Create a runbook that specifies the cleanroom site and the region to recover to. For workloads that include databases or applications, the runbook can restore the VM first and then restore the application data to the required point in time. It can also repave the VM from a secure image and then restore the application data onto the new VM.
Create an AWS account for cleanroom
To complete the add runbook wizard, you must create a new AWS account that's only for cleanroom recovery.
Start the add runbook wizard
- In the Command Center navigation pane, go to Security services > Cleanroom.
- On the Recovery groups tab, click the recovery group to create a runbook for.
- On the Runbooks tab, click Add runbook.
- Select Amazon Web Services.
- Click Next.
General page
For details about the resources Commvault creates in your cleanroom recovery AWS account for the Create new options, see Resources automatically created in your AWS or Commvault account for cleanroom recovery.
- Enter a name for the runbook.
- For Cleanroom site, leave Create new selected. Or if you prepared an existing Amazon EC2 hypervisor, select it.
- Select the Availability Zone to recover VMs to.
- For Destination hypervisor, leave Create new selected.
- If you're a Commvault software customer, select the authentication method to use.
- Click the Launch CloudFormation Stack link to open your AWS cleanroom recovery account in the AWS Management Console.
  Note: If you don't have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.
- Log on to the AWS Management Console.
  The Quick create stack page appears.
- Under Capabilities, read the information about the template, and then select the acknowledgment check box.
- Click Create stack.
  The wizard provides an AWS CloudFormation stack that creates the IAM roles, groups, and related permissions required for cleanroom recovery. Wait for the CloudFormation stack to finish creating the AWS permissions required for cleanroom recovery in your cleanroom AWS account.
  For information about the AWS permission definitions used for cleanroom recovery, see AWS permission files for cleanroom recovery.
- After the stack is created, on the Outputs tab in the AWS Management Console, copy the values for ExternalID and IAMRole.
  Return to Commvault, and then create new credentials by using the ExternalID and IAMRole values.
- Return to Commvault.
- For Credentials, create new credentials using the ExternalID and IAMRole key values you copied.
- If you're a Commvault software customer, select an access node.
- Click Next.
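Before you enter the ExternalID and IAMRole values as credentials, you can review the trust policy of the role that the stack created. The following Python check is an added example, not Commvault's code or its CloudFormation template. It assumes the role follows the standard AWS cross-account pattern, in which sts:AssumeRole is allowed only when sts:ExternalId matches; the policy documents, account ID, and external ID below are constructed.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM fields may hold one value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, expected_external_id):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        # Action names are case-insensitive and may contain wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            aws = ["*"]
        else:
            aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if not aws:
            continue  # service or federated trust: ExternalId does not apply
        if "*" in aws:
            findings.append(f"statement {i}: any AWS principal may assume the role")
        # Condition key names are case-insensitive in IAM.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        ids = _as_list(equals.get("sts:externalid"))
        if not ids:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif ids != [expected_external_id]:
            findings.append(f"statement {i}: ExternalId differs from the stack output")
    return findings

# Constructed sample documents; the account ID and external ID are placeholders.
EXTERNAL_ID = "example-external-id"
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})
WEAK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_trust_policy(doc, EXTERNAL_ID) or "ok")
```

To use it on the real role, pass the AssumeRolePolicyDocument returned by `aws iam get-role` as JSON, together with the ExternalID value from the Outputs tab.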
Resources page
The Resources page displays the resources associated with the recovery group.
Verify that:
- The VM is included
- Associated applications or databases are included
- The runbook includes the resources that need to be recovered together
Advanced options page
- Specify validation options:
  - Run threat scan: Run a threat scan on all VMs.
    Every 7 days, the count of discovered threats is reset to 0.
  - Run Windows Defender: Run a Microsoft Windows Defender Antivirus scan on Windows VMs.
- For Custom scripts, you can specify validation scripts to confirm that the recovered data is usable and applications are functioning correctly:
  - Click Add.
  - Upload a file or enter a UNC path and credentials to access the path.
    UNC path examples:
    - Windows: Enter the UNC path as \\WindowsPath\win.ps1.
    - Unix: Enter the UNC path as \\Pathtofile\file.sh.
  - Enter a name for the script, and then click Save.
- To finish creating the runbook, click Submit.
For information about other settings on this page, see Modify settings for a cleanroom recovery group.