Permissions for Forest Recovery in Cayosoft Guardian
Cayosoft Guardian uses multiple identities such as connection accounts and applications to access and manage your environment.
To add a subscription to Cayosoft Guardian for forest recovery, a connection account must be a member of the Global Admin role in this tenant. For more details about connection accounts, see Connection accounts in Guardian.
Microsoft Azure permissions
Create resources
Manage backups
| System or task | Permissions | Details |
|---|---|---|
| Create an Azure share for backups | Contributor role in the resource group | Create a resource group manually and only allow Cayosoft Guardian to create resources, such as Azure file shares, for backups. |
| Using an Azure blob storage in backup plans | Storage Blob Data Contributor role | Assign this role to an account used to add a new subscription under Cloud Services. Grants read, write, and delete access to blob data within the assigned subscription for backup and recovery purposes. |
Manage storage
| System or task | Permissions | Details |
|---|---|---|
| Azure Storage access | Enabled from all networks | Ensure network access is not restricted in Azure Storage Account settings to allow backup and recovery tasks. |
AWS permissions
To back up to S3 storage and create resources in AWS, Cayosoft Guardian requires an account with the following permissions:
Create resources
| System or task | Permissions | Details |
|---|---|---|
| Provision and manage EC2 instances for the recovery site | AmazonEC2FullAccess | Full access to EC2 instances for provisioning, managing, and recovering resources at the recovery site. |
| Create and managing AWS resources | AWSCloudFormationFullAccess | Automating the deployment of the recovery site using infrastructure-as-code templates and defining the infrastructure setup in CloudFormation stacks. |
| Run automation scripts for failover, configuration adjustments, and recovery tasks | AWSLambda_FullAccess | Full access to AWS Lambda to run automation scripts for handling instance failover, configuration adjustments, and other event-driven recovery tasks. |
| Create and manage IAM roles and policies | IAMFullAccess | Create and manage IAM roles and policies required for the recovery site's services and components. Assign necessary permissions to recovery resources (e.g., allowing EC2 instances to access S3 or SSM). |
| Organize recovery-related resources using tags and resource groups |
ResourceGroupsandTagEditor FullAccess |
Organize recovery-related resources using tags and resource groups. Automate tagging of new resources to maintain proper tracking and cost allocation. |
Manage backups
| System or task | Permission/Role |
Details |
|---|---|---|
| Store recovery site backups, logs, and configurations | AmazonS3FullAccess | Full access to Amazon S3 for storing recovery site backups, logs, and configurations. |
| Enable automated retrieval of backup data when initiating recovery | AmazonS3FullAccess | Retrieve backup data stored in S3 buckets when initiating recovery processes. |
| Automate recovery processes using AWS Systems Manager | AmazonSSMFullAccess | Full access to AWS Systems Manager to automate recovery processes, including instance management, patching, and configuration. |
NOTE: Cayosoft recommends creating a separate organization and accounts for instant forest recovery, so the service accounts can only access resources required for forest recovery, and do not have access to production workloads.
Comments
0 comments
Please sign in to leave a comment.