To restrict access to AWS resources for Commvault operations, you can create a policy that restricts access to resources that are created and used by Commvault.
You can associate the policy with an Amazon EC2 hypervisor (Commvault virtualization client) using one of the following methods:
Create an IAM role that uses the policy, and attach the role to an Amazon EC2 instance that is configured as an access node for the hypervisor. With this method, choose the IAM Role option for authentication when you configure the hypervisor in Commvault, and specify access nodes that have the IAM role attached.
Attach the restricted policy to users or user groups. With this method, choose the Access and Secret Key option for authentication when you configure the hypervisor in Commvault, and then enter the access key and secret key associated with a user who has the restricted policy attached.
Create an STS role that uses the restricted policy. With this method, choose the STS assume role with IAM role option for authentication when you configure the hypervisor in Commvault, specify access nodes that have the IAM role attached, and then enter the STS assume role associated with the restricted policy attached.
You can use this restricted role for operations performed from the Command Center or from the CommCell Console.
You can perform the following operations using a role with restricted access:
All supported restore operations from streaming backups
All supported restore operations from IntelliSnap backups
Operations that are performed by a tenant user in a managed services environment, using resources that are configured in a separate Admin account
Cross-hypervisor restores (VM conversion) and replication from VMware to Amazon EC2
Replication from Amazon EC2 to Amazon EC2
A restricted policy limits the access node to resources that are tagged with the string '_GX_BACKUP_', including AMI snapshots, volumes, and EBS snapshots, and does not enable the access node to delete or detach other AWS resources that are not tagged with that string.
In addition, the policy permits deletion only of tags that are created by Commvault, such as '_GX_BACKUP_', 'CV_Retain_Snap', 'CV_Integrity_Snap', '_GX_BACKUP_', and '_GX_AMI_'.
During a backup operation, the tags on the source volumes are inherited by the intermediate resources such as volumes and snapshots.
The restrictions apply to the following Amazon EC2 operations:
Download the amazon_restricted_role_permissions.json policy file.
For links to JSON files for various AWS data types and use cases, see Amazon Web Services User Permissions for Backups and Restores.
Assign the policy to an IAM user or IAM role that is used for authentication of the Amazon hypervisor (Commvault virtualization client).
For more information about IAM policies, see Policies and permissions in IAM on the AWS documentation site.