To recover to an AWS cleanroom site, you need an AWS recovery target that specifies details about the cleanroom site.
Start the recovery target wizard
- From the Command Center navigation pane, go to Cleanroom > Targets.
- In the upper-right area of the page, click Add.
- Select Amazon Web Services.
- Click Next.
General page
- Enter a descriptive name for the recovery target.
- For Destination, click the add button to create a hypervisor for the recovery target.
  - In Name, enter a descriptive name for the hypervisor.
  - For Regional endpoints, do one of the following:
    - To connect with all available public regional endpoints, leave All public regions selected.
    - To limit connections to only some regions, select the regions.
  - Select one of the following authentication methods:
    - IAM role: Select an access node that has an IAM role associated with it in the AWS Management Console.
    - Access and secret key: Enter the access key ID and the secret access key for your AWS account.
    - STS assume role with IAM policy: Enter the Amazon Resource Name (ARN) of the STS role in the Role ARN box.
  - For Use service account resources, if you already configured a hypervisor for a service account, you can select this option, and then select the hypervisor.
  - For Credentials, select existing credentials or create new credentials.
    Important: The credentials must have an external ID and an IAM role ARN. If you select existing credentials, verify that the credentials have an external ID and an IAM role ARN by clicking the edit button.
  - Click Save.
- For Access node, select the access nodes to use for the recovery target.
- For Security, you can enter users and/or user groups to give them access to the recovery target.
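
The Important note above requires an external ID alongside the IAM role ARN. As an added example (not part of the original documentation or the product's code), this Python check reads a role trust policy and reports statements that let an AWS principal assume the role without pinning `sts:ExternalId`. It assumes the external ID is enforced in the role's trust policy; the policies, account ID, Sids and external ID value are constructed placeholders.

```python
import json

# Constructed trust policies; account ID, Sids and external ID are placeholders.
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "BackupAccess", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "sts:AssumeRole"},
  {"Sid": "Ec2InstanceProfile", "Effect": "Allow",
   "Principal": {"Service": "ec2.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")

HARDENED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "BackupAccess", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")

def as_list(value):
    """IAM JSON accepts a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statements_missing_external_id(trust_policy, expected_external_id):
    """Return Sids of Allow statements that let a non-service principal call
    sts:AssumeRole without StringEquals on exactly the expected sts:ExternalId."""
    findings = []
    for index, stmt in enumerate(as_list(trust_policy.get("Statement"))):
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        # AWS services such as ec2.amazonaws.com do not present an external ID.
        if isinstance(principal, dict) and set(principal) == {"Service"}:
            continue
        pinned = [
            value
            for key, raw in stmt.get("Condition", {}).get("StringEquals", {}).items()
            if key.lower() == "sts:externalid"
            for value in as_list(raw)
        ]
        # Wildcard operators (StringLike) or extra accepted IDs count as not pinned.
        if pinned != [expected_external_id]:
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, statements_missing_external_id(policy, "EXAMPLE-EXTERNAL-ID"))
```

An empty result means every statement that grants role assumption to an AWS principal is bound to the one expected external ID.
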
Recovery Options page
- For Availability zone, select the AZ for the recovered EC2 instances.
- For Instance type, select the instance type for the recovered EC2 instances.
  The Automatic option attempts to recover the EC2 instances as the same instance type as the source.
- Recommended: From the Key pair list, select the Amazon EC2 key pair to access the recovered EC2 instances.
- From the IAM role for Amazon EC2 list, select the role that you selected for authentication when you created the hypervisor for the recovery target.
- For Network, click the browse button, and then select a network interface for the subnets that you created in Create the AWS resources required for cleanroom.
  Important:
  - You must be in the same availability zone as the network interface that you want to select.
  - The network interface can be isolated based on the virtual private cloud (VPC), subnet, and security group configuration.
- For Security groups, select one of the following:
  - Auto-assign: Assign the same security group that the source EC2 instances have.
  - Custom: Select a security group from the AWS account that you're recovering the EC2 instances to.
- For Volume type, the options are limited to only those that are supported for the volume size.
  Volume types that are not supported for the volume size are visible, but not available to select.
  To view the minimum and maximum volume sizes for a volume type that is not available, hover over that volume type.
- For KMS key, select Auto.
  If the identity that performs the recovery has permission for the ec2:GetEbsDefaultKmsKeyId action, which is included in amazon_restricted_role_permissions.json, then the default KMS key for EBS encryption has the "Default EBS Key" tag.
- Click Submit.