AWS Elastic Disaster Recovery (DRS) Cross Account & Cross Region Configuration & Authentication Failed

0

Dear all,

This is the first time I have used the AWS DRS service. I want to configure DRS between two AWS accounts. I tried my best and also asked friends to help, but still cannot fix the problem.

Information:
Account A: Stockholm region (source instances are here)
Account B: HK region (staging and recovery subnets are here)

I followed the last diagram in the below URL to build the VPC and use VPC peering: https://docs.aws.amazon.com/drs/latest/userguide/Network-diagrams.html

(1) AWSElasticDisasterRecoveryEC2InstancePolicy sts permission denied

First of all, I need to install the replication agent on the source EC2 instance. I tried to follow the steps in the post below to create the role: https://aws.amazon.com/blogs/storage/securely-installing-aws-replication-agent-using-aws-security-token-service/

I created a role with the policy "AWSElasticDisasterRecoveryEC2InstancePolicy" in Account B, and created a role in Account A to assume it (this is the first time I have created a cross-account role, so I am not sure whether my settings are correct; if anything is wrong, please correct me).

  1. Create the role "DRS_SourceEC2" in Account B (HK region); below is the setting in the "Trust Relationships" tab:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account A ID>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
  2. Create the role "AssumeRoleDRS_SourceEC2" with the below inline policy in Account A (Stockholm region):
{
	"Version": "2012-10-17",
	"Statement": {
		"Effect": "Allow",
		"Action": "sts:AssumeRole",
		"Resource": "arn:aws:iam::<Account B ID>:role/DRS_SourceEC2"
	}
}
  3. On the source EC2 instance (OS is Windows), create the ".aws" folder and the "config" file: C:\Users\Administrator\.aws\config
[profile AssumeRoleDRS_SourceEC2]
role_arn = arn:aws:iam::<Account A ID>:role/AssumeRoleDRS_SourceEC2
credential_source = Ec2InstanceMetadata

When I execute AwsReplicationWindowsInstaller.exe, I input the region "ap-east-1", and then it asks for the access key; but according to the blog post, if the assume role succeeds, it should not ask for an access key.

I searched the internet and used a command to call STS manually, but it showed permission denied and was not able to get the access key, secret access key and token. Finally, I added the AWSElasticDisasterRecoveryAgentInstallationPolicy to the role and tested again; it was then able to get the temporary access key, secret access key and token. I input this information and it was able to install the agent, but these credentials will expire.

(2) DRS Authentication Failed

I used another EC2 instance to test. I created a user, attached AWSElasticDisasterRecoveryAgentInstallationPolicy, and used the user's access key and secret access key to install the agent. Then I saw both EC2 instances appear in the DRS console, but both failed the replication initiation steps at step 4: Authenticate with service.

The DRS interface endpoint is created in Account B (HK region). I modified the NACL and security group to allow all TCP traffic between the two VPC CIDRs, but it still failed at the authentication step.

I don't know how to fix the two problems above... Please share your ideas and experience, many thanks!

1 Answer
0

The issues you're facing with the AWS Elastic Disaster Recovery (DRS) cross-account and cross-region configuration and authentication are not uncommon. Let's address each problem step by step:

  1. AWSElasticDisasterRecoveryEC2InstancePolicy sts permission deny:

    • The issue with the AWSElasticDisasterRecoveryEC2InstancePolicy not allowing the STS permission is likely due to a misconfiguration in the trust policy of the DRS_SourceEC2 role.
    • Double-check the trust policy of the DRS_SourceEC2 role in Account B. The trust policy should allow the sts:AssumeRole action for the principal (the IAM user or role) in Account A that will be assuming the role.
    • Ensure that the AssumeRoleDRS_SourceEC2 role in Account A has the correct permissions to assume the DRS_SourceEC2 role in Account B.
    • You can also try adding the sts:AssumeRole permission to the AWSElasticDisasterRecoveryEC2InstancePolicy to troubleshoot this issue.
  2. DRS Authentication Failed:

    • The authentication failure in the DRS console is likely due to a network or permission issue between the two accounts.
    • Ensure that the VPC peering connection between the two accounts is properly configured and that the necessary routing tables and security group rules are in place to allow communication between the source and target VPCs.
    • Check the network ACLs (NACLs) and security groups to ensure they are not blocking the necessary communication between the accounts.
    • Verify that the IAM user or role you're using to install the DRS agent has the necessary permissions, including the AWSElasticDisasterRecoveryAgentInstallationPolicy.
    • Try using the AWS CLI or AWS SDK to perform the DRS agent installation and see if you can get more detailed error messages or logs that might help identify the root cause.

To further troubleshoot these issues, you can try the following steps:

  1. Simplify the setup:

    • Start with a simpler setup, such as configuring DRS within a single AWS account and a single region.
    • Once you have a working setup in a single account, gradually introduce the cross-account and cross-region components to identify where the issues are occurring.
  2. Verify the IAM roles and policies:

    • Carefully review the IAM roles and policies you've created, ensuring that the trust policies and permissions are configured correctly.
    • Consider using the AWS CLI or AWS SDK to programmatically validate the IAM roles and policies.
  3. Enable enhanced logging and debugging:

    • Enable enhanced logging and debugging for the DRS agent installation and the DRS service itself to obtain more detailed error messages and troubleshooting information.
    • Review the CloudTrail logs and CloudWatch logs for any relevant error messages or events that might provide more insight into the issues.
  4. Engage with AWS Support:

    • If you continue to face challenges, consider reaching out to AWS Support for assistance. They may be able to provide more specific guidance or escalate the issue to the appropriate engineering teams.

By following these troubleshooting steps and thoroughly validating your configurations, you should be able to resolve the issues you're facing with the DRS cross-account and cross-region setup.

AWS
JonQ
answered 6 days ago
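The three-step setup in the question (trust policy on the role in Account B, inline AssumeRole policy on the instance role in Account A, config profile on the source instance) and the answer's suggestion to validate the IAM roles and policies programmatically both reduce to one consistency check across those three artefacts. The following is an added example, not code from the question, the answer or AWS: it parses the three artefacts offline and reports where the chain breaks. The account IDs and the two sample profiles are constructed placeholders; the only AWS behaviour it relies on is that a role's trust policy must grant sts:AssumeRole to the calling account, and that a profile with credential_source = Ec2InstanceMetadata makes the SDK assume whatever role_arn names, so role_arn has to be the Account B role rather than a role in the source account.

```python
"""Offline consistency check for the cross-account AssumeRole chain: trust policy on the
Account B role, AssumeRole policy on the Account A instance role, and the ~/.aws/config
profile on the source instance. Account IDs are constructed placeholders."""
import configparser
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_role_arn(arn):
    """Return (account_id, role_name) for an IAM role ARN, else raise ValueError."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1), m.group(2)


def _as_list(value):
    """IAM JSON lets Statement, Action, Resource and Principal.AWS be scalar or list."""
    return value if isinstance(value, list) else [value]


def _allows_assume_role(stmt):
    return stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", []))


def trusted_accounts(trust_policy):
    """Account IDs whose principals the trust policy lets call sts:AssumeRole."""
    accounts = set()
    for stmt in _as_list(trust_policy["Statement"]):
        if not _allows_assume_role(stmt):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in _as_list(aws):
            m = re.match(r"^arn:aws:iam::(\d{12}):", p)
            if m:
                accounts.add(m.group(1))
            elif re.fullmatch(r"\d{12}", p):  # bare account-ID principal
                accounts.add(p)
    return accounts


def assumable_roles(identity_policy):
    """Role ARNs an identity (permissions) policy allows sts:AssumeRole on."""
    roles = set()
    for stmt in _as_list(identity_policy["Statement"]):
        if _allows_assume_role(stmt):
            roles.update(_as_list(stmt.get("Resource", [])))
    return roles


def profile_role_arn(config_text, profile):
    """role_arn of a ~/.aws/config profile that takes base credentials from instance metadata."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(config_text)
    section = cp[f"profile {profile}"]
    if section.get("credential_source") != "Ec2InstanceMetadata":
        raise ValueError("profile must set credential_source = Ec2InstanceMetadata")
    return section["role_arn"]


def check_chain(source_account, instance_policy, config_text, profile,
                target_role_arn, target_trust_policy):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    # 1. The instance role in Account A must be allowed to assume the target role.
    if target_role_arn not in assumable_roles(instance_policy):
        findings.append(f"instance policy does not allow sts:AssumeRole on {target_role_arn}")
    # 2. With credential_source = Ec2InstanceMetadata the SDK assumes whatever role_arn
    #    names, so the profile must name the Account B role, not a role in Account A.
    cfg_arn = profile_role_arn(config_text, profile)
    if cfg_arn != target_role_arn:
        cfg_account, _ = parse_role_arn(cfg_arn)
        where = "the source account itself" if cfg_account == source_account else f"account {cfg_account}"
        findings.append(f"profile role_arn {cfg_arn} points at {where}, expected {target_role_arn}")
    # 3. The target role's trust policy must trust Account A, or STS answers AccessDenied.
    if source_account not in trusted_accounts(target_trust_policy):
        findings.append(f"trust policy of {target_role_arn} does not trust account {source_account}")
    return findings


# Constructed sample input mirroring the question's three artefacts (placeholder account IDs).
ACCOUNT_A = "111111111111"   # source instances (Stockholm in the question)
ACCOUNT_B = "222222222222"   # staging and recovery (HK in the question)
TARGET_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/DRS_SourceEC2"
TRUST_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
     "Action": "sts:AssumeRole", "Condition": {}}]}
INSTANCE_POLICY_A = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}}
# Correct profile: role_arn names the Account B role that trusts Account A.
GOOD_CONFIG = f"[profile AssumeRoleDRS_SourceEC2]\nrole_arn = {TARGET_ROLE}\ncredential_source = Ec2InstanceMetadata\n"
# Same shape as the question's config: role_arn names the Account A role instead.
BAD_CONFIG = (f"[profile AssumeRoleDRS_SourceEC2]\nrole_arn = arn:aws:iam::{ACCOUNT_A}:role/AssumeRoleDRS_SourceEC2\n"
              "credential_source = Ec2InstanceMetadata\n")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_chain(ACCOUNT_A, INSTANCE_POLICY_A, cfg, "AssumeRoleDRS_SourceEC2",
                                 TARGET_ROLE, TRUST_POLICY_B))
```

Run as-is, the "good" profile yields no findings, while the "bad" profile, which has the shape of the config in the question, yields a finding that role_arn points at the source account. Once the static check passes, `aws sts get-caller-identity --profile AssumeRoleDRS_SourceEC2` on the instance confirms the live chain: the returned ARN should be an assumed-role ARN in Account B, and a failure there narrows the problem to what the instance role or the trust policy actually contains.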
