Amazon Web Services User Permissions for VM Conversion

You can assign Amazon user permissions by creating a policy as described in Overview of IAM Policies.

For non-admin users, you must set permissions in the Amazon Web Services (AWS) user policy to enable virtual machines to be converted to Amazon instances.

Download the amazon_permission_conversion.json file and use it on the AWS command line to apply all of the required permissions. For information about how Commvault uses each permission, see Amazon Web Services Permission Usage.

Prior to any conversion operations that use the import method, you must enable the VM Import Service role (vmimport) on the Amazon Web Services account and associate that role to the user account that is used to perform conversion operations. For more information, see Creating a vmimport Role.

You can check if the VM meets the specifications for import method, see Checking the VM for Import Specifications.

For more information about Amazon permissions, see Amazon Elastic Compute Cloud API Reference or Amazon Simple Storage Service API Reference.

Commvault requires access to your AWS account using AWS Identity and Access Management (IAM) policies that are associated with IAM roles or users. The roles and permissions must have the permissions that are necessary for Commvault to perform data protection operations.

These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault usage of AWS permissions is controlled by the account settings that are used to create the Amazon EC2 hypervisor in Commvault.


When using resources from an admin account, you must add JSON permissions to both admin and tenant accounts. The permissions that you need to add depends on the operations that you want the account to be able to perform. To restrict operations, see "Permission Usage" below.