
Configuring Replication of AWS-Encrypted Snapshots with IntelliSnap for Amazon

You can configure replication of AWS-encrypted snapshots from the AWS Console.

AWS supports cross-account snapshot sharing for non-encrypted volumes and for custom-encrypted volumes (volumes encrypted with a customer-managed KMS key). Snapshots of default-encrypted volumes (volumes encrypted with the AWS-managed default key) cannot be shared with another account as they are. For default-encrypted volumes, if the cvlt keys or tags are configured, Commvault automatically converts the snapshots to custom-encrypted snapshots (encrypted with the cvlt key) and shares them with the other account. If the cvlt keys or tags are not configured, the snapshots of default-encrypted volumes cannot be shared with another account.

Procedure

  1. Log in to the AWS Console as the user that is associated with the access key and secret key, or with the IAM role, that is configured for the Amazon client from which you will share the snapshots.
  2. From the AWS Console ribbon, click Services.
  3. Click IAM.
  4. Click Users.
  5. Select the required user, and then add the kms:ListResourceTags permission to the permission policy.

    For an IAM role, the policy attached to the role must be updated with the kms:ListResourceTags permission.

  6. From the AWS Console ribbon, click Services.
  7. Click Key Management Service.
  8. Select the required destination region.
  9. To use a key, do one of the following:
    • If you want to use an existing key, add either cvlt-ec2 or cvlt-master as a tag to the key.

      When you tag a key with cvlt-ec2, Commvault uses it for all EC2-specific snapshot replication of volumes. If no such key exists, a key tagged with cvlt-master is used for encryption.

      If there is no key tagged with cvlt-master either, the replicated volume snapshot is encrypted using the default encryption method of Amazon.

    • If you want to create a new key, click Create a key and follow the instructions to create the key in the destination region selected in step 8.

      Specify the alias as cvlt-ec2 or cvlt-master.

      A key with the alias cvlt-ec2 takes precedence over a key with the alias cvlt-master.

      Note:

      • The following order of precedence is observed when selecting a key:
        A key with the alias cvlt-ec2 has the highest precedence, followed by a key with the alias cvlt-master, followed by a key tagged with cvlt-ec2, with a key tagged with cvlt-master having the lowest precedence. If none of these keys is found, the replicated volume snapshot is encrypted using the default encryption method of Amazon.
      • Verify that the user or IAM role whose permissions you updated in step 5 is allowed to use the key, that is, that the key policy lists it as a key user. Without that, the permission added in step 5 lets Commvault find the key but not encrypt with it.
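The key-selection rule in the note above, together with the inventory lookup it depends on, as an added example written for this article (it is not Commvault's code and does not show how IntelliSnap itself resolves the key). It uses Python with the boto3 KMS client method names and response shapes (list_aliases, list_keys, describe_key, list_resource_tags); a constructed in-memory stand-in for that client, FakeKms, is embedded so the script runs offline. Two details the page does not specify are assumptions: a key "tagged with cvlt-ec2" is treated as a match whether the marker is the tag key or the tag value, and keys whose state is not Enabled (disabled, pending deletion) are skipped. AWS-managed keys are skipped because their snapshots cannot be shared across accounts.

```python
"""Resolve which KMS key the documented cvlt precedence selects in the destination
region, and build the key inventory that decision needs.

Added example for this article, not Commvault's implementation. Assumptions:
  * "tagged with cvlt-ec2" matches if the marker is the tag key OR the tag value;
  * keys whose KeyState is not "Enabled" are skipped;
  * AWS-managed keys (KeyManager == "AWS") are ignored.
"""
from dataclasses import dataclass, field
from typing import Optional

MARKERS = ("cvlt-ec2", "cvlt-master")   # in order of precedence


@dataclass
class KmsKey:
    key_id: str
    state: str = "Enabled"                     # KeyMetadata.KeyState from DescribeKey
    aliases: tuple = ()                        # alias names without the "alias/" prefix
    tags: dict = field(default_factory=dict)   # TagKey -> TagValue from ListResourceTags


@dataclass
class Decision:
    key: Optional[KmsKey]   # None means "fall back to Amazon's default encryption"
    tier: str               # the rule that won: "alias cvlt-ec2", ..., or "aws-default"
    contenders: list        # every key matching the winning tier; >1 means the pick is ambiguous


def _has_tag(key: KmsKey, marker: str) -> bool:
    return marker in key.tags or marker in key.tags.values()   # assumption, see docstring


def resolve_replication_key(keys) -> Decision:
    """alias cvlt-ec2 > alias cvlt-master > tag cvlt-ec2 > tag cvlt-master > AWS default."""
    usable = [k for k in keys if k.state == "Enabled"]
    tiers = [(f"alias {m}", lambda k, m=m: m in k.aliases) for m in MARKERS]
    tiers += [(f"tag {m}", lambda k, m=m: _has_tag(k, m)) for m in MARKERS]
    for name, matches in tiers:
        hits = [k for k in usable if matches(k)]
        if hits:
            return Decision(hits[0], name, hits)
    return Decision(None, "aws-default", [])


def _paginate(call, result_key, **kwargs):
    """Walk KMS Marker/NextMarker/Truncated pagination for the list_* calls."""
    marker = None
    while True:
        resp = call(**kwargs, Marker=marker) if marker else call(**kwargs)
        yield from resp[result_key]
        if not resp.get("Truncated"):
            return
        marker = resp["NextMarker"]


def collect_key_inventory(kms) -> list:
    """Build KmsKey records from a KMS client bound to the destination region.
    Needs kms:ListAliases, kms:ListKeys, kms:DescribeKey and kms:ListResourceTags
    (the last one is the permission the procedure above adds)."""
    aliases = {}
    for a in _paginate(kms.list_aliases, "Aliases"):
        if "TargetKeyId" in a:   # some AWS-managed aliases have no target key yet
            aliases.setdefault(a["TargetKeyId"], []).append(a["AliasName"][len("alias/"):])
    inventory = []
    for k in _paginate(kms.list_keys, "Keys"):
        meta = kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
        if meta.get("KeyManager") != "CUSTOMER":
            continue
        tags = {t["TagKey"]: t["TagValue"]
                for t in _paginate(kms.list_resource_tags, "Tags", KeyId=k["KeyId"])}
        inventory.append(KmsKey(k["KeyId"], meta["KeyState"], tuple(aliases.get(k["KeyId"], ())), tags))
    return inventory


class FakeKms:
    """Constructed offline stand-in for boto3's KMS client (same method names and
    response shapes); use boto3.client("kms", region_name=<destination>) for real runs."""
    KEYS = {
        "k-master": {"KeyState": "Enabled", "KeyManager": "CUSTOMER", "tags": {"Owner": "backup"}},
        "k-tagged": {"KeyState": "Enabled", "KeyManager": "CUSTOMER", "tags": {"Role": "cvlt-ec2"}},
        "k-stale": {"KeyState": "PendingDeletion", "KeyManager": "CUSTOMER", "tags": {}},
        "k-aws-ebs": {"KeyState": "Enabled", "KeyManager": "AWS", "tags": {}},
    }
    ALIASES = [
        {"AliasName": "alias/cvlt-master", "TargetKeyId": "k-master"},
        {"AliasName": "alias/cvlt-ec2", "TargetKeyId": "k-stale"},
        {"AliasName": "alias/aws/ebs", "TargetKeyId": "k-aws-ebs"},
    ]

    def list_aliases(self, **_):
        return {"Aliases": self.ALIASES, "Truncated": False}

    def list_keys(self, **_):
        return {"Keys": [{"KeyId": kid} for kid in self.KEYS], "Truncated": False}

    def describe_key(self, KeyId):
        m = self.KEYS[KeyId]
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": m["KeyState"], "KeyManager": m["KeyManager"]}}

    def list_resource_tags(self, KeyId, **_):
        return {"Tags": [{"TagKey": k, "TagValue": v} for k, v in self.KEYS[KeyId]["tags"].items()],
                "Truncated": False}


if __name__ == "__main__":
    decision = resolve_replication_key(collect_key_inventory(FakeKms()))
    print(decision.tier, decision.key.key_id if decision.key else "(none)",
          "AMBIGUOUS" if len(decision.contenders) > 1 else "")
```

In the constructed inventory the key tagged cvlt-ec2 loses to the key with the alias cvlt-master, which is the point of the precedence list: an alias always outranks a tag. The key carrying the alias cvlt-ec2 is pending deletion and is therefore skipped under the stated assumption. Aliases are unique within a region, but several keys can carry the same tag; the contenders field flags that case, and the safe practice is to tag exactly one key per marker in the destination region.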

Last modified: 5/16/2019 11:01:27 AM