You can create and assign Amazon Identity and Access Management (IAM) policies to IAM Roles and Users. For more information, on the AWS documentation site, see Policies and permissions in IAM.
For non-administrative users to perform Commvault backup and restores, you must create IAM policies with required permissions, and attach to the IAM User or Role.
Use the following IAM policy definitions to configure your IAM Roles and Users:
Amazon service | JSON file to use | |
|---|---|---|
Amazon Compute Cloud (EC2) | amazon_restricted_role_permissions.json (recommended) | |
Amazon Compute Cloud (EC2) | amazon_permission_backup_restore.json (alternate, wider permission set) | |
Amazon Relational Database Service (Amazon RDS) | ||
Amazon Redshift | ||
Amazon DocumentDB | ||
Amazon DynamoDB | ||
Amazon S3 on Outposts | ||
Amazon Compute Cloud (EC2) database file system and application agents | ||
Use case | JSON file to use | |
Virtual Machine conversion to Amazon EC2 | ||
AWS Cloud Library Creation with AWS STS – IAM Role Policy Authentication | EC2 role creation with STS Policy with AssumeRole for STS Assume IAM Role | |
S3 role creation with S3 Policy with limited permissions for STS Assume IAM Role | ||
EC2 role ARN for STS Assume IAM Role | ||
AWS Cloud Library Creation with AWS STS Assume Role | S3 STS Assume Role creation with STS Policy with AssumeRole | |
Necessary permissions for the S3 role creation with S3 Policy | ||
S3 role ARN for STS Assume Role | ||
Amazon VM Import and Export Service IAM Role | ||
Amazon VM Import and Export IAM Policy | ||
How Commvault Uses AWS Permissions
Commvault uses Amazon Web Services (AWS) permissions to perform data protection and data recovery operations for instances that run in AWS. These permissions are used only to access snapshots, volumes, and instance configuration information that are required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. In cases where a user with the required administrative privileges requests that a recovered instance overwrites the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.
Commvault usage of AWS permissions is controlled by the account settings that are used to create a virtualization client (hypervisor). To perform authentication, the virtualization client can use IAM roles or an access key and secret key pair to access the AWS account.
For information about how Commvault uses each permission, see Amazon Web Services Permission Usage.
Related Topics
For more information about Amazon permissions, in the AWS documentation, see Amazon Elastic Compute Cloud API Reference or Amazon Simple Storage Service API Reference.