Commvault requires access to your AWS account using AWS Identity and Access Management (IAM) policies that are associated with IAM roles or users. The roles and permissions must have the permissions that are necessary for Commvault to perform data protection operations.
These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.
Commvault usage of AWS permissions is controlled by the account settings that are used to create the Amazon EC2 hypervisor in Commvault.
Note
When using resources from an admin account, you must add JSON permissions to both admin and tenant accounts. The permissions that you need to add depends on the operations that you want the account to be able to perform. To restrict operations, see "Permission Usage" below.
You can use the following IAM Policies to apply these permissions to a user account:
-
Agentless file recovery
-
AmazonSSMManagedInstanceCore AWS IAM Policy.
-
The following table summarizes the Amazon permissions that are needed for Commvault operations and explains how Commvault uses each permission.
Permission |
Usage |
Backups and restores |
Agentless file recovery |
In-place instance restore with same GUID |
VM conversion |
Replication |
---|---|---|---|---|---|---|
ebs:CompleteSnapshot |
Seal and complete the Amazon Elastic Block Store snapshot. This is required for direct write restores. |
|||||
ebs:GetSnapshotBlock |
Return data in the Amazon Elastic Block Store snapshots. This is required for direct read backups. |
|||||
ebs:ListChangedBlocks |
Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume. Required for CBT-enabled backups. |
|||||
ebs:ListSnapshotBlocks |
Return allocated blocks in an Amazon Elastic Block Store snapshot. Required for CBT-enabled backups. |
|||||
ebs:PutSnapshotBlock |
Write a block of data to the Amazon Elastic Block Store snapshot. This is required for direct write restores. |
|||||
ebs:StartSnapshot |
Create a new Amazon Elastic Block Store snapshot. This is required for direct write restores. |
|||||
ec2:AssociateIamInstanceProfile |
Attach IAM role to an instance. |
|||||
ec2:AttachNetworkInterface |
Attach network interface to an instance. |
|||||
ec2:AttachVolume |
Attach volume to proxy for reads and writes during backup, restore, and replication operations. |
|||||
ec2:CancelImportTask |
Cancel the import task. |
|||||
ec2:CopySnapshot |
Copy snapshot from one region to another during snap replication. |
|||||
ec2:CreateTags |
Create tags on resources such as instances, volumes, and snapshots. This is required for direct write restores. |
|||||
ec2:CreateImage |
Create AMI of source instance during backup. |
|||||
ec2:CreateNetworkInterface |
Create a new network interface. |
|||||
ec2:CreateSnapshot |
Share the image to admin or user account. |
(across AWS accounts) |
||||
ec2:CreateTags |
Create tags on resources such as instances, volumes, and snapshots. |
|||||
ec2:CreateVolume |
Create volume from snapshot for backup or create empty volumes for restores. |
|||||
ec2:DeleteNetworkInterface |
Delete old network interfaces during incremental replication. |
|||||
ec2:DeleteSnapshot |
Clean up snapshots after job completion. |
|||||
ec2:DeleteTags |
Delete tags after backup and restore operations. |
|||||
ec2:DeleteVolume |
Clean up volumes after job completion. |
|||||
ec2:DeregisterImage |
Delete AMI after backup operations and delete old integrity snapshot. |
|||||
ec2:DescribeAccountAttributes |
Get supported network platforms (if EC2 is supported). |
|||||
ec2:DescribeAvailabilityZones |
Get list of availability zones. |
|||||
ec2:DescribeIamInstanceProfileAssociations |
Get IAM role information. |
|||||
ec2:DescribeImages |
Get list of AMIs. |
|||||
ec2:DescribeImportImageTasks |
Used for restore operations with an on-premise proxy, including replication operations that use the import method. Get import task information to check the status of the task. |
|||||
ec2:DescribeInstanceAttribute |
Get EBS optimization information of instance. |
|||||
ec2:DescribeInstances |
Get list of instances, including proxy and source instance information. |
|||||
ec2:DescribeInstanceStatus |
Validate instance status after restore operation. |
|||||
ec2:DescribeInstanceTypeOfferings |
Get list of all instance types offered in a region |
|||||
ec2:DescribeInstanceTypes |
Get details of instance types offered in a region |
|||||
ec2:DescribeKeyPairs |
Get list of key pairs. |
|||||
ec2:DescribeNetworkInterfaces |
Get network interface list. |
|||||
ec2:DescribeRegions |
Get list of all regions. |
|||||
ec2:DescribeSecurityGroups |
Get list of security groups. |
|||||
ec2:DescribeSnapshots |
Get snapshot information. |
|||||
ec2:DescribeSubnets |
Get list of subnets. |
|||||
ec2:DescribeTags |
Get tag list to backup and restore tags on instances and volumes. |
|||||
ec2:DescribeVolumeAttribute |
Get product code associated with volume. |
|||||
ec2:DescribeVolumes |
Get volume list and information such as size, type, and attachments. |
|||||
ec2:DescribeVolumesModifications |
Get IOPS values used during hotadd backups. |
|||||
ec2:DescribeVpcs |
Get list of VPCs. |
|||||
ec2:DescribeVpcEndpoints |
Get information about the EBS VPC endpoint during direct read backups. |
|||||
ec2:DetachNetworkInterface |
Detach a network interface from an instance. |
|||||
ec2:DetachVolume |
Detach volume from proxy after reads and writes. |
|||||
ec2:DisassociateIamInstanceProfile |
Remove IAM role from instance. |
|||||
ec2:GetConsoleOutput |
Get operating system information. |
|||||
ec2:GetEbsDefaultKmsKeyId |
Create an encrypted snapshot with AWS managed key (default key). This is required for direct write restores. |
|||||
ec2:GetEbsEncryptionBydefault |
Describe whether EBS encryption by default is enabled for the account in the current region. This is required for direct write restores. |
|||||
ec2:ImportImage |
Used for restore operations with an on-premise proxy, including replication operations that use the import method. Import image during conversion job. |
|||||
ec2:ModifyImageAttribute |
Share the image to admin or user account. |
(across AWS accounts) |
||||
ec2:ModifyInstanceAttribute |
Set or reset delete on termination policy after restore. |
|||||
ec2:ModifyNetworkInterfaceAttribute |
Set or reset delete on termination policy after restore. |
|||||
ec2:ModifySnapshotAttribute |
Share snapshot to a different region during snap replication and cross account backups and restores. |
|||||
ec2:ModifyVolume |
Adjust IOPS values during hotadd backups. |
|||||
ec2:RunInstances |
Create new instance. |
|||||
ec2:StartInstances |
Start instance after job completion (based on user input). |
|||||
ec2:StopInstances |
Stop instance after restore operation (based on user input). |
|||||
ec2:TerminateInstances |
Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication. |
|||||
iam:GetAccountAuthorizationDetails |
Required to get account info during snap backup operations that use IAM role. |
|||||
iam:GetInstanceProfile |
Required for IAM based authentication. |
|||||
iam:GetUser |
Get information about the user specified in the AWS client. Used during snap replication. |
|||||
iam:ListInstanceProfiles |
Required to get list of instance profile names to populate IAM roles for restores. |
|||||
iam:ListRoles |
Required to list key pairs in restore screen using IAM role. |
|||||
iam:passrole |
Required for restoring the IAM role on the restored instance during full instance restores, conversions, and replication. If you don't want the IAM role to be set by Commvault, you can remove this permission completely. You can also restrict this permission to specific roles, services, or instances. You can use the condition key “AssociatedResourceArn” to restrict the destination instances that the role can be associated to. For more information, see IAM and AWS STS condition context keys in the AWS documentation. |
|||||
iam:SimulatePrincipalPolicy |
Required for simulating the set of IAM policies attached to an IAM user, group, or role to determine the policies' effective permissions for a list of API actions and AWS resources. |
|||||
kms:CreateAlias |
Create customer-managed CMK during cross account backup of volumes encrypted using default CMK. |
|||||
kms:CreateGrant |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:CreateKey |
Create customer-managed CMK during cross account backup of volumes encrypted using default CMK. |
|||||
kms:Decrypt |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:DescribeKey |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:Encrypt |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:GenerateDataKey |
Required for snap replication of default encrypted Amazon snapshots. Also required for direct write restore to write data to the encrypted Amazon Elastic Block Store snapshot. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:GenerateDataKeyPair |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:GenerateDataKeyWithoutPlaintext |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:GenerateDataKeyPairWithoutPlaintext |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:ListAliases |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:ListGrants |
Attach encrypted volume to proxy for reads and writes during backup, restore, and replication operations. |
|||||
kms:ListKeys |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:ListResourceTags |
Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication. |
|||||
kms:ReEncryptFrom |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:ReEncryptTo |
Required for snap replication of default encrypted Amazon snapshots. |
(for default encrypted snapshots) |
(for default encrypted snapshots) |
|||
kms:TagResource |
Required to set tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exists in a given AWS region. |
|||||
s3:CreateBucket |
Required to create an S3 bucket for restores. |
(when using Import method) |
(when using Import method) |
(when using Import method) |
||
s3:DeleteObject |
Used for restore operations with an on-premise proxy, including replication operations that use the import method. This permission is also used for a temporary S3 bucket and does not affect the S3 storage buckets. |
|||||
s3:GetBucketAcl |
Share the bucket to admin account. |
(across AWS accounts) |
||||
s3:GetBucketLocation |
Get the bucket region for restore operations that use a non-AWS proxy. |
|||||
s3:GetObject |
Used for restore operations with an on-premise proxy, including replication operations that use the import method. |
|||||
s3:ListAllMyBuckets |
Used for restore operations that use an on-premise proxy, including replication operations that use the import method. |
|||||
s3:ListBucket |
Used for restore operations that use an on-premise proxy, including replication operations that use the import method. |
|||||
s3:PutBucketAcl |
Share the bucket to admin account. |
(across AWS accounts) |
||||
s3:PutObject |
Used for restore operations that use an on-premise proxy, including replication operations that use the import method. |
|||||
s3:PutObjectAcl |
Used to upload objects to S3 bucket. |
|||||
s3:PutObjectTagging |
Required by MediaAgent if S3 library is used with DASH copy. |
(when using Import method) |
||||
ssm:CancelCommand |
Cancel run commands. |
|||||
ssm:DescribeInstanceInformation |
Get a list of instances that have the AWS Systems Manager (SSM) installed. |
|||||
ssm:ListCommands |
List the run commands. |
|||||
ssm:SendCommand |
Launch run commands. |
|||||
sts:AssumeRole |
Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. |