Amazon Web Services User Permissions for Backups and Restores


You can create Amazon Identity and Access Management (IAM) policies and assign them to IAM roles and users. For more information, see Policies and permissions in IAM on the AWS documentation site.

For non-administrative users to perform Commvault backups and restores, you must create IAM policies with the required permissions and attach them to the IAM User or Role.

Use the following IAM policy definitions to configure your IAM Roles and Users:

Amazon service | JSON file to use
Amazon Compute Cloud (EC2) | amazon_restricted_role_permissions.json (recommended)
Amazon Compute Cloud (EC2) | amazon_permission_backup_restore.json (alternate, wider permission set)
Amazon Relational Database Service (Amazon RDS) |
Amazon Redshift |
Amazon DocumentDB |
Amazon DynamoDB |
Amazon S3 on Outposts |
Amazon Compute Cloud (EC2) database file system and application agents |


Use case | JSON file to use
Virtual Machine conversion to Amazon EC2 |
AWS Cloud Library Creation with AWS STS – IAM Role Policy Authentication |
  EC2 role creation with STS Policy with AssumeRole for STS Assume IAM Role |
  S3 role creation with S3 Policy with limited permissions for STS Assume IAM Role |
  EC2 role ARN for STS Assume IAM Role |
AWS Cloud Library Creation with AWS STS Assume Role |
  S3 STS Assume Role creation with STS Policy with AssumeRole |
  Necessary permissions for the S3 role creation with S3 Policy |
  S3 role ARN for STS Assume Role |
Amazon VM Import and Export Service IAM Role |
Amazon VM Import and Export IAM Policy |
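Before attaching either EC2 policy, a practitioner will want to see which actions the wider alternate grants beyond the recommended restricted set, and whether any statement pairs a wildcard action with a wildcard resource. The following Python check is an added example, not Commvault's code; the two policy documents embedded in it are constructed stand-ins for the JSON files listed above, not their actual contents.

```python
import json
from typing import List, Set

# Constructed sample policies: stand-ins for the page's JSON files, NOT their real contents.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
                   "ec2:CreateSnapshot", "ec2:DeleteSnapshot"],
        "Resource": "*",
    }],
})
WIDER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "arn:aws:iam::123456789012:role/EXAMPLE-role"},
    ],
})

def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource; normalize to a list.
    return value if isinstance(value, list) else [value]

def allowed_actions(policy_json: str) -> Set[str]:
    """Set of actions named in Allow statements (wildcards kept verbatim, not expanded)."""
    doc = json.loads(policy_json)
    actions: Set[str] = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def wildcard_findings(policy_json: str) -> List[str]:
    """Flag Allow statements that grant wildcard actions on Resource '*'."""
    doc = json.loads(policy_json)
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action", [])) if a.endswith("*")]
        if wild and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"Statement {i}: wildcard action(s) {wild} on Resource '*'")
    return findings

def extra_actions(wider_json: str, restricted_json: str) -> Set[str]:
    """Actions the wider policy grants that the restricted policy does not list."""
    return allowed_actions(wider_json) - allowed_actions(restricted_json)
```

The comparison is literal, so a wildcard such as ec2:* shows up as one extra entry rather than being expanded into the individual actions it covers.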


How Commvault Uses AWS Permissions

Commvault uses Amazon Web Services (AWS) permissions to perform data protection and data recovery operations for instances that run in AWS. These permissions are used only to access snapshots, volumes, and instance configuration information that are required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. In cases where a user with the required administrative privileges requests that a recovered instance overwrites the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault's use of AWS permissions is controlled by the account settings that are used to create a virtualization client (hypervisor). To authenticate, the virtualization client can use IAM roles or an access key and secret key pair to access the AWS account.

For information about how Commvault uses each permission, see Amazon Web Services Permission Usage.

For more information about AWS permissions, see the Amazon Elastic Compute Cloud API Reference or the Amazon Simple Storage Service API Reference in the AWS documentation.