How Commvault Uses AWS Permissions to Protect Amazon EC2

The Commvault software uses AWS permissions to perform protection operations for your Amazon EC2 instances. The software's use of AWS permissions is controlled by the AWS user account (which is represented in Commvault as an Amazon EC2 hypervisor).

The software uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.

For IAM policies (in JSON format) that include the required permissions for protecting Amazon EC2 and other AWS resources, see Permission Requirements for AWS Resource Protection.

For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.

Commvault supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).

Permission

Usage

Backup and restore

Agentless file recovery

In-place restore with same GUID

VM conversion

Replication

ebs:CompleteSnapshot

Seal and complete the Amazon Elastic Block Store snapshot.

Required for direct write restores.

Yes

--

--

--

--

ebs:GetSnapshotBlock

Return data in the Amazon Elastic Block Store snapshots.

Required for direct read backups.

Yes

--

--

--

--

ebs:ListChangedBlocks

Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume.

Required for CBT-enabled backups.

Yes

--

--

--

--

ebs:ListSnapshotBlocks

Return allocated blocks in an Amazon Elastic Block Store snapshot.

Required for CBT-enabled backups.

Yes

--

--

--

--

ebs:PutSnapshotBlock

Write a block of data to the Amazon Elastic Block Store snapshot.

Required for direct write restores.

Yes

--

--

--

--

ebs:StartSnapshot

Create a new Amazon Elastic Block Store snapshot.

Required for direct write restores.

Yes

--

--

--

--

ec2:AssociateDhcpOptions

Associates a set of DHCP options (that you previously created) with the specified VPC.

Yes

--

--

--

--

ec2:AssociateIamInstanceProfile

Attach IAM role to an instance.

--

--

Yes

--

--

ec2:AssociateVpcCidrBlock

Associates a CIDR block with your VPC.

Yes

--

--

--

--

ec2:AttachInternetGateway

Attach one or more internet gateways.

Yes

--

Yes

--

--

ec2:AttachNetworkInterface

Attach network interface to an instance.

--

--

Yes

--

--

ec2:AttachVolume

Attach volume to access node for reads and writes during backup, restore, and replication operations.

Yes

--

--

Yes

Yes

ec2:AttachVpnGateway

Attach one or more VPN gateways.

Yes

--

Yes

--

--

ec2:AuthorizeSecurityGroupEgress

[VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC.

Yes

--

--

--

--

ec2:AuthorizeSecurityGroupIngress

Adds the specified inbound (ingress) rules to a security group.

Yes

--

--

--

--

ec2:CancelImportTask

Cancel the import task.

--

--

--

Yes

--

ec2:CopySnapshot

Copy snapshot from one AWS Region to another during snap replication.

--

--

--

--

Yes

ec2:CreateDHCPOptions

Creates a set of DHCP options for your VPC.

Yes

--

Yes

--

--

ec2:CreateEgressOnlyInternetGateway

Create one or more egress-only internet gateways.

Yes

--

Yes

--

--

ec2:CreateFlowLogs

Create one or more flow logs.

Yes

--

Yes

--

--

ec2:CreateImage

Create an AMI of the source instance during a backup.

Yes

--

--

Yes

Yes

ec2:CreateInternetGateway

Create one or more internet gateways.

Yes

--

Yes

--

--

ec2:CreateManagedPrefixList

Create managed prefix list.

Yes

--

Yes

--

--

ec2:CreateNatGateway

Create one or more NAT gateways.

Yes

--

Yes

--

--

ec2:CreateNetworkAcl

Create the network ACL in a specified VPC.

Yes

--

--

Yes

Yes

ec2:CreateNetworkAclEntry

Create the network ACL entry/rule.

Yes

--

--

Yes

Yes

ec2:CreateNetworkInterface

Creates a network interface in the specified subnet.

--

--

Yes

--

--

ec2:CreateSecurityGroup

Creates a security group.

Yes

--

--

--

--

ec2:CreateSnapshot

Share the image to admin or user account.

(Across AWS accounts)

--

--

Yes

--

ec2:CreateSubnet

Creates a subnet in a specified VPC.

Yes

--

--

--

--

ec2:CreateSubnetCidrReservation

Create a subnet CIDR reservation.

Yes

--

Yes

--

--

ec2:CreateTags

Create tags on resources such as instances, volumes, and snapshots.

Required for direct write restores.

Yes

--

--

Yes

--

ec2:CreateTransitGateway

Create one or more transit gateways.

Yes

--

Yes

--

--

ec2:CreateTransitGatewayVpcAttachment

Create one or more transit gateways VPC attachments.

Yes

--

Yes

--

--

ec2:CreateVolume

Create volume from snapshot for backup or create empty volumes for restores.

Yes

--

--

Yes

Yes

ec2:CreateVpc

Creates a VPC with the specified IPv4 CIDR block.

Yes

--

--

--

--

ec2:CreateVpnGateway

Create one or more VPN gateways.

Yes

--

Yes

--

--

ec2:DeleteDhcpOptions

Deletes the specified set of DHCP options.

Yes

--

Yes

--

--

ec2:DeleteEgressOnlyInternetGateway

Delete one or more egress-only internet gateways.

Yes

--

Yes

--

--

ec2:DeleteInternetGateway

Delete one or more internet gateways.

Yes

--

Yes

--

--

ec2:DeleteManagedPrefixList

Delete managed prefix list.

Yes

--

Yes

--

--

ec2:DeleteNatGateway

Delete one or more NAT gateways.

Yes

--

Yes

--

--

ec2:DeleteNetworkAcl

Deletes the specified network ACL.

Yes

--

Yes

--

--

ec2:DeleteNetworkAclEntry

Deletes the specified network ACL entry/rule.

Yes

--

Yes

--

--

ec2:DeleteNetworkInterface

Delete old network interfaces during incremental replication.

Yes

--

--

Yes

Yes

ec2:DeleteSecurityGroup

Deletes a security group.

Yes

--

--

--

--

ec2:DeleteSnapshot

Clean up snapshots after job completion.

Yes

--

--

Yes

Yes

ec2:DeleteSubnet

Deletes the specified subnet.

Yes

--

Yes

--

--

ec2:DeleteTags

Delete tags after backup and restore operations.

Yes

--

--

Yes

Yes

ec2:DeleteTransitGateway

Delete one or more transit gateways.

Yes

--

Yes

--

--

ec2:DeleteTransitGatewayVpcAttachment

Delete one or more transit gateways VPC attachments.

Yes

--

Yes

--

--

ec2:DeleteVolume

Clean up volumes after job completion.

Yes

--

--

Yes

Yes

ec2:DeleteVpc

Deletes the specified VPC.

Yes

--

--

--

--

ec2:DeleteVpnGateway

Delete one or more VPN gateways.

Yes

--

Yes

--

--

ec2:DeregisterImage

Delete AMI after backup operations and delete old integrity snapshot.

Yes

--

--

Yes

Yes

ec2:DescribeAccountAttributes

Get supported network platforms (if EC2 is supported).

Yes

--

--

Yes

Yes

ec2:DescribeAvailabilityZones

Get list of Availability Zones.

Yes

--

--

Yes

Yes

ec2:DescribeCarrierGateways

Describes one or more carrier gateways.

Yes

--

--

--

--

ec2:DescribeCustomerGateways

Describes one or more VPN customer gateways.

Yes

--

--

--

--

ec2:DescribeDhcpOptions

Describes one or more DHCP options sets.

Yes

--

--

--

--

ec2:DescribeEgressOnlyInternetGateways

Describes one or more egress-only internet gateways.

Yes

--

--

--

--

ec2:DescribeFlowLogs

Describes one or more flow logs.

Yes

--

--

--

--

ec2:DescribeIamInstanceProfileAssociations

Get IAM role information.

--

--

Yes

--

--

ec2:DescribeImages

Get list of AMIs.

Yes

--

--

Yes

Yes

ec2:DescribeImportImageTasks

Used for restore operations with an on-premise access node, including replication operations that use the AWS VM Import/Export transport mode.

Get import task information to check the status of the task.

Yes

--

--

Yes

Yes

ec2:DescribeInstanceAttribute

Get EBS optimization information of instance.

Yes

--

--

Yes

Yes

ec2:DescribeInstances

Get list of instances, including access node and source instance information.

Yes

--

--

Yes

Yes

ec2:DescribeInstanceStatus

Validate instance status after restore operation.

--

--

--

Yes

Yes

ec2:DescribeInstanceTypeOfferings

Get list of all instance types offered in an AWS Region.

Yes

--

Yes

Yes

Yes

ec2:DescribeInstanceTypes

Get details of instance types offered in an AWS Region.

Yes

--

Yes

Yes

Yes

ec2:DescribeInternetGateways

Describes one or more internet gateways.

Yes

--

--

--

--

ec2:DescribeKeyPairs

Get list of key pairs.

Yes

--

--

Yes

Yes

ec2:DescribeManagedPrefixLists

Describes your managed prefix lists and any AWS-managed prefix lists.

Yes

--

--

--

--

ec2:DescribeNatGateways

Describes one or more NAT gateways.

Yes

--

--

--

--

ec2:DescribeNetworkAcls

Describes one or more network ACLs.

Yes

--

--

--

--

ec2:DescribeNetworkInterfaces

Gets the network interface list.

Yes

--

--

Yes

Yes

ec2:DescribePrefixLists

Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service.

Yes

--

--

--

--

ec2:DescribeRegions

Get list of all AWS Regions.

Yes

--

--

Yes

Yes

ec2:DescribeRouteTables

Describes one or more route tables.

Yes

--

--

--

--

ec2:DescribeSecurityGroupRules

Describes one or more security group rules.

Yes

--

--

--

--

ec2:DescribeSecurityGroups

Gets the list of security groups.

Yes

--

--

Yes

Yes

ec2:DescribeSnapshots

Gets snapshot information.

Yes

--

--

Yes

Yes

ec2:DescribeSubnets

Gets the list of subnets.

Yes

--

--

Yes

Yes

ec2:DescribeTags

Get tag list to backup and restore tags on instances and volumes.

Yes

--

--

Yes

Yes

ec2:DescribeTransitGateway

Describes one or more transit gateways.

Yes

--

--

--

--

ec2:DescribeTransitGatewaysAttachments

Describes one or more attachments between resources and transit gateways.

Yes

--

--

--

--

ec2:DescribeTransitGatewayVpcAttachments

Describe one or more transit gateways VPC attachments.

Yes

--

Yes

--

--

ec2:DescribeVolumeAttribute

Get product code associated with volume.

Yes

--

--

Yes

--

ec2:DescribeVolumes

Get volume list and information such as size, type, and attachments.

Yes

--

--

Yes

Yes

ec2:DescribeVolumesModifications

Get IOPS values used during HotAdd backups.

Yes

--

--

--

--

ec2:DescribeVpcAttribute

Describes the specified attribute of the specified VPC.

Yes

--

--

--

--

ec2:DescribeVpcEndpoints

Gets the list of VPC endpoints.

Yes

--

--

--

--

ec2:DescribeVpcPeeringConnections

Describes one or more VPC peering connections.

Yes

--

--

--

--

ec2:DescribeVpcs

Gets the list of VPCs.

Yes

--

--

Yes

Yes

ec2:DescribeVpnConnections

Describes one or more VPN connections.

Yes

--

--

--

--

ec2:DescribeVpnGateways

Describes one or more virtual private gateways.

Yes

--

--

--

--

ec2:DetachVpnGateway

Detach one or more VPN gateways.

Yes

--

Yes

--

--

ec2:DetachInternetGateway

Detach one or more internet gateways.

Yes

--

Yes

--

--

ec2:DetachNetworkInterface

Detach a network interface from an instance.

--

--

Yes

Yes

--

ec2:DetachVolume

Detach volume from access node after reads and writes.

Yes

--

--

Yes

Yes

ec2:DisassociateIamInstanceProfile

Remove IAM role from instance.

--

--

Yes

--

--

ec2:GetConsoleOutput

Get operating system information.

Yes

--

--

Yes

Yes

ec2:GetEbsDefaultKmsKeyId

Create an encrypted snapshot with AWS managed key (default key).

Required for direct write restores.

Yes

--

--

--

--

ec2:GetEbsEncryptionBydefault

Describes whether EBS encryption by default is enabled for the account in the current AWS Region. Required for direct write restores, HotAdd streaming and backup copy jobs.

Yes

--

--

--

--

ec2:GetManagedPrefixListEntries

Gets information about the entries for a specified managed prefix list.

Yes

--

--

--

--

ec2:GetSubnetCidrReservations

Gets information about the subnet CIDR reservations.

Yes

--

--

--

--

ec2:ImportImage

Used for restore operations with an on-premise access node, including replication operations that use the AWS VM Import/Export transport mode.

Import image during conversion job.

Yes

--

--

Yes

Yes

ec2:ModifyImageAttribute

Share the image to admin or user account.

Yes (across AWS accounts)

--

--

Yes

--

ec2:ModifyInstanceAttribute

Set or reset delete on termination policy after restore.

Yes

--

--

Yes

Yes

ec2:ModifyNetworkInterfaceAttribute

Set or reset delete on termination policy after restore.

Yes

--

--

Yes

Yes

ec2:ModifySnapshotAttribute

Share snapshot to a different AWS Region during snap replication and cross account backups and restores.

Yes

--

Yes

--

Yes

ec2:ModifySubnetAttribute

Modifies a subnet attribute.

Yes

--

--

--

--

ec2:ModifyVolume

Adjust IOPS values during HotAdd backups.

Yes

--

--

--

--

ec2: ModifyVpcAttribute

Modifies the specified attribute of the specified VPC.

Yes

--

--

--

--

ec2:ReplaceNetworkAclAssociation

Changes which network ACL a subnet is associated with.

Yes

--

--

Yes

Yes

ec2:RevokeSecurityGroupEgress

[VPC only] Removes the specified outbound (egress) rules from a security group for a VPC.

Yes

--

--

--

--

ec2:RevokeSecurityGroupIgress

Removes the specified inbound (ingress) rules from a security group.

Yes

--

--

--

--

ec2:RunInstances

Create new instance.

Yes

--

--

Yes

Yes

ec2:StartInstances

Start instance after job completion (based on user input).

Yes

--

--

Yes

Yes

ec2:StopInstances

Stop instance after restore operation (based on user input).

Yes

--

--

Yes

Yes

ec2:TerminateInstances

Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication.

Yes

--

--

Yes

Yes

iam:GetAccountAuthorizationDetails

Required to get account info during snap backup operations that use IAM role.

Yes

--

--

Yes

Yes

iam:GetInstanceProfile

Required for IAM based authentication.

Yes

--

--

Yes

Yes

iam:GetUser

Get information about the user specified in the AWS client. Used during snap replication.

--

--

--

--

Yes

iam:ListInstanceProfiles

Required to get list of instance profile names to populate IAM roles for restores.

Yes

--

--

Yes

Yes

iam:ListRoles

Required to list key pairs in restore screen using IAM role.

Yes

--

--

Yes

Yes

iam:passrole

  • Required to create a flow log with cloud-watch-logs as the destination type. This permission can be restricted to the IAM role that is associated with source flow log. For information, see Permissions for IAM users to pass a role in the AWS documentation.

  • Required for restoring the IAM role on the restored instance during full instance restores, conversions, and replication. If you don't want the IAM role to be set by Commvault, you can remove this permission completely. You can also restrict this permission to specific roles, services, or instances. You can use the condition key “AssociatedResourceArn” to restrict the destination instances that the role can be associated to. For more information, see IAM and AWS STS condition context keys in the AWS documentation.

Yes

--

--

Yes

Yes

iam:SimulatePrincipalPolicy

Optional permission used for logging the status of permissions required for EBS Direct Backup and Restore.

Optional

--

--

--

--

kms:CreateAlias

Create customer-managed CMK during cross account backup of volumes encrypted using default CMK.

Yes

--

--

--

--

kms:CreateGrant

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:CreateKey

Create customer-managed CMK during cross account backup of volumes encrypted using default CMK.

Yes

--

--

--

--

kms:Decrypt

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:DescribeKey

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:Encrypt

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:GenerateDataKey

Required for snap replication of default encrypted AWS snapshots.

Also required for direct write restores to write data to the encrypted Amazon Elastic Block Store snapshot.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:GenerateDataKeyPair

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:GenerateDataKeyWithoutPlaintext

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:GenerateDataKeyPairWithoutPlaintext

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:ListAliases

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:ListGrants

Attach encrypted volume to access node for reads and writes during backup, restore, and replication operations.

Yes

--

Yes

--

Yes

kms:ListKeys

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:ListResourceTags

Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication.

--

--

--

--

Yes

kms:ReEncryptFrom

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:ReEncryptTo

Required for snap replication of default encrypted AWS snapshots.

Yes (for default encrypted snapshots)

--

--

--

Yes (for default encrypted snapshots)

kms:TagResource

Required to set tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exists in a given AWS Region.

Yes

--

--

--

Yes

s3:CreateBucket

Required to create an S3 bucket for restores.

Yes (when using the AWS VM Import/Export transport mode)

Yes

--

Yes (when using the AWS VM Import/Export transport mode)

Yes (when using the AWS VM Import/Export transport mode)

s3:DeleteObject

Used for restore operations with an on-premise access node, including replication operations that use the AWS VM Import/Export transport mode.

This permission is also used for a temporary S3 bucket and does not affect the S3 storage buckets.

Yes

Yes

--

Yes

Yes

s3:GetBucketAcl

Share the bucket to admin account.

Yes (across AWS accounts)

--

--

Yes

--

s3:GetBucketLocation

Get the bucket AWS Region for restore operations that use a non-AWS access node.

Yes

Yes

--

Yes

Yes

s3:GetObject

Used for restore operations with an on-premise access node, including replication operations that use the AWS VM Import/Export transport mode.

Yes

Yes

--

Yes

Yes

s3:GetObjectAcl

Used to share an S3 object to the tenant account when you perform an agentless restore to a different account.

--

Yes

--

--

--

s3:GetObjectTagging

Gets the tag set for an S3 object. Required to recover Amazon VPC resources.

Yes

--

Yes

--

--

s3:ListAllMyBuckets

Used for restore operations that use an on-premise access node, including replication operations that use the AWS VM Import/Export transport mode.

Yes

--

--

--

Yes

s3:ListBucket

Used for restore operations that use an on-premise access node, including replication operations that use the AWS VM Import/Export transport mode.

Yes

Yes

--

Yes

Yes

s3:PutBucketAcl

Share the bucket to admin account.

Yes (across AWS accounts)

--

--

Yes

--

s3:PutBucketOwnershipControls

Required to enable ACLs on Amazon S3 buckets that are created by Commvault for cross-account agentless restores.

--

Yes

--

--

--

s3:PutEncryptionConfiguration

Enables server-side encryption with Amazon S3 managed keys (SSE-S3).

Yes

Yes

--

Yes

Yes

s3:PutObject

Used for restore operations that use an on-premise access node, including replication operations that use the AWS VM Import/Export transport mode.

Yes

Yes

--

Yes

Yes

s3:PutObjectAcl

Used to upload objects to S3 bucket.

--

Yes

--

--

--

s3:PutObjectTagging

- Required by MediaAgent if the S3 library is used with DASH copy.

- Sets the supplied tag set to an S3 object.

Yes

Yes

Yes

Yes (when using the AWS VM Import/Export transport mode)

Yes

ssm:CancelCommand

Cancel run commands.

--

Yes

--

--

--

ssm:DescribeInstanceInformation

Get a list of instances that have the AWS Systems Manager (SSM) installed.

--

Yes

--

--

--

ssm:ListCommands

List the run commands.

--

Yes

--

--

--

ssm:SendCommand

Launch run commands.

--

Yes

--

--

--

sts:AssumeRole

Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token.

Yes

Yes

Yes

Yes

Yes

sts:DecodeAuthorizationMessage

Required to decode encoded messsages.

Yes

Yes

Yes

Yes

Yes

Loading...