Requirements and Usage for AWS IAM Policies and Permissions

Commvault requires access to your AWS account through AWS Identity and Access Management (IAM) policies that are attached to IAM roles or users. Those roles or users must carry the permissions that Commvault needs to perform data protection operations.

These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault usage of AWS permissions is controlled by the account settings that are used to create the Amazon EC2 hypervisor in Commvault.

Note

When using resources from an admin account, you must add the JSON permissions to both the admin and the tenant accounts. The permissions that you need to add depend on the operations that you want the account to be able to perform. To restrict operations, see "Permission Usage" below.

AWS Organizations and Service Control Policies

Commvault Backup & Recovery protects Amazon environments that use AWS Organizations, AWS Control Tower, and Service Control Policies (SCPs).

Important

When implementing the IAM policies, validate their operation using IAM Access Analyzer and the steps in Troubleshooting AWS Organizations policies. When implementing changes to IAM policies in environments that are governed using SCPs, run backup and recovery tests to verify that the results are as expected.

IAM Policies

| AWS service to protect | IAM policies |
|---|---|
| Amazon EC2 | |
| Amazon RDS | amazon_rds_backup_restore_permissions.json |
| Amazon Redshift | amazon_redshift_backup_restore_permissions.json |
| Amazon DocumentDB | amazon_documentdb_backup_restore_permissions.json |
| Amazon DynamoDB | AWS_DynamoDB_permissions.json |
| Amazon S3 on Outposts | Amazon_S3_on_Outposts_permissions.json |
| Amazon EC2 with databases, file systems, and application agents | amazon_DB_FS_backup_restore_permissions.json |
| Commvault Cloud Storage Creation with AWS STS – IAM Role Policy Authentication | See Configuring EC2 IAM Role Details for STS Assume IAM Role. |
| Commvault Cloud Storage Creation with AWS STS Assume Role | See Configuring STS Assume IAM Role. |
| AWS VM Import/Export IAM Role | |

Permission Usage

| Permission | Usage | Backup and restore | Agentless file recovery | In-place restore with same GUID | VM conversion | Replication |
|---|---|---|---|---|---|---|
| ebs:CompleteSnapshot | Seal and complete the Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
| ebs:GetSnapshotBlock | Return data in the Amazon Elastic Block Store snapshots. Required for direct read backups. | Yes | -- | -- | -- | -- |
| ebs:ListChangedBlocks | Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume. Required for CBT-enabled backups. | Yes | -- | -- | -- | -- |
| ebs:ListSnapshotBlocks | Return allocated blocks in an Amazon Elastic Block Store snapshot. Required for CBT-enabled backups. | Yes | -- | -- | -- | -- |
| ebs:PutSnapshotBlock | Write a block of data to the Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
| ebs:StartSnapshot | Create a new Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
| ec2:AssociateDhcpOptions | Associates a set of DHCP options (that you previously created) with the specified VPC. | Yes | -- | -- | -- | -- |
| ec2:AssociateIamInstanceProfile | Attach IAM role to an instance. | -- | -- | Yes | -- | -- |
| ec2:AssociateVpcCidrBlock | Associates a CIDR block with your VPC. | Yes | -- | -- | -- | -- |
| ec2:AttachNetworkInterface | Attach network interface to an instance. | -- | -- | Yes | -- | -- |
| ec2:AttachVolume | Attach volume to access node for reads and writes during backup, restore, and replication operations. | Yes | -- | -- | Yes | Yes |
| ec2:AuthorizeSecurityGroupEgress | [VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC. | Yes | -- | -- | -- | -- |
| ec2:AuthorizeSecurityGroupIngress | Adds the specified inbound (ingress) rules to a security group. | Yes | -- | -- | -- | -- |
| ec2:CancelImportTask | Cancel the import task. | -- | -- | -- | Yes | -- |
| ec2:CopySnapshot | Copy snapshot from one region to another during snap replication. | -- | -- | -- | -- | Yes |
| ec2:CreateImage | Create AMI of source instance during backup. | Yes | -- | -- | Yes | Yes |
| ec2:CreateNetworkInterface | Creates a network interface in the specified subnet. | -- | -- | Yes | -- | -- |
| ec2:CreateSecurityGroup | Creates a security group. | Yes | -- | -- | -- | -- |
| ec2:CreateSnapshot | Share the image to admin or user account. | (Across AWS accounts) | -- | -- | Yes | -- |
| ec2:CreateSubnet | Creates a subnet in a specified VPC. | Yes | -- | -- | -- | -- |
| ec2:CreateTags | Create tags on resources such as instances, volumes, and snapshots. Required for direct write restores. | Yes | -- | -- | Yes | -- |
| ec2:CreateVolume | Create volume from snapshot for backup or create empty volumes for restores. | Yes | -- | -- | Yes | Yes |
| ec2:CreateVpc | Creates a VPC with the specified IPv4 CIDR block. | Yes | -- | -- | -- | -- |
| ec2:DeleteNetworkInterface | Delete old network interfaces during incremental replication. | Yes | -- | -- | Yes | Yes |
| ec2:DeleteSecurityGroup | Deletes a security group. | Yes | -- | -- | -- | -- |
| ec2:DeleteSnapshot | Clean up snapshots after job completion. | Yes | -- | -- | Yes | Yes |
| ec2:DeleteTags | Delete tags after backup and restore operations. | Yes | -- | -- | Yes | Yes |
| ec2:DeleteVolume | Clean up volumes after job completion. | Yes | -- | -- | Yes | Yes |
| ec2:DeleteVpc | Deletes the specified VPC. | Yes | -- | -- | -- | -- |
| ec2:DeregisterImage | Delete AMI after backup operations and delete old integrity snapshot. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeAccountAttributes | Get supported network platforms (if EC2 is supported). | Yes | -- | -- | Yes | Yes |
| ec2:DescribeAvailabilityZones | Get list of availability zones. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeCarrierGateways | Describes one or more of your carrier gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeCustomerGateways | Describes one or more of your VPN customer gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeDhcpOptions | Describes one or more of your DHCP options sets. | Yes | -- | -- | -- | -- |
| ec2:DescribeEgressOnlyInternetGateways | Describes one or more of your egress-only internet gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeFlowLogs | Describes one or more flow logs. | Yes | -- | -- | -- | -- |
| ec2:DescribeIamInstanceProfileAssociations | Get IAM role information. | -- | -- | Yes | -- | -- |
| ec2:DescribeImages | Get list of AMIs. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeImportImageTasks | Used for restore operations with an on-premises access node, including replication operations that use the import method. Get import task information to check the status of the task. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeInstanceAttribute | Get EBS optimization information of instance. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeInstances | Get list of instances, including access node and source instance information. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeInstanceStatus | Validate instance status after restore operation. | -- | -- | -- | Yes | Yes |
| ec2:DescribeInstanceTypeOfferings | Get list of all instance types offered in a region. | Yes | -- | Yes | Yes | Yes |
| ec2:DescribeInstanceTypes | Get details of instance types offered in a region. | Yes | -- | Yes | Yes | Yes |
| ec2:DescribeInternetGateways | Describes one or more of your internet gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeKeyPairs | Get list of key pairs. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeManagedPrefixLists | Describes your managed prefix lists and any AWS-managed prefix lists. | Yes | -- | -- | -- | -- |
| ec2:DescribeNatGateways | Describes one or more of your NAT gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeNetworkAcls | Describes one or more of your network ACLs. | Yes | -- | -- | -- | -- |
| ec2:DescribeNetworkInterfaces | Gets the network interface list. | Yes | -- | -- | Yes | Yes |
| ec2:DescribePrefixLists | Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service. | Yes | -- | -- | -- | -- |
| ec2:DescribeRegions | Get list of all regions. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeRouteTables | Describes one or more of your route tables. | Yes | -- | -- | -- | -- |
| ec2:DescribeSecurityGroupRules | Describes one or more of your security group rules. | Yes | -- | -- | -- | -- |
| ec2:DescribeSecurityGroups | Gets the list of security groups. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeSnapshots | Gets snapshot information. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeSubnets | Gets the list of subnets. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeTags | Get tag list to back up and restore tags on instances and volumes. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeTransitGatewayAttachments | Describes one or more attachments between resources and transit gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeTransitGateways | Describes one or more transit gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeVolumeAttribute | Get product code associated with volume. | Yes | -- | -- | Yes | -- |
| ec2:DescribeVolumes | Get volume list and information such as size, type, and attachments. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeVolumesModifications | Get IOPS values used during hotadd backups. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpcAttribute | Describes the specified attribute of the specified VPC. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpcEndpoints | Gets the list of VPC endpoints. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpcPeeringConnections | Describes one or more of your VPC peering connections. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpcs | Gets the list of VPCs. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeVpnConnections | Describes one or more of your VPN connections. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpnGateways | Describes one or more of your virtual private gateways. | Yes | -- | -- | -- | -- |
| ec2:DetachNetworkInterface | Detach a network interface from an instance. | -- | -- | Yes | Yes | -- |
| ec2:DetachVolume | Detach volume from access node after reads and writes. | Yes | -- | -- | Yes | Yes |
| ec2:DisassociateIamInstanceProfile | Remove IAM role from instance. | -- | -- | Yes | -- | -- |
| ec2:GetConsoleOutput | Get operating system information. | Yes | -- | -- | Yes | Yes |
| ec2:GetEbsDefaultKmsKeyId | Create an encrypted snapshot with AWS managed key (default key). Required for direct write restores. | Yes | -- | -- | -- | -- |
| ec2:GetEbsEncryptionByDefault | Describes whether EBS encryption by default is enabled for the account in the current region. Required for direct write restores, HotAdd streaming, and backup copy jobs. | Yes | -- | -- | -- | -- |
| ec2:GetManagedPrefixListEntries | Gets information about the entries for a specified managed prefix list. | Yes | -- | -- | -- | -- |
| ec2:GetSubnetCidrReservations | Gets information about the subnet CIDR reservations. | Yes | -- | -- | -- | -- |
| ec2:ImportImage | Used for restore operations with an on-premises access node, including replication operations that use the import method. Import image during conversion job. | Yes | -- | -- | Yes | Yes |
| ec2:ModifyImageAttribute | Share the image to admin or user account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
| ec2:ModifyInstanceAttribute | Set or reset delete on termination policy after restore. | Yes | -- | -- | Yes | Yes |
| ec2:ModifyNetworkInterfaceAttribute | Set or reset delete on termination policy after restore. | Yes | -- | -- | Yes | Yes |
| ec2:ModifySnapshotAttribute | Share snapshot to a different region during snap replication and cross account backups and restores. | Yes | -- | Yes | -- | Yes |
| ec2:ModifySubnetAttribute | Modifies a subnet attribute. | Yes | -- | -- | -- | -- |
| ec2:ModifyVolume | Adjust IOPS values during hotadd backups. | Yes | -- | -- | -- | -- |
| ec2:ModifyVpcAttribute | Modifies the specified attribute of the specified VPC. | Yes | -- | -- | -- | -- |
| ec2:RegisterImage | Registers an AMI. Required for UEFI restores and replications to register the interim image. | Yes (for UEFI-based restores) | -- | -- | Yes | Yes |
| ec2:RevokeSecurityGroupEgress | [VPC only] Removes the specified outbound (egress) rules from a security group for a VPC. | Yes | -- | -- | -- | -- |
| ec2:RevokeSecurityGroupIngress | Removes the specified inbound (ingress) rules from a security group. | Yes | -- | -- | -- | -- |
| ec2:RunInstances | Create new instance. | Yes | -- | -- | Yes | Yes |
| ec2:StartInstances | Start instance after job completion (based on user input). | Yes | -- | -- | Yes | Yes |
| ec2:StopInstances | Stop instance after restore operation (based on user input). | Yes | -- | -- | Yes | Yes |
| ec2:TerminateInstances | Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication. | Yes | -- | -- | Yes | Yes |
| iam:GetAccountAuthorizationDetails | Required to get account info during snap backup operations that use IAM role. | Yes | -- | -- | Yes | Yes |
| iam:GetInstanceProfile | Required for IAM based authentication. | Yes | -- | -- | Yes | Yes |
| iam:GetUser | Get information about the user specified in the AWS client. Used during snap replication. | -- | -- | -- | -- | Yes |
| iam:ListInstanceProfiles | Required to get list of instance profile names to populate IAM roles for restores. | Yes | -- | -- | Yes | Yes |
| iam:ListRoles | Required to list key pairs in restore screen using IAM role. | Yes | -- | -- | Yes | Yes |
| iam:PassRole | Required for restoring the IAM role on the restored instance during full instance restores, conversions, and replication. If you don't want the IAM role to be set by Commvault, you can remove this permission completely. You can also restrict this permission to specific roles, services, or instances. You can use the condition key "AssociatedResourceArn" to restrict the destination instances that the role can be associated to. For more information, see IAM and AWS STS condition context keys in the AWS documentation. | Yes | -- | -- | Yes | Yes |
| iam:SimulatePrincipalPolicy | Optional permission used for logging the status of permissions required for EBS Direct Backup and Restore. | Optional | -- | -- | -- | -- |
| kms:CreateAlias | Create customer-managed CMK during cross account backup of volumes encrypted using default CMK. | Yes | -- | -- | -- | -- |
| kms:CreateGrant | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:CreateKey | Create customer-managed CMK during cross account backup of volumes encrypted using default CMK. | Yes | -- | -- | -- | -- |
| kms:Decrypt | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:DescribeKey | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:Encrypt | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:GenerateDataKey | Required for snap replication of default encrypted AWS snapshots. Also required for direct write restores to write data to the encrypted Amazon Elastic Block Store snapshot. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:GenerateDataKeyPair | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:GenerateDataKeyWithoutPlaintext | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:GenerateDataKeyPairWithoutPlaintext | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:ListAliases | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:ListGrants | Attach encrypted volume to access node for reads and writes during backup, restore, and replication operations. | Yes | -- | Yes | -- | Yes |
| kms:ListKeys | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:ListResourceTags | Search for the cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication. | -- | -- | -- | -- | Yes |
| kms:ReEncryptFrom | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:ReEncryptTo | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:TagResource | Required to set a tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exist in a given AWS region. | Yes | -- | -- | -- | Yes |
| s3:CreateBucket | Required to create an S3 bucket for restores. | Yes (when using Import method) | Yes | -- | Yes (when using Import method) | Yes (when using Import method) |
| s3:DeleteObject | Used for restore operations with an on-premises access node, including replication operations that use the import method. This permission is also used for a temporary S3 bucket and does not affect the S3 storage buckets. | Yes | Yes | -- | Yes | Yes |
| s3:GetBucketAcl | Share the bucket to admin account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
| s3:GetBucketLocation | Get the bucket region for restore operations that use a non-AWS access node. | Yes | Yes | -- | Yes | Yes |
| s3:GetObject | Used for restore operations with an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
| s3:GetObjectAcl | Used to share an S3 object to the tenant account during cross account agentless restore. | -- | Yes | -- | -- | -- |
| s3:ListAllMyBuckets | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | -- | -- | -- | Yes |
| s3:ListBucket | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
| s3:PutBucketAcl | Share the bucket to admin account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
| s3:PutEncryptionConfiguration | Used to enable server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt your data. | Yes | Yes | -- | Yes | Yes |
| s3:PutObject | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
| s3:PutObjectAcl | Used to upload objects to S3 bucket. | -- | Yes | -- | -- | -- |
| s3:PutObjectTagging | Required by MediaAgent if S3 library is used with DASH copy. | Yes | Yes | -- | Yes (when using Import method) | Yes |
| ssm:CancelCommand | Cancel run commands. | -- | Yes | -- | -- | -- |
| ssm:DescribeInstanceInformation | Get a list of instances that have AWS Systems Manager (SSM) installed. | -- | Yes | -- | -- | -- |
| ssm:ListCommands | List the run commands. | -- | Yes | -- | -- | -- |
| ssm:SendCommand | Launch run commands. | -- | Yes | -- | -- | -- |
| sts:AssumeRole | Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. | Yes | Yes | Yes | Yes | Yes |
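The iam:PassRole row above says the permission can be dropped entirely or narrowed with the AssociatedResourceArn condition key. The policy statement below is an added example, not one of Commvault's published policy files; it replaces the broad form ("Action": "iam:PassRole" with "Resource": "*" and no Condition) with one that only lets the backup principal pass a single named role, only to the EC2 service, and only onto instances in one region of one account. The account ID 111122223333, the region, and the role name CommvaultRestoredInstanceRole are placeholders to substitute.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleOnlyToCommvaultRestoredInstances",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/CommvaultRestoredInstanceRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        },
        "ArnLike": {
          "iam:AssociatedResourceArn": "arn:aws:ec2:us-east-1:111122223333:instance/*"
        }
      }
    }
  ]
}
```

After attaching the statement, run the full instance restore, conversion, and replication tests the Important note above calls for; a restore that selects a role outside the Resource list, or a destination outside the ArnLike pattern, is expected to fail the PassRole step rather than the whole job silently succeeding with no role attached.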
