The Commvault software uses AWS permissions to perform protection operations for your Amazon DynamoDB instances.
The software uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.
For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.
Commvault supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).
| Permission | Usage |
|---|---|
| dynamodb:BatchWriteItem | Grants permission to put or delete multiple items in one or more tables |
| dynamodb:CreateTable | Grants permission to the CreateTable operation, which adds a new table to your account |
| dynamodb:DeleteTable | Grants permission to the DeleteTable operation, which deletes a table and all of its items |
| dynamodb:DescribeTable | Grants permission to return information about the table |
| dynamodb:DescribeStream | Grants permission to return information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table |
| dynamodb:GetRecords | Grants permission to retrieve the stream records from a given shard |
| dynamodb:GetShardIterator | Grants permission to return a shard iterator |
| dynamodb:ListGlobalTables | Grants permission to list all global tables that have a replica in the specified region |
| dynamodb:ListStreams | Grants permission to return an array of stream ARNs associated with the current account and endpoint |
| dynamodb:ListTables | Grants permission to return an array of table names associated with the current account and endpoint |
| dynamodb:ListTagsOfResource | Grants permission to list all tags on an Amazon DynamoDB resource |
| dynamodb:Scan | Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index |
| dynamodb:UpdateTable | Grants permission to modify the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table |
| ec2:DescribeAccountAttributes | Grants permission to describe the attributes of the AWS account |
| ec2:DescribeAvailabilityZones | Grants permission to describe one or more of the Availability Zones that are available to you |
| ec2:DescribeRegions | Allows describing Amazon EC2 regions. |
| ec2:DescribeSecurityGroups | Allows describing Amazon EC2 security groups. |
| ec2:DescribeSubnets | Allows describing Amazon VPC subnets. |
| ec2:DescribeVpcs | Allows describing Amazon VPCs (Virtual Private Clouds). |
| iam:GetAccountAuthorizationDetails | Allows retrieving details of IAM policies and permissions attached to the AWS account. |
| iam:GetUser | Allows retrieving information about an IAM user. Required to authenticate the user and the session. |
| kms:Decrypt | Allows decrypting data using an AWS KMS key. |
| kms:DescribeKey | Allows describing details of an AWS KMS key. This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec, that help you distinguish different types of KMS keys. |
| kms:Encrypt | Allows encrypting data using an AWS KMS key. |
| kms:GenerateDataKey | Allows generating a data encryption key using an AWS KMS key. |
| kms:GenerateDataKeyWithoutPlaintext | Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key. |
| kms:ListGrants | Controls permission to view all grants for an AWS KMS key |
| kms:ReEncryptFrom | Controls permission to decrypt data as part of the process that decrypts and re-encrypts the data within AWS KMS |
| kms:ReEncryptTo | Controls permission to encrypt data as part of the process that decrypts and re-encrypts the data within AWS KMS |
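The following Python is an added least-privilege check, not Commvault code or a Commvault-published policy: it compares an IAM policy document against the action set in the table above, reporting required actions that are missing (or removed by an explicit Deny) and wildcard grants that give more than the table needs. `SAMPLE_POLICY` is a constructed example document, and only the `Action`/`Effect` elements are evaluated (Resource, Condition and NotAction are ignored).

```python
import fnmatch

# Actions the table above lists as required for Commvault DynamoDB protection.
REQUIRED_ACTIONS = {
    "dynamodb:BatchWriteItem", "dynamodb:CreateTable", "dynamodb:DeleteTable",
    "dynamodb:DescribeTable", "dynamodb:DescribeStream", "dynamodb:GetRecords",
    "dynamodb:GetShardIterator", "dynamodb:ListGlobalTables", "dynamodb:ListStreams",
    "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "dynamodb:Scan",
    "dynamodb:UpdateTable", "ec2:DescribeAccountAttributes",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
    "iam:GetAccountAuthorizationDetails", "iam:GetUser", "kms:Decrypt",
    "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ListGrants",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",
}

def _as_list(value):  # IAM accepts a single string or a list for Statement/Action
    return value if isinstance(value, list) else [value]

def audit_policy(policy, required=REQUIRED_ACTIONS):
    """Return (missing, wildcards) for an IAM policy document.

    missing: required actions no Allow covers or an explicit Deny removes.
    wildcards: Allow patterns using IAM's '*' / '?' wildcards, which grant
    more than the table needs and deserve least-privilege review.
    Matching is case-insensitive as in IAM; Resource, Condition and
    NotAction are not evaluated.
    """
    allowed, denied, wildcards = set(), set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        for raw in _as_list(stmt.get("Action", [])):
            pattern = raw.lower()
            matched = {a for a in required if fnmatch.fnmatchcase(a.lower(), pattern)}
            if stmt.get("Effect") == "Allow":
                allowed |= matched
                if "*" in raw or "?" in raw:
                    wildcards.add(raw)
            elif stmt.get("Effect") == "Deny":
                denied |= matched
    return sorted(required - (allowed - denied)), sorted(wildcards)

# Constructed sample policy (not a Commvault-published policy) to exercise the audit.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["dynamodb:*", "ec2:Describe*"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iam:GetUser", "iam:GetAccountAuthorizationDetails", "kms:Decrypt",
        "kms:Encrypt", "kms:DescribeKey", "kms:GenerateDataKey", "kms:ListGrants"]},
    {"Effect": "Deny", "Resource": "*", "Action": "dynamodb:DeleteTable"},
]}
```

Running `audit_policy(SAMPLE_POLICY)` flags the three KMS actions the sample never grants plus `dynamodb:DeleteTable` (allowed by the wildcard but removed by the Deny), and lists the two wildcard grants for review.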