Amazon Web Services User Permissions for Backups and Restores

You can create Amazon Identity and Access Management (IAM) policies and assign them to IAM roles and users. For more information, see Policies and permissions in IAM on the AWS documentation site.

For non-administrative users to perform Commvault backups and restores, you must create IAM policies with the required permissions and attach them to the IAM user or role.

Use the following IAM policy definitions to configure your IAM Roles and Users:

| Amazon service | JSON file to use |
|---|---|
| Amazon Elastic Compute Cloud (EC2) | amazon_restricted_role_permissions.json (recommended) |
| Amazon Elastic Compute Cloud (EC2) | amazon_permission_backup_restore.json (alternate, wider permission set) |
| Amazon Relational Database Service (Amazon RDS) | amazon_rds_backup_restore_permissions.json |
| Amazon Redshift | amazon_redshift_backup_restore_permissions.json |
| Amazon DocumentDB | amazon_documentdb_backup_restore_permissions.json |
| Amazon DynamoDB | AWS_DynamoDB_permissions.json |
| Amazon S3 on Outposts | Amazon_S3_on_Outposts_permissions.json |
| Amazon Elastic Compute Cloud (EC2) database, file system and application agents | amazon_DB_FS_backup_restore_permissions.json |

| Use case | JSON file to use |
|---|---|
| Virtual Machine conversion to Amazon EC2 | amazon_permission_conversion.json |
| AWS Cloud Library Creation with AWS STS – IAM Role Policy Authentication: | |
| EC2 role creation with an STS policy that allows AssumeRole (STS Assume IAM Role) | amazon_s3_EC2_IAM_role_01.json |
| S3 role creation with an S3 policy with limited permissions (STS Assume IAM Role) | amazon_s3_EC2_IAM_role_02.json |
| EC2 role ARN for STS Assume IAM Role | amazon_s3_EC2_IAM_role_03.json |
| AWS Cloud Library Creation with AWS STS Assume Role: | |
| S3 STS Assume Role creation with an STS policy that allows AssumeRole | STSAssumeRole.json |
| Permissions required for the S3 role creation (S3 policy) | s3LimitedPermissions.json |
| S3 role ARN for STS Assume Role | STSAssumeRole_TrustRelationShip.json |
| Amazon VM Import and Export Service IAM role | trust-policy.json |
| Amazon VM Import and Export IAM policy | role-policy.json |
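The STS Assume Role rows above pair a caller-side policy that grants sts:AssumeRole with the target role's trust relationship, and the two documents must reference each other. As an added example that is not Commvault's code, this Python check parses constructed stand-ins for those two files, confirms the cross-references, and flags a trust policy open to any principal; the account id, role names and ARNs are placeholders.

```python
import json
# Constructed stand-in for the caller role's STS policy (the page's STSAssumeRole.json).
CALLER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::111122223333:role/commvault-s3-role"}]})

# Constructed stand-in for the S3 role's trust relationship (the page's STSAssumeRole_TrustRelationShip.json).
TARGET_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/commvault-ec2-role"}}]})
# Constructed ARNs for the two roles in the hop (account id is a placeholder).
CALLER_ARN = "arn:aws:iam::111122223333:role/commvault-ec2-role"
TARGET_ARN = "arn:aws:iam::111122223333:role/commvault-s3-role"

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM fields may be str or list

def _allow_statements(policy_json, action):
    """Yield Allow statements whose Action includes the given action."""
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") == "Allow" and action in _as_list(stmt.get("Action", [])):
            yield stmt

def assume_role_targets(policy_json):
    """Role ARNs (or '*') a caller policy allows sts:AssumeRole on."""
    targets = set()
    for stmt in _allow_statements(policy_json, "sts:AssumeRole"):
        targets.update(_as_list(stmt.get("Resource", [])))
    return targets

def trusted_principals(trust_json):
    """Principals a trust relationship lets call sts:AssumeRole ('*' means anyone)."""
    principals = set()
    for stmt in _allow_statements(trust_json, "sts:AssumeRole"):
        principal = stmt.get("Principal", {})
        principals.update(["*"] if principal == "*" else _as_list(principal.get("AWS", [])))
    return principals

def check_chain(caller_json, trust_json, caller_arn, target_arn):
    """Findings for one AssumeRole hop; an empty list means both documents agree."""
    targets = assume_role_targets(caller_json)
    principals = trusted_principals(trust_json)
    checks = [
        (target_arn in targets, "caller policy lacks sts:AssumeRole on the target role"),
        ("*" not in targets, "caller policy allows sts:AssumeRole on any role"),
        (caller_arn in principals, "trust policy does not name the caller role"),
        ("*" not in principals, "trust policy accepts any AWS principal"),
    ]
    return [message for ok, message in checks if not ok]
```

Run the check against the real exported JSON files before attaching them; a non-empty result means the hop will either fail or is wider than the least-privilege pairing the table describes.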

How Commvault Uses AWS Permissions

Commvault uses Amazon Web Services (AWS) permissions to perform data protection and data recovery operations for instances that run in AWS. These permissions are used only to access the snapshots, volumes, and instance configuration information required to back up instances to storage media, to recover instances, and to clean up intermediate entities that Commvault creates during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after the user confirms.

Commvault's use of AWS permissions is controlled by the account settings used to create a virtualization client (hypervisor). For authentication, the virtualization client can access the AWS account either through IAM roles or with an access key and secret key pair.

For information about how Commvault uses each permission, see Amazon Web Services Permission Usage.

For more information about Amazon permissions, see the Amazon Elastic Compute Cloud API Reference or the Amazon Simple Storage Service API Reference in the AWS documentation.