To restrict access to AWS resources for Commvault operations, you can create a policy that restricts access to resources that are created and used by Commvault.
You can associate the policy with an Amazon hypervisor (Commvault virtualization client) using one of the following methods:
Create an IAM role that uses the policy, and attach the role to an Amazon instance that is configured as a VSA proxy for the hypervisor. With this method, choose the IAM Role option for authentication when you configure the hypervisor in Commvault, and specify access nodes (VSA proxies) that have the IAM role attached.
Attach the restricted policy to users or user groups. With this method, choose the Access and Secret Key option for authentication when you configure the hypervisor in Commvault, and then enter the access key and secret key associated with a user who has the restricted policy attached.
Create an STS role that uses the restricted policy. With this method, choose the AWS STS assume role with IAM policy role option for authentication when you configure the hypervisor in Commvault, specify access nodes (VSA proxies) that have the IAM role attached, and then enter the STS assume role associated with the restricted policy attached.
You can use this restricted role for operations performed from the Command Center or from the CommCell Console.
You can perform the following operations using a role with restricted access:
All supported restore operations from streaming backups
All supported restore operations from IntelliSnap backups
Operations that are performed by a tenant user in a managed services environment, using resources that are configured in a separate Admin account
Cross-hypervisor restores (VM conversion) and replication from VMware to AWS
Replication from AWS to AWS
A restricted policy limits the VSA proxy to resources that are tagged with the string '_GX_BACKUP_', including AMI snapshots, volumes, and EBS snapshots, and does not enable the VSA proxy to delete or detach other AWS resources that are not tagged with that string.
In addition, the policy permits deletion only of tags that are created by Commvault, such as '_GX_BACKUP_', 'CV_Retain_Snap', 'CV_Integrity_Snap', '_GX_BACKUP_', and '_GX_AMI_'.
During a backup operation, the tags on the source volumes are inherited by the intermediate resources such as volumes and snapshots.
The restrictions apply to the following EC2 operations:
Before You Begin
Install the Virtual Server Agent on an Amazon EC2 instance.
Download the amazon_restricted_role_permissions.json policy file.
For links to JSON files for various AWS data types and use cases, see Amazon Web Services User Permissions for Backups and Restores.
Assign the policy to an IAM user or IAM role that is used for authentication of the Amazon hypervisor (Commvault virtualization client).
For more information about IAM policies, see Policies and permissions in IAM on the AWS documentation site.