
Create an AWS Access Role


Overview

This article provides an overview of linking your AWS account to Druva CloudRanger via an AWS access role. Druva CloudRanger offers an out-of-the-box Quick Setup approach to configure access to your AWS account. The CloudFormation stack allows you to provision the access role for your AWS environment.

Before you begin

Make sure that you are logged in to the AWS account for which you wish to configure the Access Role.


❗ Important

The CloudFormation template creates various resources in your AWS account and must be executed by a user with the following permissions:

  • IAM create role/policy

  • S3 create bucket

  • IAM create instance profile

  • SNS publish


Create AWS access role

The following steps describe how to create an IAM access role to grant CloudRanger access to your AWS account.

  1. Log in to your management console.

  2. Click Add New Account.


  3. Copy or download the CloudFormation template to manually create the stack and provision the access role for your AWS environment.

  4. Click Launch AWS Console to be automatically directed to the CloudFormation section of your AWS account.
    The details are pre-populated in the required sections.


📝 Note

If you are not redirected to the appropriate page, you can create a new stack from your AWS management console.

  • Navigate to the AWS CloudFormation console.

  • On the Stacks page, choose Create stack at top right, and then click With new resources (standard).


  5. Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box, and then click Create Stack to generate the CloudFormation stack.

  6. Refresh the stack until the Status reads CREATE_COMPLETE.


AWS Workloads (CloudRanger) then initiates a Sync with AWS to synchronize the Druva management console with your AWS environment. Once the synchronization is complete, all resources are highlighted with a green checkmark. This validates that your resources on AWS Workloads (CloudRanger) are now synchronized with your AWS account.


📝 Note

To whitelist an IAM role when adding a new CloudFormation stack template, you will need to specify a CloudRanger AccountID parameter (as an 8-digit alphanumeric value). If not specified, we will create this parameter for you and attach it to the IAM roles.

  • Naming convention for all new and updated roles:
    (arn:aws:iam::{aws_account_id}:role/cloudranger-orchestration-{account_id}) and
    (arn:aws:iam::{aws_account_id}:role/cloudranger-ec2-data-{account_id}).

  • No special characters are allowed for the CRAccountIdParameter.

  • All existing roles will be updated to follow this naming convention.

  • The CRAccountIdParameter specified here cannot be modified when updating the CF stack.

  • IAM roles cannot be whitelisted with stacksets since the CRAccountIdParameter needs to be unique.
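
The naming convention in this note can be checked mechanically after the stack is created. The Python below is an added example, not Druva code: it builds the two role ARNs the convention implies and flags cloudranger-* roles that do not match. The function names are hypothetical, "8-digit alphanumeric" is assumed to mean exactly 8 ASCII letters or digits, and the sample ARNs are constructed.

```python
import re

# Assumption: "8-digit alphanumeric" = exactly 8 ASCII letters or digits.
CR_ACCOUNT_ID_RE = re.compile(r"[A-Za-z0-9]{8}")
AWS_ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")  # AWS account IDs are 12 digits
ROLE_PREFIXES = ("cloudranger-orchestration-", "cloudranger-ec2-data-")


def expected_role_arns(aws_account_id, cr_account_id):
    """Build the two role ARNs the naming convention implies."""
    if not AWS_ACCOUNT_ID_RE.fullmatch(aws_account_id):
        raise ValueError("AWS account ID must be 12 digits")
    if not CR_ACCOUNT_ID_RE.fullmatch(cr_account_id):
        raise ValueError("CRAccountIdParameter must be 8 alphanumeric characters")
    return [f"arn:aws:iam::{aws_account_id}:role/{prefix}{cr_account_id}"
            for prefix in ROLE_PREFIXES]


def audit_roles(role_arns, aws_account_id, cr_account_id):
    """Compare role ARNs found in an account with the expected pair.

    Returns (missing, unexpected): expected ARNs that are absent, and
    cloudranger-* roles whose account or suffix does not match.
    """
    expected = set(expected_role_arns(aws_account_id, cr_account_id))
    found = set(role_arns)
    missing = sorted(expected - found)
    unexpected = sorted(
        arn for arn in found - expected
        if arn.split(":role/", 1)[-1].startswith(ROLE_PREFIXES)
    )
    return missing, unexpected


# Constructed sample: role ARNs as an IAM role listing might return them.
SAMPLE_ROLES = [
    "arn:aws:iam::111122223333:role/cloudranger-orchestration-ab12cd34",
    "arn:aws:iam::111122223333:role/cloudranger-ec2-data-zz99zz99",  # wrong suffix
    "arn:aws:iam::111122223333:role/unrelated-app-role",
]

if __name__ == "__main__":
    missing, unexpected = audit_roles(SAMPLE_ROLES, "111122223333", "ab12cd34")
    print("missing:", missing)
    print("unexpected:", unexpected)
```

A role reported as unexpected carries a different CRAccountIdParameter or belongs to another account, so an allow-list built from the expected pair would not cover it.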


Add new AWS accounts

You can add multiple AWS Accounts and manage them all from your integrated CloudRanger console.

  1. Log in to your Druva CloudRanger console and navigate to the Organization in which you wish to add one or more new accounts.

  2. Click Add New Account on the top right.

  3. Follow the same process as when creating your initial AWS Access Role.


📝 Note

You will need to generate a new CloudFormation stack for each AWS Account that you wish to manage on Druva CloudRanger.


Once the AWS account access is set up, the Last Access Status displays the appropriate status:

  • Latest: Indicates that the AWS access role is up to date.

  • Update: Indicates that the AWS access role needs to be updated. Click the link to update the CloudFormation template on your AWS console. For more information, see Update Existing AWS Access Roles.


📝 Note

To verify the access status with your AWS environment, select an Account and then click Verify AWS account access.

