Commvault requires access to your AWS account through AWS Identity and Access Management (IAM) policies that are attached to IAM roles or users. Those roles or users must hold the permissions that Commvault needs to perform data protection operations.
These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.
Commvault usage of AWS permissions is controlled by the account settings that are used to create the Amazon EC2 hypervisor in Commvault.
Note
When using resources from an admin account, you must add the JSON permissions to both the admin and tenant accounts. The permissions that you need to add depend on the operations that you want the account to be able to perform. To restrict operations, see "Permission Usage" below.
AWS Organizations and Service Control Policies
Commvault Backup & Recovery protects Amazon environments that use AWS Organizations, AWS Control Tower, and Service Control Policies (SCPs).
Important
When implementing the IAM policies, validate their operation using IAM Access Analyzer and the steps in Troubleshooting AWS Organizations policies. When implementing changes to IAM policies in environments that are governed using SCPs, run backup and recovery tests to verify that the results are as expected.
IAM Policies
AWS service to protect | IAM policies |
---|---|
Amazon EC2 | |
Amazon RDS | |
Amazon Redshift | |
Amazon DocumentDB | |
Amazon DynamoDB | |
Amazon S3 on Outposts | |
Amazon EC2 with databases, file systems, and application agents | |
Commvault Cloud Storage Creation with AWS STS – IAM Role Policy Authentication | See Configuring EC2 IAM Role Details for STS Assume IAM Role. |
Commvault Cloud Storage Creation with AWS STS Assume Role | |
AWS VM Import/Export IAM Role | |
Permission Usage
Permission | Usage | Backup and restore | Agentless file recovery | In-place restore with same GUID | VM conversion | Replication |
---|---|---|---|---|---|---|
ebs:CompleteSnapshot | Seal and complete the Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
ebs:GetSnapshotBlock | Return data in the Amazon Elastic Block Store snapshots. Required for direct read backups. | Yes | -- | -- | -- | -- |
ebs:ListChangedBlocks | Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume. Required for CBT-enabled backups. | Yes | -- | -- | -- | -- |
ebs:ListSnapshotBlocks | Return allocated blocks in an Amazon Elastic Block Store snapshot. Required for CBT-enabled backups. | Yes | -- | -- | -- | -- |
ebs:PutSnapshotBlock | Write a block of data to the Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
ebs:StartSnapshot | Create a new Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
ec2:AssociateDhcpOptions | Associates a set of DHCP options (that you previously created) with the specified VPC. | Yes | -- | -- | -- | -- |
ec2:AssociateIamInstanceProfile | Attach IAM role to an instance. | -- | -- | Yes | -- | -- |
ec2:AssociateVpcCidrBlock | Associates a CIDR block with your VPC. | Yes | -- | -- | -- | -- |
ec2:AttachNetworkInterface | Attach network interface to an instance. | -- | -- | Yes | -- | -- |
ec2:AttachVolume | Attach volume to access node for reads and writes during backup, restore, and replication operations. | Yes | -- | -- | Yes | Yes |
ec2:AuthorizeSecurityGroupEgress | [VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC. | Yes | -- | -- | -- | -- |
ec2:AuthorizeSecurityGroupIngress | Adds the specified inbound (ingress) rules to a security group. | Yes | -- | -- | -- | -- |
ec2:CancelImportTask | Cancel the import task. | -- | -- | -- | Yes | -- |
ec2:CopySnapshot | Copy snapshot from one region to another during snap replication. | -- | -- | -- | -- | Yes |
ec2:CreateImage | Create AMI of source instance during backup. | Yes | -- | -- | Yes | Yes |
ec2:CreateNetworkInterface | Creates a network interface in the specified subnet. | -- | -- | Yes | -- | -- |
ec2:CreateSecurityGroup | Creates a security group. | Yes | -- | -- | -- | -- |
ec2:CreateSnapshot | Share the image to admin or user account. | (Across AWS accounts) | -- | -- | Yes | -- |
ec2:CreateSubnet | Creates a subnet in a specified VPC. | Yes | -- | -- | -- | -- |
ec2:CreateTags | Create tags on resources such as instances, volumes, and snapshots. Required for direct write restores. | Yes | -- | -- | Yes | -- |
ec2:CreateVolume | Create volume from snapshot for backup or create empty volumes for restores. | Yes | -- | -- | Yes | Yes |
ec2:CreateVpc | Creates a VPC with the specified IPv4 CIDR block. | Yes | -- | -- | -- | -- |
ec2:DeleteNetworkInterface | Delete old network interfaces during incremental replication. | Yes | -- | -- | Yes | Yes |
ec2:DeleteSecurityGroup | Deletes a security group. | Yes | -- | -- | -- | -- |
ec2:DeleteSnapshot | Clean up snapshots after job completion. | Yes | -- | -- | Yes | Yes |
ec2:DeleteTags | Delete tags after backup and restore operations. | Yes | -- | -- | Yes | Yes |
ec2:DeleteVolume | Clean up volumes after job completion. | Yes | -- | -- | Yes | Yes |
ec2:DeleteVpc | Deletes the specified VPC. | Yes | -- | -- | -- | -- |
ec2:DeregisterImage | Delete AMI after backup operations and delete old integrity snapshot. | Yes | -- | -- | Yes | Yes |
ec2:DescribeAccountAttributes | Get supported network platforms (if EC2 is supported). | Yes | -- | -- | Yes | Yes |
ec2:DescribeAvailabilityZones | Get list of availability zones. | Yes | -- | -- | Yes | Yes |
ec2:DescribeCarrierGateways | Describes one or more of your carrier gateways. | Yes | -- | -- | -- | -- |
ec2:DescribeCustomerGateways | Describes one or more of your VPN customer gateways. | Yes | -- | -- | -- | -- |
ec2:DescribeDhcpOptions | Describes one or more of your DHCP options sets. | Yes | -- | -- | -- | -- |
ec2:DescribeEgressOnlyInternetGateways | Describes one or more of your egress-only internet gateways. | Yes | -- | -- | -- | -- |
ec2:DescribeFlowLogs | Describes one or more flow logs. | Yes | -- | -- | -- | -- |
ec2:DescribeIamInstanceProfileAssociations | Get IAM role information. | -- | -- | Yes | -- | -- |
ec2:DescribeImages | Get list of AMIs. | Yes | -- | -- | Yes | Yes |
ec2:DescribeImportImageTasks | Used for restore operations with an on-premises access node, including replication operations that use the import method. Get import task information to check the status of the task. | Yes | -- | -- | Yes | Yes |
ec2:DescribeInstanceAttribute | Get EBS optimization information of instance. | Yes | -- | -- | Yes | Yes |
ec2:DescribeInstances | Get list of instances, including access node and source instance information. | Yes | -- | -- | Yes | Yes |
ec2:DescribeInstanceStatus | Validate instance status after restore operation. | -- | -- | -- | Yes | Yes |
ec2:DescribeInstanceTypeOfferings | Get list of all instance types offered in a region. | Yes | -- | Yes | Yes | Yes |
ec2:DescribeInstanceTypes | Get details of instance types offered in a region. | Yes | -- | Yes | Yes | Yes |
ec2:DescribeInternetGateways | Describes one or more of your internet gateways. | Yes | -- | -- | -- | -- |
ec2:DescribeKeyPairs | Get list of key pairs. | Yes | -- | -- | Yes | Yes |
ec2:DescribeManagedPrefixLists | Describes your managed prefix lists and any AWS-managed prefix lists. | Yes | -- | -- | -- | -- |
ec2:DescribeNatGateways | Describes one or more of your NAT gateways. | Yes | -- | -- | -- | -- |
ec2:DescribeNetworkAcls | Describes one or more of your network ACLs. | Yes | -- | -- | -- | -- |
ec2:DescribeNetworkInterfaces | Gets the network interface list. | Yes | -- | -- | Yes | Yes |
ec2:DescribePrefixLists | Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service. | Yes | -- | -- | -- | -- |
ec2:DescribeRegions | Get list of all regions. | Yes | -- | -- | Yes | Yes |
ec2:DescribeRouteTables | Describes one or more of your route tables. | Yes | -- | -- | -- | -- |
ec2:DescribeSecurityGroupRules | Describes one or more of your security group rules. | Yes | -- | -- | -- | -- |
ec2:DescribeSecurityGroups | Gets the list of security groups. | Yes | -- | -- | Yes | Yes |
ec2:DescribeSnapshots | Gets snapshot information. | Yes | -- | -- | Yes | Yes |
ec2:DescribeSubnets | Gets the list of subnets. | Yes | -- | -- | Yes | Yes |
ec2:DescribeTags | Get tag list to back up and restore tags on instances and volumes. | Yes | -- | -- | Yes | Yes |
ec2:DescribeTransitGatewayAttachments | Describes one or more attachments between resources and transit gateways. | Yes | -- | -- | -- | -- |
ec2:DescribeTransitGateways | Describes one or more transit gateways. | Yes | -- | -- | -- | -- |
ec2:DescribeVolumeAttribute | Get product code associated with volume. | Yes | -- | -- | Yes | -- |
ec2:DescribeVolumes | Get volume list and information such as size, type, and attachments. | Yes | -- | -- | Yes | Yes |
ec2:DescribeVolumesModifications | Get IOPS values used during HotAdd backups. | Yes | -- | -- | -- | -- |
ec2:DescribeVpcAttribute | Describes the specified attribute of the specified VPC. | Yes | -- | -- | -- | -- |
ec2:DescribeVpcEndpoints | Gets the list of VPC endpoints. | Yes | -- | -- | -- | -- |
ec2:DescribeVpcPeeringConnections | Describes one or more of your VPC peering connections. | Yes | -- | -- | -- | -- |
ec2:DescribeVpcs | Gets the list of VPCs. | Yes | -- | -- | Yes | Yes |
ec2:DescribeVpnConnections | Describes one or more of your VPN connections. | Yes | -- | -- | -- | -- |
ec2:DescribeVpnGateways | Describes one or more of your virtual private gateways. | Yes | -- | -- | -- | -- |
ec2:DetachNetworkInterface | Detach a network interface from an instance. | -- | -- | Yes | Yes | -- |
ec2:DetachVolume | Detach volume from access node after reads and writes. | Yes | -- | -- | Yes | Yes |
ec2:DisassociateIamInstanceProfile | Remove IAM role from instance. | -- | -- | Yes | -- | -- |
ec2:GetConsoleOutput | Get operating system information. | Yes | -- | -- | Yes | Yes |
ec2:GetEbsDefaultKmsKeyId | Create an encrypted snapshot with the AWS managed key (default key). Required for direct write restores. | Yes | -- | -- | -- | -- |
ec2:GetEbsEncryptionByDefault | Describes whether EBS encryption by default is enabled for the account in the current region. Required for direct write restores, HotAdd streaming, and backup copy jobs. | Yes | -- | -- | -- | -- |
ec2:GetManagedPrefixListEntries | Gets information about the entries for a specified managed prefix list. | Yes | -- | -- | -- | -- |
ec2:GetSubnetCidrReservations | Gets information about the subnet CIDR reservations. | Yes | -- | -- | -- | -- |
ec2:ImportImage | Used for restore operations with an on-premises access node, including replication operations that use the import method. Import image during conversion job. | Yes | -- | -- | Yes | Yes |
ec2:ModifyImageAttribute | Share the image to admin or user account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
ec2:ModifyInstanceAttribute | Set or reset delete-on-termination policy after restore. | Yes | -- | -- | Yes | Yes |
ec2:ModifyNetworkInterfaceAttribute | Set or reset delete-on-termination policy after restore. | Yes | -- | -- | Yes | Yes |
ec2:ModifySnapshotAttribute | Share snapshot to a different region during snap replication and cross-account backups and restores. | Yes | -- | Yes | -- | Yes |
ec2:ModifySubnetAttribute | Modifies a subnet attribute. | Yes | -- | -- | -- | -- |
ec2:ModifyVolume | Adjust IOPS values during HotAdd backups. | Yes | -- | -- | -- | -- |
ec2:ModifyVpcAttribute | Modifies the specified attribute of the specified VPC. | Yes | -- | -- | -- | -- |
ec2:RegisterImage | Registers an AMI. Required for UEFI restores and replications to register the interim image. | Yes (for UEFI-based restores) | -- | -- | Yes | Yes |
ec2:RevokeSecurityGroupEgress | [VPC only] Removes the specified outbound (egress) rules from a security group for a VPC. | Yes | -- | -- | -- | -- |
ec2:RevokeSecurityGroupIngress | Removes the specified inbound (ingress) rules from a security group. | Yes | -- | -- | -- | -- |
ec2:RunInstances | Create new instance. | Yes | -- | -- | Yes | Yes |
ec2:StartInstances | Start instance after job completion (based on user input). | Yes | -- | -- | Yes | Yes |
ec2:StopInstances | Stop instance after restore operation (based on user input). | Yes | -- | -- | Yes | Yes |
ec2:TerminateInstances | Delete instance if the overwrite option is selected for a restore operation, or delete the previous replicated instance during incremental replication. | Yes | -- | -- | Yes | Yes |
iam:GetAccountAuthorizationDetails | Required to get account info during snap backup operations that use an IAM role. | Yes | -- | -- | Yes | Yes |
iam:GetInstanceProfile | Required for IAM-based authentication. | Yes | -- | -- | Yes | Yes |
iam:GetUser | Get information about the user specified in the AWS client. Used during snap replication. | -- | -- | -- | -- | Yes |
iam:ListInstanceProfiles | Required to get the list of instance profile names to populate IAM roles for restores. | Yes | -- | -- | Yes | Yes |
iam:ListRoles | Required to list key pairs in the restore screen when using an IAM role. | Yes | -- | -- | Yes | Yes |
iam:PassRole | Required for restoring the IAM role on the restored instance during full instance restores, conversions, and replication. If you don't want the IAM role to be set by Commvault, you can remove this permission completely. You can also restrict this permission to specific roles, services, or instances. You can use the condition key "AssociatedResourceArn" to restrict the destination instances that the role can be associated to. For more information, see IAM and AWS STS condition context keys in the AWS documentation. | Yes | -- | -- | Yes | Yes |
iam:SimulatePrincipalPolicy | Optional permission used for logging the status of permissions required for EBS Direct Backup and Restore. | Optional | -- | -- | -- | -- |
kms:CreateAlias | Create customer-managed CMK during cross-account backup of volumes encrypted using the default CMK. | Yes | -- | -- | -- | -- |
kms:CreateGrant | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:CreateKey | Create customer-managed CMK during cross-account backup of volumes encrypted using the default CMK. | Yes | -- | -- | -- | -- |
kms:Decrypt | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:DescribeKey | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:Encrypt | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:GenerateDataKey | Required for snap replication of default-encrypted AWS snapshots. Also required for direct write restores to write data to the encrypted Amazon Elastic Block Store snapshot. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:GenerateDataKeyPair | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:GenerateDataKeyWithoutPlaintext | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:GenerateDataKeyPairWithoutPlaintext | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:ListAliases | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:ListGrants | Attach encrypted volume to access node for reads and writes during backup, restore, and replication operations. | Yes | -- | Yes | -- | Yes |
kms:ListKeys | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:ListResourceTags | Search for the cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication. | -- | -- | -- | -- | Yes |
kms:ReEncryptFrom | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:ReEncryptTo | Required for snap replication of default-encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
kms:TagResource | Required to set a tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exist in a given AWS region. | Yes | -- | -- | -- | Yes |
s3:CreateBucket | Required to create an S3 bucket for restores. | Yes (when using Import method) | Yes | -- | Yes (when using Import method) | Yes (when using Import method) |
s3:DeleteObject | Used for restore operations with an on-premises access node, including replication operations that use the import method. This permission is also used for a temporary S3 bucket and does not affect the S3 storage buckets. | Yes | Yes | -- | Yes | Yes |
s3:GetBucketAcl | Share the bucket to admin account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
s3:GetBucketLocation | Get the bucket region for restore operations that use a non-AWS access node. | Yes | Yes | -- | Yes | Yes |
s3:GetObject | Used for restore operations with an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
s3:GetObjectAcl | Used to share an S3 object to the tenant account during cross-account agentless restore. | -- | Yes | -- | -- | -- |
s3:ListAllMyBuckets | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | -- | -- | -- | Yes |
s3:ListBucket | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
s3:PutBucketAcl | Share the bucket to admin account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
s3:PutEncryptionConfiguration | Used to enable server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt your data. | Yes | Yes | -- | Yes | Yes |
s3:PutObject | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
s3:PutObjectAcl | Used to upload objects to the S3 bucket. | -- | Yes | -- | -- | -- |
s3:PutObjectTagging | Required by the MediaAgent if an S3 library is used with DASH copy. | Yes | Yes | -- | Yes (when using Import method) | Yes |
ssm:CancelCommand | Cancel run commands. | -- | Yes | -- | -- | -- |
ssm:DescribeInstanceInformation | Get a list of instances that have the AWS Systems Manager (SSM) agent installed. | -- | Yes | -- | -- | -- |
ssm:ListCommands | List the run commands. | -- | Yes | -- | -- | -- |
ssm:SendCommand | Launch run commands. | -- | Yes | -- | -- | -- |
sts:AssumeRole | Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. | Yes | Yes | Yes | Yes | Yes |
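The note above says to restrict operations using the Permission Usage table. The following added Python example (not Commvault tooling) shows one way to do that: it derives a least-privilege policy document from a constructed excerpt of the table for the operations you actually enable, and puts iam:PassRole in its own statement scoped with the iam:AssociatedResourceArn condition key the table mentions. The role ARN and instance ARNs are placeholder assumptions; the matrix rows are only a sample of the full table.

```python
import json

# Column order of the Permission Usage table on this page.
OPERATIONS = ("Backup and restore", "Agentless file recovery",
              "In-place restore with same GUID", "VM conversion", "Replication")

# Constructed excerpt of the page's matrix (a few rows, not the full table):
# action -> (Backup and restore, Agentless, In-place, Conversion, Replication).
# Qualified cells such as "Yes (across AWS accounts)" are treated as True here.
MATRIX = {
    "ec2:AssociateIamInstanceProfile": (False, False, True, False, False),
    "ec2:AttachVolume":                (True, False, False, True, True),
    "ec2:DescribeInstances":           (True, False, False, True, True),
    "ec2:TerminateInstances":          (True, False, False, True, True),
    "iam:PassRole":                    (True, False, False, True, True),
    "ssm:SendCommand":                 (False, True, False, False, False),
    "sts:AssumeRole":                  (True, True, True, True, True),
}


def required_actions(enabled):
    """Sorted actions needed by at least one of the enabled operations."""
    unknown = set(enabled) - set(OPERATIONS)
    if unknown:
        raise ValueError(f"unknown operations: {sorted(unknown)}")
    cols = [OPERATIONS.index(op) for op in enabled]
    return sorted(a for a, row in MATRIX.items() if any(row[c] for c in cols))


def build_policy(enabled, passrole_role_arn="*", instance_arns=None):
    """Policy document allowing only what the enabled operations need.

    iam:PassRole is split into its own statement so it can be limited to the
    role Commvault may pass and, via the iam:AssociatedResourceArn condition
    key named in the table, to the instances that role may be attached to.
    Drop the action entirely if Commvault should never set an IAM role.
    """
    actions = required_actions(enabled)
    statements = []
    plain = [a for a in actions if a != "iam:PassRole"]
    if plain:
        statements.append({"Effect": "Allow", "Action": plain, "Resource": "*"})
    if "iam:PassRole" in actions:
        stmt = {"Effect": "Allow", "Action": "iam:PassRole",
                "Resource": passrole_role_arn}
        if instance_arns:
            stmt["Condition"] = {
                "ArnLike": {"iam:AssociatedResourceArn": list(instance_arns)}}
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Placeholder ARNs (assumed values, not from the page).
    policy = build_policy(
        ["Backup and restore"],
        passrole_role_arn="arn:aws:iam::111122223333:role/PLACEHOLDER-restore-role",
        instance_arns=["arn:aws:ec2:us-east-1:111122223333:instance/*"])
    print(json.dumps(policy, indent=2))
```

Validate the generated document the way the Important note above recommends, with IAM Access Analyzer and a backup and restore test, before attaching it to the hypervisor account.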
Related Topics
In the AWS documentation, see the following: