Creating an AWS Role with Restricted Access

To restrict access to AWS resources for Commvault operations, you can create a policy that restricts access to resources that are created and used by Commvault.

You can associate the policy with an Amazon hypervisor (Commvault virtualization client) using one of the following methods:

  • Create an IAM role that uses the policy, and attach the role to an Amazon instance that is configured as a VSA proxy for the hypervisor. With this method, choose the IAM Role option for authentication when you configure the hypervisor in Commvault, and specify access nodes (VSA proxies) that have the IAM role attached.

  • Attach the restricted policy to users or user groups. With this method, choose the Access and Secret Key option for authentication when you configure the hypervisor in Commvault, and then enter the access key and secret key associated with a user who has the restricted policy attached.

You can use this restricted role for operations that are performed from the Command Center or from the CommCell Console.

You can perform the following operations using a role with restricted access:

  • Streaming backups

  • All supported restore operations from streaming backups

  • IntelliSnap backups

  • All supported restore operations from IntelliSnap backups

  • Operations that are performed by a tenant user in a managed services environment, using resources that are configured in a separate Admin account

  • Cross-hypervisor restores (VM conversion) and replication from VMware to AWS

  • Replication from AWS to AWS

A restricted policy limits the VSA proxy to resources that are tagged with the string '_GX_BACKUP_', including AMI snapshots, volumes, and EBS snapshots, and does not enable the VSA proxy to delete or detach other AWS resources that are not tagged with that string.

In addition, the policy permits deletion only of tags that are created by Commvault, such as '_GX_BACKUP_', 'CV_Retain_Snap', 'CV_Integrity_Snap', '_GX_BACKUP_', and '_GX_AMI_'.

The restrictions apply to the following EC2 operations:

  • DeleteVolume

  • DeleteSnapshot

  • TerminateInstances

  • DeleteTags

  • DetachVolume

Before You Begin

Install the Virtual Server Agent on an Amazon EC2 instance.


  1. Download the amazon_restricted_role_permissions.json policy file.

  2. Assign the policy to an IAM user or IAM role that is used for authentication of the Amazon hypervisor (Commvault virtualization client).

For more information about IAM policies, see Policies and permissions in IAM on the AWS documentation site.