Add the Amazon S3 Object Storage Repository with an AWS STS Assume Role with IAM Role Policy

To back up S3 buckets in different AWS accounts using an Amazon EC2 instance, add the Amazon S3 object storage repository with a security token service (STS) assume role. Use the Amazon EC2 instance on the source account which has the STS assume role permission on the second AWS account.

Procedure

1. From the navigation pane, go to Protect > Object storage.

   The Object storage page appears.

2. In the upper-right area of the page, click Add object storage.

   The Add object storage dialog box appears.

3. Click Amazon S3.

   The Add Amazon S3 Storage dialog box appears.

   The Configure Amazon S3 wizard appears.

4. On the Access Node tab of the wizard, select one or more Amazon EC2 instances or the server group of Amazon EC2 instances where the Cloud Apps package is installed, and then click Next.

   Note

   • The access nodes must be of similar operating system type.

   • All servers in the server group must be reachable through network routes.

5. On the Plan tab of the wizard, select the backup plan that you want to use for the object storage repository, and then click Next.

6. On the Add object storage tab of the wizard, complete the following steps:

   1. In the Object storage name box, enter a name for the repository.

   2. In the Host URL box, enter the Amazon S3 account URL, s3.amazonaws.com.

      To back up region-based data, enter the AWS service endpoint URL for the region in the format: s3.region.amazonaws.com.

      To back up Amazon S3 Express One Zone directory buckets:

      • Download the amazon_s3_express_one_zone_minimal_permissions.json file and use it on the AWS command line to apply the minimal permissions required by the IAM role to perform backups.

      • Enter the AWS service endpoint URL for Amazon S3 Express One Zone in the format: s3express-azid.region.amazonaws.com. For example, s3express-use1-az5.us-east-1.amazonaws.com.

        For more information about Available Zone IDs, see S3 Express One Zone Availability Zones and Regions.

   3. From the Authentication list, select STS assume role with IAM role.

   4. Do one of the following:

      • From the Credentials dialog box, select the credentials that you are going to use, and then click Next.

      • To add credentials to the Credential Manager, click the plus button (+).

        The Add Credential dialog box appears.

      • Enter the following information:

      • Credential name: Enter a name for the credentials that you are creating.

      • Role ARN: Enter the full IAM role Amazon Resource Name (ARN) of the cross account that includes the bucket that you want to back up.

      • Description: Enter a description of the credentials.

      • Click Save.

7. On the Backup Content tab of the wizard, complete the following steps:

   1. Click Add, and do one of the following:

      • To enter a custom path, click Custom path, and then enter the path for the content.

      • To browse for content, click Browse, and then select the content.

   2. To exclude some of the content you selected, move the Specify exclusion toggle key to the right, and then add the exclusion.

   3. To back up ACLs, move the Backup ACL toggle key to the right.

   4. Click Next.

8. On the Summary tab of the wizard, review the options, and then click Finish.