Manual setup for AWS account integration

This page describes how to manually add your AWS account and configure the permissions required to deploy the Clumio service to perform backup and restore operations. For details about the permissions for each of the entities created below, see Permissions file details. For step-by-step information about how to use the Terraform provider to manually onboard your AWS accounts, see Manual onboarding process using Clumio Terraform provider.

  1. Log in to the Clumio platform and navigate to the AWS > Accounts page. Click Add AWS account to launch the wizard.

    Note

    The wizard only guides you through the Clumio configuration steps. You will need to log in to your AWS account console and manually configure the permissions that Clumio requires to protect your assets.

  2. Type in the ID of the AWS account to connect to Clumio and select an account region.

  3. Click Customize Assets to select specific assets from the list. All listed asset types are selected by default. Click Next.

  4. Clumio generates an external ID displayed on this page. Make a note of this external ID as it is required when you create the roles and permissions on your AWS console. In addition to the external ID, Clumio also generates a permissions file based on the asset types you selected on the first page of the wizard. This file contains the IAM role, topic, and rule definitions that give Clumio permission to back up and restore your assets. Download the file and have it ready to access when you are working in your AWS console.

Log on to your AWS console. The following steps describe how to create the topic, rules, and role in AWS using the information from the permissions file. We recommend that you create these items in the following order: Topics, Rules, and then Roles so that you can keep track of the ARN dependencies while creating these objects.

Create an SNS topic

This topic notifies Clumio services about any new events in your resource inventory.  

  1. Navigate to your Amazon SNS console and select Topics from the left navigation panel.

  2. Click Create topic and select Standard as the topic type. Type a name for the topic or use the Clumio-provided name (“ClumioEventPub”) from the “topics” section in the Clumio permissions file.

  3. Create the topic and make a note of the ARN.

  4. Next, modify the topic you just created. Copy the policy_document string from the “topics” section in the permissions file, convert it to JSON format, and paste it into the JSON editor of the Access policy section of the topic. Replace the <> placeholder in the JSON object with the ARN of the topic that you made a note of in the previous step. Save your changes.

Your topic file is now ready.

Create a rule

There are two rules in the Clumio permissions file. Make sure you copy the content from each rule in the permissions file to the corresponding rule in your AWS account.

  1. Open your Amazon EventBridge console and select Rules from the left navigation panel.

  2. Click Create rule and type a name for the rule or use a Clumio-provided name (ClumioCloudtrailEventRule or ClumioCloudwatchEventRule) from the Clumio permissions file. Select Rule with an event pattern as the Rule type.

  3. Click Next, scroll down to the Creation method section, and select Custom pattern (JSON editor).

  4. Copy the “event_pattern” string from the rule in the Clumio permissions file, convert it to JSON format, and paste it into the editor. Click Next.

  5. On the Select targets page, select the AWS Service target type, then select SNS topic from the Select a target drop-down list, and select the name of the topic you created in the Create SNS topic section. Click Next.

  6. The Configure tags step is optional as Clumio does not require you to create any tags. You can move to the final step to review the rule configuration information and create the rule.

  7. Make a note of the rule ARN.

Repeat these steps to create the other rules.

Create a role

Depending on the asset types selected in the Clumio Add AWS account wizard, the permissions file may contain several roles (this may change if more asset types are supported in the future). To avoid errors, carefully copy the correct information for each role from the permissions file to the corresponding role in AWS. Do not mix them up.

When you create roles, create asset-specific roles first. Then create the base ClumioIAMRole and ClumioSupportRole roles. (If the assets that you selected require roles, then the permissions file includes those roles.)

  1. Open your IAM console and select Roles from the left navigation panel.

  2. Click Create role and select Custom trust policy as the Trusted entity type. Copy the relevant “trust_policy” string from the Clumio permissions file for the role that you are creating, convert it to JSON format, and paste it into the Custom trust policy editor. Replace the <> placeholder text with the Clumio-generated external ID that you made a note of in step 4 above. Click Next.

  3. On the Role details page, enter a name for the role or use the Clumio-provided name from the permissions file.

  4. You can add permissions at this step by clicking Edit in the Add permission step. This opens the policy editor. When you add permissions while creating a role, you are adding a managed policy.

    Each role in the Clumio permissions file includes one or more Inline policies and some Managed policies (refer to AWS documentation for more information about these types of policies). Create the role, then modify it later to add policies that contain the necessary permissions for Clumio to protect your assets.

  5. To create a managed policy, select Policies from the left navigation pane and click Create policy.

  6. Select JSON to open a JSON editor. Copy a managed policy string from the Clumio permissions file for the role you are creating, convert it to JSON format, and paste it into the editor. Replace any placeholder text with the ARN for that entity.

  7. Click Review, then type a name for the policy or use the Clumio-provided name from the permissions file. Click Create policy.

  8. Repeat this step to create all the managed policies required by that role.

    Important

    Make a note of each managed policy ARN you create for a role. These ARNs are required by some of the inline policies you need to create for the same role in the following steps.

  9. Select Roles from the left navigation pane, find the role you just created the policies for, and click to select it. On the role details page, in the Permissions policies section, click the Add permissions drop-down menu and select Attach policies.

  10. Use the filter to find the relevant policies, select them, and click Add permissions. Repeat as needed to add the remaining policies to the role.

  11. To create inline policies, navigate to the Roles page and find the role you created. Click the role to view a details page. In the Permissions policies section, click the Add permissions drop-down menu and select Create inline policy.

  12. Select JSON to open a JSON editor. Copy the inline policy string from the Clumio permissions file, convert it to JSON format, and paste it into the editor.

    Replace any placeholders for managed policy ARNs with the appropriate ARN.

  13. Click Review, then type a name for the policy or use the Clumio-provided name from the permissions file. Click Create policy.

Repeat these steps to create all the roles listed in the permissions file that are needed to deploy the Clumio service in your account.
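The convert-and-replace step used for the trust policy in step 2 above (and, with a different replacement, for the SNS topic access policy) can be scripted and checked before pasting. This is an added example, not Clumio's code: it assumes each policy string is a JSON document serialized as a string, and the sample policy, principal ARN, and `<EXTERNAL_ID>` placeholder name are constructed for illustration.

```python
import json
import re

# Constructed sample: a trust policy serialized as a string, the way the page
# describes the "trust_policy" entries. The principal ARN and the <EXTERNAL_ID>
# placeholder name are hypothetical, not taken from a real permissions file.
SAMPLE_TRUST_POLICY = (
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Principal":{"AWS":"arn:aws:iam::111122223333:root"},'
    '"Action":"sts:AssumeRole",'
    '"Condition":{"StringEquals":{"sts:ExternalId":"<EXTERNAL_ID>"}}}]}'
)

# Any <...> token that survives substitution, including the bare <> form.
PLACEHOLDER = re.compile(r'<[^<>"]*>')

def render_policy(raw, replacements):
    """Substitute placeholders in a policy string, then parse it as JSON."""
    for name, value in replacements.items():
        raw = raw.replace(name, value)
    leftover = PLACEHOLDER.findall(raw)
    if leftover:
        raise ValueError(f"unreplaced placeholders: {sorted(set(leftover))}")
    return json.loads(raw)

def as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_problems(policy, external_id):
    """List Allow statements that grant sts:AssumeRole without pinning
    sts:ExternalId to exactly the expected value."""
    problems = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ids = as_list(cond.get("sts:ExternalId", []))
        if ids != [external_id]:
            problems.append(f"Statement[{i}]: sts:ExternalId is {ids!r}")
    return problems

if __name__ == "__main__":
    ext_id = "example-external-id"  # constructed value
    policy = render_policy(SAMPLE_TRUST_POLICY, {"<EXTERNAL_ID>": ext_id})
    print(json.dumps(policy, indent=2))  # paste this into the policy editor
    print(trust_policy_problems(policy, ext_id) or "trust policy OK")
```

A role whose trust policy reaches AWS with the placeholder still in place, or with no `sts:ExternalId` condition at all, is the failure this check is meant to catch before the role is created.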

Create SSM documents

  1. Open the Systems Manager console and, in the left navigation bar, scroll to the bottom to find the Documents menu item.

  2. Click Documents to launch the Systems Manager explorer.

  3. Click Create document.

  4. From the permissions file, expand the ssm_documents section to view a list of key-value pairs of the documents you need to create.

  5. Copy the name of the first SSM key-value pair and paste it in the name field on the Systems Manager > Create document page. Replace the <> string with the token that was generated when you connected your account.

  6. Expand the content of the SSM document in the permissions file, copy the content, and then paste it into the JSON content field.

Repeat these steps to create the remaining documents.

After you create the required objects, make a note of their ARNs.

On the Clumio platform

Return to the Clumio platform and resume the setup from the Add AWS account wizard.

  1. Enter the ARNs of each AWS entity in the relevant fields. Click Next.

  2. A progress bar at the top of the Validate permissions page indicates that Clumio is checking whether the required permissions are granted. Once the validation is complete, the table displays the access granted to Clumio to perform inventory, backup, and restore operations on the selected assets. If a connection cannot be established, revisit the Clumio objects you created in your AWS account and verify that the required permissions are enabled.
