Permission Requirements for AWS Resource Protection

For protection of AWS resources, Commvault provides a set of identity-based policies that you attach to an IAM user, group, or role. These policies determine what the identity can do by specifying the permissions that it has.

Support for Customer Modification of Commvault-Provided Policies

Supported

Applying least-privilege permissions by removing IAM policies for AWS resources that you don't use or protect is supported. For more information, see Apply least-privilege permissions in the AWS documentation.

Not Supported

Modifying the individual actions within an IAM policy is not supported.

Policy for Amazon DocumentDB

• Policy: amazon_documentdb_backup_restore_permissions.json

Policy for Amazon DynamoDB

• Policy: AWS_DynamoDB_permissions.json

Policies for Amazon EC2

Amazon EC2 Backup

The following identity-based policy and referenced statement is mandatory for performing backups of Amazon EC2 instances and related Amazon EBS volumes.

• Required policy: amazon_restricted_role_permissions.json

• Mandatory statement: "Sid":"AmazonEC2BackupAndRestore2024eV3"

Amazon EC2 Recovery

The following identity-based policy and referenced statement is mandatory for performing recovery of Amazon EC2 instances and related Amazon EBS volumes.

• Required policy: amazon_restricted_role_permissions.json

• Mandatory statement: "Sid":"AmazonEC2BackupAndRestore2024eV3"

Amazon VPC Backup

The following identity-based policy and referenced statement is mandatory for performing backups of Amazon VPC resources.

• Required policy: amazon_restricted_role_permissions.json

• Mandatory statement: "Sid":"VPCBackupPermissions"

Amazon VPC Recovery

The following identity-based policy and referenced statement is mandatory for performing recovery of Amazon VPC resources.

• Required policy: amazon_vpc_restore_permissions.json

• Mandatory statements:

  • "Sid":"VPCRestorePermissions2024eV1"

  • "Sid": "VPCRestorePermissionToCreateFlowLog"

Agentless File Recovery

The following identity-based policy is required to perform file and folder recovery to an existing Amazon EC2 instance using AWS Systems Manager (AWS SSM).

Required policies:

• AmazonSSMManagedInstanceCore is required to allow the Commvault access node to access the AWS Systems Manager service core functionality.

• vsa_SSMInstanceProfileS3Policy.json is required to allow the Commvault software to restore file and folders to a temporary staging S3 bucket, then deposit on the selected EC2 instance via AWS SSM.

Application-Consistent Backup and Recovery

The following identity-based policy is required to perform application-consistent backups or file system backups of the certain workloads running on Amazon EC2 compute, and protected by installing a Commvault agent on the host operating system:

• Required policy: amazon_DB_FS_backup_restore_permissions.json

The workloads are as follows:

• UNIX and Linux file systems

• Microsoft Windows file systems

• Db2 databases

• MongoDB databases (installed on compute, excluding MongoDB Atlas)

• Microsoft SQL Server databases (including Always On Availability Groups)

• MySQL databases (including MariaDB databases)

• Oracle databases (excluding Oracle RAC databases)

• PostgreSQL databases

• SAP for Oracle databases

• SAP HANA databases

• Sybase databases

Policy for Amazon RDS

• Policy: amazon_rds_backup_restore_permissions.json

Policy for Amazon Redshift

• Policy: amazon_redshift_backup_restore_permissions.json

Policy for Amazon S3 on Outposts

• Policy: Amazon_S3_on_Outposts_permissions.json