. Upload to the Amazon S3 bucket.
