Manual setup for AWS account integration
This feature currently requires participation in our Early Access program. Customers can opt in by contacting support@clumio.com.
This article describes how to manually add your AWS account and configure the permissions required to deploy the Clumio service to perform backup and restore operations. For details about the permissions for each of the entities created below, refer to the Permissions file article.
- Log on to the Clumio platform and navigate to the AWS > Accounts page. Click Add AWS account to launch the wizard.
Note that the wizard only guides you through the Clumio configuration steps. You will need to log on to your AWS account console and manually configure the permissions that Clumio requires to protect your assets.
- Type in the ID of the AWS account to connect to Clumio and select an account region.
- Click Customize Assets to select specific assets from the list. All listed asset types are selected by default. Click Next.
- Clumio generates an external ID, which is displayed on this page. Make a note of this external ID: it is required when you create the roles and permissions in your AWS console. In addition to the external ID, Clumio also generates a permissions file based on the asset types you selected on the first page of the wizard. This file contains the IAM role, topic, and rule definitions that give Clumio permission to back up and restore your assets. Download the file and keep it at hand while you work in your AWS console.
Log on to your AWS console. The following steps describe how to create the topic, rules, and role in AWS using the information from the permissions file. We recommend that you create these items in the following order: Topics, Rules, and then Roles so that you can keep track of the ARN dependencies while creating these objects.
Create an SNS topic
This topic notifies Clumio services about any new events in your resource inventory.
- Navigate to your Amazon SNS console and select Topics from the left navigation panel.
- Click Create topic and select Standard as the topic type. Type a name for the topic or use the Clumio-provided name (“ClumioEventPub”) from the “topics” section of the Clumio permissions file.
- Create the topic and make a note of the ARN.
- Next, edit the topic you just created. Copy the policy_document string from the “topics” section in the permissions file, convert it to JSON format and paste in the JSON editor of the Access policy section of the topic. Replace the <<CLUMIOEVENTPUB>> placeholder in the JSON object with the ARN of the topic that you made a note of in the previous step. Save your changes.
Your topic file is now ready.
Create a rule
There are two rules in the Clumio permissions file. Make sure you copy the content from the same rule in the permissions file to the corresponding rule in your AWS account.
- Open your Amazon EventBridge console and select Rules from the left navigation panel.
- Click Create rule and type a name for the rule or use a Clumio-provided name (ClumioCloudtrailEventRule or ClumioCloudwatchEventRule) from the Clumio permissions file. Select Rule with an event pattern as the Rule type.
- Click Next and scroll down to the Creation method section, then select Custom pattern (JSON editor).
- Copy the “event_pattern” string from the rule in the Clumio permissions file, convert it to JSON format, and paste it into the editor. Click Next.
- On the Select targets page, select the AWS Service target type, then select SNS topic from the Select a target drop-down list, and select the name of the topic you created in the Create an SNS topic section. Click Next.
- The Configure tags step is optional as Clumio does not require you to create any tags. You can move to the final step to review the rule configuration information and create the rule.
- Make a note of the rule ARN.
Repeat these steps to create the second rule.
Create a role
There may be up to 3 roles in the permissions file (this may change if more asset types are supported in the future), depending on the asset types selected in the Clumio Add AWS account wizard. Be sure to copy the information for each role from the permissions file to the corresponding role in AWS. Do not mix them up, as this will cause errors.
When you create roles, create the asset-specific roles first (if the assets you selected require a role, the permissions file will contain those roles), and then create the base ClumioIAMRole and ClumioSupportRole roles.
- Open your IAM console and select Roles from the left navigation panel.
- Click Create role and select Custom trust policy as the Trusted entity type. Copy the relevant “trust_policy” string from the Clumio permissions file for the role that you are creating, convert it to JSON format, and paste it into the Custom trust policy editor. Replace the <<ROLEEXTERNALID>> placeholder text with the Clumio-generated external ID that you made a note of in step 4 above. Click Next.
- On the Role details page, type a name for the role or use the Clumio-provided name for the role from the permissions file.
- You can add permissions at this step by clicking Edit in the Add permission step, which opens the policy editor. When you add permissions while creating a role, you are adding a managed policy.
Each of the roles in the Clumio permissions file has one or more inline policies and some managed policies (refer to the AWS documentation for more information about these types of policies). Create the role, then edit that role to add the policies that contain the permissions Clumio needs to protect your assets.
- To create a managed policy, select Policies from the left navigation pane and click Create policy.
- Select JSON to open a JSON editor. Copy a managed policy string from the Clumio permissions file for the role you are creating, convert it to JSON format and paste it into the editor. Replace any placeholder text with the ARN for that entity.
- Click Review, type a name for the policy or use the Clumio-provided name from the permissions file. Click Create policy.
- Repeat this step to create all the managed policies required by that role.
Important: Make a note of each managed policy ARN you create for a role. These ARNs are required by some of the inline policies you create for the same role in the following steps.
- Select Roles from the left navigation pane, find the role you just created the policies for, and click to select it. On the role details page, in the Permissions policies section, click the Add permissions drop-down menu and select Attach policies.
- Use the filter to find the relevant policies, select them and click Add permissions. Repeat as necessary to add the rest of the policies to the role.
- To create inline policies, navigate to the Roles page and find the role you created. Click the role to view its details page. In the Permissions policies section, click the Add permissions drop-down menu and select Create inline policy.
- Select JSON to open a JSON editor. Copy the inline policy string from the Clumio permissions file, convert it to JSON format, and paste it into the editor. Replace any placeholders for managed policy ARNs with the appropriate ARN.
- Click Review, type a name for the policy or use the Clumio-provided name from the permissions file. Click Create policy.
Repeat these steps to create all the roles listed in the permissions file that are needed to deploy the Clumio service in your account.
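The placeholder substitution used in the Create an SNS topic and Create a role steps, as an added example that is not part of this article or of Clumio's tooling. It assumes the permissions file stores each policy as an escaped JSON string (the article says to "convert it to JSON format"); it fills the <<CLUMIOEVENTPUB>> and <<ROLEEXTERNALID>> tokens, refuses to produce a document that still contains an unfilled placeholder, and confirms that the rendered trust policy still conditions sts:AssumeRole on the external ID. The file fragment and the account number in it are constructed.

```python
import json
import re

# Constructed sample in the shape the article describes (layout assumed, not
# Clumio's real file): each section stores a policy as an escaped JSON string
# containing <<PLACEHOLDER>> tokens that must be replaced before use.
SAMPLE_PERMISSIONS_FILE = {
    "topics": {"ClumioEventPub": {"policy_document": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "events.amazonaws.com"},
                       "Action": "sns:Publish",
                       "Resource": "<<CLUMIOEVENTPUB>>"}]})}},
    "roles": {"ClumioIAMRole": {"trust_policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       # 111111111111 is a constructed placeholder account
                       "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                       "Action": "sts:AssumeRole",
                       "Condition": {"StringEquals": {
                           "sts:ExternalId": "<<ROLEEXTERNALID>>"}}}]})}},
}

PLACEHOLDER = re.compile(r"<<([A-Z0-9_]+)>>")


def render_policy(policy_string, values):
    """Fill every <<NAME>> token from `values`, then parse the result as JSON.
    Raises KeyError for a placeholder with no value, so an unfilled token is
    never pasted into the console by mistake."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder <<{name}>>")
        return values[name]
    return json.loads(PLACEHOLDER.sub(substitute, policy_string))


def trust_policy_requires_external_id(document, expected_external_id):
    """True only if every sts:AssumeRole statement is conditioned on the
    expected sts:ExternalId (the check that prevents a confused-deputy assume)."""
    statements = document["Statement"]
    for statement in statements:
        if statement.get("Action") != "sts:AssumeRole":
            continue
        condition = statement.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != expected_external_id:
            return False
    return bool(statements)
```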
After you create all of the required objects, make a note of their ARNs.
Return to the Clumio platform and resume the setup from the Add AWS account wizard.
- Enter the ARNs of each AWS entity in the relevant fields. Click Next.
- The Validate permissions page has a progress bar at the top that indicates Clumio is checking whether the required permissions have been granted. Once the validation is complete, the table displays the access granted to Clumio to perform inventory, backup, and restore operations on the selected assets. If a connection cannot be established, revisit the objects you created in your AWS account and verify that you have granted the required permissions.