Scenario
After a backup finishes, FMOS can perform additional actions. These actions include copying the new backup file to a remote server, sending an e-mail notification, or executing a command on the local machine.
Actions can be configured to run after a successful backup or after a backup fails.
Post Backup Actions are configured in the FMOS System Configuration File. They can be defined using the fmos config command or the FMOS Control Panel.
This procedure is for any customer who has an FMOS installation in AWS or on-prem and would like to be able to transfer backup files to an AWS S3 bucket. You can designate the AWS transfer server URL as an SFTP target using the public/private key pair for the fmbackup user.
Prerequisites
AWS S3 bucket
IAM permissions to do the following:
- Create/Edit IAM Policy
- Create IAM Role
- Create AWS Transfer Server
Procedure
In the AWS device account, you will need to create an IAM user named fmbackup with permissions to the S3 bucket, and then generate a Secret Access Key and Access Key ID for it.
Note: Please review Amazon's AWS documentation for Creating IAM roles.
Copy to a Remote SFTP Server
FMOS can copy backup files to a remote location using the SSH File Transfer Protocol (SFTP). This protocol is widely supported by network-attached storage systems, Linux and BSD servers, cloud storage services, and more. FMOS supports public-key and password authentication. Remote host key verification is supported using a pre-configured public key.
To enable public-key authentication for SFTP post-backup actions, omit the password configuration option. FMOS will attempt to authenticate to the remote host using a pre-generated private key. This key cannot be changed or replaced. The public key is stored in the /etc/firemon/fmbackup.pubkey file. It is currently only accessible using the FMOS command-line interface:
cat /etc/firemon/fmbackup.pubkey
This file contains two different key types:
- Legacy ssh-rsa type
- Modern ssh-ed25519 type
The ssh-rsa type is used by default. To use the stronger and faster modern type instead, set the key_type option to ed25519.
To enable SSH host key validation, enter the full host key of the remote server. If the server does not present a matching key during the initial handshake, the connection will fail. If the remote server has keys of several different types, only one of them is checked: the first key type in the following list that the server supports.
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- rsa-sha2-512
- rsa-sha2-256
- ssh-rsa
- ssh-dss
- ssh-ed25519
Host key verification will fail if the provided key is of a type lower in the list than another type of key that the server supports.
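As an added check (not part of the original article or of FMOS itself): given the output of ssh-keyscan for the remote host, this script picks the one key FMOS would compare against host_pubkey according to the precedence list above, so you configure that key rather than, say, the ed25519 key of a server that also offers ECDSA. The sample scan output and key material are constructed; the script assumes the rsa-sha2-* entries refer to the server's single RSA key, which ssh-keyscan labels ssh-rsa.

```shell
#!/bin/sh
# Added example, not FMOS code: choose which of a server's host keys to put in
# host_pubkey. FMOS checks only the first key type in this precedence list that
# the server supports, so a lower-ranked key (e.g. ssh-ed25519) is never
# checked when a higher-ranked one (e.g. ECDSA) is also offered.
FMOS_HOSTKEY_PRECEDENCE="ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss ssh-ed25519"

# select_host_key: reads `ssh-keyscan <host>` output on stdin (lines of
# "host type base64key"; comment lines start with '#') and prints
# "type base64key" for the key FMOS will compare. Assumption: rsa-sha2-* are
# signature flavours of the server's one RSA key, which ssh-keyscan labels ssh-rsa.
select_host_key() {
  scan=$(cat)
  for t in $FMOS_HOSTKEY_PRECEDENCE; do
    case "$t" in rsa-sha2-*) t=ssh-rsa ;; esac
    key=$(printf '%s\n' "$scan" |
      awk -v t="$t" '$1 !~ /^#/ && $2 == t { print $2, $3; exit }')
    if [ -n "$key" ]; then
      printf '%s\n' "$key"
      return 0
    fi
  done
  echo "no host key of a supported type found" >&2
  return 1
}

# Constructed sample of ssh-keyscan output (the key material is not real).
SAMPLE_SCAN='# backups.example.org:22 SSH-2.0-OpenSSH_9.6
backups.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE
backups.example.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLE
backups.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE'

# Prints the ECDSA key: it outranks both ssh-rsa and ssh-ed25519 in the list,
# so entering the ed25519 key in host_pubkey would make verification fail.
printf '%s\n' "$SAMPLE_SCAN" | select_host_key
```

Replace the sample with `ssh-keyscan backups.example.org | select_host_key` against your own server and paste the printed key into host_pubkey.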
Example 1
This example uses password-based authentication and does not enable remote host key verification:
post_backup:
  success:
    copy-sftp:
      - hostname: my-file-server.example.com
        username: firemon
        password: secretanduniquepassword
Example 2
This example uses public-key authentication and remote host key verification, and stores the file in the /backups/firemon directory on the remote host:
post_backup:
  success:
    copy-sftp:
      - hostname: backups.example.org
        username: sip
        key_type: ed25519
        host_pubkey:
Copy to an S3 Bucket
FMOS can copy files to any storage service compatible with the Amazon Simple Storage Service (S3) protocol. Authentication can be performed using a specific Amazon Access Key ID and Secret Key pair or, when FMOS is running in AWS, using an IAM instance role assigned to the EC2 instance.
Example:
post_backup:
  success:
    copy-aws:
      - bucket: myorgbackups
        path: /firemon/
        access_key_id:
        secret_access_key:
Create IAM Policy
In AWS, go to Policy > Create Policy.
- Select Service: S3
- Add Actions:
  - ListBucket
  - GetBucketLocation
- Select Resources: Specific
- Click Add ARN.
- Enter a Bucket name in the field.
- Click Save Changes.
- Click Add additional permissions.
- Select Service: S3
- Add Actions:
  - GetObject
  - GetObjectVersion
  - DeleteObject
  - DeleteObjectVersion
  - PutObject
- Select Resources: Specific
- Click Add ARN.
- Enter a Bucket name in the field.
- Enter an asterisk (*) in the Object name field. The Any checkbox should be selected automatically.
- Click Save Changes.
- Click Next: Tags, add tags if needed, and then click Next: Review.
- Enter a Name for the policy and then click Create Policy.
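The policy document that the console steps above produce, as an added example (not FireMon's or AWS's own code): one statement with the two bucket-level actions on the bucket ARN and one with the five object-level actions on the bucket's objects, so the fmbackup credentials can write and prune backups in this bucket and nothing else. The bucket name is a parameter; myorgbackups is taken from the S3 example earlier on the page, and the policy name FMOSBackupS3 is an assumed value.

```shell
#!/bin/sh
# Added example, not FMOS code: emit the least-privilege IAM policy document
# built click by click in the "Create IAM Policy" steps, scoped to one bucket.
fmbackup_policy_json() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketLevel",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ObjectLevel",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Usage (the aws CLI call needs IAM permissions and is not run here; the
# policy name FMOSBackupS3 is an assumed value):
#   fmbackup_policy_json myorgbackups > fmbackup-policy.json
#   aws iam create-policy --policy-name FMOSBackupS3 \
#     --policy-document file://fmbackup-policy.json
fmbackup_policy_json myorgbackups
```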
Create IAM Role
- In AWS, click Roles
- Click Create Role
- Select AWS Service > Transfer
- Click Next: Permissions
- Search for and select the IAM Policy created in the previous step.
- Click Next: Tags, and add tags if needed, and then click Next: Review
- Click Create role.
Create Transfer Server
- In AWS, search for AWS Transfer Family
- Click Create Server
- Choose Protocols: SFTP
- Identity provider type: Service Managed
- Endpoint type: Public or VPC
- Domain: Amazon S3
- Configure additional details: Add any settings that are required for your organization
- Review and click Create Server
Add "fmbackup" user to AWS Transfer Server
- In AWS, click Transfer server to edit.
- Click Add user
Note: You will add a user called fmbackup, selecting the IAM role and policy that were created in the previous steps.
- Choose the S3 bucket
- Add the public key
- Save user when complete
- Run "fmos backup" from the FMOS command line and verify that the backup file is in the S3 destination.
Comments
Hi team, is this still valid for FMOS versions 9.7+ ?
Also, is the same procedure valid when the FMOS server is also at AWS?
Thanks