Amazon Web Services Permission Usage

Commvault accesses your AWS account through AWS Identity and Access Management (IAM) policies that are attached to IAM roles or users. Those roles or users must hold the permissions that Commvault needs to perform data protection operations, and no more than that.

These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Which of these permissions Commvault actually exercises is controlled by the account settings (the access keys or the IAM role) that are used to create the Amazon EC2 hypervisor in Commvault.

Note

When using resources from an admin account, you must add the JSON permissions to both the admin account and the tenant account. The permissions that you need to add depend on the operations that you want the account to be able to perform. To restrict the account to specific operations, see "Permission Usage" below.

The following table summarizes the AWS permissions that Commvault operations need and explains how Commvault uses each permission. The operation columns of the original table are Backups and restores, Agentless file recovery, In-place instance restore with same GUID, VM conversion, and Replication. Empty cells of that table are not preserved in this copy, so the middle column shows how many of the five operations need a permission (with any qualifier attached to a mark), not which ones.

| Permission | Operations (marks of 5) | Usage |
|---|---|---|
| ec2:AssociateIamInstanceProfile | ✓ | Attach an IAM role (instance profile) to an instance. |
| ec2:AttachNetworkInterface | ✓ | Attach a network interface to an instance. |
| ec2:AttachVolume | ✓ ✓ ✓ | Attach a volume to the proxy for reads and writes during backup, restore, and replication operations. |
| ec2:CancelImportTask | ✓ | Cancel an import task. |
| ec2:CopySnapshot | ✓ | Copy a snapshot from one region to another during snapshot replication. |
| ec2:CreateImage | ✓ ✓ ✓ | Create an AMI of the source instance during backup. |
| ec2:CreateNetworkInterface | ✓ | Create a new network interface. |
| ec2:CreateSnapshot | ✓ (across AWS accounts) | Create a snapshot of a volume. |
| ec2:CreateTags | (no mark) | Create tags on resources such as instances, volumes, and snapshots. |
| ec2:CreateVolume | ✓ ✓ ✓ | Create a volume from a snapshot for backup, or create empty volumes for restores. |
| ec2:DeleteNetworkInterface | ✓ ✓ ✓ | Delete old network interfaces during incremental replication. |
| ec2:DeleteSnapshot | ✓ ✓ ✓ | Clean up snapshots after job completion. |
| ec2:DeleteTags | ✓ ✓ ✓ | Delete tags after backup and restore operations. |
| ec2:DeleteVolume | ✓ ✓ ✓ | Clean up volumes after job completion. |
| ec2:DeregisterImage | ✓ ✓ ✓ | Delete the AMI after backup operations and delete the old integrity snapshot. |
| ec2:DescribeAccountAttributes | ✓ ✓ ✓ | Get the supported network platforms (the supported-platforms account attribute). |
| ec2:DescribeAvailabilityZones | ✓ ✓ ✓ | Get the list of availability zones. |
| ec2:DescribeIamInstanceProfileAssociations | ✓ | Get the IAM role associated with an instance. |
| ec2:DescribeImages | ✓ ✓ ✓ | Get the list of AMIs. |
| ec2:DescribeImportImageTasks | ✓ ✓ ✓ | Get import task information to check the status of the task. Used for restore operations with an on-premises proxy, including replication operations that use the import method. |
| ec2:DescribeInstanceAttribute | ✓ ✓ ✓ | Get the EBS optimization setting of an instance. |
| ec2:DescribeInstances | ✓ ✓ ✓ | Get the list of instances, including proxy and source instance information. |
| ec2:DescribeInstanceStatus | ✓ ✓ | Validate the instance status after a restore operation. |
| ec2:DescribeKeyPairs | ✓ ✓ ✓ | Get the list of key pairs. |
| ec2:DescribeNetworkInterfaces | ✓ ✓ ✓ | Get the list of network interfaces. |
| ec2:DescribeRegions | ✓ ✓ ✓ | Get the list of all regions. |
| ec2:DescribeSecurityGroups | ✓ ✓ ✓ | Get the list of security groups. |
| ec2:DescribeSnapshots | ✓ ✓ ✓ | Get snapshot information. |
| ec2:DescribeSubnets | ✓ ✓ ✓ | Get the list of subnets. |
| ec2:DescribeTags | ✓ ✓ ✓ | Get the tag list, to back up and restore tags on instances and volumes. |
| ec2:DescribeVolumeAttribute | ✓ ✓ | Get the product code associated with a volume. |
| ec2:DescribeVolumes | ✓ ✓ ✓ | Get the volume list and information such as size, type, and attachments. |
| ec2:DescribeVpcs | ✓ ✓ ✓ | Get the list of VPCs. |
| ec2:DetachNetworkInterface | ✓ ✓ | Detach a network interface from an instance. |
| ec2:DetachVolume | ✓ ✓ ✓ | Detach the volume from the proxy after reads and writes. |
| ec2:DisassociateIamInstanceProfile | ✓ | Remove the IAM role from an instance. |
| ec2:GetConsoleOutput | ✓ ✓ ✓ | Get operating system information from the instance console output. |
| ec2:ImportImage | ✓ ✓ ✓ | Import an image during a conversion job. Used for restore operations with an on-premises proxy, including replication operations that use the import method. |
| ec2:ModifyImageAttribute | ✓ (across AWS accounts) ✓ | Share the image with the admin or user account. |
| ec2:ModifyInstanceAttribute | ✓ ✓ ✓ | Set or reset the delete-on-termination policy of the instance after restore. |
| ec2:ModifyNetworkInterfaceAttribute | ✓ ✓ ✓ | Set or reset the delete-on-termination policy of network interfaces after restore. |
| ec2:RunInstances | ✓ ✓ ✓ | Create a new instance. |
| ec2:StartInstances | ✓ ✓ ✓ | Start the instance after job completion (based on user input). |
| ec2:StopInstances | ✓ ✓ ✓ | Stop the instance after a restore operation (based on user input). |
| ec2:TerminateInstances | ✓ ✓ ✓ | Delete the instance if the overwrite option is selected for a restore operation, or delete the previous replicated instance during incremental replication. |
| iam:GetAccountAuthorizationDetails | ✓ ✓ ✓ | Required to get account information during snapshot backup operations that use an IAM role. Note that this call returns every user, group, role, and policy in the account, which makes it the broadest read permission in this table. |
| iam:GetRole | ✓ ✓ ✓ | Required for IAM-based authentication. |
| iam:ListInstanceProfiles | ✓ ✓ ✓ | Required to get the list of instance profile names, to populate the IAM role list for restores. |
| iam:ListRoles | ✓ ✓ ✓ | Required to list IAM roles on the restore screen when an IAM role is used. |
| iam:PassRole | ✓ ✓ ✓ | Required to restore the IAM role onto the restored instance during full instance restores, conversions, and replication. If you do not want Commvault to set the IAM role, remove this permission entirely. Otherwise restrict it to specific roles (the Resource element), to the EC2 service (condition key iam:PassedToService), or to specific destination instances (condition key iam:AssociatedResourceArn). For more information, see "IAM and AWS STS condition context keys" in the AWS documentation. |
| kms:CreateGrant | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| kms:Decrypt | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| kms:DescribeKey* | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| kms:Encrypt | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| kms:GenerateDataKey* | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| kms:GenerateDataKeyWithoutPlaintext | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| kms:ListAliases | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| kms:ListKeys | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| kms:ReEncrypt* | ✓ (for default encrypted snapshots) ✓ (for default encrypted snapshots) | Required for snapshot replication of default-encrypted Amazon snapshots. |
| s3:CreateBucket | ✓ (when using Import method) ✓ ✓ (when using Import method) ✓ (when using Import method) | Required to create an S3 bucket for restores. |
| s3:DeleteObject | ✓ ✓ ✓ ✓ | Used for restore operations with an on-premises proxy, including replication operations that use the import method. |
| s3:GetBucketAcl | ✓ (across AWS accounts) | Share the bucket with the admin account. |
| s3:GetBucketLocation | ✓ ✓ ✓ ✓ | Get the bucket region for restore operations that use a non-AWS proxy. |
| s3:GetObject | ✓ ✓ ✓ ✓ | Used for restore operations with an on-premises proxy, including replication operations that use the import method. |
| s3:ListAllMyBuckets | ✓ ✓ ✓ | Used for restore operations with an on-premises proxy, including replication operations that use the import method. |
| s3:ListBucket | ✓ ✓ ✓ ✓ | Used for restore operations with an on-premises proxy, including replication operations that use the import method. |
| s3:PutBucketAcl | ✓ (across AWS accounts) | Share the bucket with the admin account. |
| s3:PutObject | ✓ ✓ ✓ ✓ | Used for restore operations with an on-premises proxy, including replication operations that use the import method. |
| s3:PutObjectAcl | ✓ | Used to upload objects to the S3 bucket. |
| s3:PutObjectTagging | ✓ ✓ ✓ (when using Import method) ✓ | Required by the MediaAgent if an S3 library is used with DASH copy. |
| ssm:CancelCommand | ✓ | Cancel Run Command invocations. |
| ssm:DescribeDocument | ✓ | Describe the Run Command document. |
| ssm:DescribeInstanceInformation | ✓ | Get the list of instances that have the AWS Systems Manager (SSM) Agent installed. |
| ssm:ListCommands | ✓ | List Run Command invocations. |
| ssm:ListDocuments | ✓ | List all Run Command documents in the account. |
| ssm:SendCommand | ✓ | Launch Run Command invocations. |
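The note above says to add only the permissions the account needs, and the iam:PassRole row says to scope that permission with conditions. The following script is an added example (not Commvault code and not an AWS-provided tool) that checks a policy document against the permission list on this page: it reports any allowed action that the table does not list, flags an iam:PassRole grant that carries no iam:PassedToService or iam:AssociatedResourceArn condition, and builds the scoped PassRole statement the table recommends. The sample policy, the account ID 111122223333, the role name and the region are constructed placeholders; the two condition keys are real AWS condition keys.

```python
"""Least-privilege check of an IAM policy against the Commvault permission table.

Added example, not Commvault code. It inspects the Action element of Allow
statements only; Resource scoping and Deny statements are out of scope.
"""
import fnmatch
import json

# Every permission listed in the table above (whitespace-separated tokens).
DOCUMENTED_ACTIONS = frozenset("""
ec2:AssociateIamInstanceProfile ec2:AttachNetworkInterface ec2:AttachVolume
ec2:CancelImportTask ec2:CopySnapshot ec2:CreateImage ec2:CreateNetworkInterface
ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteNetworkInterface
ec2:DeleteSnapshot ec2:DeleteTags ec2:DeleteVolume ec2:DeregisterImage
ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones
ec2:DescribeIamInstanceProfileAssociations ec2:DescribeImages
ec2:DescribeImportImageTasks ec2:DescribeInstanceAttribute ec2:DescribeInstances
ec2:DescribeInstanceStatus ec2:DescribeKeyPairs ec2:DescribeNetworkInterfaces
ec2:DescribeRegions ec2:DescribeSecurityGroups ec2:DescribeSnapshots
ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumeAttribute
ec2:DescribeVolumes ec2:DescribeVpcs ec2:DetachNetworkInterface ec2:DetachVolume
ec2:DisassociateIamInstanceProfile ec2:GetConsoleOutput ec2:ImportImage
ec2:ModifyImageAttribute ec2:ModifyInstanceAttribute
ec2:ModifyNetworkInterfaceAttribute ec2:RunInstances ec2:StartInstances
ec2:StopInstances ec2:TerminateInstances
iam:GetAccountAuthorizationDetails iam:GetRole iam:ListInstanceProfiles
iam:ListRoles iam:PassRole
kms:CreateGrant kms:Decrypt kms:DescribeKey* kms:Encrypt kms:GenerateDataKey*
kms:GenerateDataKeyWithoutPlaintext kms:ListAliases kms:ListKeys kms:ReEncrypt*
s3:CreateBucket s3:DeleteObject s3:GetBucketAcl s3:GetBucketLocation s3:GetObject
s3:ListAllMyBuckets s3:ListBucket s3:PutBucketAcl s3:PutObject s3:PutObjectAcl
s3:PutObjectTagging
ssm:CancelCommand ssm:DescribeDocument ssm:DescribeInstanceInformation
ssm:ListCommands ssm:ListDocuments ssm:SendCommand
""".split())

# Condition keys that limit where a passed role may end up.
PASSROLE_SCOPE_KEYS = {"iam:passedtoservice", "iam:associatedresourcearn"}


def _allow_statements(policy):
    """Yield (actions, condition) for each Allow statement, normalised to list/dict."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        # NotAction allows everything except the listed actions; treat it as "*".
        actions = "*" if "NotAction" in s else s.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        yield list(actions), s.get("Condition") or {}


def _covered(action):
    """True if a granted action (possibly a wildcard) falls inside the documented set.
    IAM matches action names case-insensitively, so compare in lower case."""
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, d.lower()) for d in DOCUMENTED_ACTIONS)


def unlisted_actions(policy):
    """Sorted actions the policy allows that the permission table does not list."""
    found = set()
    for actions, _ in _allow_statements(policy):
        found.update(a for a in actions if not _covered(a))
    return sorted(found)


def unscoped_passrole(policy):
    """True if a statement allows iam:PassRole (directly or via a wildcard) without
    an iam:PassedToService or iam:AssociatedResourceArn condition."""
    for actions, condition in _allow_statements(policy):
        grants = any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in actions)
        keys = {k.lower() for operator in condition.values() for k in operator}
        if grants and not (keys & PASSROLE_SCOPE_KEYS):
            return True
    return False


def passrole_statement(role_arn, account_id, regions):
    """Scoped PassRole statement: only EC2 may receive the named role, and only for
    instances in the given account and regions (values here are placeholders)."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": role_arn,
        "Condition": {
            "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
            "ArnLike": {"iam:AssociatedResourceArn": [
                f"arn:aws:ec2:{r}:{account_id}:instance/*" for r in regions]},
        },
    }


# Constructed sample policy with two problems: an over-broad Describe wildcard and
# an unconditioned PassRole on every role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "kms:Decrypt"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("not in the table:", unlisted_actions(SAMPLE_POLICY))
    print("unscoped PassRole:", unscoped_passrole(SAMPLE_POLICY))
    fixed = passrole_statement("arn:aws:iam::111122223333:role/CommvaultRestoreRole",
                               "111122223333", ["us-east-1"])
    print(json.dumps(fixed, indent=2))
```

Run it against the policy JSON you are about to attach to the Commvault role or user; any action it lists as "not in the table" is one this page gives no reason for, and a flagged PassRole means any role in the account could be attached to a restored instance. The matcher treats kms:DescribeKey*, kms:GenerateDataKey* and kms:ReEncrypt* as the page writes them, so a narrower grant such as kms:DescribeKey passes while a broader one such as kms:* or ec2:Describe* is reported.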
