Managing Backups as Code – Configuring IAM roles in Veeam Backup for AWS with AWS Lambda and CloudFormation

Among the cornerstones of Amazon Internet Services (AWS) guidelines is using a number of accounts to control your workloads. Dedicating accounts to particular sections or specific programs provides numerous advantages that increase agility actually, improve safety and streamline operations. This exercise helps operators stick to the basic principle of least privilege furthermore, whereby just a minimal group of privileges needed to perform a job are assigned to accountable users and solutions, and ideally, limited to the right time necessary to complete the task.

For clients using Veeam Backup for AWS to safeguard their AWS workloads, it is suggested to dedicate a merchant account to serve because the backup accounts. The backup accounts is where Veeam Back-up for AWS will be deployed and where Amazon Basic Storage Assistance (Amazon S3) buckets will be intended to store backup information. To gain access to other accounts to execute restores and backups, Veeam Back-up for AWS utilizes the AWS Safety Token Program to temporarily assume cross-account Identification and Access Administration (IAM) functions. This architecture enables Veeam to use and store backup information in an account that is completely independent and isolated from accounts that keep your production data.

The major requirement with this particular architecture would be to create IAM roles in each account you need to protect with Veeam. In a little environment with a small number of accounts, it is possible to create the roles and add them to Veeam yourself feasibly. But for a big organization where there could be hundreds of accounts maintained by multiple teams, the duty becomes more daunting. Fortunately, AWS provides many providers and equipment for simplifying duties like creating IAM functions in every your accounts, and these tools may be used with Veeam’s Sleep APIs to automate the procedure.

A solution for this situation was recently posted to VeeamHub , Veeam’s curated assortment of tasks on GitHub. The task is situated in the veeam-aws-cloudformation repository in the veeam-backup-aws folder.

It uses two standard AWS services to attain our objective of fabricating IAM roles in business associate accounts and automatically adding them to Veeam Back-up for AWS . Let’s examine the AWS solutions briefly to comprehend what they’re and how they’re used.

 <h2>          <span id="AWS_CloudFormation_and_Lambda-backed_custom_resources">     AWS CloudFormation and Lambda-backed custom assets     </span>          </h2>     

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-cloud-formation.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="330" height="330" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-cloud-formation.png" alt class="wp-image-156139 lazyload" loading="lazy" />          <img width="330" height="330" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-cloud-formation.png" alt class="wp-image-156139" data-eio="l" />          </a>          </figure>          </div>     

The foremost is AWS CloudFormation . CloudFormation will be AWS’s native infrastructure-as-program code (IaC) service that can help you design and provision AWS sources. For example, you can write a template that defines an Amazon Elastic Compute Cloud (Amazon EC2) example and all its attributes, then use CloudFormation to produce a fresh Amazon EC2 instance as specified within your template exactly. When CloudFormation deploys a template, the resources developed by the deployment are usually managed within a unit known as a stack. A stack may also be deployed into several accounts within an corporation making use of StackSets . We’ll look at StackSets in a little closer.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-lambda.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="330" height="330" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-lambda.png" alt class="wp-image-156153 lazyload" loading="lazy" />          <img width="330" height="330" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-lambda.png" alt class="wp-image-156153" data-eio="l" />          </a>          </figure>          </div>     

The second reason is AWS Lambda , a computing service that enables you to run code without operating a server. An integral feature of Lambda will be that functions run only once they’re invoked by a meeting. This actual way you don’t have to manage an operating-system to perform your code, and you don’t have to keep a server running at fine times to pay attention for events.

While CloudFormation enables you to provision AWS assets like Amazon EC2 Amazon and situations S3 buckets, it does not assistance third-party resources natively. However, AWS includes a way for CloudFormation to connect to third-party resources by means of custom made resources . In a nutshell, a custom reference is one where you define your personal provisioning logic to react to an event. A custom useful resource specifies a ongoing support token that references a source, such as for example an SNS subject or perhaps a Lambda function, that will handle the specific provisioning task.

This capability to invoke Lambda functions from CloudFormation custom resources is ideal for our use case:

 <ol>          <li>          <a href="https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">     Lambda works with a variety of vocabulary runtimes     </a>      that people can use to create a function to create REST API phone calls to Veeam Back-up      <em>     for AWS     </em>     . (This solution’s features are composed in Python.)     </li>     
 <li>     We are able to add custom sources to a template that defines our IAM functions in order that when our functions are created, the Lambda function will be invoked to include the roles to Veeam.     </li>     
 <li>     CloudFormation integrates with      <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">     AWS Organizations     </a>     , rendering it an easy task to create the IAM functions in organization associate accounts making use of StackSets.     </li>     

Given that we’ve reviewed the AWS providers and features the perfect solution is uses, let’s have a look at how it works.

 <h2>          <span id="How_it_works_-_Lambda_functions">     How it operates - Lambda features     </span>          </h2>     

You can find two components to the answer:

 <ol>          <li>     A stack in the back-up account which includes two Lambda features and a magic formula stored in AWS Strategies Manager. We’ll contact this the      <em>     Lambdas stack     </em>     .     </li>     
 <li>     A stack set which produces stacks in firm member accounts that induce IAM functions for Veeam. This stack includes the custom resources which will invoke our Lambda functions also. This is actually the      <em>     Functions stack     </em>     .     </li>     

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-cloudformation-lambda.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-cloudformation-lambda.png" alt class="wp-image-156167 lazyload" width="715" height="137" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/aws-cloudformation-lambda.png" alt class="wp-image-156167" width="715" height="137" data-eio="l" />          </a>          </figure>          </div>     

The Lambdas stack contains:

 <ol>          <li>     A Lambda functionality called      <em>     RandomExtIdLambda     </em>      that generates random strings. The random strings are accustomed to give each function a distinctive      <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">     exterior ID     </a>      in the role trust plan.     </li>     
 <li>     A Lambda functionality called      <em>     VeeamConfiguratorLambda     </em>      that utilizes data supplied by the custom reference to include an IAM part to Veeam Back-up      <em>     for AWS     </em>      utilizing the REST API.     </li>     
 <li>     A key containing admin-level consumer credentials for the Veeam Back-up      <em>     for AWS     </em>      system.     </li>     

 <h2>          <span id="Protecting_secrets">     Protecting techniques     </span>          </h2>     

Why the trick? For requests to be produced to the Veeam Back-up for AWS Relaxation API, litigant must authenticate with the API to authorize the demand. Since we will be adding IAM functions to the Veeam gaming console, the user account will need to have Portal Administrator rights. Storing this kind of credentials in plain textual content presents a severe risk of security and should be avoided anywhere.

Protecting sensitive secrets such as user credentials is strictly exactly what AWS Techniques Supervisor is made for, which is how the remedy accesses and shops credentials. The Lambdas stack will create a secret once the stack will be deployed to help keep the credentials from actually appearing in plain textual content. The stack is established once, an individual simply retrieves the trick from AWS Secrets Supervisor and uses the created credentials to generate an administrator accounts in the Veeam Back-up for AWS console.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/veeam-backup-aws-credentials.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/veeam-backup-aws-credentials.png" alt class="wp-image-156181 lazyload" width="715" height="479" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/veeam-backup-aws-credentials.png" alt class="wp-image-156181" width="715" height="479" data-eio="l" />          </a>          </figure>          </div>     

Additionally, the perfect solution is uses the lately released AWS Parameters and Secrets Lambda Extension to retrieve the credentials once the Veeam configurator function is invoked. This keeps the credentials secure and can make subsequent credential rotations achievable easily. For example, if you had been to rotate an individual credentials on the Veeam system, you’ll simply update the trick in AWS Secrets Supervisor with the brand new password, and next time the event is invoked, it could have legitimate credentials to accomplish its work – all without actually exposing them in basic textual content in a template or program code.

 <h2>          <span id="Network_considerations">     Network factors     </span>          </h2>     

Another consideration the answer accounts for is the way the REST API will be accessed. If the Veeam Sleep and console API is obtainable only from internal systems, as is typical for a data security option, the Veeam configurator functionality must operate within that system to help make the API phone calls. The event also needs usage of AWS Secrets Supervisor to gain access to the credentials also to Amazon S3 to deliver responses to CloudFormation.

Therefore, the Veeam configurator function is configured for connecting to an Amazon Virtual Private Cloud (Amazon VPC) , and the Lambdas stack creates a VPC endpoint for AWS Secrets Manager to provide the function private usage of the service. This enables the function to use inside a private network and satisfies security guidelines properly.

 <h2>          <span id="How_it_works_-_CloudFormation_StackSets">     How it operates - CloudFormation StackSets     </span>          </h2>     

The second element of the solution may be the Roles stack which contains:

 <ol>          <li>     An IAM function named      <em>     VeeamEc2Function     </em>      and related policies.     </li>     
 <li>     An IAM part called      <em>     VeeamWorkerRole     </em>     , associated plans, and an example profile because of this role.     </li>     
 <li>     A custom made resource for every role of type “Custom made::RandomExtIdGenerator” to generate exterior IDs.     </li>     
 <li>     A custom made resource for every role of type “Custom made::VeeamAwsConfigurator” which invokes the      <em>     VeeamConfiguratorLambda     </em>      functionality to add the function to Veeam Back-up      <em>     for AWS.     </em>          </li>     

As stated earlier, CloudFormation StackSets are accustomed to create these assets in the organization associate accounts. This can make the deployment procedure very straightforward and enables you to make use of the integration between AWS companies and CloudFormation.

For example, once you develop a stack set, you define a target where in fact the stacks will be created. The target could be either the entire company or an organizational device (OU), providing you control associated with where these roles will be created. You can even specify whether you need the stack to end up being deployed immediately or manually when a merchant account is put into the deployment target.

Finally, should any kind of changes have to be designed to these roles ever, such as for example adding permissions to aid new services in another release, it is possible to update the template with the added permissions and update the stack set to roll out there the changes to all or any accounts with reduced effort.

As soon as you create your stack place and define your deployment and target options, the roles will undoubtedly be created within the accounts and you will be put into the Veeam Backup for AWS console. Now you can get on Veeam Back-up for AWS and begin using these functions to generate backup policies.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/veeam-backup-for-aws-cloudformation-lambda.jpg" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/veeam-backup-for-aws-cloudformation-lambda.jpg" alt class="wp-image-156195 lazyload" width="723" height="335" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/veeam-backup-for-aws-cloudformation-lambda.jpg" alt class="wp-image-156195" width="723" height="335" data-eio="l" />          </a>          </figure>          </div>     

 <h2>          <span id="Conclusion">     Bottom line     </span>          </h2>     

Using native AWS companies with Veeam Relax APIs creates significant possibilities with regard to orchestration and automation. This solution is merely one example of everything you can accomplish once you manage your backups as program code and bring the energy of your platform alongside the energy of Veeam to create data protection safe and simple.

Lastly, please feel absolve to customize and adapt this treatment for suit your needs simply by forking the repo about GitHub . In the event that you include enhancements that you imagine would benefit the higher community, submit a pull request to really get your changes examined and merged back to the main repo.

%d bloggers like this: