> Software > Secure > Cleanroom recovery > Cloud-based cleanrooms > Setup > AWS cleanroom sites

Prepare an existing Amazon EC2 hypervisor for a cleanroom runbook

You can use an existing Amazon EC2 hypervisor for a cleanroom runbook. Otherwise, when you create your cleanroom runbook, Commvault creates the hypervisor for you.

To use an existing hypervisor, you apply the roles, permissions, and credentials to the hypervisor that are required for cleanroom recovery

Support in Commvault SaaS

In Commvault SaaS, using an existing Amazon EC2 hypervisor for cleanroom is supported only for hypervisors that were created with the Commvault-hosted infrastructure.

Prerequisites

You must have permissions to:

  • Access the AWS cleanroom account
  • Deploy CloudFormation stacks
  • Modify hypervisor settings in Commvault
  • Support post-recovery operations for VMs and applications
  • Allow communication through MediaAgents or network gateways used during recovery

Procedure

  1. Deploy the hosted infrastructure CloudFormation stack.

    Example

    https://console.aws.amazon.com/cloudformation/home?region=[region]#/stacks/quickcreate?templateURL=https://commvault-express-config-templates.s3.amazonaws.com/11.42/2026-02/cleanroom-hosted-infrastructure-assume-role.yml&stackName=CommvaultCleanroomPermissionsStack&param_ExternalId=[external-id]&param_HostedInfrastructureRoleArn=[infrastructure-role-arn]

    The stack creates the CommvaultCleanroomTenantRole role.

  2. In Commvault, in the hypervisor's settings, update the credentials to use the ARN of CommvaultCleanroomTenantRole and verify that the ARN exactly matches the role created in the AWS account.

STS Assume Role authentication

  1. Deploy the Cleanroom Assume Role CloudFormation stack.

    Example

    https://console.aws.amazon.com/cloudformation/home?region=[region]#/stacks/quickcreate?templateURL=https://commvault-express-config-templates.s3.amazonaws.com/11.42/2026-02/cleanroom-assume-role-cft.yml&stackName=CommvaultCleanroomPermissionsStack

    The stack creates the CommvaultCleanroomAdminRole role in the AWS account.

  2. Verify that the role exists.

  3. In Commvault, in the hypervisor's settings, verify that the access node references the new role and update the hypervisor credentials to use the ARN in this format:

    arn:aws:iam::[account-id]:role/Commvault/CommvaultCleanroomAdminRole

    The ARN must match the role created in your AWS account.

IAM Role for Amazon EC2 authentication

  1. Deploy the Cleanroom IAM Role CloudFormation stack.

    Example

    https://console.aws.amazon.com/cloudformation/home?region=[region]#/stacks/quickcreate?templateURL=https://commvault-express-config-templates.s3.amazonaws.com/11.42/2026-02/cleanroom-iam-role-cft.yml&stackName=CommvaultCleanroomPermissionsStack

    The stack creates the CommvaultCleanroomRole role.

  2. Attach or configure this role on the EC2 instance that's used as the hypervisor access node.

  3. In Commvault, verify that the hypervisor uses the updated IAM role.

  1. Deploy the Cleanroom Access Key CloudFormation stack.

    Example

    https://console.aws.amazon.com/cloudformation/home?region=[region]#/stacks/quickcreate?templateURL=https://commvault-express-config-templates.s3.amazonaws.com/11.42/2026-02/cleanroom-access-key-cft.yml&stackName=CommvaultCleanroomPermissionsStack

  2. The stack creates the CommvaultCleanroomUserGroup role.

  3. Generate or retrieve the Access Key ID and Secret Access Key for the IAM user that's associated with this group.

  4. In Commvault, in the hypervisor's settings, update the credentials with the new Access Key ID and Secret Access Key.

×

Loading...