Commvault Service Control Policy

Commvault provides a service control policy (SCP) that ensures that each protectable AWS service can be used by IAM users and IAM roles in your organization.

SCPs don't actually grant permissions. Instead, they enable AWS account administrators to delegate access to actions by attaching standard AWS Identity and Access Management (IAM) permissions policies to users, groups, or roles.

Requirements

If SCPs are enabled in your AWS organization, you must attach your customized Commvault SCP to the following AWS accounts and OUs:

  • Root account

    • Infrastructure OU: Hosts the Commvault shared services account, infrastructure, and resources. Consolidating your Commvault resources in this way reduces your total cost of ownership (TCO) for Commvault data protection.

      • Commvault shared services account: Stores your Commvault resources for protecting the AWS workloads in your member accounts.

      • Blueprint hub account: Stores your Account Factory blueprints.

    • Workloads OU: Hosts your member accounts that have AWS workloads to protect.

      • Commvault member account 1

      • Commvault member account 2

        . . .

      • Commvault member account n

Recommendations

Carefully Review and Customize the Commvault SCP

The Commvault SCP is an example that demonstrates the implementation and use of SCPs. It's not intended to be interpreted as official Commvault recommendations or best practices to be implemented exactly as shown.

Before you use the Commvault SCP, do the following:

  • Carefully review and customize the Commvault SCP for your organization's unique requirements.

  • Thoroughly test your customized Commvault SCP in your environment with the AWS services that you use.

  • Remember that SCPs affect every user and role, including the root user, in every account that you attach SCPs to.

  • Remember that SCPs do not affect service-linked roles. Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs.

Understand the Risks of a Deny Approach to SCPs

The Commvault SCP works in AWS environments where explicit Allow statements are used to control access to a service and/or actions within the organization. The Commvault SCP does not use blanket Deny statements because these statements risk preventing data protection operations across the organization, unless you also add the necessary exceptions.

If you implement a deny-list approach to SCPs, you must verify that none of the actions that Commvault requires are denied. For information about those requirements, see Permission Requirements for AWS Resource Protection.
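As an added check for the deny-list caveat above (example code written for this page, not Commvault's own): a minimal SCP evaluator that applies the explicit-deny-wins rule to a list of required actions across the SCPs on an account's inheritance path. Only the two Allow statements in COMMVAULT_SCP come from this page's SCP; the deny-list SCP and the required-actions list are constructed samples, and Resource and Condition elements are assumed absent, as in this page's statements.

```python
import fnmatch
import json
# Excerpt of this page's Commvault SCP: two of its Allow statements, verbatim.
COMMVAULT_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCommvaultRDSProtection", "Effect": "Allow",
     "Action": ["ec2:*", "iam:*", "kms:*", "rds:*", "s3:*"], "Resource": "*"},
    {"Sid": "AllowCommvaultAssumeRoleAuthentication", "Effect": "Allow",
     "Action": ["sts:*"], "Resource": "*"}
  ]
}""")
# Constructed deny-list SCP (not from the page): a FullAWSAccess-style Allow "*"
# plus a targeted Deny, the pattern the page warns can block backup operations.
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "BlockSnapshotSharing", "Effect": "Deny", "Resource": "*",
         "Action": ["ec2:ModifySnapshotAttribute", "rds:ModifyDBSnapshotAttribute"]},
    ],
}
# Constructed sample of actions an RDS snapshot workflow might need; take the
# real list from "Permission Requirements for AWS Resource Protection".
REQUIRED_ACTIONS = ["rds:CreateDBSnapshot", "rds:ModifyDBSnapshotAttribute",
                    "kms:CreateGrant", "sts:AssumeRole"]

def _matches(action, patterns):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_permits(scp, action):
    """Explicit Deny wins; otherwise some Allow must match. Resource/Condition
    are ignored, which is exact for this page's statements (all Resource "*")."""
    allowed = False
    for stmt in scp["Statement"]:
        if "NotAction" in stmt:
            hit = not _matches(action, stmt["NotAction"])
        else:
            hit = _matches(action, stmt.get("Action", []))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def blocked_actions(scps, actions):
    """Actions not permitted by every SCP on the path root -> OU -> account."""
    return [a for a in actions if not all(scp_permits(s, a) for s in scps)]
```

Run blocked_actions over the SCPs attached at the root, the OU, and the member account; any action it returns will fail for Commvault no matter what IAM policy the backup role carries.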

Use IAM Last Accessed Information to Refine Permissions

You can use last accessed information in IAM to determine which services and actions you need to include in your SCPs. For more information, see Refine permissions in AWS using last accessed information.

Before disabling a service from an SCP that you use for Commvault, consider whether you want to allow usage and protection of that service for your developers. If you do, you can create a production SCP and a non-production SCP for Commvault.

Included AWS Services

The AWS services included in the Commvault SCP are as follows:

  • Amazon Elastic Compute Cloud (EC2)

  • AWS Identity and Access Management (IAM)

  • Amazon Elastic Block Store (EBS)

  • Amazon Key Management Service (KMS)

  • Amazon Simple Storage Service (S3)

  • AWS Security Token Service (STS)

  • AWS Systems Manager (SSM)

  • Amazon Message Delivery Service

CommvaultServiceControlPolicyStack

SCP Statement

The Commvault SCP is as follows:

{  
    "Version": "2012-10-17",
    "Statement": [
        {  
            "Sid": "AllowCommvaultEC2Protection112024e001",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "ebs:*",
                "kms:*",
                "s3:*",
                "sts:*",
                "ssm:*",
                "ec2messages:*",
                "ssmmessages:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCommvaultRDSProtection",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "kms:*",
                "rds:*",
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCommvaultRedshiftProtection",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "kms:*",
                "redshift:*",
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCommvaultDocDBProtection",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "kms:*",
                "rds:*",
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCommvaultIntelliSnapDBFSProtection",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "kms:*", 
                "s3:*" 
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCommvaultDynamoDBProtection",
            "Effect": "Allow",
            "Action": [  
                "cloudwatch:*",
                "dynamodb:*",
                "ec2:*",
                "iam:*",
                "kms:*", 
                "s3:*" 
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCommvaultS3Protection",
            "Effect": "Allow",
            "Action": [
                "s3:*", 
                "s3-outposts:*" 
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCommvaultAssumeRoleAuthentication",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": "*"
        }
    ]
}

AllowCommvaultEC2Protection112024e001

Description

The AllowCommvaultEC2Protection112024e001 SCP policy statement enables all Amazon EC2 actions, together with the IAM, EBS, KMS, S3, STS, SSM, EC2 Messages, and SSM Messages actions that EC2 protection depends on, to be granted to your organization root, OUs, or accounts.

Using this Policy Statement

You can create and attach the AllowCommvaultEC2Protection112024e001 service control policy to your organization root, OUs, or accounts to allow Amazon EC2 protection.

Policy Details

  • Type: Service control policy (SCP)

  • Creation time: June 15, 2024 00:00 UTC

Policy Version

Policy version: 112024e001

  • This policy was released for Commvault Platform Release 2024E (112024e).

  • This policy is version 001.

JSON Policy Document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCommvaultEC2Protection112024e001",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "ebs:*",
                "kms:*",
                "s3:*",
                "sts:*",
                "ssm:*",
                "ec2messages:*",
                "ssmmessages:*"
            ],
            "Resource": "*"
        }
    ]
}

AllowCommvaultRDSProtection

Description

The AllowCommvaultRDSProtection SCP policy statement enables all Amazon RDS actions, together with the EC2, IAM, KMS, and S3 actions that RDS protection depends on, to be granted to your organization root, OUs, or accounts.

Using this Policy Statement

You can create and attach the AllowCommvaultRDSProtection service control policy to your organization root, OUs, or accounts to allow Amazon RDS protection.

Policy Details

  • Type: Service control policy (SCP)

  • Creation time: June 15, 2024 00:00 UTC

Policy Version

Policy version: 112024e001

  • This policy was released for Commvault Platform Release 2024E (112024e).

  • This policy is version 001.

JSON Policy Document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCommvaultRDSProtection",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "kms:*",
                "rds:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}

AllowCommvaultRedshiftProtection

Description

AllowCommvaultRedshiftProtection is a sub-statement of AllowCommvaultEC2Protection112024e001.

Using this Policy Statement

You can create and attach the AllowCommvaultRedshiftProtection service control policy to your organization root, OUs, or accounts to allow Amazon Redshift protection.

Policy Details

  • Type: Service control policy (SCP)

  • Creation time: June 15, 2024 00:00 UTC

Policy Version

Policy version: 112024e001

Note

Commvault does not version control each per-service SCP. To determine the version of the SCP, see the AllowCommvaultEC2Protection statement.

  • This policy was released for Commvault Platform Release 2024E (112024e).

  • This policy is version 001.

JSON Policy Document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCommvaultRedshiftProtection",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "kms:*",
                "redshift:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}

AllowCommvaultDocDBProtection

Description

AllowCommvaultDocDBProtection is a sub-statement of AllowCommvaultEC2Protection112024e001.

Using this Policy Statement

You can create and attach the AllowCommvaultDocDBProtection service control policy to your organization root, OUs, or accounts to allow Amazon DocumentDB protection.

Policy Details

  • Type: Service control policy (SCP)

  • Creation time: June 15, 2024 00:00 UTC

Policy Version

Policy version: 112024e001

Note

Commvault does not version control each per-service SCP. To determine the version of the SCP, see the AllowCommvaultEC2Protection statement.

  • This policy was released for Commvault Platform Release 2024E (112024e).

  • This policy is version 001.

JSON Policy Document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCommvaultDocDBProtection",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "kms:*",
                "rds:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}

AllowCommvaultIntelliSnapDBFSProtection

Description

AllowCommvaultIntelliSnapDBFSProtection is a sub-statement of AllowCommvaultEC2Protection112024e001.

Using this Policy Statement

You can create and attach the AllowCommvaultIntelliSnapDBFSProtection service control policy to your organization root, OUs, or accounts to allow IntelliSnap DBFS protection.

Policy Details

  • Type: Service control policy (SCP)

  • Creation time: June 15, 2024 00:00 UTC

Policy Version

Policy version: 112024e001

Note

Commvault does not version control each per-service SCP. To determine the version of the SCP, see the AllowCommvaultEC2Protection statement.

  • This policy was released for Commvault Platform Release 2024E (112024e).

  • This policy is version 001.

JSON Policy Document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCommvaultIntelliSnapDBFSProtection",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "iam:*",
                "kms:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}

AllowCommvaultDynamoDBProtection

Description

AllowCommvaultDynamoDBProtection is a sub-statement of AllowCommvaultEC2Protection112024e001.

Using this Policy Statement

You can create and attach the AllowCommvaultDynamoDBProtection service control policy to your organization root, OUs, or accounts to allow Amazon DynamoDB protection.

Policy Details

  • Type: Service control policy (SCP)

  • Creation time: June 15, 2024 00:00 UTC

Policy Version

Policy version: 112024e001

Note

Commvault does not version control each per-service SCP. To determine the version of the SCP, see the AllowCommvaultEC2Protection statement.

  • This policy was released for Commvault Platform Release 2024E (112024e).

  • This policy is version 001.

JSON Policy Document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCommvaultDynamoDBProtection",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*",
                "dynamodb:*",
                "ec2:*",
                "iam:*",
                "kms:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}

AllowCommvaultS3Protection

Description

AllowCommvaultS3Protection is a sub-statement of AllowCommvaultEC2Protection112024e001.

Using this Policy Statement

You can create and attach the AllowCommvaultS3Protection service control policy to your organization root, OUs, or accounts to allow Amazon S3 protection.

Policy Details

  • Type: Service control policy (SCP)

  • Creation time: June 15, 2024 00:00 UTC

Policy Version

Policy version: 112024e001

Note

Commvault does not version control each per-service SCP. To determine the version of the SCP, see the AllowCommvaultEC2Protection statement.

  • This policy was released for Commvault Platform Release 2024E (112024e).

  • This policy is version 001.

JSON Policy Document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCommvaultS3Protection",
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-outposts:*"
            ],
            "Resource": "*"
        }
    ]
}

AllowCommvaultAssumeRoleAuthentication

Description

AllowCommvaultAssumeRoleAuthentication is a sub-statement of AllowCommvaultEC2Protection112024e001.

Using this Policy Statement

You can create and attach the AllowCommvaultAssumeRoleAuthentication service control policy to your organization root, OUs, or accounts to allow Commvault assume-role (AWS STS) authentication.

Policy Details

  • Type: Service control policy (SCP)

  • Creation time: June 15, 2024 00:00 UTC

Policy Version

Policy version: 112024e001

Note

Commvault does not version control each per-service SCP. To determine the version of the SCP, see the AllowCommvaultEC2Protection statement.

  • This policy was released for Commvault Platform Release 2024E (112024e).

  • This policy is version 001.

JSON Policy Document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCommvaultAssumeRoleAuthentication",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": "*"
        }
    ]
}