Overview
This article explains how to set up an Amazon EC2 instance for consistent snapshots for Windows.
Installing the SSM agent
SSM is an AWS service that allows for remote management of AWS resources. In this case, it will allow CloudRanger to send commands to an EC2 instance to perform actions like freezing all I/O operations and creating backups.
Some instances will have SSM enabled by default, such Windows Server 2016 and instances created from Windows Server 2003 - 2012 R2 AMI’s. The Amazon Linux AMI will also come with the SSM agent pre-installed. If your instance does not fall into these categories, please use the following link for instructions on how to get started.
How to install and configure the SSM agent for Windows and Linux instances:
http://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html
Granting instance permissions
The instance that will be performing consistent snapshots will need certain IAM permissions. When these are not granted it will not be able to create these backups. These permissions are granted by attaching an IAM role with these permissions to your instance(s).
For the instance’s SSM agent to be able to communicate with AWS, it will need certain permissions:
EC2MESSAGES:* (Needed for SSM)
SSM:UpdateInstanceInformation (Needed for SSM)
SSM:ListAssociations (Needed for SSM)
EC2:DescribeInstances (Needed for CloudRanger)
EC2:CreateSnapshot (Needed for CloudRanger)
EC2:CreateImage (Needed for CloudRanger)
CloudRanger will create these permissions in the form of an IAM role in your AWS environment as a part of the credential creation process. When you’ve successfully attached these permissions to your instance, it should show up in the AWS Console in the EC2 service under Managed instances. If you’re trying to back up an instance that doesn’t have these permissions attached, CloudRanger will do this for you if no role has already been attached to the instance.
The overall policy document should look like this (it’s not case sensitive):
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2messages:*", "ssm:updateinstanceinformation", "ssm:listassociations", "ec2:describeinstances", "ec2:createsnapshot", "ec2:createimage" ], "Effect": "Allow", "Resource": "*" } ] }
❗ Important
There may be issues during processing of VSS with older versions of PowerShell.
The version of the AWS tools for PowerShell is 3.3.221.0 and can be upgraded by installing it with
Install-Module -Name AWSPowerShell
To find out what version of PowerShell you are currently using please execute the following command:
Get-AWSPowerShellVersion