Amazon Web Services Permission Usage

Commvault uses Amazon Web Services (AWS) permissions to perform data protection and data recovery operations for instances that run in AWS. These permissions are used only to access snapshots, volumes, and instance configuration information that are required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. In cases where a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault usage of AWS permissions is controlled by the account settings that are used to create a virtualization client (hypervisor). To perform authentication, the virtualization client can use IAM roles or an access key and secret key pair to access the AWS account.

The following table summarizes the Amazon permissions that are needed for Commvault operations and explains how Commvault uses each permission.

Table columns: Permission, Usage, Backups and restores, Agentless file recovery, In-place instance restore with same GUID, VM conversion, Replication.

ebs:ListChangedBlocks

Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume.

Required for CBT-enabled backups.

ebs:ListSnapshotBlocks

Return allocated blocks in an Amazon Elastic Block Store snapshot.

Required for CBT-enabled backups.

ec2:AssociateIamInstanceProfile

Attach IAM role to an instance.

ec2:AttachNetworkInterface

Attach network interface to an instance.

ec2:AttachVolume

Attach volume to proxy for reads and writes during backup, restore, and replication operations.

ec2:CancelImportTask

Cancel the import task.

ec2:CopySnapshot

Copy snapshot from one region to another during snap replication.

ec2:CreateImage

Create AMI of source instance during backup.

ec2:CreateNetworkInterface

Create a new network interface.

ec2:CreateSnapshot

Share the image to admin or user account.

(across AWS accounts)

ec2:CreateTags

Create tags on resources such as instances, volumes, and snapshots.

ec2:CreateVolume

Create volume from snapshot for backup or create empty volumes for restores.

ec2:DeleteNetworkInterface

Delete old network interfaces during incremental replication.

ec2:DeleteSnapshot

Clean up snapshots after job completion.

ec2:DeleteTags

Delete tags after backup and restore operations.

ec2:DeleteVolume

Clean up volumes after job completion.

ec2:DeregisterImage

Delete AMI after backup operations and delete old integrity snapshot.

ec2:DescribeAccountAttributes

Get supported network platforms (if EC2 is supported).

ec2:DescribeAvailabilityZones

Get list of availability zones.

ec2:DescribeIamInstanceProfileAssociations

Get IAM role information.

ec2:DescribeImages

Get list of AMIs.

ec2:DescribeImportImageTasks

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

Get import task information to check the status of the task.

ec2:DescribeInstanceAttribute

Get EBS optimization information of instance.

ec2:DescribeInstances

Get list of instances, including proxy and source instance information.

ec2:DescribeInstanceStatus

Validate instance status after restore operation.

ec2:DescribeKeyPairs

Get list of key pairs.

ec2:DescribeNetworkInterfaces

Get network interface list.

ec2:DescribeRegions

Get list of all regions.

ec2:DescribeSecurityGroups

Get list of security groups.

ec2:DescribeSnapshots

Get snapshot information.

ec2:DescribeSubnets

Get list of subnets.

ec2:DescribeTags

Get tag list to back up and restore tags on instances and volumes.

ec2:DescribeVolumeAttribute

Get product code associated with volume.

ec2:DescribeVolumes

Get volume list and information such as size, type, and attachments.

ec2:DescribeVolumesModifications

Get IOPS values used during hotadd backups.

ec2:DescribeVpcs

Get list of VPCs.

ec2:DescribeVpcEndpoints

Get information about the EBS VPC endpoint during direct read backups.

ec2:DetachNetworkInterface

Detach a network interface from an instance.

ec2:DetachVolume

Detach volume from proxy after reads and writes.

ec2:DisassociateIamInstanceProfile

Remove IAM role from instance.

ec2:GetConsoleOutput

Get operating system information.

ebs:GetSnapshotBlock

Returns data in the Amazon Elastic Block Store snapshots.

This is required for direct read backups.

ec2:ImportImage

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

Import image during conversion job.

ec2:ModifyImageAttribute

Share the image to admin or user account.

(across AWS accounts)

ec2:ModifyInstanceAttribute

Set or reset delete on termination policy after restore.

ec2:ModifyNetworkInterfaceAttribute

Set or reset delete on termination policy after restore.

ec2:ModifySnapshotAttribute

Share snapshot to a different region during snap replication and cross account backups and restores.

ec2:ModifyVolume

Adjust IOPS values during hotadd backups.

ec2:RunInstances

Create new instance.

ec2:StartInstances

Start instance after job completion (based on user input).

ec2:StopInstances

Stop instance after restore operation (based on user input).

ec2:TerminateInstances

Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication.

iam:GetAccountAuthorizationDetails

Required to get account info during snap backup operations that use IAM role.

iam:GetInstanceProfile

Required for IAM based authentication.

iam:GetUser

Get information about the user specified in the AWS client. Used during snap replication.

iam:ListInstanceProfiles

Required to get list of instance profile names to populate IAM roles for restores.

iam:ListRoles

Required to list key pairs in restore screen using IAM role.

iam:passrole

Required for restoring IAM role on instance.

iam:SimulatePrincipalPolicy

Required for simulating the set of IAM policies attached to an IAM user, group, or role to determine the policies' effective permissions for a list of API actions and AWS resources.

kms:CreateAlias

Create customer-managed CMK during cross account backup of volumes encrypted using default CMK.

kms:CreateGrant

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:CreateKey

Create customer-managed CMK during cross account backup of volumes encrypted using default CMK.

kms:Decrypt

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:DescribeKey

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:Encrypt

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:GenerateDataKey

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:GenerateDataKeyWithoutPlaintext

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:GenerateDataKeyPairWithoutPlaintext

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:GenerateDataKeyPair

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:ListAliases

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:ListGrants

Attach encrypted volume to proxy for reads and writes during backup, restore, and replication operations.

kms:ListKeys

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:ListResourceTags

Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication.

kms:ReEncryptFrom

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:ReEncryptTo

Required for snap replication of default encrypted Amazon snapshots.

(for default encrypted snapshots)

kms:TagResource

Required to set tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exist in a given AWS region.

s3:CreateBucket

Required to create an S3 bucket for restores.

(when using Import method)

s3:DeleteObject

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

s3:GetBucketAcl

Share the bucket to admin account.

(across AWS accounts)

s3:GetBucketLocation

Get the bucket region for restore operations that use a non-AWS proxy.

s3:GetObject

Used for restore operations with an on-premise proxy, including replication operations that use the import method.

s3:ListAllMyBuckets

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:ListBucket

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:PutBucketAcl

Share the bucket to admin account.

(across AWS accounts)

s3:PutObject

Used for restore operations that use an on-premise proxy, including replication operations that use the import method.

s3:PutObjectAcl

Used to upload objects to S3 bucket.

s3:PutObjectTagging

Required by MediaAgent if S3 library is used with DASH copy.

(when using Import method)

ssm:CancelCommand

Cancel run commands.

ssm:DescribeDocument

Describe the run command document.

ssm:DescribeInstanceInformation

Get a list of instances that have the AWS Systems Manager (SSM) installed.

ssm:ListCommands

List the run commands.

ssm:ListDocuments

List all run command documents in the account.

ssm:SendCommand

Launch run commands.

sts:AssumeRole

Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token.
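
An added example, not part of the Commvault documentation: a Python check that compares the Allow statements of an IAM policy with the iam, ssm and sts rows of the table above, reporting listed actions the policy does not cover and patterns that are broader than the listed actions. `SAMPLE_POLICY` is constructed for illustration, and the function and variable names are assumptions of this example.

```python
import json
import re

# The iam, ssm and sts rows of the table above, spelled as the page spells them.
# Rows for ebs, ec2, kms and s3 are left out to keep the example short.
PAGE_ACTIONS = [
    "iam:GetAccountAuthorizationDetails", "iam:GetInstanceProfile", "iam:GetUser",
    "iam:ListInstanceProfiles", "iam:ListRoles", "iam:passrole",
    "iam:SimulatePrincipalPolicy", "ssm:CancelCommand", "ssm:DescribeDocument",
    "ssm:DescribeInstanceInformation", "ssm:ListCommands", "ssm:ListDocuments",
    "ssm:SendCommand", "sts:AssumeRole",
]
SERVICES = {a.split(":")[0] for a in PAGE_ACTIONS}

# Constructed sample policy (not from the page).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "ec2:Describe*"], "Resource": "*"}
  ]
}""")

def as_list(value):
    # Policy JSON allows a single object or string where a list is expected.
    return value if isinstance(value, list) else [value]

def matches(pattern, action):
    # IAM action patterns allow * and ? and are case-insensitive.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit(policy):
    """Return (missing, broader) for the audited services.

    missing: page actions that no Allow statement covers.
    broader: Allow patterns that are not an exact page action (wildcards or
             unlisted actions). Deny, NotAction, Resource and Condition are
             not evaluated.
    """
    patterns = [p for s in as_list(policy["Statement"])
                if s.get("Effect") == "Allow"
                for p in as_list(s.get("Action", []))
                if p == "*" or p.split(":")[0].lower() in SERVICES]
    listed = {a.lower() for a in PAGE_ACTIONS}
    missing = [a for a in PAGE_ACTIONS if not any(matches(p, a) for p in patterns)]
    broader = sorted({p for p in patterns if p.lower() not in listed})
    return missing, broader

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

For the sample policy, the check reports `iam:SimulatePrincipalPolicy` as not covered and `iam:Get*`, `iam:List*` and `ssm:*` as broader than the listed actions.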