Connecting multiple accounts with CloudFormation using AWS Organizations

You can integrate multiple AWS accounts with Clumio by using AWS Organizations and CloudFormation StackSets.

The StackSet template provided by Clumio automates the provisioning of necessary resources (including IAM roles, policies, and event rules) across targeted AWS accounts and regions based on the target configuration. It also configures those accounts within Clumio, eliminating the need for manual setup. Once the StackSet is deployed, Clumio automatically completes the remaining setup so the accounts are ready for backup.

Prerequisites

Ensure the following requirements are met:

  • AWS Organizations Configuration:

    • AWS Organizations must be enabled.

    • StackSets service must be configured for organization-wide deployments.

    • You must have access to the AWS management account.

  • AWS Control Tower:

    • AWS Control Tower must be set up to manage the multi-account environment.

  • Trusted Access:

    • Trusted access must be enabled for all target AWS accounts.

    To configure trusted access, see Enable Trusted Access with AWS Organizations.

Setting Up Clumio Integration in a New Organization

Retrieve StackSet Template

Retrieve the CloudFormation template for deployment via the Clumio portal or API.

Option 1: Using the Clumio Portal

  1. Log in to the Clumio portal.

  2. In the left-hand navigation pane, go to AWS → Connect.

  3. Click Add Accounts → Add accounts via Organization.

  4. Enter your AWS Organization ID and then select the asset type to be backed up.

  5. Click Next to generate a tailored, least-privileged CloudFormation template.

  6. Download the template and then copy the required parameters (ClumioToken, RoleExternalId) shown in the modal.

Option 2: Using the Clumio API

  1. Use the following API endpoint to retrieve the required parameters:

    PUT https://us-west-2.api.clumio.com/connections/aws/org-deployment-parameters

  2. Authenticate using a bearer token and send the following request body:

    {
      "aws_org_id": "<your-aws-org-id>"
    }

  3. The response returns the following two parameters:

    • token → to be used as ClumioToken

    • external_id → to be used as RoleExternalId

  4. Retrieve the CloudFormation template from the Generate Connection Template API. In the request body, provide the parameter asset_types_enabled.

Deploy the StackSet via AWS Console

Step 1: Log in

  • Use the AWS management account or a delegated admin account with StackSet deployment permissions.

Step 2: Navigate to CloudFormation

  • Go to CloudFormation → StackSets → Create StackSet.

Step 3: Upload Template

  • Upload the CloudFormation template that you downloaded from Clumio's portal or API.

Step 4: Specify StackSet Parameters

Populate the following parameters using values from the Clumio modal/API:

  • ClumioToken

  • RoleExternalId

Optional Parameters:

  • SendCFTDeploymentEventsToClumio: Enabled by default and creates a dedicated event rule (ClumioDeploymentTrackingEventRule) to send deployment event logs to Clumio for monitoring and support.

  • PermissionsBoundaryARN: Specify a policy ARN to apply as a permissions boundary for all IAM roles created.

  • CreateClumioInventoryTopicEncryptionKey / ClumioInventoryTopicEncryptionKey: For encrypting SNS messages at rest, either create a new KMS key with the stack or provide an existing one. If providing an existing one, make sure the permissions are properly configured.

Step 5: Configure StackSet Options

  • Set Execution Configuration to Inactive to perform operations sequentially for better stability.

  • Under Capabilities, select the checkbox to acknowledge that the template creates IAM roles.

Step 6: Set Deployment Targets

You can deploy across the following:

  • The entire Organization

  • Specific Organizational Units (OUs)

  • A custom set of accounts

Recommendation

Enable Automatic Deployment to ensure the integration is deployed automatically to any new accounts added to the Organization or OUs.

Step 7: Specify Deployment Regions

  • Select all AWS regions where the integration should be deployed. For information about supported regions during onboarding, see Supported AWS regions.

Step 8: Set Deployment Options

Note the following important considerations:

  • Stack deployment typically takes 2 to 3 minutes per instance, depending on the configuration.

  • After deployment, Clumio may take from a few seconds to a few minutes to complete the setup for each account and region.

  • It is recommended to onboard accounts in small batches, prioritizing the most critical accounts first.

  • Review AWS StackSet limitations (that is, maximum concurrent operations and stack instances). For more information, see Understand CloudFormation quotas.

Recommendation

Once you have tested the template on a few sample accounts, increase concurrency to speed up deployments as much as possible.

Step 9: Review and Deploy

  1. Review all configuration settings.

  2. To initiate the StackSet creation, click Submit.

  3. Monitor deployment progress. Depending on the number of accounts, this could take several minutes to complete.
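
The console procedure in Steps 1 to 9 maps onto three AWS CLI calls. The script below is an added example, not code from Clumio or AWS; the StackSet name, template file name, the CLUMIO_* and CALL_AS variable names, and the choices of CAPABILITY_NAMED_IAM and RetainStacksOnAccountRemoval=false are assumptions. With DRY_RUN=1 it prints each command with parameter values redacted, so ClumioToken and RoleExternalId do not end up in terminal logs.

```shell
# Added example (not Clumio's code): CLI equivalent of console Steps 1-9.
# Assumed names: StackSet name, template file, CLUMIO_* and CALL_AS variables.
STACK_SET_NAME="${STACK_SET_NAME:-clumio-org-integration}"
TEMPLATE_FILE="${TEMPLATE_FILE:-clumio-template.yaml}"
CALL_AS="${CALL_AS:-SELF}"   # use DELEGATED_ADMIN from a delegated admin account

# DRY_RUN=1 prints the command, masking every ParameterValue, instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@" | sed 's/ParameterValue=[^ ]*/ParameterValue=<redacted>/g'
    printf '\n'
  else
    "$@"
  fi
}

# Steps 2-6: service-managed StackSet, sequential operations, auto-deploy to new accounts.
create_stack_set() {
  : "${CLUMIO_TOKEN:?set CLUMIO_TOKEN}" "${CLUMIO_EXTERNAL_ID:?set CLUMIO_EXTERNAL_ID}"
  run aws cloudformation create-stack-set \
    --stack-set-name "$STACK_SET_NAME" --call-as "$CALL_AS" \
    --template-body "file://$TEMPLATE_FILE" \
    --parameters \
      "ParameterKey=ClumioToken,ParameterValue=$CLUMIO_TOKEN" \
      "ParameterKey=RoleExternalId,ParameterValue=$CLUMIO_EXTERNAL_ID" \
    --capabilities CAPABILITY_NAMED_IAM \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --managed-execution Active=false
}

# Steps 6-8: first batch goes to one OU, one account at a time, stop on first failure.
deploy_instances() {   # usage: deploy_instances <ou-id> <region>...
  ou=$1; shift
  run aws cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET_NAME" --call-as "$CALL_AS" \
    --deployment-targets "OrganizationalUnitIds=$ou" \
    --regions "$@" \
    --operation-preferences MaxConcurrentCount=1,FailureToleranceCount=0
}

# Step 9: list stack instances that have not reached CURRENT, with the reason.
pending_instances() {
  run aws cloudformation list-stack-instances \
    --stack-set-name "$STACK_SET_NAME" --call-as "$CALL_AS" \
    --query "Summaries[?Status!='CURRENT'].[Account,Region,Status,StatusReason]" \
    --output text
}
```

When the commands run for real, the parameter values are still visible in the local process list while aws executes; passing `--parameters file://<params-file>` with a file readable only by the operator avoids that.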

Post-Deployment

  • Go to the Clumio Connections page and verify that all accounts appear connected.

(Optional) Onboarding the AWS Management Account

Due to AWS restrictions on Service-managed permissions, the management account is not automatically included in StackSet deployments.

To onboard the management account, perform the following steps:

  1. Create a new StackSet using the same template.

  2. Use Self-managed permissions.

  3. Target the management account specifically.

Updating Clumio Integration

Clumio proactively updates the CloudFormation Template (CFT) with new features, security patches, and refactoring for easier consumption. When updates are available, the Clumio Portal will display "Update available" next to your AWS accounts.

You have the following options for updating:

  • Individual Connections: Update individual connections directly from the Clumio Portal.

  • Full StackSet: To update the entire StackSet, follow the same steps outlined in "Setting up Clumio Integration in a New Organization," but instead of creating a new StackSet, update the existing one with the newer template retrieved from the API or UI.

Recommendation

Always test updates on a small subset of AWS accounts first, then deploy to the remaining accounts. This ensures that no conflicts occur with organizational policies such as Service Control Policies (SCPs) or other IAM restrictions.
