Commvault requires access to your AWS account through AWS Identity and Access Management (IAM) policies that are associated with IAM roles or users. For more information, see Policies and permissions in IAM on the AWS documentation site.
If you are performing backups to an S3 library, also add Amazon S3 permissions.
For Commvault to perform backups and restores of AWS resources, you must grant Commvault permission through an IAM user or role that has the IAM policies defined below:
IAM Policy Definitions for Configuring IAM Roles and Users
AWS service to protect
AWS IAM policy
Amazon Compute Cloud (Amazon EC2)
Amazon Relational Database Service (Amazon RDS)
Amazon S3 on Outposts
Amazon Compute Cloud (EC2) with databases, file systems, and application agents
Additional AWS service to protect
AWS IAM policy
Virtual Machine conversion to Amazon EC2
Commvault Cloud Storage Creation with AWS STS – IAM Role Policy Authentication
Commvault Cloud Storage Creation with AWS STS Assume Role
AWS VM Import/Export IAM Role
How Commvault Uses AWS Permissions
Commvault uses Amazon Web Services (AWS) permissions to perform data protection and data recovery operations for instances that run in AWS. These permissions are used only to access snapshots, volumes, and instance configuration information that are required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. In cases where a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.
Commvault usage of AWS permissions is controlled by the account settings that are used to create a virtualization client (hypervisor). To perform authentication, the virtualization client can use IAM roles or an access key and secret key pair to access the AWS account.
Note: When using resources from an Admin Account, you must add JSON permissions to both Admin and Tenant accounts.
For information about how Commvault uses each permission, see Amazon Web Services Permission Usage.
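The following added example (not Commvault code and not one of the Commvault policy files) shows one way to review a policy JSON before attaching it to the backup role, checking it against the scope described under "How Commvault Uses AWS Permissions". The expected service set, the sample policy and the function names are assumptions made for illustration.

```python
import json

# Assumption: services a backup role for EC2 workloads is expected to call.
EXPECTED_SERVICES = {"ec2", "ebs", "s3", "kms", "iam", "sts"}
# EC2 actions that remove instances, volumes or snapshots.
DESTRUCTIVE_PREFIXES = ("ec2:delete", "ec2:terminate")

def as_list(value):
    """IAM accepts a single value wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return sorted (sid, finding) pairs for Allow statements that are too broad."""
    findings = set()
    statements = as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.add((sid, "Allow with NotAction grants every action not listed"))
        # Resource "*" is only acceptable for destructive calls when a Condition narrows it
        unscoped = "*" in as_list(stmt.get("Resource")) and not stmt.get("Condition")
        for action in as_list(stmt.get("Action")):
            service, _, name = action.lower().partition(":")
            if action == "*" or name == "*":
                findings.add((sid, f"wildcard action {action}"))
            elif service not in EXPECTED_SERVICES:
                findings.add((sid, f"unexpected service in {action}"))
            if unscoped and action.lower().startswith(DESTRUCTIVE_PREFIXES):
                findings.add((sid, f"{action} on Resource * with no Condition"))
    return sorted(findings)

# Constructed sample policy for the demonstration only.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Read", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots"]},
    {"Sid": "Cleanup", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DeleteSnapshot", "ec2:TerminateInstances"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*", "Action": "s3:*"},
    {"Sid": "Unrelated", "Effect": "Allow", "Resource": "*", "Action": "lambda:InvokeFunction"},
]})

if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE):
        print(f"{sid}: {finding}")
```

A finding is a prompt to compare the statement with the vendor-supplied policy and the permission usage reference, not proof that the statement is wrong.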