Adding an AWS Key Management Service Server

You can add or modify an AWS Key Management Service (KMS) Server from the Command Center.

If the user account does not have the kms:Decrypt permission, then you can perform only backup operations, and you cannot perform auxiliary copy or restore operations.

For guidelines about key rotation, see Key Rotation Guidelines for Amazon Web Service Key Management Service Server.

Before You Begin

  • The Commvault user should have Edit Storage Policy \ Copy permissions to a storage policy copy to assign the AWS Key Management Service Server to the copy. For more information, see Storage Policy Management Permissions.
  • The AWS Key Management Service account that you configure must have the following permissions:
    • kms:CreateKey
    • kms:Decrypt
    • kms:DisableKeyRotation
    • kms:Encrypt
    • kms:ScheduleKeyDeletion
    • kms:TagResource


  1. From the navigation pane, go to Manage > Security.

    The Security page appears.

  2. Click the Key management servers tile.

    The Key management servers page appears.

  3. Click Add at the top right, and then select AWS KMS.

    The Add AWS KMS dialog box appears.

  4. Complete the following steps:
    • Name: Enter a unique name for the key provider. This is the friendly name that will help you distinguish from other key management service servers.
    • Region: Select the region where AWS hosts the key management service.
    • Access key: Enter the AWS access key.
    • Secret access key: Enter the AWS secret access key.
  5. Click Save.

Last modified: 1/11/2021 12:16:29 PM