Commvault uses AWS permissions to perform protection operations for your Amazon EC2 instances. Commvault's use of AWS permissions is controlled by the AWS user account (which is represented in Commvault as an Amazon EC2 hypervisor).
Commvault uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.
For IAM policies (in JSON format) that include the required permissions for protecting Amazon EC2 instances (and other AWS services), see IAM Policies for Protecting AWS Services with Commvault.
For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.
| Permission | Usage | Backup and restore | Agentless file recovery | In-place restore with same GUID | VM conversion | Replication |
|---|---|---|---|---|---|---|
| ebs:CompleteSnapshot | Seal and complete the Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
| ebs:GetSnapshotBlock | Return data in the Amazon Elastic Block Store snapshots. Required for direct read backups. | Yes | -- | -- | -- | -- |
| ebs:ListChangedBlocks | Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume. Required for CBT-enabled backups. | Yes | -- | -- | -- | -- |
| ebs:ListSnapshotBlocks | Return allocated blocks in an Amazon Elastic Block Store snapshot. Required for CBT-enabled backups. | Yes | -- | -- | -- | -- |
| ebs:PutSnapshotBlock | Write a block of data to the Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
| ebs:StartSnapshot | Create a new Amazon Elastic Block Store snapshot. Required for direct write restores. | Yes | -- | -- | -- | -- |
| ec2:AssociateDhcpOptions | Associates a set of DHCP options (that you previously created) with the specified VPC. | Yes | -- | -- | -- | -- |
| ec2:AssociateIamInstanceProfile | Attach IAM role to an instance. | -- | -- | Yes | -- | -- |
| ec2:AssociateVpcCidrBlock | Associates a CIDR block with your VPC. | Yes | -- | -- | -- | -- |
| ec2:AttachNetworkInterface | Attach network interface to an instance. | -- | -- | Yes | -- | -- |
| ec2:AttachVolume | Attach volume to access node for reads and writes during backup, restore, and replication operations. | Yes | -- | -- | Yes | Yes |
| ec2:AuthorizeSecurityGroupEgress | [VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC. | Yes | -- | -- | -- | -- |
| ec2:AuthorizeSecurityGroupIngress | Adds the specified inbound (ingress) rules to a security group. | Yes | -- | -- | -- | -- |
| ec2:CancelImportTask | Cancel the import task. | -- | -- | -- | Yes | -- |
| ec2:CopySnapshot | Copy snapshot from one region to another during snap replication. | -- | -- | -- | -- | Yes |
| ec2:CreateDhcpOptions | Creates a set of DHCP options for your VPC. | Yes | -- | Yes | -- | -- |
| ec2:CreateImage | Create AMI of source instance during backup. | Yes | -- | -- | Yes | Yes |
| ec2:CreateNetworkInterface | Creates a network interface in the specified subnet. | -- | -- | Yes | -- | -- |
| ec2:CreateSecurityGroup | Creates a security group. | Yes | -- | -- | -- | -- |
| ec2:CreateSnapshot | Share the image to admin or user account. | (Across AWS accounts) | -- | -- | Yes | -- |
| ec2:CreateSubnet | Creates a subnet in a specified VPC. | Yes | -- | -- | -- | -- |
| ec2:CreateTags | Create tags on resources such as instances, volumes, and snapshots. Required for direct write restores. | Yes | -- | -- | Yes | -- |
| ec2:CreateVolume | Create volume from snapshot for backup or create empty volumes for restores. | Yes | -- | -- | Yes | Yes |
| ec2:CreateVpc | Creates a VPC with the specified IPv4 CIDR block. | Yes | -- | -- | -- | -- |
| ec2:DeleteDhcpOptions | Deletes the specified set of DHCP options. | Yes | -- | Yes | -- | -- |
| ec2:DeleteNetworkInterface | Delete old network interfaces during incremental replication. | Yes | -- | -- | Yes | Yes |
| ec2:DeleteSecurityGroup | Deletes a security group. | Yes | -- | -- | -- | -- |
| ec2:DeleteSnapshot | Clean up snapshots after job completion. | Yes | -- | -- | Yes | Yes |
| ec2:DeleteSubnet | Deletes the specified subnet. | Yes | -- | Yes | -- | -- |
| ec2:DeleteTags | Delete tags after backup and restore operations. | Yes | -- | -- | Yes | Yes |
| ec2:DeleteVolume | Clean up volumes after job completion. | Yes | -- | -- | Yes | Yes |
| ec2:DeleteVpc | Deletes the specified VPC. | Yes | -- | -- | -- | -- |
| ec2:DeregisterImage | Delete AMI after backup operations and delete old integrity snapshot. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeAccountAttributes | Get supported network platforms (if EC2 is supported). | Yes | -- | -- | Yes | Yes |
| ec2:DescribeAvailabilityZones | Get list of availability zones. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeCarrierGateways | Describes one or more of your carrier gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeCustomerGateways | Describes one or more of your VPN customer gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeDhcpOptions | Describes one or more of your DHCP options sets. | Yes | -- | -- | -- | -- |
| ec2:DescribeEgressOnlyInternetGateways | Describes one or more of your egress-only internet gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeFlowLogs | Describes one or more flow logs. | Yes | -- | -- | -- | -- |
| ec2:DescribeIamInstanceProfileAssociations | Get IAM role information. | -- | -- | Yes | -- | -- |
| ec2:DescribeImages | Get list of AMIs. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeImportImageTasks | Used for restore operations with an on-premises access node, including replication operations that use the import method. Get import task information to check the status of the task. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeInstanceAttribute | Get EBS optimization information of instance. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeInstances | Get list of instances, including access node and source instance information. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeInstanceStatus | Validate instance status after restore operation. | -- | -- | -- | Yes | Yes |
| ec2:DescribeInstanceTypeOfferings | Get list of all instance types offered in a region. | Yes | -- | Yes | Yes | Yes |
| ec2:DescribeInstanceTypes | Get details of instance types offered in a region. | Yes | -- | Yes | Yes | Yes |
| ec2:DescribeInternetGateways | Describes one or more of your internet gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeKeyPairs | Get list of key pairs. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeManagedPrefixLists | Describes your managed prefix lists and any AWS-managed prefix lists. | Yes | -- | -- | -- | -- |
| ec2:DescribeNatGateways | Describes one or more of your NAT gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeNetworkAcls | Describes one or more of your network ACLs. | Yes | -- | -- | -- | -- |
| ec2:DescribeNetworkInterfaces | Gets the network interface list. | Yes | -- | -- | Yes | Yes |
| ec2:DescribePrefixLists | Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service. | Yes | -- | -- | -- | -- |
| ec2:DescribeRegions | Get list of all regions. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeRouteTables | Describes one or more of your route tables. | Yes | -- | -- | -- | -- |
| ec2:DescribeSecurityGroupRules | Describes one or more of your security group rules. | Yes | -- | -- | -- | -- |
| ec2:DescribeSecurityGroups | Gets the list of security groups. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeSnapshots | Gets snapshot information. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeSubnets | Gets the list of subnets. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeTags | Get tag list to back up and restore tags on instances and volumes. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeTransitGatewayAttachments | Describes one or more attachments between resources and transit gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeTransitGateways | Describes one or more transit gateways. | Yes | -- | -- | -- | -- |
| ec2:DescribeVolumeAttribute | Get product code associated with volume. | Yes | -- | -- | Yes | -- |
| ec2:DescribeVolumes | Get volume list and information such as size, type, and attachments. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeVolumesModifications | Get IOPS values used during HotAdd backups. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpcAttribute | Describes the specified attribute of the specified VPC. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpcEndpoints | Gets the list of VPC endpoints. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpcPeeringConnections | Describes one or more of your VPC peering connections. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpcs | Gets the list of VPCs. | Yes | -- | -- | Yes | Yes |
| ec2:DescribeVpnConnections | Describes one or more of your VPN connections. | Yes | -- | -- | -- | -- |
| ec2:DescribeVpnGateways | Describes one or more of your virtual private gateways. | Yes | -- | -- | -- | -- |
| ec2:DetachNetworkInterface | Detach a network interface from an instance. | -- | -- | Yes | Yes | -- |
| ec2:DetachVolume | Detach volume from access node after reads and writes. | Yes | -- | -- | Yes | Yes |
| ec2:DisassociateIamInstanceProfile | Remove IAM role from instance. | -- | -- | Yes | -- | -- |
| ec2:GetConsoleOutput | Get operating system information. | Yes | -- | -- | Yes | Yes |
| ec2:GetEbsDefaultKmsKeyId | Create an encrypted snapshot with AWS managed key (default key). Required for direct write restores. | Yes | -- | -- | -- | -- |
| ec2:GetEbsEncryptionByDefault | Describes whether EBS encryption by default is enabled for the account in the current region. Required for direct write restores, HotAdd streaming, and backup copy jobs. | Yes | -- | -- | -- | -- |
| ec2:GetManagedPrefixListEntries | Gets information about the entries for a specified managed prefix list. | Yes | -- | -- | -- | -- |
| ec2:GetSubnetCidrReservations | Gets information about the subnet CIDR reservations. | Yes | -- | -- | -- | -- |
| ec2:ImportImage | Used for restore operations with an on-premises access node, including replication operations that use the import method. Import image during conversion job. | Yes | -- | -- | Yes | Yes |
| ec2:ModifyImageAttribute | Share the image to admin or user account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
| ec2:ModifyInstanceAttribute | Set or reset delete on termination policy after restore. | Yes | -- | -- | Yes | Yes |
| ec2:ModifyNetworkInterfaceAttribute | Set or reset delete on termination policy after restore. | Yes | -- | -- | Yes | Yes |
| ec2:ModifySnapshotAttribute | Share snapshot to a different region during snap replication and cross-account backups and restores. | Yes | -- | Yes | -- | Yes |
| ec2:ModifySubnetAttribute | Modifies a subnet attribute. | Yes | -- | -- | -- | -- |
| ec2:ModifyVolume | Adjust IOPS values during HotAdd backups. | Yes | -- | -- | -- | -- |
| ec2:ModifyVpcAttribute | Modifies the specified attribute of the specified VPC. | Yes | -- | -- | -- | -- |
| ec2:RegisterImage | Registers an AMI. Required for UEFI restores and replications to register the interim image. | Yes (for UEFI-based restores) | -- | -- | Yes | Yes |
| ec2:RevokeSecurityGroupEgress | [VPC only] Removes the specified outbound (egress) rules from a security group for a VPC. | Yes | -- | -- | -- | -- |
| ec2:RevokeSecurityGroupIngress | Removes the specified inbound (ingress) rules from a security group. | Yes | -- | -- | -- | -- |
| ec2:RunInstances | Create new instance. | Yes | -- | -- | Yes | Yes |
| ec2:StartInstances | Start instance after job completion (based on user input). | Yes | -- | -- | Yes | Yes |
| ec2:StopInstances | Stop instance after restore operation (based on user input). | Yes | -- | -- | Yes | Yes |
| ec2:TerminateInstances | Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication. | Yes | -- | -- | Yes | Yes |
| iam:GetAccountAuthorizationDetails | Required to get account info during snap backup operations that use IAM role. | Yes | -- | -- | Yes | Yes |
| iam:GetInstanceProfile | Required for IAM-based authentication. | Yes | -- | -- | Yes | Yes |
| iam:GetUser | Get information about the user specified in the AWS client. Used during snap replication. | -- | -- | -- | -- | Yes |
| iam:ListInstanceProfiles | Required to get list of instance profile names to populate IAM roles for restores. | Yes | -- | -- | Yes | Yes |
| iam:ListRoles | Required to list key pairs in restore screen using IAM role. | Yes | -- | -- | Yes | Yes |
| iam:PassRole | Required for restoring the IAM role on the restored instance during full instance restores, conversions, and replication. If you don't want the IAM role to be set by Commvault, you can remove this permission completely. You can also restrict this permission to specific roles, services, or instances. You can use the condition key "AssociatedResourceArn" to restrict the destination instances that the role can be associated to. For more information, see IAM and AWS STS condition context keys in the AWS documentation. | Yes | -- | -- | Yes | Yes |
| iam:SimulatePrincipalPolicy | Optional permission used for logging the status of permissions required for EBS Direct Backup and Restore. | Optional | -- | -- | -- | -- |
| kms:CreateAlias | Create customer-managed CMK during cross-account backup of volumes encrypted using default CMK. | Yes | -- | -- | -- | -- |
| kms:CreateGrant | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:CreateKey | Create customer-managed CMK during cross-account backup of volumes encrypted using default CMK. | Yes | -- | -- | -- | -- |
| kms:Decrypt | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:DescribeKey | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:Encrypt | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:GenerateDataKey | Required for snap replication of default encrypted AWS snapshots. Also required for direct write restores to write data to the encrypted Amazon Elastic Block Store snapshot. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:GenerateDataKeyPair | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:GenerateDataKeyWithoutPlaintext | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:GenerateDataKeyPairWithoutPlaintext | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:ListAliases | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:ListGrants | Attach encrypted volume to access node for reads and writes during backup, restore, and replication operations. | Yes | -- | Yes | -- | Yes |
| kms:ListKeys | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:ListResourceTags | Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication. | -- | -- | -- | -- | Yes |
| kms:ReEncryptFrom | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:ReEncryptTo | Required for snap replication of default encrypted AWS snapshots. | Yes (for default encrypted snapshots) | -- | -- | -- | Yes (for default encrypted snapshots) |
| kms:TagResource | Required to set tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exist in a given AWS region. | Yes | -- | -- | -- | Yes |
| s3:CreateBucket | Required to create an S3 bucket for restores. | Yes (when using Import method) | Yes | -- | Yes (when using Import method) | Yes (when using Import method) |
| s3:DeleteObject | Used for restore operations with an on-premises access node, including replication operations that use the import method. This permission is also used for a temporary S3 bucket and does not affect the S3 storage buckets. | Yes | Yes | -- | Yes | Yes |
| s3:GetBucketAcl | Share the bucket to admin account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
| s3:GetBucketLocation | Get the bucket region for restore operations that use a non-AWS access node. | Yes | Yes | -- | Yes | Yes |
| s3:GetObject | Used for restore operations with an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
| s3:GetObjectAcl | Used to share S3 object to tenant account during cross-account agentless restore. | -- | Yes | -- | -- | -- |
| s3:ListAllMyBuckets | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | -- | -- | -- | Yes |
| s3:ListBucket | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
| s3:PutBucketAcl | Share the bucket to admin account. | Yes (across AWS accounts) | -- | -- | Yes | -- |
| s3:PutBucketOwnershipControls | Required to enable ACLs on Amazon S3 buckets that are created by Commvault for cross-account agentless restores. | -- | Yes | -- | -- | -- |
| s3:PutEncryptionConfiguration | Used to enable server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt your data. | Yes | Yes | -- | Yes | Yes |
| s3:PutObject | Used for restore operations that use an on-premises access node, including replication operations that use the import method. | Yes | Yes | -- | Yes | Yes |
| s3:PutObjectAcl | Used to upload objects to S3 bucket. | -- | Yes | -- | -- | -- |
| s3:PutObjectTagging | Required by MediaAgent if the S3 library is used with DASH copy. Sets the supplied tag set to an S3 object. | Yes | Yes | Yes | Yes (when using Import method) | Yes |
| ssm:CancelCommand | Cancel run commands. | -- | Yes | -- | -- | -- |
| ssm:DescribeInstanceInformation | Get a list of instances that have the AWS Systems Manager (SSM) agent installed. | -- | Yes | -- | -- | -- |
| ssm:ListCommands | List the run commands. | -- | Yes | -- | -- | -- |
| ssm:SendCommand | Launch run commands. | -- | Yes | -- | -- | -- |
| sts:AssumeRole | Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. | Yes | Yes | Yes | Yes | Yes |
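A practical question this table raises is whether a given IAM policy actually grants every action an operation column needs, and whether the iam:PassRole grant was narrowed with the AssociatedResourceArn condition the table recommends. The following script is an added example, not Commvault's code or tooling: it embeds a small subset of the rows above (keyed by the columns where the table says "Yes"), a constructed candidate policy document, and an offline evaluator that applies IAM's case-insensitive action matching with `*`/`?` wildcards and explicit-deny precedence. The account ID, role name and region in the policy are placeholders, and the condition key is written as `iam:AssociatedResourceArn`, the prefixed form AWS documents for the key the table names. Only Action, Effect and the presence of a Condition are modelled; Resource, NotAction and condition semantics are not, so the result is a quick gap list rather than an authorization decision (the table's optional iam:SimulatePrincipalPolicy is the AWS-side way to get the authoritative answer).

```python
"""Offline gap check of an IAM policy against a subset of the Commvault EC2 permission matrix.

Added example: not Commvault's code. MATRIX rows are copied from the table above; the
candidate policy is constructed for illustration with placeholder identifiers.
"""
import fnmatch
import json

# Subset of the matrix above. Each action maps to the operation columns in which the
# table marks it "Yes" (a qualified "Yes (...)" is counted as Yes).
MATRIX = {
    "ebs:GetSnapshotBlock": {"Backup and restore"},
    "ebs:ListChangedBlocks": {"Backup and restore"},
    "ebs:ListSnapshotBlocks": {"Backup and restore"},
    "ec2:CopySnapshot": {"Replication"},
    "ec2:CreateSnapshot": {"VM conversion"},
    "ec2:CreateTags": {"Backup and restore", "VM conversion"},
    "ec2:DeleteSnapshot": {"Backup and restore", "VM conversion", "Replication"},
    "ec2:DescribeInstances": {"Backup and restore", "VM conversion", "Replication"},
    "ec2:DescribeVolumes": {"Backup and restore", "VM conversion", "Replication"},
    "ec2:RunInstances": {"Backup and restore", "VM conversion", "Replication"},
    "ec2:TerminateInstances": {"Backup and restore", "VM conversion", "Replication"},
    "iam:PassRole": {"Backup and restore", "VM conversion", "Replication"},
    "kms:Decrypt": {"Backup and restore", "Replication"},
    "s3:GetObject": {"Backup and restore", "Agentless file recovery", "VM conversion", "Replication"},
}

# Constructed candidate policy (placeholder account 111111111111, placeholder role prefix).
# iam:PassRole is scoped with the iam:AssociatedResourceArn condition key so the role can only
# be passed to instances in one region of that account. ec2:TerminateInstances is explicitly
# denied, which blocks the "overwrite the original instance" restore path for this principal.
CANDIDATE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ebs:*", "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:RunInstances"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111111111111:role/commvault-restore-*",
     "Condition": {"ArnLike": {"iam:AssociatedResourceArn": "arn:aws:ec2:us-east-1:111111111111:instance/*"}}},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM lets Statement and Action be either a single value or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are the only wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_action(policy, action):
    """Return 'denied', 'allowed', 'conditional' or 'missing' for one action.

    An explicit Deny wins over any Allow, as in IAM's evaluation logic. An Allow that
    carries a Condition is reported as 'conditional' unless another statement grants the
    action unconditionally. Resource and NotAction are deliberately not modelled.
    """
    verdict = "missing"
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "denied"
        if stmt.get("Effect") == "Allow":
            grant = "conditional" if stmt.get("Condition") else "allowed"
            if verdict == "missing" or (verdict == "conditional" and grant == "allowed"):
                verdict = grant
    return verdict


def required_actions(column):
    """Actions the embedded matrix subset marks as required for an operation column."""
    return sorted(a for a, cols in MATRIX.items() if column in cols)


def coverage_report(policy, column):
    """Map each required action for `column` to its verdict under `policy`."""
    return {action: evaluate_action(policy, action) for action in required_actions(column)}


def gaps(policy, column):
    """Required actions the policy does not grant at all (missing or explicitly denied)."""
    return sorted(a for a, v in coverage_report(policy, column).items() if v in ("missing", "denied"))


if __name__ == "__main__":
    for column in ("Backup and restore", "Agentless file recovery", "VM conversion", "Replication"):
        print(f"== {column} ==")
        for action, verdict in coverage_report(CANDIDATE_POLICY, column).items():
            print(f"  {verdict:<12} {action}")
        print(f"  gaps: {gaps(CANDIDATE_POLICY, column)}")
```

Two things the run makes visible that reading the policy by eye tends to miss: `ebs:*` covers the EBS direct-read actions but says nothing about `ec2:CreateSnapshot`, which therefore shows up as a gap for VM conversion, and a conditional PassRole grant is reported separately so a reviewer can confirm the condition is the intended narrowing rather than an accidental one.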