The Commvault software uses AWS permissions to perform protection operations for your Amazon EC2 instances. The software's use of AWS permissions is controlled by the AWS user account (which is represented in Commvault as an Amazon EC2 hypervisor).
The software uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.
For IAM policies (in JSON format) that include the required permissions for protecting Amazon EC2 instances (and other AWS services), see IAM Policies for Protecting AWS Services with Commvault.
For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.
Commvault supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).
|
Permission |
Usage |
Backup and restore |
Agentless file recovery |
In-place restore with same GUID |
VM conversion |
Replication |
|---|---|---|---|---|---|---|
|
ebs:CompleteSnapshot |
Seal and complete the Amazon Elastic Block Store snapshot. Required for direct write restores. |
Yes |
-- |
-- |
-- |
-- |
|
ebs:GetSnapshotBlock |
Return data in the Amazon Elastic Block Store snapshots. Required for direct read backups. |
Yes |
-- |
-- |
-- |
-- |
|
ebs:ListChangedBlocks |
Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume. Required for CBT-enabled backups. |
Yes |
-- |
-- |
-- |
-- |
|
ebs:ListSnapshotBlocks |
Return allocated blocks in an Amazon Elastic Block Store snapshot. Required for CBT-enabled backups. |
Yes |
-- |
-- |
-- |
-- |
|
ebs:PutSnapshotBlock |
Write a block of data to the Amazon Elastic Block Store snapshot. Required for direct write restores. |
Yes |
-- |
-- |
-- |
-- |
|
ebs:StartSnapshot |
Create a new Amazon Elastic Block Store snapshot. Required for direct write restores. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:AssociateDhcpOptions |
Associates a set of DHCP options (that you previously created) with the specified VPC. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:AssociateIamInstanceProfile |
Attach IAM role to an instance. |
-- |
-- |
Yes |
-- |
-- |
|
ec2:AssociateVpcCidrBlock |
Associates a CIDR block with your VPC. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:AttachInternetGateway |
Attach one or more internet gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:AttachNetworkInterface |
Attach network interface to an instance. |
-- |
-- |
Yes |
-- |
-- |
|
ec2:AttachVolume |
Attach volume to access node for reads and writes during backup, restore, and replication operations. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:AttachVpnGateway |
Attach one or more VPN gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:AuthorizeSecurityGroupEgress |
[VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:AuthorizeSecurityGroupIngress |
Adds the specified inbound (ingress) rules to a security group. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:CancelImportTask |
Cancel the import task. |
-- |
-- |
-- |
Yes |
-- |
|
ec2:CopySnapshot |
Copy snapshot from one AWS Region to another during snap replication. |
-- |
-- |
-- |
-- |
Yes |
|
ec2:CreateDHCPOptions |
Creates a set of DHCP options for your VPC. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateEgressOnlyInternetGateway |
Create one or more egress-only internet gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateFlowLogs |
Create one or more flow logs. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateImage |
Create an AMI of the source instance during a backup. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:CreateInternetGateway |
Create one or more internet gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateManagedPrefixList |
Create managed prefix list. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateNatGateway |
Create one or more NAT gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateNetworkAcl |
Create the network ACL in a specified VPC. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:CreateNetworkAclEntry |
Create the network ACL entry/rule. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:CreateNetworkInterface |
Creates a network interface in the specified subnet. |
-- |
-- |
Yes |
-- |
-- |
|
ec2:CreateSecurityGroup |
Creates a security group. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:CreateSnapshot |
Share the image to admin or user account. |
(Across AWS accounts) |
-- |
-- |
Yes |
-- |
|
ec2:CreateSubnet |
Creates a subnet in a specified VPC. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:CreateSubnetCidrReservation |
Create a subnet CIDR reservation. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateTags |
Create tags on resources such as instances, volumes, and snapshots. Required for direct write restores. |
Yes |
-- |
-- |
Yes |
-- |
|
ec2:CreateTransitGateway |
Create one or more transit gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateTransitGatewayVpcAttachment |
Create one or more transit gateways VPC attachments. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:CreateVolume |
Create volume from snapshot for backup or create empty volumes for restores. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:CreateVpc |
Creates a VPC with the specified IPv4 CIDR block. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:CreateVpnGateway |
Create one or more VPN gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteDhcpOptions |
Deletes the specified set of DHCP options. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteEgressOnlyInternetGateway |
Delete one or more egress-only internet gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteInternetGateway |
Delete one or more internet gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteManagedPrefixList |
Delete managed prefix list. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteNatGateway |
Delete one or more NAT gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteNetworkAcl |
Deletes the specified network ACL. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteNetworkAclEntry |
Deletes the specified network ACL entry/rule. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteNetworkInterface |
Delete old network interfaces during incremental replication. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DeleteSecurityGroup |
Deletes a security group. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DeleteSnapshot |
Clean up snapshots after job completion. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DeleteSubnet |
Deletes the specified subnet. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteTags |
Delete tags after backup and restore operations. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DeleteTransitGateway |
Delete one or more transit gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteTransitGatewayVpcAttachment |
Delete one or more transit gateways VPC attachments. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeleteVolume |
Clean up volumes after job completion. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DeleteVpc |
Deletes the specified VPC. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DeleteVpnGateway |
Delete one or more VPN gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DeregisterImage |
Delete AMI after backup operations and delete old integrity snapshot. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeAccountAttributes |
Get supported network platforms (if EC2 is supported). |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeAvailabilityZones |
Get list of Availability Zones. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeCarrierGateways |
Describes one or more carrier gateways. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeCustomerGateways |
Describes one or more VPN customer gateways. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeDhcpOptions |
Describes one or more DHCP options sets. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeEgressOnlyInternetGateways |
Describes one or more egress-only internet gateways. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeFlowLogs |
Describes one or more flow logs. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeIamInstanceProfileAssociations |
Get IAM role information. |
-- |
-- |
Yes |
-- |
-- |
|
ec2:DescribeImages |
Get list of AMIs. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeImportImageTasks |
Used for restore operations with an on-premise access node, including replication operations that use the import method. Get import task information to check the status of the task. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeInstanceAttribute |
Get EBS optimization information of instance. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeInstances |
Get list of instances, including access node and source instance information. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeInstanceStatus |
Validate instance status after restore operation. |
-- |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeInstanceTypeOfferings |
Get list of all instance types offered in an AWS Region. |
Yes |
-- |
Yes |
Yes |
Yes |
|
ec2:DescribeInstanceTypes |
Get details of instance types offered in an AWS Region. |
Yes |
-- |
Yes |
Yes |
Yes |
|
ec2:DescribeInternetGateways |
Describes one or more internet gateways. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeKeyPairs |
Get list of key pairs. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeManagedPrefixLists |
Describes your managed prefix lists and any AWS-managed prefix lists. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeNatGateways |
Describes one or more NAT gateways. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeNetworkAcls |
Describes one or more network ACLs. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeNetworkInterfaces |
Gets the network interface list. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribePrefixLists |
Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeRegions |
Get list of all AWS Regions. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeRouteTables |
Describes one or more route tables. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeSecurityGroupRules |
Describes one or more security group rules. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeSecurityGroups |
Gets the list of security groups. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeSnapshots |
Gets snapshot information. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeSubnets |
Gets the list of subnets. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeTags |
Get tag list to backup and restore tags on instances and volumes. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeTransitGateway |
Describes one or more transit gateways. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeTransitGatewaysAttachments |
Describes one or more attachments between resources and transit gateways. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeTransitGatewayVpcAttachments |
Describe one or more transit gateways VPC attachments. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DescribeVolumeAttribute |
Get product code associated with volume. |
Yes |
-- |
-- |
Yes |
-- |
|
ec2:DescribeVolumes |
Get volume list and information such as size, type, and attachments. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeVolumesModifications |
Get IOPS values used during hotadd backups. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeVpcAttribute |
Describes the specified attribute of the specified VPC. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeVpcEndpoints |
Gets the list of VPC endpoints. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeVpcPeeringConnections |
Describes one or more VPC peering connections. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeVpcs |
Gets the list of VPCs. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DescribeVpnConnections |
Describes one or more VPN connections. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DescribeVpnGateways |
Describes one or more virtual private gateways. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:DetachVpnGateway |
Detach one or more VPN gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DetachInternetGateway |
Detach one or more internet gateways. |
Yes |
-- |
Yes |
-- |
-- |
|
ec2:DetachNetworkInterface |
Detach a network interface from an instance. |
-- |
-- |
Yes |
Yes |
-- |
|
ec2:DetachVolume |
Detach volume from access node after reads and writes. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:DisassociateIamInstanceProfile |
Remove IAM role from instance. |
-- |
-- |
Yes |
-- |
-- |
|
ec2:GetConsoleOutput |
Get operating system information. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:GetEbsDefaultKmsKeyId |
Retreives the configured default KMS key for EBS encryption for the account and region, used whenever an encrypted EBS snapshot is created. Required for direct write restores. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:GetEbsEncryptionBydefault |
Describes whether EBS encryption by default is enabled for the account in the current AWS Region. Required for direct write restores, HotAdd streaming and backup copy jobs. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:GetManagedPrefixListEntries |
Gets information about the entries for a specified managed prefix list. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:GetSubnetCidrReservations |
Gets information about the subnet CIDR reservations. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:ImportImage |
Used for restore operations with an on-premise access node, including replication operations that use the import method. Import image during conversion job. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:ModifyImageAttribute |
Share the image to admin or user account. |
Yes (across AWS accounts) |
-- |
-- |
Yes |
-- |
|
ec2:ModifyInstanceAttribute |
Set or reset delete on termination policy after restore. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:ModifyNetworkInterfaceAttribute |
Set or reset delete on termination policy after restore. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:ModifySnapshotAttribute |
Share snapshot to a different AWS Region during snap replication and cross account backups and restores. |
Yes |
-- |
Yes |
-- |
Yes |
|
ec2:ModifySubnetAttribute |
Modifies a subnet attribute. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:ModifyVolume |
Adjust IOPS values during hotadd backups. |
Yes |
-- |
-- |
-- |
-- |
|
ec2: ModifyVpcAttribute |
Modifies the specified attribute of the specified VPC. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:ReplaceNetworkAclAssociation |
Changes which network ACL a subnet is associated with. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:RevokeSecurityGroupEgress |
[VPC only] Removes the specified outbound (egress) rules from a security group for a VPC. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:RevokeSecurityGroupIgress |
Removes the specified inbound (ingress) rules from a security group. |
Yes |
-- |
-- |
-- |
-- |
|
ec2:RunInstances |
Create new instance. |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:StartInstances |
Start instance after job completion (based on user input). |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:StopInstances |
Stop instance after restore operation (based on user input). |
Yes |
-- |
-- |
Yes |
Yes |
|
ec2:TerminateInstances |
Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication. |
Yes |
-- |
-- |
Yes |
Yes |
|
iam:GetAccountAuthorizationDetails |
Required to get account info during snap backup operations that use IAM role. |
Yes |
-- |
-- |
Yes |
Yes |
|
iam:GetInstanceProfile |
Required for IAM based authentication. |
Yes |
-- |
-- |
Yes |
Yes |
|
iam:GetUser |
Get information about the user specified in the AWS client. Used during snap replication. |
-- |
-- |
-- |
-- |
Yes |
|
iam:ListInstanceProfiles |
Required to get list of instance profile names to populate IAM roles for restores. |
Yes |
-- |
-- |
Yes |
Yes |
|
iam:ListRoles |
Required to list key pairs in restore screen using IAM role. |
Yes |
-- |
-- |
Yes |
Yes |
|
iam:passrole |
|
Yes |
-- |
-- |
Yes |
Yes |
|
iam:SimulatePrincipalPolicy |
Optional permission used for logging the status of permissions required for EBS Direct Backup and Restore. |
Optional |
-- |
-- |
-- |
-- |
|
kms:CreateAlias |
Create customer-managed CMK during cross account backup of volumes encrypted using default CMK. |
Yes |
-- |
-- |
-- |
-- |
|
kms:CreateGrant |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:CreateKey |
Create customer-managed CMK during cross account backup of volumes encrypted using default CMK. |
Yes |
-- |
-- |
-- |
-- |
|
kms:Decrypt |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:DescribeKey |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:Encrypt |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:GenerateDataKey |
Required for snap replication of default encrypted AWS snapshots. Also required for direct write restores to write data to the encrypted Amazon Elastic Block Store snapshot. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:GenerateDataKeyPair |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:GenerateDataKeyWithoutPlaintext |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:GenerateDataKeyPairWithoutPlaintext |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:ListAliases |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:ListGrants |
Attach encrypted volume to access node for reads and writes during backup, restore, and replication operations. |
Yes |
-- |
Yes |
-- |
Yes |
|
kms:ListKeys |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:ListResourceTags |
Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication. |
-- |
-- |
-- |
-- |
Yes |
|
kms:ReEncryptFrom |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:ReEncryptTo |
Required for snap replication of default encrypted AWS snapshots. |
Yes (for default encrypted snapshots) |
-- |
-- |
-- |
Yes (for default encrypted snapshots) |
|
kms:TagResource |
Required to set tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exists in a given AWS Region. |
Yes |
-- |
-- |
-- |
Yes |
|
s3:CreateBucket |
Required to create an S3 bucket for restores. |
Yes (when using the import transport method) |
Yes |
-- |
Yes (when using the import transport method) |
Yes (when using the import transport method) |
|
s3:DeleteObject |
Used for restore operations with an on-premise access node, including replication operations that use the import method. This permission is also used for a temporary S3 bucket and does not affect the S3 storage buckets. |
Yes |
Yes |
-- |
Yes |
Yes |
|
s3:GetBucketAcl |
Share the bucket to admin account. |
Yes (across AWS accounts) |
-- |
-- |
Yes |
-- |
|
s3:GetBucketLocation |
Get the bucket AWS Region for restore operations that use a non-AWS access node. |
Yes |
Yes |
-- |
Yes |
Yes |
|
s3:GetObject |
Used for restore operations with an on-premise access node, including replication operations that use the import method. |
Yes |
Yes |
-- |
Yes |
Yes |
|
s3:GetObjectAcl |
Used to share an S3 object to the tenant account when you perform an agentless restore to a different account. |
-- |
Yes |
-- |
-- |
-- |
|
s3:GetObjectTagging |
Gets the tag set for an S3 object. Required to recover Amazon VPC resources. |
Yes |
-- |
Yes |
-- |
-- |
|
s3:ListAllMyBuckets |
Used for restore operations that use an on-premise access node, including replication operations that use the import method. |
Yes |
-- |
-- |
-- |
Yes |
|
s3:ListBucket |
Used for restore operations that use an on-premise access node, including replication operations that use the import method. |
Yes |
Yes |
-- |
Yes |
Yes |
|
s3:PutBucketAcl |
Share the bucket to admin account. |
Yes (across AWS accounts) |
-- |
-- |
Yes |
-- |
|
s3:PutBucketOwnershipControls |
Required to enable ACLs on Amazon S3 buckets that are created by Commvault for cross-account agentless restores. |
-- |
Yes |
-- |
-- |
-- |
|
s3:PutEncryptionConfiguration |
Enables server-side encryption with Amazon S3 managed keys (SSE-S3). |
Yes |
Yes |
-- |
Yes |
Yes |
|
s3:PutObject |
Used for restore operations that use an on-premise access node, including replication operations that use the import method. |
Yes |
Yes |
-- |
Yes |
Yes |
|
s3:PutObjectAcl |
Used to upload objects to S3 bucket. |
-- |
Yes |
-- |
-- |
-- |
|
s3:PutObjectTagging |
- Required by MediaAgent if the S3 library is used with DASH copy. - Sets the supplied tag set to an S3 object. |
Yes |
Yes |
Yes |
Yes (when using the import transport method) |
Yes |
|
ssm:CancelCommand |
Cancel run commands. |
-- |
Yes |
-- |
-- |
-- |
|
ssm:DescribeInstanceInformation |
Get a list of instances that have the AWS Systems Manager (SSM) installed. |
-- |
Yes |
-- |
-- |
-- |
|
ssm:ListCommands |
List the run commands. |
-- |
Yes |
-- |
-- |
-- |
|
ssm:SendCommand |
Launch run commands. |
-- |
Yes |
-- |
-- |
-- |
|
sts:AssumeRole |
Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. |
Yes |
Yes |
Yes |
Yes |
Yes |
|
sts:DecodeAuthorizationMessage |
Required to decode encoded messsages. |
Yes |
Yes |
Yes |
Yes |
Yes |