Best Practices for IAM Roles

To control access to resources in your AWS account, you can define Identify and Access Management (IAM) policies, and then associate those policies with roles and users in your organization.

The IAM role must have appropriate permissions. Use the concept of least privilege when assigning permissions to an IAM role, assigning only the minimum permissions that a user requires to perform a task. From the AWS Management Console, on the details page for an IAM user, group, role, or policy, you can use data on the Access Advisor tab to help you determine the permissions that might be required for an IAM role. You can also use the AWS CloudTrail Event history to view detailed event information and identify the actions and resources that are required for specific operations, so that you can further limit the permissions in your policies.

You can further reduce the scope of IAM roles by using tags with IAM policies. Tags add custom attributes to an IAM role by specifying a tag with condition keys. Using this approach, you can create a single, reusable IAM policy that assigns permissions to an IAM role, based on matching tags for specific resources (such as EC2 and S3 resources that are protected by Commvault, or S3 buckets where backups are stored).

Commvault provides templates that you can use to create IAM policies, and documentation of how Commvault uses different permissions. You can modify the policy templates as needed to meet the operational requirements of your AWS account.