Amazon Web Services Permission Usage


Commvault uses Amazon Web Services (AWS) permissions to perform data protection and data recovery operations for instances that run in AWS. These permissions are used only to access snapshots, volumes, and instance configuration information that are required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. In cases where a user with the required administrative privileges requests that a recovered instance overwrites the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault usage of AWS permissions is controlled by the account settings that are used to create a virtualization client (hypervisor). To perform authentication, the virtualization client can use IAM roles or an access key and secret key pair to access the AWS account.

Note: When using resources from an Admin Account, you must add JSON permissions to both Admin and Tenant accounts.

You can use the following IAM Policies to apply these permissions to a user account:

The following table summarizes the AWS permissions that are needed for Commvault operations and explains how Commvault uses each permission.

Permission | Usage | Backup and restores | Agentless file recovery | In-place instance restore with same GUID | VM conversion | Replication

ebs:CompleteSnapshot

Seal and complete the Amazon Elastic Block Store snapshot.

This is required for direct write restores.

ebs:GetSnapshotBlock

Return data in the Amazon Elastic Block Store snapshots.

This is required for direct read backups.

ebs:ListChangedBlocks

Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume.

Required for CBT-enabled backups.

ebs:ListSnapshotBlocks

Return allocated blocks in an Amazon Elastic Block Store snapshot.

Required for CBT-enabled backups.

ebs:PutSnapshotBlock

Write a block of data to the Amazon Elastic Block Store snapshot.

This is required for direct write restores.

ebs:StartSnapshot

Create a new Amazon Elastic Block Store snapshot.

This is required for direct write restores.

ec2:AssociateIamInstanceProfile

Attach IAM role to an instance.

ec2:AttachNetworkInterface

Attach network interface to an instance.

ec2:AttachVolume

Attach volume to access node for reads and writes during backup, restore, and replication operations.

ec2:CancelImportTask

Cancel the import task.

ec2:CopySnapshot

Copy snapshot from one region to another during snap replication.

ec2:CreateImage

Create AMI of source instance during backup.

ec2:CreateNetworkInterface

Create a new network interface.

ec2:CreateSnapshot

Share the image to admin or user account.

(across AWS accounts)

ec2:CreateTags

Create tags on resources such as instances, volumes, and snapshots.

This is required for direct write restores.

ec2:CreateVolume

Create volume from snapshot for backup or create empty volumes for restores.

ec2:DeleteNetworkInterface

Delete old network interfaces during incremental replication.

ec2:DeleteSnapshot

Clean up snapshots after job completion.

ec2:DeleteTags

Delete tags after backup and restore operations.

ec2:DeleteVolume

Clean up volumes after job completion.

ec2:DeregisterImage

Delete AMI after backup operations and delete old integrity snapshot.

ec2:DescribeAccountAttributes

Get supported network platforms (if EC2 is supported).

ec2:DescribeAvailabilityZones

Get list of availability zones.

ec2:DescribeIamInstanceProfileAssociations

Get IAM role information.

ec2:DescribeImages

Get list of AMIs.

ec2:DescribeImportImageTasks

Used for restore operations with an on-premise access node, including replication operations that use the import method.

Get import task information to check the status of the task.

ec2:DescribeInstanceAttribute

Get EBS optimization information of instance.

ec2:DescribeInstances

Get list of instances, including access node and source instance information.

ec2:DescribeInstanceStatus

Validate instance status after restore operation.

ec2:DescribeInstanceTypeOfferings

Get list of all instance types offered in a region.

ec2:DescribeInstanceTypes

Get details of instance types offered in a region.

ec2:DescribeKeyPairs

Get list of key pairs.

ec2:DescribeNetworkInterfaces

Get network interface list.

ec2:DescribeRegions

Get list of all regions.

ec2:DescribeSecurityGroups

Get list of security groups.

ec2:DescribeSnapshots

Get snapshot information.

ec2:DescribeSubnets

Get list of subnets.

ec2:DescribeTags

Get tag list to back up and restore tags on instances and volumes.

ec2:DescribeVolumeAttribute

Get product code associated with volume.

ec2:DescribeVolumes

Get volume list and information such as size, type, and attachments.

ec2:DescribeVolumesModifications

Get IOPS values used during HotAdd backups.

ec2:DescribeVpcs

Get list of VPCs.

ec2:DescribeVpcEndpoints

Get information about the EBS VPC endpoint during direct read backups.

ec2:DetachNetworkInterface

Detach a network interface from an instance.

ec2:DetachVolume

Detach volume from access node after reads and writes.

ec2:DisassociateIamInstanceProfile

Remove IAM role from instance.

ec2:GetConsoleOutput

Get operating system information.

ec2:GetEbsDefaultKmsKeyId

Create an encrypted snapshot with AWS managed key (default key).

This is required for direct write restores.

ec2:GetEbsEncryptionByDefault

Describes whether EBS encryption by default is enabled for the account in the current region. Required for direct write restores, HotAdd streaming and backup copy jobs.

ec2:ImportImage

Used for restore operations with an on-premise access node, including replication operations that use the import method.

Import image during conversion job.

ec2:ModifyImageAttribute

Share the image to admin or user account.

(across AWS accounts)

ec2:ModifyInstanceAttribute

Set or reset delete on termination policy after restore.

ec2:ModifyNetworkInterfaceAttribute

Set or reset delete on termination policy after restore.

ec2:ModifySnapshotAttribute

Share snapshot to a different region during snap replication and cross account backups and restores.

ec2:ModifyVolume

Adjust IOPS values during HotAdd backups.

ec2:RunInstances

Create new instance.

ec2:StartInstances

Start instance after job completion (based on user input).

ec2:StopInstances

Stop instance after restore operation (based on user input).

ec2:TerminateInstances

Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication.

iam:GetAccountAuthorizationDetails

Required to get account info during snap backup operations that use IAM role.

iam:GetInstanceProfile

Required for IAM based authentication.

iam:GetUser

Get information about the user specified in the AWS client. Used during snap replication.

iam:ListInstanceProfiles

Required to get list of instance profile names to populate IAM roles for restores.

iam:ListRoles

Required to list key pairs in restore screen using IAM role.

iam:PassRole

Required for restoring IAM role on instance.

iam:SimulatePrincipalPolicy

Required for simulating the set of IAM policies attached to an IAM user, group, or role to determine the policies' effective permissions for a list of API actions and AWS resources.

kms:CreateAlias

Create customer-managed CMK during cross account backup of volumes encrypted using default CMK.

kms:CreateGrant

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:CreateKey

Create customer-managed CMK during cross account backup of volumes encrypted using default CMK.

kms:Decrypt

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:DescribeKey

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:Encrypt

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:GenerateDataKey

Required for snap replication of default encrypted AWS snapshots.

Also required for direct write restores to write data to the encrypted Amazon Elastic Block Store snapshot.

(for default encrypted snapshots)

kms:GenerateDataKeyPair

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:GenerateDataKeyWithoutPlaintext

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:GenerateDataKeyPairWithoutPlaintext

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:ListAliases

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:ListGrants

Attach encrypted volume to access node for reads and writes during backup, restore, and replication operations.

kms:ListKeys

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:ListResourceTags

Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication.

kms:ReEncryptFrom

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:ReEncryptTo

Required for snap replication of default encrypted AWS snapshots.

(for default encrypted snapshots)

kms:TagResource

Required to set tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exist in a given AWS region.

s3:CreateBucket

Required to create an S3 bucket for restores.

(when using Import method)

s3:DeleteObject

Used for restore operations with an on-premise access node, including replication operations that use the import method.

This permission is also used for a temporary S3 bucket and does not affect the S3 storage buckets.

s3:GetBucketAcl

Share the bucket to admin account.

(across AWS accounts)

s3:GetBucketLocation

Get the bucket region for restore operations that use a non-AWS access node.

s3:GetObject

Used for restore operations with an on-premise access node, including replication operations that use the import method.

s3:ListAllMyBuckets

Used for restore operations that use an on-premise access node, including replication operations that use the import method.

s3:ListBucket

Used for restore operations that use an on-premise access node, including replication operations that use the import method.

s3:PutBucketAcl

Share the bucket to admin account.

(across AWS accounts)

s3:PutObject

Used for restore operations that use an on-premise access node, including replication operations that use the import method.

s3:PutObjectAcl

Used to upload objects to S3 bucket.

s3:PutObjectTagging

Required by MediaAgent if S3 library is used with DASH copy.

(when using Import method)

ssm:CancelCommand

Cancel run commands.

ssm:DescribeInstanceInformation

Get a list of instances that have AWS Systems Manager (SSM) installed.

ssm:ListCommands

List the run commands.

ssm:SendCommand

Launch run commands.

sts:AssumeRole

Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token.
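
To confirm that a policy attached to the virtualization client's IAM user or role grants what the table lists for one operation, the following added example (not Commvault code) checks a policy document against the actions the table describes as required for direct write restores and reports Allow patterns that cover a whole service. The function names and the sample policy are constructed for illustration; the check looks only at Effect and Action, treats any matching Deny as blocking, and ignores Resource, Condition, NotAction, permission boundaries, and service control policies.

```python
import re

# Actions the table above describes as required for direct write restores.
DIRECT_WRITE_RESTORE = [
    "ebs:StartSnapshot", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot",
    "ec2:CreateTags", "ec2:GetEbsDefaultKmsKeyId",
    "ec2:GetEbsEncryptionByDefault", "kms:GenerateDataKey",
]

# Constructed sample policy for illustration; not a Commvault-supplied policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ebs:StartSnapshot", "ebs:putsnapshotblock",
                    "ebs:CompleteSnapshot", "ec2:Get*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "kms:*"},
        {"Effect": "Deny", "Resource": "*", "Action": "ebs:CompleteSnapshot"},
    ],
}

def as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def action_matches(pattern, action):
    """Match an IAM action pattern: case-insensitive, * and ? are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_policy(policy, required):
    """Return required actions not effectively allowed, plus broad Allow patterns."""
    allowed, denied = [], []
    for stmt in as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(as_list(stmt.get("Action")))
    # An explicit Deny overrides any Allow, so a denied action counts as missing.
    missing = [a for a in required
               if any(action_matches(p, a) for p in denied)
               or not any(action_matches(p, a) for p in allowed)]
    # Flag patterns that grant every action of a service (or every action).
    broad = sorted({p for p in allowed if p == "*" or p.endswith(":*")})
    return {"missing": missing, "broad_allows": broad}

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, DIRECT_WRITE_RESTORE))
```

For the sample policy the report lists `ebs:CompleteSnapshot` (explicitly denied) and `ec2:CreateTags` (never granted) as missing, and flags `kms:*` as a service-wide grant to narrow.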