You can configure a virtualization client (hypervisor) for Amazon Web Services (AWS) to use a separate Admin account for data protection operations.
This approach provides the following benefits:
Reduces the impact of backup operations and restore operations on tenant production accounts.
Minimizes the configuration required for tenant accounts.
Eliminates the need for tenants to deploy access nodes and MediaAgents in Amazon, reducing tenant costs.
Hides backup infrastructure from tenants.
Note: This feature was previously called "cross-account operations."
By using this feature, tenants in a managed services environment can access resources that are provided by a managed service provider (MSP) to support data protection operations. Similarly, groups within an organization can access shared resources from an AWS Admin account that provides infrastructure for data protection.
You can configure access to an Admin account in the CommCell Console or in the Command Center. Production accounts can use an Admin account for streaming backup operations, IntelliSnap backup operations, backup copy operations, and restore operations.
After you configure access to an Admin account, you can initiate operations from the tenant account, but the operations use resources such as access nodes and MediaAgents that are deployed in the Admin account.
Operations can use Windows and Linux access nodes, and can include Windows and Linux instances.
You must add JSON permissions to both Admin and Tenant accounts.
The admin account can use an access key and secret key for authentication, or an IAM role, or an STS assume role with IAM policy.
The tenant (user) account can use an access key and secret key, or an STS assume role with IAM policy, for authentication.
You cannot use replication/disaster recovery replication (from VMware to Amazon or from Amazon to Amazon) using resources that are in another account. For example, to replicate VMs to Account1, you must use the resources in Account1. You cannot use the resources in Account2.
To perform a HotAdd cross-vendor conversion to an AWS account, you cannot use an access node that is in another AWS account. For example, to perform cross-vendor conversion to Account1, the access node must be in Account1. You cannot use an access node in Account2.
When you perform a restore from a streaming backup or backup copy using a tenant account, volume tags are not restored.