For protection of Amazon EC2 resources, Commvault provides a set of identity-based policies that are attached to an IAM user, group, or role. Use these policies to specify what that identity can do (that is, its permissions).
Amazon EC2 Backup
The following identity-based policy and its referenced statement are mandatory for performing backups of Amazon EC2 instances and related Amazon EBS volumes.
- Required policy: amazon_restricted_role_permissions.json
- Mandatory statement: "Sid":"AmazonEC2BackupAndRestore1142V1"
Amazon EC2 Recovery
The following identity-based policy and its referenced statement are mandatory for performing recovery of Amazon EC2 instances and related Amazon EBS volumes.
- Required policy: amazon_restricted_role_permissions.json
- Mandatory statement: "Sid":"AmazonEC2BackupAndRestore1142V1"
Amazon VPC Backup
The following identity-based policy and its referenced statement are mandatory for performing backups of Amazon VPC resources.
- Required policy: amazon_restricted_role_permissions.json
- Mandatory statement: "Sid":"VPCBackupPermissions"
Amazon VPC Recovery
The following identity-based policy and its referenced statements are mandatory for performing recovery of Amazon VPC resources.
- Required policy: amazon_vpc_restore_permissions.json
- Mandatory statements:
  - "Sid":"VPCRestorePermissions1138V1"
  - "Sid":"VPCRestorePermissionToCreateFlowLog"
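A practical check for the EC2 and VPC requirements above is to confirm that the policy document actually attached to the IAM identity still carries each mandatory Sid, since a missing or renamed statement is a common cause of failed backup or restore jobs. The following script is an added example, not Commvault's own code: the Sid-to-operation mapping is taken from this page, while the sample policy document and its actions are constructed placeholders, not the real contents of the policy files.

```python
import json

# Mandatory statement IDs (Sids) per operation, as listed on this page.
REQUIRED_SIDS = {
    "amazon_restricted_role_permissions.json": {
        "Amazon EC2 Backup": {"AmazonEC2BackupAndRestore1142V1"},
        "Amazon EC2 Recovery": {"AmazonEC2BackupAndRestore1142V1"},
        "Amazon VPC Backup": {"VPCBackupPermissions"},
    },
    "amazon_vpc_restore_permissions.json": {
        "Amazon VPC Recovery": {
            "VPCRestorePermissions1138V1",
            "VPCRestorePermissionToCreateFlowLog",
        },
    },
}


def statement_sids(policy_doc):
    """Return the Sids of Allow statements in an IAM policy document (dict or JSON text)."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # IAM accepts a single statement object as well as a list
        stmts = [stmts]
    # A Deny statement that happens to reuse a mandatory Sid grants nothing, so it is ignored.
    return {s["Sid"] for s in stmts if "Sid" in s and s.get("Effect") == "Allow"}


def missing_statements(policy_name, policy_doc):
    """Map each operation to the mandatory Sids absent from the attached policy document."""
    present = statement_sids(policy_doc)
    return {op: sorted(sids - present)
            for op, sids in REQUIRED_SIDS[policy_name].items()
            if sids - present}


# Constructed sample: a VPC restore policy from which the flow-log statement was removed.
# The Action values are placeholders, not the permissions in Commvault's policy file.
SAMPLE_VPC_RESTORE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VPCRestorePermissions1138V1", "Effect": "Allow",
         "Action": ["ec2:PLACEHOLDER_ACTION"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(missing_statements("amazon_vpc_restore_permissions.json", SAMPLE_VPC_RESTORE_POLICY))
```

Running it against the sample reports the single missing Sid for Amazon VPC Recovery; an empty dict means every mandatory statement for that policy file is present.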
Agentless File Recovery
The following identity-based policies are required to perform file and folder recovery to an existing Amazon EC2 instance using AWS Systems Manager (AWS SSM).
Required policies:
- AmazonSSMManagedInstanceCore is required to allow the Commvault access node to use the core functionality of the AWS Systems Manager service.
- vsa_SSMInstanceProfileS3Policy.json is required to allow Commvault Cloud software to restore files and folders to a temporary staging S3 bucket and then deposit them on the selected EC2 instance via AWS SSM.
Application-Consistent Backup and Recovery
The following identity-based policy is required to perform application-consistent or file system backup of certain workloads that run on Amazon EC2 compute and are protected by installing a Commvault Cloud agent on the host operating system:
- Required policy: amazon_DB_FS_backup_restore_permissions.json
The workloads are as follows:
- UNIX and Linux file systems
- Microsoft Windows file systems
- Db2 databases
- MongoDB databases (installed on compute, excluding MongoDB Atlas)
- Microsoft SQL Server databases (including Always On Availability Groups)
- MySQL databases (including MariaDB databases)
- Oracle databases (excluding Oracle RAC databases)
- PostgreSQL databases
- SAP for Oracle databases
- SAP HANA databases
- Sybase databases