Commvault requires access to your AWS account using AWS Identity and Access Management (IAM) policies that are associated with IAM roles or users. The roles and permissions must have the permissions that are necessary for Commvault to perform data protection operations.
These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.
Commvault usage of AWS permissions is controlled by the account settings that are used to create the Amazon EC2 hypervisor in Commvault.
Note
When using resources from an admin account, you must add JSON permissions to both admin and tenant accounts. The permissions that you need to add depends on the operations that you want the account to be able to perform. To restrict operations, see "Permission Usage" below.
You can use the following IAM Policies to apply these permissions to a user account:
-
Agentless file recovery
-
AmazonSSMManagedInstanceCore AWS IAM Policy.
-
The following table summarizes the Amazon permissions that are needed for Commvault operations and explains how Commvault uses each permission.
|
Permission |
Backups and restores |
Agentless file recovery |
In-place instance restore with same GUID |
VM conversion |
Replication |
Usage |
|---|---|---|---|---|---|---|
|
ebs:ListChangedBlocks |
Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume. Required for CBT-enabled backups. |
|||||
|
ebs:ListSnapshotBlocks |
Return allocated blocks in an Amazon Elastic Block Store snapshot. Required for CBT-enabled backups. |
|||||
|
ec2:AssociateIamInstanceProfile |
|
Attach IAM role to an instance. |
||||
|
ec2:AttachNetworkInterface |
|
Attach network interface to an instance. |
||||
|
ec2:AttachVolume |
|
|
|
Attach volume to proxy for reads and writes during backup, restore, and replication operations. |
||
|
ec2:CancelImportTask |
|
Cancel the import task. |
||||
|
ec2:CopySnapshot |
|
Copy snapshot from one region to another during snap replication. |
||||
|
ec2:CreateImage |
|
|
|
Create AMI of source instance during backup. |
||
|
ec2:CreateNetworkInterface |
|
Create a new network interface. |
||||
|
ec2:CreateSnapshot |
(across AWS accounts) |
|
Share the image to admin or user account. |
|||
|
ec2:CreateTags |
Create tags on resources such as instances, volumes, and snapshots. |
|||||
|
ec2:CreateVolume |
|
|
|
Create volume from snapshot for backup or create empty volumes for restores. |
||
|
ec2:DeleteNetworkInterface |
|
|
|
Delete old network interfaces during incremental replication. |
||
|
ec2:DeleteSnapshot |
|
|
|
Clean up snapshots after job completion. |
||
|
ec2:DeleteTags |
|
|
|
Delete tags after backup and restore operations. |
||
|
ec2:DeleteVolume |
|
|
|
Clean up volumes after job completion. |
||
|
ec2:DeregisterImage |
|
|
|
Delete AMI after backup operations and delete old integrity snapshot. |
||
|
ec2:DescribeAccountAttributes |
|
|
|
Get supported network platforms (if EC2 is supported). |
||
|
ec2:DescribeAvailabilityZones |
|
|
|
Get list of availability zones. |
||
|
ec2:DescribeIamInstanceProfileAssociations |
|
Get IAM role information. |
||||
|
ec2:DescribeImages |
|
|
|
Get list of AMIs. |
||
|
ec2:DescribeImportImageTasks |
|
|
|
Used for restore operations with an on-premise proxy, including replication operations that use the import method. Get import task information to check the status of the task. |
||
|
ec2:DescribeInstanceAttribute |
|
|
|
Get EBS optimization information of instance. |
||
|
ec2:DescribeInstances |
|
|
|
Get list of instances, including proxy and source instance information. |
||
|
ec2:DescribeInstanceStatus |
|
|
Validate instance status after restore operation. |
|||
|
ec2:DescribeKeyPairs |
|
|
|
Get list of key pairs. |
||
|
ec2:DescribeNetworkInterfaces |
|
|
|
Get network interface list. |
||
|
ec2:DescribeRegions |
|
|
|
Get list of all regions. |
||
|
ec2:DescribeSecurityGroups |
|
|
|
Get list of security groups. |
||
|
ec2:DescribeSnapshots |
|
|
|
Get snapshot information. |
||
|
ec2:DescribeSubnets |
|
|
|
Get list of subnets. |
||
|
ec2:DescribeTags |
|
|
|
Get tag list to backup and restore tags on instances and volumes. |
||
|
ec2:DescribeVolumeAttribute |
|
|
Get product code associated with volume. |
|||
|
ec2:DescribeVolumes |
|
|
|
Get volume list and information such as size, type, and attachments. |
||
|
ec2:DescribeVolumesModifications |
|
Get IOPS values used during hotadd backups. |
||||
|
ec2:DescribeVpcs |
|
|
|
Get list of VPCs. |
||
|
ec2:DetachNetworkInterface |
|
|
Detach a network interface from an instance. |
|||
|
ec2:DetachVolume |
|
|
|
Detach volume from proxy after reads and writes. |
||
|
ec2:DisassociateIamInstanceProfile |
|
Remove IAM role from instance. |
||||
|
ec2:GetConsoleOutput |
|
|
|
Get operating system information. |
||
|
ec2:ImportImage |
|
|
|
Used for restore operations with an on-premise proxy, including replication operations that use the import method. Import image during conversion job. |
||
|
ec2:ModifyImageAttribute |
|
|
Share the image to admin or user account. |
|||
|
ec2:ModifyInstanceAttribute |
|
|
|
Set or reset delete on termination policy after restore. |
||
|
ec2:ModifyNetworkInterfaceAttribute |
|
|
|
Set or reset delete on termination policy after restore. |
||
|
ec2:ModifySnapshotAttribute |
|
|
|
|
Share snapshot to a different region during snap replication and cross account backups and restores. |
|
|
ec2:ModifyVolume |
|
Adjust IOPS values during hotadd backups. |
||||
|
ec2:RunInstances |
|
|
|
Create new instance. |
||
|
ec2:StartInstances |
|
|
|
Start instance after job completion (based on user input). |
||
|
ec2:StopInstances |
|
|
|
Stop instance after restore operation (based on user input). |
||
|
ec2:TerminateInstances |
|
|
|
Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication. |
||
|
iam:GetAccountAuthorizationDetails |
|
|
|
Required to get account info during snap backup operations that use IAM role. |
||
|
iam:GetRole |
|
|
|
Required for IAM based authentication. |
||
|
iam:GetUser |
|
Get information about the user specified in the AWS client. Used during snap replication. |
||||
|
iam:ListInstancesProfiles |
|
|
|
Required to get list of instance profile names to populate IAM roles for restores. |
||
|
iam:ListRoles |
|
|
|
Required to list key pairs in restore screen using IAM role. |
||
|
iam:passrole |
Required for restoring the IAM role on the restored instance during full instance restores, conversions, and replication. If you don't want the IAM role to be set by Commvault, you can remove this permission completely. You can also restrict this permission to specific roles, services, or instances. You can use the condition key “AssociatedResourceArn” to restrict the destination instances that the role can be associated to. For more information, see IAM and AWS STS condition context keys in the AWS documentation. |
|
|
Required for restoring IAM role on instance. |
||
|
kms:CreateAlias |
|
Create customer-managed CMK during cross account backup of volumes encrypted using default CMK. |
||||
|
kms:CreateGrant |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:CreateKey |
|
Create customer-managed CMK during cross account backup of volumes encrypted using default CMK. |
||||
|
kms:Decrypt |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:DescribeKey |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:Encrypt |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:GenerateDataKey |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:GenerateDataKeyPair |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:GenerateDataKeyWithoutPlaintext |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:GenerateDataKeyPairWithoutPlaintext |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:ListAliases |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:ListGrants |
|
|
|
|
Attach encrypted volume to proxy for reads and writes during backup, restore, and replication operations. |
|
|
kms:ListKeys |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:ListResourceTags |
|
Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication. |
||||
|
kms:ReEncryptFrom |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:ReEncryptTo |
|
|
Required for snap replication of default encrypted Amazon snapshots. |
|||
|
kms:TagResource |
|
|
Required to set tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exists in a given AWS region. |
|||
|
s3:CreateBucket |
|
|
|
|
Required to create an S3 bucket for restores. |
|
|
s3:DeleteObject |
|
|
|
|
Used for restore operations with an on-premise proxy, including replication operations that use the import method. |
|
|
s3:GetBucketAcl |
|
Share the bucket to admin account. |
||||
|
s3:GetBucketLocation |
|
|
|
|
Get the bucket region for restore operations that use a non-AWS proxy. |
|
|
s3:GetObject |
|
|
|
|
Used for restore operations with an on-premise proxy, including replication operations that use the import method. |
|
|
s3:ListAllMyBuckets |
|
|
|
Used for restore operations that use an on-premise proxy, including replication operations that use the import method. |
||
|
s3:ListBucket |
|
|
|
|
Used for restore operations that use an on-premise proxy, including replication operations that use the import method. |
|
|
s3:PutBucketAcl |
|
Share the bucket to admin account. |
||||
|
s3:PutObject |
|
|
|
|
Used for restore operations that use an on-premise proxy, including replication operations that use the import method. |
|
|
s3:PutObjectAcl |
|
Used to upload objects to S3 bucket. |
||||
|
s3:PutObjectTagging |
|
|
|
|
Required by MediaAgent if S3 library is used with DASH copy. |
|
|
ssm:CancelCommand |
|
Cancel run commands. |
||||
|
ssm:DescribeDocument |
|
Describe the run command document. |
||||
|
ssm:DescribeInstanceInformation |
|
Get a list of instances that have the AWS Systems Manager (SSM) installed. |
||||
|
ssm:ListCommands |
|
List the run commands. |
||||
|
ssm:ListDocuments |
|
List all run command documents in the account. |
||||
|
ssm:SendCommand |
|
Launch run commands. |
