IAM Policies for Protecting AWS Services with Commvault

To protect AWS services, Commvault requires access to your AWS account using AWS Identity and Access Management (IAM) policies that are associated with IAM roles or users. The policies must have the permissions that are necessary for Commvault to perform data protection operations.

Important Considerations

  • Commvault protects Amazon environments that use AWS Organizations, AWS Control Tower, and Service Control Policies (SCPs).

  • When using resources from an admin account, you must add JSON permissions to admin and tenant accounts.

    The permissions that are required depend on the operations that you want to perform.

    To restrict operations, you can remove individual permissions from the IAM policy.

  • When implementing the IAM policies, validate their operation using IAM Access Analyzer and the steps in Troubleshooting AWS Organizations policies. When implementing changes to IAM policies in environments that are governed using SCPs, run backup and recovery tests to verify that the results are as expected.
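
The following Python sketch is an added example, not Commvault code: it removes individual permissions from a policy document and reports wildcard grants that still cover a removed action, which deleting lines cannot fix. The sample policy, the `REMOVE` list and the function names are constructed for illustration.

```python
import copy
import fnmatch

def _as_list(value):
    # IAM accepts one string/object or a list for both Action and Statement.
    return list(value) if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def restrict_policy(policy, remove):
    """Return (restricted_copy, needs_review) for an identity policy.

    Actions in Allow statements that match a pattern in `remove` are dropped.
    A wildcard grant that still covers a removed action (such as "ec2:*")
    is kept and listed in needs_review, because it must be narrowed by hand.
    Partial overlap between two wildcard patterns is not detected.
    """
    restricted = copy.deepcopy(policy)
    statements, needs_review = [], []
    for stmt in _as_list(restricted["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            statements.append(stmt)  # Deny and NotAction statements stay as-is
            continue
        kept = []
        for action in _as_list(stmt["Action"]):
            if any(_matches(p, action) for p in remove):
                continue  # named for removal
            if any(_matches(action, p) for p in remove):
                needs_review.append(action)  # broader grant still allows it
            kept.append(action)
        if kept:  # a statement left without actions would be invalid, so drop it
            stmt["Action"] = kept
            statements.append(stmt)
    restricted["Statement"] = statements
    return restricted, needs_review

# Constructed sample policy, not the contents of any Commvault policy file.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "rds:DescribeDBInstances", "rds:CreateDBSnapshot",
        "rds:RestoreDBInstanceFromDBSnapshot"]},
    {"Effect": "Allow", "Resource": "*", "Action": "rds:DeleteDBSnapshot"},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
]}
REMOVE = ["rds:Restore*", "rds:DeleteDBSnapshot", "ec2:TerminateInstances"]

if __name__ == "__main__":
    print(restrict_policy(SAMPLE_POLICY, REMOVE))
```

The restricted document still needs the IAM Access Analyzer validation and the backup and recovery tests described above before it replaces the policy in use.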

IAM Policies

| AWS service to protect | IAM policies |
| --- | --- |
| Amazon EC2 | |
| Amazon RDS | amazon_rds_backup_restore_permissions.json |
| Amazon Redshift | amazon_redshift_backup_restore_permissions.json |
| Amazon DocumentDB | amazon_documentdb_backup_restore_permissions.json |
| Amazon DynamoDB | AWS_DynamoDB_permissions.json |
| Amazon S3 on Outposts | Amazon_S3_on_Outposts_permissions.json |
| Amazon EC2 with databases, file systems, and application agents | amazon_DB_FS_backup_restore_permissions.json |

In the AWS documentation, see the following:
