Amazon Web Services Permission Usage

Commvault accesses your AWS account through AWS Identity and Access Management (IAM) policies that are attached to IAM roles or users. Those roles or users must hold the permissions that are necessary for Commvault to perform data protection operations.

These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault usage of AWS permissions is controlled by the account settings that are used to create the Amazon EC2 hypervisor in Commvault.

Note

When using resources from an admin account, you must add the JSON permissions to both the admin and the tenant accounts. The permissions that you need to add depend on the operations that you want the account to be able to perform. To restrict operations, see "Permission Usage" below.

You can use the following IAM Policies to apply these permissions to a user account:

The following table summarizes the AWS permissions that are needed for Commvault operations and explains how Commvault uses each permission.

The table has the following columns: Permission; Backups and restores; Agentless file recovery; In-place instance restore with same GUID; VM conversion; Replication; Usage. A tick in an operation column means the permission is required for that operation. Each entry below lists the permission, its ticks (with any qualifier, such as "across AWS accounts" or "for default encrypted snapshots"), and then the usage description.

ebs:ListChangedBlocks

Return the blocks that differ between two Amazon Elastic Block Store snapshots of the same volume.

Required for backups that use changed block tracking (CBT).

ebs:ListSnapshotBlocks

Return the allocated blocks in an Amazon Elastic Block Store snapshot.

Required for backups that use changed block tracking (CBT).

ec2:AssociateIamInstanceProfile

tick

Attach IAM role to an instance.

ec2:AttachNetworkInterface

tick

Attach network interface to an instance.

ec2:AttachVolume

tick

tick

tick

Attach volume to proxy for reads and writes during backup, restore, and replication operations.

ec2:CancelImportTask

tick

Cancel the import task.

ec2:CopySnapshot

tick

Copy snapshot from one region to another during snap replication.

ec2:CreateImage

tick

tick

tick

Create AMI of source instance during backup.

ec2:CreateNetworkInterface

tick

Create a new network interface.

ec2:CreateSnapshot

tick (across AWS accounts)

Create an EBS snapshot of a volume during backup, including snapshots that are created across AWS accounts in admin/tenant configurations.

ec2:CreateTags

Create tags on resources such as instances, volumes, and snapshots.

ec2:CreateVolume

tick

tick

tick

Create volume from snapshot for backup or create empty volumes for restores.

ec2:DeleteNetworkInterface

tick

tick

tick

Delete old network interfaces during incremental replication.

ec2:DeleteSnapshot

tick

tick

tick

Clean up snapshots after job completion.

ec2:DeleteTags

tick

tick

tick

Delete tags after backup and restore operations.

ec2:DeleteVolume

tick

tick

tick

Clean up volumes after job completion.

ec2:DeregisterImage

tick

tick

tick

Delete AMI after backup operations and delete old integrity snapshot.

ec2:DescribeAccountAttributes

tick

tick

tick

Get the supported-platforms attribute of the account (whether EC2 is supported).

ec2:DescribeAvailabilityZones

tick

tick

tick

Get list of availability zones.

ec2:DescribeIamInstanceProfileAssociations

tick

Get IAM role information.

ec2:DescribeImages

tick

tick

tick

Get list of AMIs.

ec2:DescribeImportImageTasks

tick

tick

tick

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

Get import task information to check the status of the task.

ec2:DescribeInstanceAttribute

tick

tick

tick

Get EBS-optimization information for an instance.

ec2:DescribeInstances

tick

tick

tick

Get list of instances, including proxy and source instance information.

ec2:DescribeInstanceStatus

tick

tick

Validate instance status after restore operation.

ec2:DescribeKeyPairs

tick

tick

tick

Get list of key pairs.

ec2:DescribeNetworkInterfaces

tick

tick

tick

Get network interface list.

ec2:DescribeRegions

tick

tick

tick

Get list of all regions.

ec2:DescribeSecurityGroups

tick

tick

tick

Get list of security groups.

ec2:DescribeSnapshots

tick

tick

tick

Get snapshot information.

ec2:DescribeSubnets

tick

tick

tick

Get list of subnets.

ec2:DescribeTags

tick

tick

tick

Get tag list to backup and restore tags on instances and volumes.

ec2:DescribeVolumeAttribute

tick

tick

Get product code associated with volume.

ec2:DescribeVolumes

tick

tick

tick

Get volume list and information such as size, type, and attachments.

ec2:DescribeVolumesModifications

tick

Get IOPS values used during hotadd backups.

ec2:DescribeVpcs

tick

tick

tick

Get list of VPCs.

ec2:DetachNetworkInterface

tick

tick

Detach a network interface from an instance.

ec2:DetachVolume

tick

tick

tick

Detach volume from proxy after reads and writes.

ec2:DisassociateIamInstanceProfile

tick

Remove IAM role from instance.

ec2:GetConsoleOutput

tick

tick

tick

Get operating system information.

ec2:ImportImage

tick

tick

tick

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

Import image during conversion job.

ec2:ModifyImageAttribute

tick (across AWS accounts)

tick

Share the image to admin or user account.

ec2:ModifyInstanceAttribute

tick

tick

tick

Set or reset delete on termination policy after restore.

ec2:ModifyNetworkInterfaceAttribute

tick

tick

tick

Set or reset the delete-on-termination attribute of a network interface attachment after restore.

ec2:ModifySnapshotAttribute

tick

tick

tick

tick

Share a snapshot with another AWS account during snap replication and cross-account backups and restores.

ec2:ModifyVolume

tick

Adjust IOPS values during hotadd backups.

ec2:RunInstances

tick

tick

tick

Create new instance.

ec2:StartInstances

tick

tick

tick

Start instance after job completion (based on user input).

ec2:StopInstances

tick

tick

tick

Stop instance after restore operation (based on user input).

ec2:TerminateInstances

tick

tick

tick

Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication.

iam:GetAccountAuthorizationDetails

tick

tick

tick

Required to get account information during snap backup operations that use an IAM role.

iam:GetRole

tick

tick

tick

Required for IAM based authentication.

iam:GetUser

tick

Get information about the user specified in the AWS client. Used during snap replication.

iam:ListInstanceProfiles

tick

tick

tick

Required to get list of instance profile names to populate IAM roles for restores.

iam:ListRoles

tick

tick

tick

Required to list IAM roles on the restore screen when an IAM role is used.

iam:PassRole

tick

tick

Required to restore the IAM role on the restored instance during full instance restores, conversions, and replication. If you do not want Commvault to set the IAM role, remove this permission entirely. You can also restrict it to specific roles, services, or instances: limit the Resource to the role ARNs that Commvault may pass, use the condition key iam:PassedToService to limit the service that the role is passed to (ec2.amazonaws.com), and use the condition key iam:AssociatedResourceArn to restrict the destination instances that the role can be associated with. For more information, see IAM and AWS STS condition context keys in the AWS documentation.

kms:CreateAlias

tick

Create an alias for the customer-managed CMK that Commvault creates during cross-account backup of volumes that are encrypted with the default CMK.

kms:CreateGrant

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:CreateKey

tick

Create a customer-managed CMK during cross-account backup of volumes that are encrypted with the default CMK.

kms:Decrypt

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:DescribeKey

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:Encrypt

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:GenerateDataKey

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:GenerateDataKeyPair

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:GenerateDataKeyWithoutPlaintext

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:GenerateDataKeyPairWithoutPlaintext

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:ListAliases

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:ListGrants

tick

tick

tick

tick

List the grants on the KMS key so that encrypted volumes can be attached to the proxy for reads and writes during backup, restore, and replication operations.

kms:ListKeys

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:ListResourceTags

tick

Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication.

kms:ReEncryptFrom

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:ReEncryptTo

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:TagResource

tick

tick

Required to set a tag on the cvlt-ec2 KMS key, which Commvault creates automatically if the key does not exist in a given AWS region.

s3:CreateBucket

tick (when using Import method)

tick

tick (when using Import method)

tick (when using Import method)

Required to create an S3 bucket for restores.

s3:DeleteObject

tick

tick

tick

tick

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

s3:GetBucketAcl

tick (across AWS accounts)

Share the bucket with the admin account.

s3:GetBucketLocation

tick

tick

tick

tick

Get the bucket region for restore operations that use a non-AWS proxy.

s3:GetObject

tick

tick

tick

tick

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

s3:ListAllMyBuckets

tick

tick

tick

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:ListBucket

tick

tick

tick

tick

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:PutBucketAcl

tick (across AWS accounts)

Share the bucket with the admin account.

s3:PutObject

tick

tick

tick

tick

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:PutObjectAcl

tick

Set the ACL on objects that are uploaded to the S3 bucket.

s3:PutObjectTagging

tick

tick

tick (when using Import method)

tick

Required by MediaAgent if S3 library is used with DASH copy.

ssm:CancelCommand

tick

Cancel run commands.

ssm:DescribeDocument

tick

Describe the run command document.

ssm:DescribeInstanceInformation

tick

Get a list of instances that have the AWS Systems Manager (SSM) Agent installed.

ssm:ListCommands

tick

List the run commands.

ssm:ListDocuments

tick

List all run command documents in the account.

ssm:SendCommand

tick

Launch run commands.
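Because a role that is missing one action fails only at job time, while a role that grants more than the table lists (for example an unconditioned iam:PassRole) is a privilege-escalation path, it is worth checking a candidate policy offline before attaching it. The following Python is an added example, not Commvault's or AWS's code. It assumes a plain identity policy (no SCPs or resource policies), takes a required-action list copied from the table above (the subset shown is an assumption; replace it with the actions for the operations you enable), and uses a constructed sample policy in which ec2:DeleteSnapshot is absent and ec2:DeleteVolume is explicitly denied.

```python
"""Offline check of an IAM policy document against a required action list.

Added example, not Commvault's or AWS's code. Assumes the required action
names are copied from the permission table and that the candidate policy is a
plain identity policy (no SCP or resource-policy evaluation).
"""
import fnmatch
import json

# Assumption: a subset of the actions in the table, chosen for illustration.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:CreateVolume",
    "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume",
    "ec2:CreateTags", "ec2:DeleteTags", "ebs:ListSnapshotBlocks",
    "ebs:ListChangedBlocks", "iam:PassRole",
]

# Constructed sample policy (account ID and role name are placeholders):
# Describe*/List* via wildcards, explicit mutating actions, iam:PassRole
# scoped to one role, to EC2 and to instance ARNs, and a Deny on DeleteVolume.
# ec2:DeleteSnapshot is deliberately missing.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ebs:List*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:AttachVolume",
                "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:CreateTags",
                "ec2:DeleteTags"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/CommvaultRestoreRole",
     "Condition": {
        "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
        "ArnLike": {"iam:AssociatedResourceArn": "arn:aws:ec2:*:123456789012:instance/*"}
     }},
    {"Effect": "Deny", "Action": "ec2:DeleteVolume", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statements(policy, effect):
    return [s for s in policy["Statement"] if s.get("Effect") == effect and "Action" in s]


def is_allowed(policy, action: str) -> bool:
    """An explicit Deny wins over any Allow, as in IAM policy evaluation."""
    for s in statements(policy, "Deny"):
        if any(action_matches(p, action) for p in _as_list(s["Action"])):
            return False
    for s in statements(policy, "Allow"):
        if any(action_matches(p, action) for p in _as_list(s["Action"])):
            return True
    return False


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not allow (absent or explicitly denied)."""
    return sorted(a for a in required if not is_allowed(policy, a))


def unscoped_passrole(policy):
    """Allow statements that grant iam:PassRole without both condition keys
    recommended above (iam:PassedToService and iam:AssociatedResourceArn)."""
    findings = []
    for s in statements(policy, "Allow"):
        if not any(action_matches(p, "iam:PassRole") for p in _as_list(s["Action"])):
            continue
        cond = s.get("Condition", {})
        keys = {k.lower() for block in cond.values() for k in block}
        if "iam:passedtoservice" not in keys or "iam:associatedresourcearn" not in keys:
            findings.append(s)
    return findings


if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
    print("unscoped PassRole statements:", len(unscoped_passrole(SAMPLE_POLICY)))
```

Run against the sample, the checker reports ec2:DeleteSnapshot (never granted) and ec2:DeleteVolume (granted, then denied) as missing, and reports no unscoped PassRole because the sample statement carries both condition keys. Resource ARNs are not evaluated here; a production check should also run the policy through the IAM policy simulator.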
