Commvault provides IAM policies that specify the permissions that are necessary for the Commvault software to perform data protection operations on your AWS resources.
Considerations and Recommendations
- Commvault protects AWS environments that use AWS Organizations, AWS Control Tower, and Service Control Policies (SCPs).
- The permissions that are required depend on the operations that you need to perform. To restrict operations, remove individual permissions from the IAM policy.
- Use tags or TagKeys to further restrict the scope of access for Commvault data protection operations.
- When using resources from an admin account, you must add JSON permissions to both the admin and tenant accounts.
- When implementing the IAM policies, validate their operation using IAM Access Analyzer and the steps in Troubleshooting AWS Organizations policies. When implementing changes to IAM policies in environments that are governed using SCPs, run backup and recovery tests to verify that the results are as expected.
Policy for Amazon DocumentDB
Policy for Amazon DynamoDB
- Policy: AWS_DynamoDB_permissions.json
Policies for Amazon EC2
Backups and Restores
- Required blocks: Depends on the operations that you need to perform
Backups to an Amazon S3 Library
- Policy: Amazon S3 permissions
Agentless File Recovery
- Policies:
  - AmazonSSMManagedInstanceCore AWS managed policy
  - vsa_SSMInstanceProfileS3Policy.json JSON file
Policy for Amazon EC2 with Database, File System, or Application Agents
Policy for Amazon RDS
Policy for Amazon Redshift
Policy for Amazon S3 on Outposts
Policies for Amazon VPC
Backups
- Required blocks: "Sid": "VPCBackupPermissions"
Backups to an Amazon S3 Library
- Policy: Amazon S3 permissions
Restores
- Required blocks:
  - "Sid": "VPCRestorePermissions2024eV1"
  - "Sid": "VPCRestorePermissionToCreateFlowLog"
Agentless File Recovery
- Policies:
  - AmazonSSMManagedInstanceCore AWS managed policy
  - vsa_SSMInstanceProfileS3Policy.json JSON file