Workspace Backup and Restore Prerequisites
To backup and restore workspaces, check that the following prerequisites are satisfied.
AWS Backup Service Opt-in
Login to your AWS account and navigate to the AWS Backup Service console. Make sure the AWS region matches the region where you have your CML workspace. Click on Settings in the navigation pane, and in the Service opt-in table, ensure that EBS and EFS services are enabled for protection by the AWS Backup service, as shown here.
For additional information about this feature, see July 2022: Cloudera Customer Advisory: The new feature CML Backup and Restore on AWS requires changes to IAM permissions in their cross account roles (requires login).
AWS CDP Cross-Account Role Permissions
- Install the Backup IAM Policy. On the AWS console, navigate to the IAM service and click on . Click on the JSON tab, and replace the default text with the contents of the
following JSON file. (Click here to download the file)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "backup:*", "Resource": "*" }, { "Effect": "Allow", "Action": "backup-storage:*", "Resource": "*" }, { "Action": [ "elasticfilesystem:DescribeFilesystems", "elasticfilesystem:Backup", "elasticfilesystem:DescribeTags" ], "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*", "Effect": "Allow" }, { "Action": [ "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:describeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribePlacementGroups", "ec2:DescribeInstances", "ec2:DescribeTags" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource": "arn:aws:ec2:*::snapshot/*" }, { "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot", "ec2:CreateSnapshot" ], "Resource": [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Action": [ "ec2:DeleteSnapshot" ], "Effect": "Allow", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "backup.amazonaws.com" ] } } }, { "Action": [ "tag:GetTagKeys", "tag:GetTagValues", "tag:GetResources" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:ListRoles", "iam:GetRole" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/*" ], "Condition": { "StringLike": { "iam:PassedToService": "backup.amazonaws.com" } } }, { "Action": [ "kms:ListKeys", "kms:DescribeKey", "kms:GenerateDataKey", "kms:ListAliases" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "kms:CreateGrant" ], "Effect": "Allow", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": "aws:backup:backup-vault" }, "Bool": { "kms:GrantIsForAWSResource": true }, "StringLike": { "kms:ViaService": "backup.*.amazonaws.com" } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "backup.amazonaws.com" } } } ] }Save this policy as cml-backup-policy.
- Install the Restore Policy. On the AWS console, navigate to the IAM service and click on . Click on the JSON tab, and replace the default text with the
contents of the following JSON file. (Click here to download the file)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateVolume", "ec2:DeleteVolume" ], "Resource": [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*::snapshot/*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeSnapshots", "ec2:DescribeVolumes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:Restore", "elasticfilesystem:CreateFilesystem", "elasticfilesystem:DescribeFilesystems", "elasticfilesystem:DeleteFilesystem", "elasticfilesystem:TagResource" ], "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*" }, { "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource": "*", "Condition": { "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com", "elasticfilesystem.*.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } } } ] }Save this as cml-restore-policy.
- Set up the Trust Relationship. AWS Backup service needs to be able to assume the AWS
cross-account role that is used by the CDP control plane to manage AWS cloud resources. To
enable this, add the following trust relationship to your AWS cross-account role’s Trust
relationships (navigate to the IAM service console, then find your cross-account role by
clicking on Roles).
{ "Effect": "Allow", "Principal": { "Service": "backup.amazonaws.com" }, "Action": "sts:AssumeRole" } - Attach the Backup and Restore policies to the Cross-Account Role. While still on the
configuration page of your cross-account role in the IAM console, click on the
Permissions tab. Click Attach policies to attach
the
cml-backup-policyandcml-restore-policypolicies created above. This step ensures that the AWS Backup service will have the necessary permissions to call the EBS and EFS services on behalf of the cross-account role to manage backups.
