Adding an AWS Key Management Service Server

You can add or modify an AWS Key Management Service (KMS) Server from the Command Center.

If the user account does not have the kms:Decrypt permission, then you can perform only backup operations, and you cannot perform auxiliary copy or restore operations.

For guidelines about key rotation, see Key Rotation Guidelines for Amazon Web Service Key Management Service Server.

Note: If you configure the CommServe LiveSync feature in the CommCell environment, then you must copy the key management server certificates to all the nodes under the same path.

Before You Begin

  • The Commvault user should have Edit Storage Policy \ Copy permissions to a storage policy copy to assign the AWS Key Management Service Server to the copy. For more information, see Storage Policy Management Permissions.
  • The AWS Key Management Service account that you configure must have the following permissions:
    • kms:CreateKey
    • kms:Decrypt
    • kms:DisableKeyRotation
    • kms:Encrypt
    • kms:ScheduleKeyDeletion
    • kms:TagResource


  1. From the navigation pane, go to Manage > Security.

    The Security page appears.

  2. Click the Key management servers tile.

    The Key management servers page appears.

  3. Click Add at the top right, and then select AWS KMSP.

    The Add AWS KMS dialog box appears.

  4. Complete the following steps:
    • Name: Enter the name of the key provider.
    • Region: Select the region where AWS hosts the key management service.
    • Access key: Enter the AWS access key.
    • Secret access key: Enter the AWS secret access key.
  5. Click Save.

Last modified: 3/18/2020 4:40:01 AM