If service control policies (SCPs) are enabled in your AWS organization, then for all the AWS organizational units (OUs) that host member accounts with workloads that you want Commvault to protect, you must create and attach the Commvault SCP.
The Commvault SCP, which gives Commvault the permissions that it needs to perform backup, recovery, and other tasks, is as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCommvaultOperations",
"Effect": "Allow",
"Action": [
"ec2:*",
"ebs:*",
"iam:*",
"kms:*",
"s3:*",
"ssm:*",
"sts:*",
"rds:*",
"redshift:*",
"dynamodb:*",
"s3-outposts:*"
"ec2messages:*",
"ssmmessages:*"
],
"Resource": "*"
}
]
}