Commvault Account Factory Customization Blueprints

Commvault provides a shared services account blueprint and a member account blueprint as AWS CloudFormation (CFT) templates.

Support for Customer Modification of Blueprint Templates

Supported

Applying least-privilege permissions by removing IAM policies for AWS resources that you don't use or protect is supported. For more information, see Apply least-privilege permissions in the AWS documentation.

Not Supported

  • Modifying Commvault account blueprints is not supported.

  • Modifying actions in Commvault IAM policies is not supported.

Blueprint Templates

Commvault provides the following CFT templates:

  • Commvault Shared Services Account Blueprint: This template automatically creates the IAM roles and policies that are required to protect your AWS resources from a centralized shared services account within your landing zone.

  • Commvault Member Account Blueprint: This template automatically creates the IAM roles and trust policies that are required to allow your Commvault shared services account to assume a role in your Commvault member accounts to protect your AWS resources.

Blueprint Template Naming Convention

Blueprints are versioned for easy identification and comparison. The version syntax is as follows:

11.{platform_release}.{template_version}{release_status}/{template}.yml

Where:

  • platform_release: The release of the Commvault software that the blueprint is for.

  • template_version: The template version (001, 002, 003, and so on), for the platform release.

  • release_status: The Commvault internal flag ‘ur’ identifies the template as ‘unreleased’. You can remove this flag when deploying your blueprints.

  • template: The template name.

Access Restrictions Using IAM Policy Conditions

Commvault uses conditions in its IAM policies to reduce the scope of the permissions that the policies grant. The policies grant access to the specified actions, but only if the conditions are met.

Conditions are specified in the YAML files with the following syntax:

"Condition" : {"{condition operator}" : {"{condition-key}" : "{condition-value}"}}

Example 1

The following condition allows actions only on resources that are created by a Commvault backup process (identified by the _GX_BACKUP_ label).

Condition:
    StringLike:
        ec2:ResourceTag/_GX_BACKUP_: '*'

Example 2

The following condition allows actions only on resources that are created by a Commvault IntelliSnap snapshot-based process (identified by the CV_Retain_Snap, CV_Integrity_Snap, and _GX_AMI_ labels) or a Commvault streaming backup process (identified by the _GX_BACKUP_ label).

Condition:
    ForAnyValue:StringEquals:
      aws:TagKeys:
      - CV_Retain_Snap
      - CV_Integrity_Snap
      - _GX_BACKUP_
      - _GX_AMI_
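To see how the two conditions above behave against tagged and untagged resources, the following Python model evaluates them the way IAM does (every operator block must match, every key within it must match, and the ForAnyValue prefix matches if any value of a multi-valued key hits). This is an added example, not Commvault's or AWS's code: condition_matches and request_context are hypothetical helpers, and the tag sets are constructed for the demonstration.

```python
import fnmatch

# The two condition blocks from the Commvault blueprints, in the JSON form IAM stores.
BACKUP_RESOURCE_CONDITION = {"StringLike": {"ec2:ResourceTag/_GX_BACKUP_": "*"}}
COMMVAULT_TAG_KEYS_CONDITION = {
    "ForAnyValue:StringEquals": {
        "aws:TagKeys": ["CV_Retain_Snap", "CV_Integrity_Snap", "_GX_BACKUP_", "_GX_AMI_"]
    }
}

# Simplified model of IAM string operators; real IAM has more (Bool, ArnLike, ...).
MATCHERS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringLike": lambda actual, expected: fnmatch.fnmatchcase(actual, expected),
}


def request_context(tags):
    """Constructed request context: IAM exposes each tag on the resource as
    ec2:ResourceTag/<key> and the tag keys in the request as aws:TagKeys."""
    context = {f"ec2:ResourceTag/{key}": value for key, value in tags.items()}
    context["aws:TagKeys"] = list(tags)
    return context


def condition_matches(condition, context):
    """Return True only if every operator block and every key in it matches.
    A condition key absent from the context never matches (no ...IfExists here)."""
    for operator, key_values in condition.items():
        set_prefix, _, base_operator = operator.rpartition(":")
        matcher = MATCHERS[base_operator]
        for key, expected in key_values.items():
            if key not in context:
                return False
            expected_values = expected if isinstance(expected, list) else [expected]
            actual = context[key]
            actual_values = actual if isinstance(actual, list) else [actual]
            hits = [any(matcher(a, e) for e in expected_values) for a in actual_values]
            if set_prefix == "ForAnyValue":
                ok = any(hits)                 # at least one request value is listed
            elif set_prefix == "ForAllValues":
                ok = all(hits)                 # every request value is listed (empty set passes)
            else:
                ok = len(hits) == 1 and hits[0]  # single-valued key, exact/wildcard match
            if not ok:
                return False
    return True


if __name__ == "__main__":
    commvault_volume = request_context({"_GX_BACKUP_": "1", "Name": "cv-restore-vol"})
    customer_volume = request_context({"Name": "prod-db-vol"})
    print(condition_matches(BACKUP_RESOURCE_CONDITION, commvault_volume))
    print(condition_matches(BACKUP_RESOURCE_CONDITION, customer_volume))
```

Running it shows the Commvault-labelled volume satisfying the condition while the customer volume with only a Name tag does not, which is the scoping the blueprints rely on.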