Overview
This article provides an overview of linking your AWS account to Druva CloudRanger via an AWS access role. Druva CloudRanger offers an out-of-the-box Quick Setup approach to configure access to your AWS account. The CloudFormation stack allows you to provision the access role for your AWS environment.
Before you begin
Make sure that you are logged into the AWS account for which you wish to configure the Access Role.
Important
The CloudFormation template creates various resources in your AWS account and must be executed by a user with the following permissions:
IAM create role/policy
S3 create bucket
IAM create instance profile
SNS publish
Create AWS access role
The following steps describe how to create an IAM access role to grant CloudRanger access to your AWS account.
Log in to your management console.
Click Add New Account.
Copy or download the CloudFormation template to manually create the stack and provision the access role for your AWS environment.
Click Launch AWS Console to be automatically directed to the CloudFormation section of your AWS account.
The details are pre-populated in the required sections.
Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box, and then click Create Stack to generate the CloudFormation stack.
Refresh the stack until the Status reads CREATE_COMPLETE.
CloudRanger then initiates a Sync with AWS to synchronize with your AWS environment. Once the synchronization is complete, all resources are highlighted with a green checkmark. This validates that your resources on CloudRanger are now synchronized with your AWS account.
Note
To whitelist an IAM role when adding a new CloudFormation stack template, you will need to specify a CloudRanger AccountID parameter (as an 8-digit alphanumeric value). If not specified, we will create this parameter for you and attach it to the IAM roles.
Naming convention for all new and updated roles:
arn:aws:iam::{aws_account_id}:role/cloudranger-orchestration-{account_id} and
arn:aws:iam::{aws_account_id}:role/cloudranger-ec2-data-{account_id}
No special characters are allowed for the CRAccountIdParameter.
All existing roles will be updated to follow this naming convention.
The CRAccountIdParameter specified here cannot be modified when updating the CF stack.
IAM roles cannot be whitelisted with stacksets since the CRAccountIdParameter needs to be unique.
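Added example (not part of Druva's documentation or tooling): a pre-deployment check that validates each planned CRAccountIdParameter and derives the two role ARNs from the naming convention above, so they can be reviewed before being whitelisted. It assumes "8-digit alphanumeric" means exactly 8 letters or digits and that "unique" means no value is shared between deployments; the function names and sample IDs are constructed.

```python
import re
from collections import Counter

# Assumption: "8-digit alphanumeric" is read as exactly 8 ASCII letters/digits.
CR_ID_RE = re.compile(r"[A-Za-z0-9]{8}")
AWS_ID_RE = re.compile(r"[0-9]{12}")  # AWS account IDs are 12 digits
ROLE_PREFIXES = ("cloudranger-orchestration", "cloudranger-ec2-data")


def expected_role_arns(aws_account_id, cr_account_id):
    """Return the two role ARNs produced by the page's naming convention."""
    if not AWS_ID_RE.fullmatch(aws_account_id):
        raise ValueError(f"invalid AWS account ID: {aws_account_id!r}")
    if not CR_ID_RE.fullmatch(cr_account_id):
        raise ValueError(f"invalid CRAccountIdParameter: {cr_account_id!r}")
    return [f"arn:aws:iam::{aws_account_id}:role/{prefix}-{cr_account_id}"
            for prefix in ROLE_PREFIXES]


def plan_allow_list(deployments):
    """deployments: list of (aws_account_id, cr_account_id) pairs.

    Returns (arns, problems). A reused CRAccountIdParameter is reported
    for every deployment that shares it, and no ARN is emitted for those.
    """
    counts = Counter(cr_id for _, cr_id in deployments)
    arns, problems = [], []
    for aws_id, cr_id in deployments:
        if counts[cr_id] > 1:
            problems.append(f"{aws_id}: CRAccountIdParameter {cr_id} is reused")
            continue
        try:
            arns.extend(expected_role_arns(aws_id, cr_id))
        except ValueError as exc:
            problems.append(f"{aws_id}: {exc}")
    return arns, problems


# Constructed sample input; none of these IDs come from a real account.
SAMPLE = [
    ("111111111111", "ab12cd34"),
    ("222222222222", "zz99yy88"),
    ("333333333333", "zz99yy88"),  # same value as the previous entry
    ("444444444444", "bad-id!!"),  # special characters are not allowed
]

if __name__ == "__main__":
    arns, problems = plan_allow_list(SAMPLE)
    print("\n".join(arns + problems))
```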
Add new AWS accounts
You can add multiple AWS Accounts and manage them all from your integrated CloudRanger console.
Log into your Druva CloudRanger console and navigate to the Organization in which you wish to add one or more new accounts.
Click Add New Account on the top right.
Follow the same process as when creating your initial AWS Access Role.
Note
You will need to generate a new CloudFormation stack for each AWS Account that you wish to manage on Druva CloudRanger.
Once the AWS account access is set up, the Last Access Status displays the appropriate status:
Latest: Indicates that the AWS access role is up to date.
Update: Indicates that the AWS access role needs to be updated. Click the link to update the CloudFormation template on your AWS console. For more information, see Update Existing AWS Access Roles.
Note
To verify the access status with your AWS environment, select an Account and then click Verify AWS account access.
Configure Multiple AWS Accounts
AWS StackSet is a powerful tool that brings a dynamic and customizable approach to multi-account management, with enhanced flexibility and control, ensuring a seamless experience for managing multiple AWS accounts with ease.
Benefits of AWS StackSet
Improved Flexibility: With AWS StackSet, customers gain enhanced control over account configuration and management. You can now customize the account provisioning process to suit your organization's specific needs, ensuring a tailored onboarding experience.
Streamlined Deployment: AWS StackSet allows you to deploy and manage infrastructure, AWS resources, and configurations across multiple accounts and regions with ease. This simplifies the process of maintaining consistency and standardization throughout your AWS environment.
Simplified Account Management: Transitioning to AWS StackSet means you can continue to maintain governance and compliance policies across all your accounts, just as you did with AWS Control Tower. The StackSet framework enables you to enforce guardrails, implement security measures, and ensure compliance effortlessly.
Integration with Existing Services: AWS StackSet seamlessly integrates with various AWS services, such as AWS Identity and Access Management (IAM), AWS Organizations, AWS Config, and AWS CloudTrail, providing you with comprehensive control and monitoring capabilities.
Procedure
To add multiple AWS accounts:
Log into your Druva CloudRanger console and navigate to the Organization in which you wish to add new accounts.
Click Add New Account on the top right.
Copy or download the CloudFormation template to manually create the stack and provision the access role for your AWS environment.
Click Launch AWS Console to be automatically directed to the CloudFormation section of your AWS account.
Click StackSets on the left navigation menu and then click Create StackSet.
Note
The Stack Names must be unique if you wish to link more than one CloudRanger account to the same AWS account.
The CRAccountIdParameter specified here cannot be modified when updating the CF stack.
Select the Upload a template file option if you have downloaded the CloudFormation template in the previous step.
Alternatively, you may copy the CloudFormation URL and paste this into Amazon S3 template URL.
Click Next.
Specify the AWS Account numbers to be configured with Druva CloudRanger via the CloudFormation StackSet.
Alternatively, you may upload a .csv file with the account numbers listed.
Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box, and then click Submit to generate the CloudFormation StackSet.
Refresh the StackSet until the Status reads CREATE_COMPLETE.
Once the AWS account access is set up, the Last Access Status displays the appropriate status, as described previously.
Note
IAM roles cannot be whitelisted with stacksets since the CRAccountIdParameter needs to be unique.