Loading...

Amazon Web Services Permission Usage

Commvault uses Amazon Web Services (AWS) permissions to perform data protection and data recovery operations for instances that run in AWS. These permissions are used only to access snapshots, volumes, and instance configuration information that are required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. In cases where a user with the required administrative privileges requests that a recovered instance overwrites the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault usage of AWS permissions is controlled by the account settings that are used to create a virtualization client (hypervisor). To perform authentication, the virtualization client can use IAM roles or an access key and secret key pair to access the AWS account.

The following table summarizes the Amazon permissions that are needed for Commvault operations and explains how Commvault uses each permission.

Permission

Backups and restores

Agentless file recovery

In-place instance restore with same GUID

VM conversion

Replication

Usage

ec2:AssociateIamInstanceProfile

 

 

 

 

Attach IAM role to an instance.

ec2:AttachNetworkInterface

 

 

 

 

Attach network interface to an instance.

ec2:AttachVolume

 

 

Attach volume to proxy for reads and writes during backup, restore, and replication operations.

ec2:CancelImportTask

 

 

 

 

Cancel the import task.

ec2:CopySnapshot

 

 

 

 

Copy snapshot from one region to another during snap replication.

ec2:CreateImage

 

 

Create AMI of source instance during backup.

ec2:CreateNetworkInterface

 

 

 

 

Create a new network interface.

ec2:CreateSnapshot

(across AWS accounts)

 

 

 

Share the image to admin or user account.

ec2:CreateTags

 

 

 

 

 

Create tags on resources such as instances, volumes, and snapshots.

ec2:CreateVolume

 

 

Create volume from snapshot for backup or create empty volumes for restores.

ec2:DeleteNetworkInterface

 

 

Delete old network interfaces during incremental replication.

ec2:DeleteSnapshot

 

 

Clean up snapshots after job completion.

ec2:DeleteTags

 

 

Delete tags after backup and restore operations.

ec2:DeleteVolume

 

 

Clean up volumes after job completion.

ec2:DeregisterImage

 

 

Delete AMI after backup operations and delete old integrity snapshot.

ec2:DescribeAccountAttributes

 

 

Get supported network platforms (if EC2 is supported).

ec2:DescribeAvailabilityZones

 

 

Get list of availability zones.

ec2:DescribeIamInstanceProfileAssociations

 

 

 

 

Get IAM role information.

ec2:DescribeImages

 

 

Get list of AMIs.

ec2:DescribeImportImageTasks

 

 

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

Get import task information to check the status of the task.

ec2:DescribeInstanceAttribute

 

 

Get EBS optimization information of instance.

ec2:DescribeInstances

 

 

Get list of instances, including proxy and source instance information.

ec2:DescribeInstanceStatus

 

 

 

Validate instance status after restore operation.

ec2:DescribeKeyPairs

 

 

Get list of key pairs.

ec2:DescribeNetworkInterfaces

 

 

Get network interface list.

ec2:DescribeRegions

 

 

Get list of all regions.

ec2:DescribeSecurityGroups

 

 

Get list of security groups.

ec2:DescribeSnapshots

 

 

Get snapshot information.

ec2:DescribeSubnets

 

 

Get list of subnets.

ec2:DescribeTags

 

 

Get tag list to backup and restore tags on instances and volumes.

ec2:DescribeVolumeAttribute

 

 

 

Get product code associated with volume.

ec2:DescribeVolumes

 

 

Get volume list and information such as size, type, and attachments.

ec2:DescribeVpcs

 

 

Get list of VPCs.

ec2:DetachNetworkInterface

 

 

 

Detach a network interface from an instance.

ec2:DetachVolume

 

 

Detach volume from proxy after reads and writes.

ec2:DisassociateIamInstanceProfile

 

 

 

 

Remove IAM role from instance.

ec2:GetConsoleOutput

 

 

Get operating system information.

ec2:ImportImage

 

 

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

Import image during conversion job.

ec2:ModifyImageAttribute

(across AWS accounts)

 

 

 

Share the image to admin or user account.

ec2:ModifyInstanceAttribute

 

 

Set or reset delete on termination policy after restore.

ec2:ModifyNetworkInterfaceAttribute

 

 

Set or reset delete on termination policy after restore.

ec2:RunInstances

 

 

Create new instance.

ec2:StartInstances

 

 

Start instance after job completion (based on user input).

ec2:StopInstances

 

 

Stop instance after restore operation (based on user input).

ec2:TerminateInstances

 

 

Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication.

iam:GetAccountAuthorizationDetails

 

 

Required to get account info during snap backup operations that use IAM role.

iam:GetRole

 

 

Required for IAM based authentication.

iam:ListInstancesProfiles

 

 

Required to get list of instance profile names to populate IAM roles for restores.

iam:ListRoles

 

 

Required to list key pairs in restore screen using IAM role.

iam:passrole

 

 

Required for restoring IAM role on instance.

kms:CreateGrant

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:Decrypt

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:DescribeKey*

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:Encrypt

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:GenerateDataKey*

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:GenerateDataKeyWithoutPlaintext

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:ListAliases

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:ListKeys

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

kms:ReEncrypt*

(for default encrypted snapshots)

 

 

 

(for default encrypted snapshots)

Required for snap replication of default encrypted Amazon snapshots.

s3:CreateBucket

(when using Import method)

 

(when using Import method)

(when using Import method)

Required to create an S3 bucket for restores.

s3:DeleteObject

 

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

s3:GetBucketAcl

(across AWS accounts)

 

 

 

 

Share the bucket to admin account.

s3:GetBucketLocation

 

Get the bucket region for restore operations that use a non-AWS proxy.

s3:GetObject

 

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

s3:ListAllMyBuckets

 

 

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:ListBucket

 

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:PutBucketAcl

(across AWS accounts)

 

 

 

 

Share the bucket to admin account.

s3:PutObject

 

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:PutObjectAcl

 

 

 

 

Used to upload objects to S3 bucket.

s3:PutObjectTagging

 

(when using Import method)

Required by MediaAgent if S3 library is used with DASH copy.

ssm:CancelCommand

 

 

 

 

Cancel run commands.

ssm:DescribeDocument

 

 

 

 

Describe the run command document.

ssm:DescribeInstanceInformation

 

 

 

 

Get a list of instances that have the AWS Systems Manager (SSM) installed.

ssm:ListCommands

 

 

 

 

List the run commands.

ssm:ListDocuments

 

 

 

 

List all run command documents in the account.

ssm:SendCommand

 

 

 

 

Launch run commands.

Last modified: 9/27/2019 6:43:11 PM