You can configure replication of AWS-encrypted snapshots of Amazon EC2 instances from the AWS Console.
For volumes encrypted with the AWS managed default EBS key, Commvault automatically re-encrypts the snapshots with a customer managed key (a custom-encrypted snapshot) and shares the re-encrypted snapshots with the destination account; this step is required because snapshots encrypted with the default AWS managed key cannot be shared with another account. If no key with the cvlt alias or tag is configured in the target region, the snapshots of default-encrypted volumes cannot be shared with the destination account. KMS keys are regional, so the key must exist in the region that the snapshots are replicated to.
Procedure
-
Log on to the AWS Console as a user associated with the access key and secret key or the IAM role that is configured for the Amazon EC2 client from which you will be sharing the snapshots.
-
In the ribbon, click Services.
-
Click IAM.
-
Click Users.
-
Select the required user, and then add the kms:ListResourceTags permission to the user's permission policy. For IAM role authentication, update the policy attached to the IAM role with the kms:ListResourceTags permission instead. Commvault uses this API call to discover which keys in the target region carry the cvlt-ec2 or cvlt-master tag.
-
In the ribbon, click Services.
-
Click Key Management Service.
-
Select the region to replicate the snapshots to.
-
To use a key, do one of the following:
-
To use an existing key, add either cvlt-ec2 or cvlt-master as a tag on the key. When a key is tagged cvlt-ec2, Commvault uses it for all EC2 volume snapshot replication. If no such key exists, any key tagged cvlt-master is used for encryption. If there is no key tagged cvlt-master either, the replicated volume snapshot is encrypted using the default Amazon encryption method.
-
To create a new key, click Create a key, and follow the instructions to create a key. Specify the alias as cvlt-ec2 or cvlt-master.
The precedence of keys is as follows: a key with the alias cvlt-ec2 has the highest precedence, followed by a key with the alias cvlt-master, followed by a key with the tag cvlt-ec2, with a key with the tag cvlt-master having the lowest precedence. An alias therefore always wins over a tag, even when the tag is cvlt-ec2 and the alias is cvlt-master. If none of these keys is found, the replicated volume snapshot is encrypted using the default Amazon Web Services encryption method.
-
If you used a key, verify that its key policy grants the user or IAM role whose permissions you updated the right to use the key. A principal that cannot use the key cannot re-encrypt the snapshot with it, and the replication falls back to the behavior described above for default-encrypted volumes.
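The following is an added example, not Commvault code, that lets you check the outcome of this procedure offline before running a replication. It applies the key precedence stated above to the data shapes returned by the AWS KMS ListAliases and ListResourceTags APIs (the latter is the call that needs the kms:ListResourceTags permission), and checks whether an IAM policy document grants that action, including wildcard actions such as kms:List* and explicit Deny statements. It assumes that "add cvlt-ec2 as a tag" means the tag key is cvlt-ec2 (the tag value is ignored), and that when several keys carry the same tag the lowest key ID is chosen for determinism; the page only says "any" such key is used. The alias, tag and policy data below are constructed for the example, and the key IDs are placeholders rather than real KMS key IDs. Aliases and tags are per region, so in practice you would feed it the responses from the destination region.

```python
"""Resolve which KMS key Commvault's documented precedence would select.

Added example, not Commvault code. Input shapes mirror what
kms.list_aliases()["Aliases"] and kms.list_resource_tags(KeyId=...)["Tags"]
return, so the functions can be fed live API responses or the constructed
samples below.
"""
import fnmatch

EC2_NAME = "cvlt-ec2"
MASTER_NAME = "cvlt-master"


def resolve_replication_key(aliases, tags_by_key_id):
    """Return (key_id, reason) for the key Commvault would use, or
    (None, "aws-default") when no cvlt alias or tag exists in the region.

    Precedence (from the procedure): alias cvlt-ec2, alias cvlt-master,
    tag cvlt-ec2, tag cvlt-master.
    aliases:        list of {"AliasName": "alias/<name>", "TargetKeyId": ...}
    tags_by_key_id: {key_id: [{"TagKey": ..., "TagValue": ...}, ...]}
    """
    alias_targets = {a["AliasName"]: a.get("TargetKeyId") for a in aliases}
    # KMS alias names are always prefixed with "alias/".
    for name in (EC2_NAME, MASTER_NAME):
        key_id = alias_targets.get(f"alias/{name}")
        if key_id:
            return key_id, f"alias {name}"
    # Assumption: the tag KEY is cvlt-ec2 / cvlt-master; value is ignored.
    # sorted() makes the choice deterministic when several keys carry the tag.
    for name in (EC2_NAME, MASTER_NAME):
        for key_id, tags in sorted(tags_by_key_id.items()):
            if any(tag.get("TagKey") == name for tag in tags):
                return key_id, f"tag {name}"
    return None, "aws-default"


def policy_allows(policy, action="kms:ListResourceTags"):
    """True if an IAM policy document grants `action`.

    Handles a single statement or a list, string or list Action fields,
    IAM's case-insensitive action matching and '*' / '?' wildcards, and
    lets an explicit Deny override any Allow. Resource and Condition are
    deliberately ignored: this only verifies that the action from the
    procedure was actually added to the policy.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]

    def matches(stmt):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                   for pattern in actions)

    if any(s.get("Effect") == "Deny" and matches(s) for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and matches(s) for s in statements)


# Constructed sample data (placeholder key IDs, not real KMS key IDs).
# Note the trap it illustrates: a cvlt-master ALIAS beats a cvlt-ec2 TAG.
SAMPLE_ALIASES = [
    {"AliasName": "alias/aws/ebs", "TargetKeyId": "1111-aws-managed"},
    {"AliasName": "alias/cvlt-master", "TargetKeyId": "2222-master"},
]
SAMPLE_TAGS = {
    "2222-master": [{"TagKey": "Owner", "TagValue": "backup"}],
    "3333-tagged": [{"TagKey": "cvlt-ec2", "TagValue": ""}],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "kms:ListResourceTags"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    key_id, reason = resolve_replication_key(SAMPLE_ALIASES, SAMPLE_TAGS)
    print(f"replication key: {key_id} ({reason})")
    print("policy grants kms:ListResourceTags:", policy_allows(SAMPLE_POLICY))
```

With live data, pass `kms.list_aliases()["Aliases"]` and a dict built from `kms.list_resource_tags(KeyId=k)["Tags"]` for each customer managed key in the destination region; if the principal lacks kms:ListResourceTags the second call raises AccessDeniedException, which is exactly the failure the permission step in the procedure prevents.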