| Option | Description | Additional Information |
| --- | --- | --- |
| Name | The name of the Cloud library. |  | 
| Device Name | A unique device name generated by the system when the library is added. |  | 
| Type | Select Amazon S3 from the list. |  | 
| MediaAgent | The name of the MediaAgent to which the device is attached. Select a MediaAgent from the list to add to the cloud storage device. The list contains the names of all the MediaAgents configured in the CommCell. |  | 
| Access Information | Add the credentials and other details required to access the cloud storage space. |  | 
| Authentication | Select Access & Secret Keys. |  | 
| Service Host | A valid endpoint name for the Amazon S3 region provided by the agency. (Commvault transfers data to the service host using the HTTPS protocol.) Default: s3.[region].amazonaws.com. For example, s3.us-west-1.amazonaws.com. | 
To find the region, see https://docs.aws.amazon.com/general/latest/gr/rande.html.
For more information about Amazon Access Points, see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points.html. For more information about AWS PrivateLink for Amazon S3, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html.
For Amazon S3 Transfer Acceleration, provide the service host provider name as s3-accelerate.amazonaws.com.
For AWS PrivateLink for Amazon S3, provide the service host provider name as [VPC-endpoint-ID].[region].vpce.amazonaws.com. For example, vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com.
For Amazon S3 Access Points, provide the service host provider name as s3-accesspoint.[region].amazonaws.com.
For Access Point with AWS PrivateLink, provide the service host provider name as accesspoint.[VPC-endpoint-ID].[region].vpce.amazonaws.com. For example, accesspoint.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com.
To connect to the VPC STS endpoint, provide the service host provider name as vpce-1234567f12345678-123456e2hf.s3.us-east-1.vpce.amazonaws.com.
Do not add the bucket name as the service host.
Multiple hosts can be added in the Service Host field, separated by commas. For example, servicehost1, servicehost2, servicehost3. (For local cloud servers with multiple IP addresses, the list of IP addresses can be added. For example, 192.xxx.0.100, 192.xxx.0.101, 192.xxx.0.102.)
Note: All the hosts (or IP addresses) in the list must point to the same storage. Adding a host or IP address to a different storage will result in data loss. | 
| Credential | Select a pre-defined credential from the list. To define a new credential, click the Add New button from the list. The following information is required. 
Credential name: A user-defined name for the credential.
Access key ID: Access key ID for the account.
Secret access key: Secret access key for the account. | Credentials must not contain blank spaces or other special characters. For instructions about creating a credential, see Adding a Credential to Credential Vault. | 
| Bucket | Click the Detect button to detect an existing bucket. For Amazon S3 Access Points, enter the bucket/container as follows: [accesspoint name]-[account id]
For example: accesspointtest-999999999999
 | Sometimes the list of existing buckets is not populated when detecting buckets, either because the vendor does not support this operation or because the permissions needed to complete the operation are missing. In such cases, type the name of the existing bucket that you want to use. The system will automatically use the existing bucket if it is available. | 
|  | The following permissions must be defined in the Permissions Policy associated with a user or an IAM Role. | Sample JSON file with these permissions. | 
|  | "s3:CreateBucket",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:RestoreObject",
"s3:ListBucketVersions",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketVersioning",
"s3:GetBucketVersioning",
"s3:GetBucketObjectLockConfiguration"
 | 
The CreateBucket permission is required only when the bucket must be created by the MediaAgent while configuring the cloud storage. (This permission can be skipped if an existing bucket is used for configuring the cloud storage.)
The ListAllMyBuckets permission is required for the Detect button to work.
For a bucket with versioning enabled, the user must have the DeleteObjectVersion and ListBucketVersions permissions to delete versioned objects when a pruning request is sent to delete the objects.
To recall data from Amazon Glacier/Deep Archive or Combined Tier Storage Classes, make sure that the user associated with the bucket has the RestoreObject permission. For more information on POST Object restore, see https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOSTrestore.html.
The PutBucketVersioning permission is required to enable versioning on the bucket. Object lock can be enabled only on a versioning-enabled bucket.
The GetBucketVersioning permission is required to infer whether versioning is enabled on a bucket.
The GetBucketObjectLockConfiguration permission is required to infer whether object lock is enabled on a bucket. | 
| Storage Class | The following Amazon S3 storage classes are supported for Commvault Cloud Storage libraries: 
S3 Standard
S3 Intelligent-Tiering
S3 Standard-Infrequent Access
S3 One Zone - Infrequent Access
S3 Glacier Instant Retrieval 
S3 Glacier Flexible Retrieval
S3 Glacier Deep Archive
S3 Reduced Redundancy Storage | Reference https://aws.amazon.com/s3/storage-classes/ for more information. |
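
The permissions listed in the Bucket row can be scoped to a single bucket instead of granted account-wide. The following is an added example, not the vendor's sample JSON file: a hypothetical helper `build_policy` that emits a policy with bucket-level and object-level actions attached to the matching ARNs and includes the feature-dependent permissions (CreateBucket, ListAllMyBuckets, the versioned-pruning pair, RestoreObject) only when requested. The bucket name and the standard `aws` partition are assumptions.

```python
import json

# Actions from the list above that IAM evaluates against the bucket ARN.
BUCKET_ACTIONS = [
    "s3:GetBucketLocation", "s3:ListBucket",
    "s3:PutBucketObjectLockConfiguration", "s3:GetBucketObjectLockConfiguration",
    "s3:PutBucketVersioning", "s3:GetBucketVersioning",
]
# Actions from the list above that IAM evaluates against object ARNs (bucket/*).
OBJECT_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:PutObjectRetention",
    "s3:PutObjectTagging", "s3:DeleteObject",
]

def build_policy(bucket, create_bucket=False, detect=False,
                 versioned=False, glacier_recall=False, partition="aws"):
    """Return an IAM policy dict scoped to one bucket (hypothetical helper)."""
    bucket_actions = list(BUCKET_ACTIONS)
    object_actions = list(OBJECT_ACTIONS)
    if create_bucket:    # only when the MediaAgent creates the bucket
        bucket_actions.append("s3:CreateBucket")
    if versioned:        # pruning of versioned objects
        bucket_actions.append("s3:ListBucketVersions")
        object_actions.append("s3:DeleteObjectVersion")
    if glacier_recall:   # recalls from Glacier / Deep Archive classes
        object_actions.append("s3:RestoreObject")
    arn = f"arn:{partition}:s3:::{bucket}"
    statements = [
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": sorted(bucket_actions), "Resource": arn},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": sorted(object_actions), "Resource": f"{arn}/*"},
    ]
    if detect:
        # ListAllMyBuckets is account-wide; it cannot be limited to one bucket ARN.
        statements.append({"Sid": "DetectButton", "Effect": "Allow",
                           "Action": ["s3:ListAllMyBuckets"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    # Constructed bucket name, for illustration only.
    print(json.dumps(build_policy("example-backup-bucket", versioned=True), indent=2))
```

Leaving `detect` off means the bucket name must be typed in manually, as described in the Bucket row, but it avoids granting the one permission that cannot be restricted to the backup bucket.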