For recovery to an AWS cleanroom site, you need a new AWS account, a new virtual network, a new security group, and other resources.
Note
The steps on this page are performed in AWS, and many of the links are to AWS documentation.
To create the required resources, do the following:
- Create a new IAM policy using the JSON editor, and paste the contents of amazon_restricted_role_permissions.json into the editor.
- Create a new AWS role and assign the new IAM policy to the new role.
- Create a new AWS virtual private cloud (VPC) and subnet to logically isolate the recovered VMs/instances.
- Create a new AWS security group to control inbound and outbound traffic for the recovered VMs/instances.
- For the auto-scaled access nodes, create another new VPC and subnet with the following specifications:
  - Connectivity: Establish bidirectional connectivity with your recovered control plane.
  - Port configuration:
    - Open outbound ports 8400 and 8403 for connectivity with your recovered control plane.
    - Open outbound port 443 for Air Gap Protect.
- Create a security group for the access-node VPC and subnet created in the previous step, to isolate the auto-scaled access nodes.
- To connect to the recovered instances in the isolated network, configure a bastion host.
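The access-node security group above should allow only the three outbound ports the procedure names. The following is an added example, not the product's own code: it builds those rules in the IpPermissions shape that boto3's ec2.authorize_security_group_egress() accepts and audits a group's IpPermissionsEgress list (as returned by ec2.describe_security_groups()) for anything broader, including the allow-all egress rule AWS attaches to every new group. The control-plane CIDR and the Air Gap Protect range are constructed placeholders.

```python
import ipaddress

# Constructed example values; replace with the recovered control plane's CIDR and,
# if known, the Air Gap Protect endpoint range instead of 0.0.0.0/0.
CONTROL_PLANE_CIDR = "10.10.0.0/16"
AIR_GAP_PROTECT_CIDR = "0.0.0.0/0"

# Outbound TCP ports the access-node subnet needs: 8400/8403 to the recovered
# control plane, 443 for Air Gap Protect. Nothing else should be open outbound.
REQUIRED_EGRESS = {8400: CONTROL_PLANE_CIDR, 8403: CONTROL_PLANE_CIDR, 443: AIR_GAP_PROTECT_CIDR}


def egress_permissions() -> list:
    """IpPermissions entries shaped for boto3 ec2.authorize_security_group_egress()."""
    return [
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": cidr, "Description": f"tcp/{port} to {cidr}"}]}
        for port, cidr in sorted(REQUIRED_EGRESS.items())
    ]


def _within(cidr: str, allowed: str) -> bool:
    """True if cidr is contained in allowed (a narrower destination is still compliant)."""
    try:
        return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(allowed))
    except TypeError:  # IPv4 vs IPv6 mismatch: not contained
        return False


def audit_egress(rules: list) -> list:
    """Return one finding per egress rule that is broader than the required set.

    `rules` is the IpPermissionsEgress list of a security group. The default
    allow-all rule (IpProtocol "-1" to 0.0.0.0/0) is reported and must be revoked
    from the access-node group before it is considered isolated."""
    findings = []
    for rule in rules:
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        targets = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        targets += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in targets:
            if proto != "tcp" or lo != hi:
                findings.append(f"broad rule: proto={proto} ports={lo}-{hi} to {cidr}")
            elif lo not in REQUIRED_EGRESS or not _within(cidr, REQUIRED_EGRESS[lo]):
                findings.append(f"unexpected rule: tcp/{lo} to {cidr}")
    return findings
```

Run audit_egress() against the group after creation and again after revoking the default rule; an empty result means only the three required destinations remain.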
For information, see the following: